Introduction
Information security has become a priority for almost every country seeking
to strengthen its economy and to remain competitive in global markets. Not
only developed states such as the US, the UK and Australia, but also
under-developed countries such as India and Pakistan have raised their
productivity considerably through the continuous involvement of security
management and information technology. It has become essential for
organizations and educational institutions to receive, distribute and store
information in a better way, and this is possible only when they develop a
better understanding of security and apply its best practices. It would not
be wrong to say that the world's economy has moved from low-value basic
industries to a fast-paced, high-value, information-based economy.
Institutions with readily available information foundations are now given
high preference and are considered successful. Thus the reliability of an
organization depends on how well structured and reliable its information and
security systems are. Over time, information security has brought drastic
changes to the landscape of IT. Students of all subjects want to be admitted
to universities that offer them both high-quality education and a complete
sense of being secure.
The modern era is a diversified information society, which has become the
most defining feature of our 21st century. Organizations need to receive,
distribute and store information for better understanding and utilization,
and information has become an important asset for them. Institutions with
workable and sound information foundations are considered highly reliable.
Thus the reliance and resilience of an organization depend on well-managed
and well-stacked information structures; accordingly, a good information
security management system should be in place to protect all important
information of an organization and to avoid the threats and risks of
information being damaged or hacked (Martijn and Groenleer, 2009).
Prime educational institutions such as universities, because of their large
and complex structures, need to rely heavily on information to achieve their
objectives globally. Almost all university activities, such as research,
teaching and learning, depend on accurate and up-to-date information. The
operational and strategic controls also demand a high-quality information
system based on the latest technology and a sound structure. Thus
universities adopt a comprehensive information system to leave their mark in
this competitive environment (Veiga & Eloff, 2007).
The practical execution of information security also depends on the
analytical crafting of a comprehensive strategy. That strategy needs to be
supported by the organizational culture, the level of engagement of senior
management, their approach towards organizational security management and
the level of awareness created in the organization of information security
needs and their benefits (Tipton & Krause, 2009).
It is of paramount importance to understand the current status of
information security before moving forward. According to Von Solms (2000),
information security has passed through three stages of evolution. The first
is the technical stage, which started in the early 80s, when information
security was handled purely technically. The need for more management
involvement was realized in this stage, and so the second stage, called the
management stage, began; it saw increased involvement of management in
information security management. Soon, however, it was realized that
information security needed to become more effective by setting standards
and comparing security against them. Thus the third stage of information
security, called the institutional stage, started. It involves the adoption
of international standards, codes and ethics and the continuous measurement
of information security against those standards. Beyond technology and these
waves of information security, however, management and governance remain its
most important facet (Gordon and Loeb, 2006).
Whitson (2003) says that information security must ensure integrity and
secrecy, and that information should also be readily available. This is what
the CIA (confidentiality, integrity, availability) model says. This model
was considered to be the most important model of security, but it no longer
meets the requirements of the modern world. It is too simple: it includes
only the basic elements while ignoring key facets of information security
such as responsibility and accountability. This is because the CIA model was
developed in the age of computing, while the IT environment has since
changed significantly. Whitson (2003) says that information security is
achievable with tactics such as risk analysis, the use of security policies,
awareness and training for employees, documentation and preparation for
recovery from any damage or disaster. Anderson (2001) says that effective
information security management is possible with significant involvement of
stakeholders and the exercise of the relevant security standards.
The past two decades have seen significant development in security
management, which has broadened the scope and framework of information
security. A proper security management system should comprehensively
recognize what is being implemented, what the deficiencies are and what
needs to be done to remove them and improve processes (Martins and Eloff,
2001). Unfortunately, if management is not involved in information security,
the result can be the drastic problem of either too many controls or not a
single control for monitoring in this area.
Measuring information security management is very necessary but difficult
to undertake. It is necessary because it helps to determine whether the
business goals are aligned with the security management system in place.
However, the measurement of information security and the benefits attached
to it are difficult to judge, which is why management is usually reluctant
to implement it (Kankanhalli, Teo, Tan and Wei, 2003). Measurement requires
meeting the standards, risk assessment and evaluation of internal control
systems. Some researchers are of the view that information security can be
managed effectively only under some international certification. They also
hold that, for effective implementation of information security, the
recognized security standards should be followed, because these standards
give an organization direction for developing operative strategies (May,
2003).
Although information security management is vital, it is unfortunately not
given due importance in universities. In addition, there are always problems
in implementation, and the impact of such security management practices on
work is often not measured. A properly coordinated approach to the adoption
and implementation of information security management is needed in this
competitive and globalized environment. There is also very limited academic
literature on the topic selected for this study (Bojanc & Borka, 2013).
Therefore, the current research will highlight the importance of information
security compliance at universities and will also suggest how it could be
improved. It will take into account the impact of the level of awareness,
security approach, security policy and top management engagement on
information security compliance.
Research Objectives
The objectives of this research are the following:
· To investigate the impact of information security compliance at
universities of Pakistan
· To identify the issues universities are facing in compliance with
information security management
· To suggest ways to put better compliance in place for information
security management
Research Significance
This study is significant because, to the best of the researcher's
knowledge, it is the first study to be conducted on information security
management at universities of Pakistan. It will study the existing situation
of information security management in universities, identify the issues in
it and suggest ways to improve it. With the help of this study, the
universities of Pakistan will be able to improve their information security
and will identify everyone's role in maintaining this important aspect of
their proper working.
The framework set for universities will also be usable by other
organizations, whether large or small, to manage their information security
programs. Another contribution of this study will be its addition to the
literature on security management since, as stated earlier, it will be the
first study to investigate information security compliance at universities
of Pakistan.
Methodology
Research design
A range of methodologies, both qualitative and quantitative, is available
for conducting research. Qualitative research provides rich data that helps
to explore a particular phenomenon and to make an in-depth analysis of it.
The techniques commonly used in qualitative research are interviews, focus
groups, observations, postcards, etc. Quantitative methods, on the other
hand, help to arrive at more generalized results and also provide a detailed
study of a particular behavior. The techniques commonly used in quantitative
research include surveys, observations and secondary data (Bryman and Bell,
2007).
This research will use a mixture of qualitative and quantitative
methodologies to investigate the information security compliance status at
universities of Pakistan. Qualitative techniques will be used to build an
understanding of the issue under investigation, while quantitative
techniques will be used to evaluate the actual information security status
at the selected universities so that recommendations can be made on the
basis of the results obtained. This follows the recommendations of Mason
(2002), Ritchie and Lewis (2003) and O’Leary (2004). With qualitative
techniques, this research will investigate the issues in the existing
security status of universities and suggest improvements; quantitative
methodology will provide an objective measurement of the phenomenon under
study, and the results of quantitative research are more readily generalized
across groups (Bryman and Bell, 2007).
The rationale for this methodology is that it covers both qualitative and
quantitative aspects and is widely used by researchers in information
security management. The questionnaire to be used in the current research
has also been used in prior research and has been confirmed to be valid;
thus the current research adopts the same methodology.
Limitations
This research carries a few limitations. It will investigate the
information security compliance of universities at a single point in time;
compliance may improve later on due to technologically enhanced management
or changes in technology, so the research is valid only for the period in
which it is conducted. Furthermore, it includes only 8 to 10 universities of
Pakistan, and only from the private sector, so the results may differ when
the research is conducted across all universities of Pakistan. The results
of the study will be drawn from the responses of the higher management of
universities and will not take into account the views of students, who
usually have the closest links to attempts to hack information from
information security practitioners.
Data Collection and Sample Size
The data will be collected from the higher management of universities,
including Vice Chancellors as well as registrars, using a structured
questionnaire adopted from the research of O’Leary (2004) and Lane (2007).
Since the instrument has already been used in research, its validity and
reliability are confirmed.
The sample will be 8 to 10 private sector universities of Pakistan, with 5
persons from each university surveyed through the questionnaire. The
rationale for using only private universities is that security measures at
public and private sector universities may differ significantly, which
cannot be comprehensively covered in a single study. The sampling technique
will be simple random sampling, so that unbiased results can be obtained;
the same methodology has been recommended by Lane (2007) for conducting an
information security management study in universities.
Analysis Technique
Data will be analyzed using the Statistical Package for Social Sciences
(SPSS 20) and a spreadsheet program. The analysis techniques include
multiple regression and correlation as well as descriptive statistics and
graphs, because these techniques have already been used in the similar
research of O’Leary (2004) and Lane (2007). Regression and correlation are
used to study the relationship between, and the impact of, the independent
variables on the dependent variable, whereas graphs and descriptive
statistics are used to better visualize the responses of the selected sample
(Bryman and Bell, 2007). Qualitative data, on the other hand, will only be
discussed theoretically, to describe information security practices in
universities in other parts of the world.
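As an added illustration of the analysis technique described above (this is not code from the proposal, which states that the analysis will be done in SPSS 20 and a spreadsheet), the following Python script shows on a constructed sample how multiple regression and correlation relate the independent variables named in the proposal (awareness, security approach, security policy, top management engagement) to a dependent compliance score. The 1-5 rating scale, the column names, the ten constructed responses and the weights used to build the outcome column are all assumptions made for the example; the script uses only the standard library and solves the normal equations directly so that it runs without SPSS or numpy.

```python
"""Regression and correlation on a constructed security-compliance sample.

Added example, not part of the proposal. It assumes four predictors rated on
a 1-5 scale (awareness, approach, policy, management) and one outcome
(compliance). The responses are constructed, and the outcome is an exact
linear function of the predictors so that the recovered coefficients can be
checked against the weights used to build it.
"""
from math import sqrt
from statistics import mean

PREDICTORS = ("awareness", "approach", "policy", "management")

# Constructed responses: one tuple per respondent, ordered as PREDICTORS.
SAMPLE = [
    (5, 4, 5, 4), (3, 2, 4, 3), (2, 3, 1, 2), (4, 4, 3, 5), (1, 2, 2, 1),
    (5, 5, 4, 3), (3, 4, 2, 4), (2, 1, 3, 5), (4, 2, 5, 2), (3, 3, 3, 3),
]
# Hypothetical weights used only to construct the outcome column:
# intercept first, then one weight per predictor.
TRUE_WEIGHTS = (0.5, 0.4, 0.1, 0.3, 0.2)


def compliance_score(row):
    """Outcome for one respondent, built from TRUE_WEIGHTS (constructed)."""
    return TRUE_WEIGHTS[0] + sum(w * x for w, x in zip(TRUE_WEIGHTS[1:], row))


OUTCOME = [compliance_score(r) for r in SAMPLE]


def solve_linear(a, b):
    """Solve a.x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [list(map(float, row)) + [float(bi)] for row, bi in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("singular design matrix: predictors are collinear")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_ols(rows, y):
    """Multiple linear regression via the normal equations (X'X)b = X'y.

    Returns [intercept, b_awareness, b_approach, b_policy, b_management].
    """
    x = [[1.0, *map(float, r)] for r in rows]
    k = len(x[0])
    xtx = [[sum(xi[p] * xi[q] for xi in x) for q in range(k)] for p in range(k)]
    xty = [sum(xi[p] * yi for xi, yi in zip(x, y)) for p in range(k)]
    return solve_linear(xtx, xty)


def predict(beta, row):
    """Fitted compliance score for one respondent."""
    return beta[0] + sum(b * v for b, v in zip(beta[1:], row))


def r_squared(rows, y, beta):
    """Share of outcome variance explained by the fitted model."""
    my = mean(y)
    ss_res = sum((yi - predict(beta, r)) ** 2 for r, yi in zip(rows, y))
    ss_tot = sum((yi - my) ** 2 for yi in y)
    return 1.0 - ss_res / ss_tot


def pearson(x, y):
    """Pearson correlation coefficient between two equal-length sequences."""
    mx, my = mean(x), mean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / sqrt(sxx * syy)


def analyse(rows, y):
    """Descriptive statistics, correlations and regression in one report."""
    beta = fit_ols(rows, y)
    columns = list(zip(*rows))
    return {
        "means": {n: mean(c) for n, c in zip(PREDICTORS, columns)},
        "correlation_with_outcome": {
            n: pearson(c, y) for n, c in zip(PREDICTORS, columns)
        },
        "coefficients": dict(zip(("intercept", *PREDICTORS), beta)),
        "r_squared": r_squared(rows, y, beta),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE, OUTCOME).items():
        print(key, value)
```

Because the constructed outcome is an exact linear function of the predictors, the fit recovers the construction weights and R² is 1; on real questionnaire data R² will be below 1, and the `ValueError` raised for collinear predictors is the case to watch when several questionnaire items measure the same thing.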
Ethical Issues
This research undoubtedly requires fulfilment of ethical standards to the
highest level, as it will probe and investigate the security compliance of
universities on the basis of their security approach, security awareness,
top management involvement and the security policies for information
security management provided by the government. This research will not
disclose any information that would make it possible to identify the
universities in which the study is conducted or the names of the
participants interviewed. Any other sensitive information relating to them
will also not be made public.
Timeline
| Task | Start Date (Day/Month/Year) | Duration |
| Commencement of Project (Introduction) | 01 October 2016 | 10 Days |
| Literature Research & Review | 12 October 2016 | 10 Days |
| Collection of Relevant Data | 22 October 2016 | Three Weeks (21 Days) |
| Analysis | 11 November 2016 | Two Weeks (14 Days) |
| Writing/Drafting and Editing | 25 November 2016 | Three Weeks (21 Days) |
| Conclusion/Revision, Discussion with Managers | 15 December 2016 | 10 Days |
| Submission of Project | 25 December 2016 | - |
Conclusion
The aim of this research is to analyze the current information security
management status of selected private universities of Pakistan and to
suggest ways for improvement. This proposal has given a brief overview of
the objectives of the study and has proposed, on the basis of the previous
literature on the topic, a methodology to carry it out. The investigation
will keep us abreast of the level of compliance with information security
in universities of Pakistan. Its results will be very useful to every
university of Pakistan, whether private or public, for evaluating their
security management techniques and for guidance on further improvement.
Thus the current study will be very beneficial in capturing the importance
of a neglected area of research in Pakistan.
Reference List
Anderson, P.W. (2001). Information security governance. Information Security
Technical Report, vol. 6, no. 3, pp. 60-70.
Bojanc, R. & Borka, J. (2013). A Quantitative Model for Information-Security
Risk Management. Rolla: American Society for Engineering Management.
Bryman, A. & Bell, E. (2007). Business Research Methods. Oxford: Oxford
University Press.
Gordon, A.L. & Loeb, P.M. (2006). Managing Cybersecurity Resources: A
Cost-Benefit Analysis. McGraw-Hill.
Kankanhalli, A., Teo, H., Tan, B. & Wei, K. (2003). An integrative study of
information systems security effectiveness. International Journal of
Information Management, vol. 23, pp. 139-154.
Lane, T. & May, L. (2004). Information security management in Australian
universities. 5th Asia Pacific Industrial Engineering and Management
Systems Conference, p. 36.
Lane, T. (2007). Information Security Management in Australian Universities:
An Exploratory Analysis. Master's thesis.
Martijn L.P. Groenleer (2009). Decision-making, MoT1450. Faculty of
Technology, Policy and Management, Delft University of Technology.
Martins, A. & Eloff, J. (2001). Paper presented at the 1st Workshop on
Information Security Systems Rating and Ranking.
Mason, J. (2002). Qualitative Researching. London: Sage Publications.
May, C. (2003). Dynamic corporate culture lies at the heart of effective
security strategy. Computer Fraud and Security, issue 5, pp. 10-13.
O’Leary, Z. (2004). The Essential Guide to Doing Research. London: Sage
Publications.
Ritchie, J. & Lewis, J. (2003). Qualitative Research Practices. London: Sage
Publications.
Tipton, H. & Krause, M. (2009). Information Security Management Handbook.
Broken Sound Parkway: Auerbach Publications.
Veiga, A. & Eloff, J. (2007). An Information Security Governance Framework.
Bristol: Taylor & Francis, Inc.
Von Solms, B. (2000). Information security: the third wave. Computers and
Security, vol. 19, no. 7, pp. 615-620.
Whitson, G. (2003). Computer security: theory, process and management. The
Journal of Computing, vol. 18, no. 6, pp. 57-66.