Abstract
Today information security problems often hit the front page and become headlines in the news. The global cost of security breaches has been estimated at over $15 billion a year. Despite the prevalence of security incidents, information security is not regarded as a high-priority issue in many companies. To improve the information security of organizations, the UK developed an information security standard, BS7799, in 1995. Since its release as a British Standard, and its later adoption as an international standard, its uptake as corporate practice has been very slow. Compared with BS7799, the experience of ISO9000 was a tremendous success: from 1987 to 1998, over 270,000 firms in 143 countries obtained certification. Despite this world-wide adoption and its claimed benefits, ISO9000 has faced many criticisms. Drawing on the difficulties and problems faced by the ISO9000 series, a new approach to implementing BS7799 is needed in order to obtain effective results. This new approach, which we categorise as the knowledge-based approach, integrates the theories and practices of information security, organizational learning and knowledge management. The knowledge-based approach is built on three assumptions. 1) People are the key factor in information security. Successful deployment involves building new values and working habits, which is a transformation of the organizational culture. 2) Implementation should be seen as an act of innovation rather than the execution of a plan. 3) Information security is a capability that can be improved in stages or levels. Organizations start at different levels and mature at different paces. The aim of this study is to develop and validate this approach to implementing information security in an organization. The research methodology is action research, a collaborative approach in which the researchers and the internal users are engaged in a problem-solving relationship. The research site is a Hong Kong-based electronics company.
The company's major product lines are electronic dictionaries and Personal Digital Assistants (PDAs). This study has been conducted through two cases. Case one concerns a project to improve the security of a new product, a PDA with a built-in mobile phone device. A task force was set up to study the risks and recommended a series of security controls to protect the product against a range of threats, such as theft and leakage of the new design before the product was launched to the market. Case two concerns the deployment of a company-wide electronic document management system. This new system supports new product development through functions such as design change control, security control and the sharing of documents across geographical areas. Each case goes through a process of planning, acting and evaluation, together with reflection by the researchers. The knowledge of the researchers and the internal users concerning information security grows as each case progresses. The findings of the two case studies indicate that the knowledge-based approach is an effective way to improve information security. A cross-case analysis is then used to draw out insights into the relevance and strength of this approach. Finally, the authors propose a complexity and tangibility framework that can be applied to the implementation of large-scale organizational change.
Recommended Citation
Fung, Philip and Jordan, Ernest, "Implementation of Information Security: A Knowledge-based Approach" (2002). PACIS 2002 Proceedings. 72.
https://aisel.aisnet.org/pacis2002/72