Study determines why organizations fight data breaches differently

July 09, 2015

In the wake of recent high-profile security breaches at retail stores such as Target and Neiman Marcus, a new study from The University of Texas at Dallas determines why differences exist in the level of information security control resources among organizations.

Since digitalization began, organizations have understood how valuable their information is, said Dr. Huseyin Cavusoglu, the study's lead author and an associate professor of information systems at UT Dallas. More recently, dependency on the Internet has made it difficult for organizations to secure and protect this asset.

Protecting information initially was viewed as a technology-related problem, he said, and was solved by investing in technology-based solutions.

"But over the years, it has become clear that technology-based solutions are not foolproof or sufficient," said Cavusoglu, a security management researcher in the Naveen Jindal School of Management. "In light of this observation, we were interested in identifying a coherent set of organizational resources for information security controls that organizations should invest in to protect their information assets."

For the study, published in the June edition of Information & Management, the researchers surveyed senior and midlevel IT managers about information security practices and operations in their organizations. The analysis was based on responses from 241 organizations of varying industries and size.

The study found that organizations should invest in three distinct resources to better protect their information: security technologies, qualified information security personnel and security awareness of organizational users.

Because organizations perceive security risks differently, they invest in information security controls at different levels. The researchers also examined the drivers of these investments.

"We found that coercive pressures -- stemming from business partners or industry and government regulations -- and normative pressures -- rooted in information security practices of partners, as well as the firm's exposure to security best practices through professional organizations, trade shows, conferences and security publications -- largely impact the firms' investments in security control resources," Cavusoglu said.

Cavusoglu said the findings have several implications for public policymakers, security vendors and individual organizations.

The study advises public policymakers to continue to support government-sponsored security groups and to work closely with professional security associations and councils to design regulatory rules on security and promote best security practices.

Cavusoglu said the study shows that information security is not solely about technology and that to ward off security threats, organizations should invest in both technology-based solutions and knowledge-based assets.

The study advises organizations to consider information security as an issue that can be managed with a combined portfolio of control mechanisms consisting of information security technologies, qualified information security personnel and security awareness of organizational users.

"Employees should understand that they play an important role in safeguarding the information assets of their organizations and keep themselves up-to-date with the contemporary security threats," Cavusoglu said. "Businesses should pay close attention to security education, which can change employees from being the weakest link in security to the biggest safeguard for security."

Dr. Hasan Cavusoglu and Dr. Izak Benbasat of the University of British Columbia and Dr. Jai-Yeol Son of Yonsei University also contributed to the study.

University of Texas at Dallas
