Multicriteria analysis of the compliance for the improvement of information security

DOI:

https://doi.org/10.4301/S1807-1775201916007

Keywords:

Information security, Compliance, Security practices, Analytic hierarchy process, Decision support system

Abstract

Information security is a current issue in the protection of information assets that involves significant variables of a strategic, organizational and IT governance nature, and that requires analysis of compliance with the international standards that regulate business actions. Accordingly, this work analyzes institutional compliance in order to improve information security by applying the Analytic Hierarchy Process methodology to the specific practices defined in ISO/IEC 27002:2013. Expert Choice was used as the Decision Support System; it generated the ranking of priorities of the criteria and alternatives used in the decision process, which was later applied in a medium-sized Brazilian industrial company. The results identify the independent critical review of information security as the main security practice.
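The abstract describes deriving a priority ranking of criteria and alternatives with the Analytic Hierarchy Process. The following is an added worked example, not code from the paper (which used the Expert Choice tool), showing the core of AHP in pure Python: Saaty's principal-eigenvector priorities via power iteration, the consistency index and ratio (CI = (λ_max − n)/(n − 1), CR = CI/RI) that tell an assessor whether the pairwise judgments are usable, and the synthesis of global scores for the alternatives. The criteria, practice names and every pairwise judgment below are constructed for illustration and are not the study's data.

```python
"""Added example (not from the paper): AHP priorities, consistency check and
synthesis in pure Python. All pairwise judgments here are constructed."""

from typing import Dict, List, Sequence, Tuple

Matrix = Sequence[Sequence[float]]

# Saaty's random consistency index by matrix order n = 1..10.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def validate_pairwise(matrix: Matrix) -> None:
    """Reject anything that is not a positive reciprocal matrix with unit diagonal."""
    n = len(matrix)
    if n not in RANDOM_INDEX:
        raise ValueError(f"order {n} not supported; RI table covers 1..10")
    for i in range(n):
        if len(matrix[i]) != n:
            raise ValueError("pairwise matrix must be square")
        if abs(matrix[i][i] - 1.0) > 1e-9:
            raise ValueError(f"diagonal entry a[{i}][{i}] must be 1")
        for j in range(n):
            a, b = matrix[i][j], matrix[j][i]
            if a <= 0 or b <= 0:
                raise ValueError("judgments must be positive")
            if abs(a * b - 1.0) > 1e-6:
                raise ValueError(f"a[{i}][{j}] and a[{j}][{i}] are not reciprocal")


def principal_eigenvector(matrix: Matrix, tol: float = 1e-12,
                          max_iter: int = 10_000) -> Tuple[List[float], float]:
    """Power iteration: returns (priority vector summing to 1, lambda_max)."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(max_iter):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        nxt = [x / total for x in aw]
        converged = max(abs(nxt[i] - w[i]) for i in range(n)) < tol
        w = nxt
        if converged:
            break
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lam_max


def ahp_priorities(matrix: Matrix) -> Tuple[List[float], float]:
    """Priorities and consistency ratio CR = CI / RI with CI = (lambda_max - n) / (n - 1)."""
    validate_pairwise(matrix)
    n = len(matrix)
    w, lam_max = principal_eigenvector(matrix)
    if n <= 2:
        return w, 0.0  # a 1x1 or 2x2 reciprocal matrix is always consistent
    ci = (lam_max - n) / (n - 1)
    return w, ci / RANDOM_INDEX[n]


def rank_alternatives(criteria: List[str], criteria_matrix: Matrix,
                      alternatives: List[str], local_matrices: Dict[str, Matrix],
                      cr_limit: float = 0.10) -> List[Tuple[str, float]]:
    """Global score of an alternative = sum over criteria of w_c * local weight under c.
    Any judgment set whose CR exceeds cr_limit (Saaty's usual 0.10) is rejected."""
    crit_w, cr = ahp_priorities(criteria_matrix)
    if cr > cr_limit:
        raise ValueError(f"criteria judgments inconsistent (CR={cr:.3f})")
    scores = {a: 0.0 for a in alternatives}
    for c, wc in zip(criteria, crit_w):
        local_w, local_cr = ahp_priorities(local_matrices[c])
        if local_cr > cr_limit:
            raise ValueError(f"judgments under '{c}' inconsistent (CR={local_cr:.3f})")
        for a, wa in zip(alternatives, local_w):
            scores[a] += wc * wa
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Constructed hierarchy (hypothetical labels and judgments, not the study's data).
CRITERIA = ["policy", "access control", "compliance"]
CRITERIA_MATRIX = [[1, 3, 5], [1 / 3, 1, 3], [1 / 5, 1 / 3, 1]]
ALTERNATIVES = ["independent review", "access rights review", "awareness training"]
LOCAL_MATRICES = {
    "policy": [[1, 2, 4], [1 / 2, 1, 2], [1 / 4, 1 / 2, 1]],
    "access control": [[1, 1 / 3, 1], [3, 1, 3], [1, 1 / 3, 1]],
    "compliance": [[1, 5, 3], [1 / 5, 1, 1 / 3], [1 / 3, 3, 1]],
}


def demo() -> List[Tuple[str, float]]:
    return rank_alternatives(CRITERIA, CRITERIA_MATRIX, ALTERNATIVES, LOCAL_MATRICES)


if __name__ == "__main__":
    for name, score in demo():
        print(f"{name:22s} {score:.4f}")
```

For a 3x3 matrix the principal eigenvector coincides with the row geometric means, so the constructed criteria matrix above yields priorities of about 0.637, 0.258 and 0.105 with CR ≈ 0.033; a circular judgment set such as A over B, B over C, C over A produces CR above 1 and is rejected, which is the check a practitioner should run before trusting any AHP ranking.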

Author Biographies

Pedro Solana-González, Faculty of Business Administration and Economics University of Cantabria

Degree in Computer Science from the Polytechnic University of Catalonia (UPC); holds a Master's in Applied Mathematics and Computer Science and a PhD in Industrial Engineering from the University of Cantabria (UC). Associate Professor of Business Organization in the Faculty of Business and Economics at UC. Member of the R&D Group on the Application of Information Technology for Competitiveness and Innovation, he teaches and researches in the fields of information systems, knowledge management, project management and information security for improving business management. Participates in various postgraduate programs at both the Polytechnic University of Valencia (UPV) and UC, being responsible for the Project Management module in the Innovation Management Expert program, professor of the Master in International Cooperation and Development of the COIBA Chair and responsible for various IT subjects in the Official Master in Business and Information Technology at UC. In recent years I have participated in and directed, as principal investigator, over 20 R&D projects financed by public bodies (ECO Project (CIP, European Commission), Interministerial Commission for Science and Technology (CICYT), Ministry of Industry, Tourism and Sport of the Government of Cantabria) and private industrial companies (Santander Shipyards, Nuclenor, CIC Consulting, Solvay Chemicals), accumulating more than 15 years of experience in project management.
He has participated in numerous conferences (15th CONTECSI, CUICIID 2017, CICID 2017, Emoocs 2017, In-Red 2016, InterTIC, IBIMA, EMCIS, ICAI, ACEDE, AEDEM, SOCOTE), is a member of the scientific committees of several international conferences and a reviewer for journals such as Future Generation Computer Systems and Total Quality Management & Business Excellence; I have published several book chapters (IGI Global and InTech Open Science) and articles on IT and management in national and international journals (E-I, RISTI, IC, EM, IJHCITP, IJTM, EPI, JKDE, BEE).

Adolfo Alberto Vanti, Regional Integrated University of High Uruguay and Missions

Doctor in Economic and Business Sciences from the University of Deusto, Spain. Professor at the Regional Integrated University of Alto Uruguay and the Missions, Brazil.

Karen Hackbart Souza Fontana, Educational Institution São Judas Tadeu Administration Department

Master in Accounting from the University of Vale do Rio dos Sinos (UNISINOS), research area Management Control; specialist in Controlling and Finance from the Educational Institution São Judas Tadeu and graduate in Business Administration from the same institution. Professional with more than 10 years of experience in the areas of costs and budgeting, preparing projections, forecasts, performance indicators and management reports. Teacher at the institutions Cesuca - Inedi (Cost Management and Budget Management) and Integrated Colleges São Judas Tadeu (Controllership; Management Information Systems; Research Methodology; Research Project).

References

Awad, A. I. (2018). Introduction to information security foundations and applications. In: Information Security: Foundations, Technologies and Applications, pp. 3-11. The Institution of Engineering and Technology (IET).

Bianchini, A. (2018). 3PL provider selection by AHP and TOPSIS methodology. Benchmarking: An International Journal, 25(1).

BS 7799-2 (2002). Specification for information security management systems. London, UK: British Standards Institution.

Botha, R. A., & Gaadingwe, T. G. (2006). Reflecting on 20 SEC conferences. Computers & Security, 25(4).

Buccafurri, F., Fotia, L., Furfaro, A., Garro, A., Giacalone, M., & Tundis, A. (2015). An analytical processing approach to supporting cyber security compliance assessment. In: Proceedings of the 8th International Conference on Security of Information and Networks, pp. 46-53. ACM.

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-548.

COM (2006). The availability, reliability and security of networks and information systems are increasingly central to our economies and to the fabric of society. Commission of the European Communities.

Cong, H., Dang, D., Brennan, L., & Richardson, J. (2017). Information security and people: A conundrum for compliance. Australasian Journal of Information Systems, 21, 1-16.

Dhillon, G., & Backhouse, J. (2000). Technical opinion: Information system security management in the new millennium. Communications of the ACM, 43(7), 125-128.

Dimopoulos, V., Furnell, S. M., Jennex, M., & Kritharas, I. (2004). Approaches to IT security in small and medium enterprises. In: Proceedings of the 2nd Australian Information Security Management Conference 2004, Perth, Australia.

Doherty, N. F., & Fulford, H. (2006). Aligning the information security policy with the strategic information systems plan. Computers & Security, 25(1), 55-63.

Ferreira, E., Matos, F., Matos, D., Bugarim, M. C., & Machado, D. (2014). Governança corporativa na saúde suplementar: estudo de caso em uma operadora de plano de saúde. Pensamento & Realidade. Revista do Programa de Estudos Pós-Graduados em Administração-FEA, 29(3), 19-39.

Gao, F., Rau, P. L. P., & Zhang, Y. (2018). Perceived Mobile Information Security and Adoption of Mobile Payment Services in China. In Mobile Commerce: Concepts, Methodologies, Tools, and Applications, pp. 1179-1198. IGI Global.

Giannakouris, K., & Smihily, M. (2010). ICT security in enterprises, 2010. Eurostat, European Commission.

Gordon, L. A., & Loeb, M. P. (2006). Economic aspects of information security: an emerging field of research. Information Systems Frontiers, 8(5), 335-337.

Griffith, S. J., Thel, S., Baer, M., Miller, G. P., Manwah, G., Breslow, S., ... & Baxter Jr, T. C. (2016). The changing face of corporate compliance and corporate governance. Fordham Journal of Corporate & Financial Law, 21(1), 1-69.

Hasbini, M. A., Eldabi, T., & Aldallal, A. (2018). Investigating the information security management role in smart city organisations. World Journal of Entrepreneurship, Management and Sustainable Development, 14(1), 86-98.

Hina, S., & Dominic, P. D. D. (2018). Information security policies’ compliance: a perspective for higher education institutions. Journal of Computer Information Systems, 1-11, doi.org/10.1080/08874417.2018.1432996.

Hogue, J. T. (1987). A Framework for the examination of management involvement in decision support systems. Journal of Management Information Systems, 4(1), 96-110.

Hone, K., & Eloff, J. H. P. (2002). Information security policy – what do international security standards say? Computers & Security, 21(5), 402-409.

Hubbard, D. W. (2010). How to measure anything: finding the value of intangibles in business. 2nd Edition. New York: John Wiley & Sons.

Ishizaka, A., & Siraj, S. (2018). Are multi-criteria decision-making tools useful? An experimental comparative study of three methods. European Journal of Operational Research, 264(2), 462-471.

ISO/IEC 27001:2007. Information technology - Security techniques - Information security management systems - Requirements. International Organization for Standardization.

ISO/IEC 27002:2013. Information technology - Security techniques - Code of practice for information security controls. International Organization for Standardization.

Kim, S., Leem, C. S., & Lee, H. J. (2005). An evaluation methodology of enterprise security management systems. International Journal of Operations and Quantitative Management, 11(4), 303-312.

Knuplesch, D., & Reichert, M. (2017). A visual language for modeling multiple perspectives of business process compliance rules. Software & Systems Modeling, 16(3), 715-736.

Kwon, S., Jang, S., Lee, J., & Kim, S. (2007). Common defects in information security management system of Korean companies. Journal of Systems and Software, 80(10), 1631-1638.

Luftman, J., Kempaiah, R., & Nash, E. (2006). Key issues for IT executives. MIS Quarterly Executive, 5(2), 81-99.

Mateescu, R. A. (2015). Corporate governance disclosure practices and their determinant factors in European emerging countries. Accounting and Management Information Systems, 14(1), 170-192.

May, C. (2003). Dynamic corporate culture lies at the heart of effective security strategy, Computer Fraud & Security, 2003(5), 10-13.

May, J., & Dhillon, G. (2010). A holistic approach for enriching information security analysis and security policy formation. In: ECIS 2010 Proceedings, Paper 146. http://aisel.aisnet.org/ecis2010/146

Melville, N., Kraemer, K., & Gurbaxani, V. (2004). Review: information technology and organizational performance: an integrative model of IT business value. MIS Quarterly, 28(2), 283-322.

Nasir, A., & Arshah, R. A. (2018). Information security culture dimensions in information security policy compliance study: A review. Advanced Science Letters, 24(2), 943-946.

Navarro, M. (2006). Security evolves towards maturity. Universia Business Review, 2nd quarter, 10, 96-103.

Nazari, S., Fallah, M., Kazemipoor, H., & Salehipour, A. (2018). A fuzzy inference-fuzzy analytic hierarchy process-based clinical decision support system for diagnosis of heart diseases. Expert Systems with Applications, 95(1), 261-271.

Ngo, L., & Zhou, W. (2005). The Multifaceted and Ever-Changing Directions of Information Security – Australia Get Ready! In: 3rd International Conference on Information Technology and Applications (ICITA 2005), Sydney, Australia: IEEE Press.

OECD (2005). The promotion of a culture of security for information systems and networks in OECD countries. Organisation for Economic Cooperation and Development.

OECD (2009). The impact of the global crisis on SME and entrepreneurship financing and policy responses. Organisation for Economic Cooperation and Development.

Oliveira, D., Silva, M. P., Lima, T. A., & Souza, M. M. (2015). Um estudo exploratório da gestão de pessoas na integração e disseminação da governança corporativa. Augusto Guzzo Revista Acadêmica, 2(16), 241-268.

Park, M., & Chai, S. (2018). Internalization of information security policy and information security practice: A comparison with compliance. In: Proceedings of the 51st Hawaii International Conference on System Sciences, pp. 4723-4731.

Park, S., & Ruighaver, T. (2008). Strategic approach to information security in organizations. In: Proceedings of the 2008 International Conference on Information Science and Security, Seoul, South Korea: IEEE Press.

Parsons, K. M., Young, E., Butavicius, M. A., McCormac, A., Pattinson, M. R., & Jerram, C. (2015). The influence of organizational information security culture on information security decision making. Journal of Cognitive Engineering and Decision Making, 9(2), 117-129.

Pérez-González, D., & Solana-González, P. (2006). Intranets: medición y valoración de sus beneficios en las organizaciones. El Profesional de la Información, 15(5), 331-341.

Rios, O. K. L., de Almeida Teixeira Filho, J. G., & da Silva Rios, V. P. (2017). Melhores práticas do COBIT, ITIL e ISO/IEC 27002 para implantação de política de segurança da informação em Instituições Federais do Ensino Superior. Revista Gestão & Tecnologia, 17(1), 130-154.

Saaty, T. L. (1980). The Analytic Hierarchy Process: Planning, Priority Setting, Resource Allocation. New York: McGraw-Hill.

Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T. (2015). Information security conscious care behaviour formation in organizations. Computers & Security, 53, 65-78.

Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.

Sêmola, M. (2014). Gestão da segurança da informação: uma visão executiva. 2ª edição, Brasil: Elsevier.

Shamala, P., Ahmad, R., Zolait, A. H., & bin Sahib, S. (2015). Collective information structure model for Information Security Risk Assessment (ISRA). Journal of Systems and Information Technology, 17(2), 193-219.

Singh, V., & Margam, M. (2018). Information security measures of libraries of Central Universities of Delhi: A study. DESIDOC Journal of Library & Information Technology, 38(2), 102-109.

Siponen, M., & Willison, R. (2009). Information security management standards: problems and solutions. Information & Management, 46(5), 267-270.

Smith, S., & Jamieson, R. (2006). Determining key factors in e-government information system security. Information Systems Management, 23(2), 23-32.

Solana-González, P., & Pérez-González, D. (2011). Security model applied to electronic records management: experiences and results in the nuclear sector. International Journal of Technology Management, 54(2/3), 204-228.

Sprague, R., & Carlson, E. (1982). Building Effective Decision Support Systems. Englewood Cliffs, NJ: Prentice Hall.

Uddin, M., & Preston, D. (2015). Systematic Review of Identity Access Management in Information Security. Journal of Advances in Computer Networks, 3(2), 150-156.

Von Solms, B., & Von Solms, R. (2005). From information security to…business security? Computers & Security, 24(4), 271-273.

Ward, J. L., & Peppard, J. (2002). Strategic Planning for Information Systems. Chichester, England: John Wiley & Sons.

Published

2019-12-30

How to Cite

Solana-González, P., Vanti, A. A., & Hackbart Souza Fontana, K. (2019). Multicriteria analysis of the compliance for the improvement of information security. Journal of Information Systems and Technology Management, 16(1). https://doi.org/10.4301/S1807-1775201916007

Section

Articles