Proceedings of the 40th Hawaii International Conference on System Sciences - 2007

An Action Research Program to Improve Information Systems Security Compliance across Government Agencies

Stephen Smith, Rodger Jamieson, Donald Winchester
School of Information Systems, University of NSW, Australia
E-mail: [email protected], [email protected], [email protected]

Abstract

Information Systems Security (ISSec) compliance is an important aspect of implementing e-government. This paper presents results from an action research project using longitudinal surveys as interventions to enhance understanding and improve security across the whole of the NSW government in Australia. The ISO Standard AS/NZS ISO/IEC 17799:2001, Information Technology — Code of practice for information security management, was used as a framework for developing the survey research instrument. The major findings are that this action research program led to an improvement in ISSec compliance by agencies; increased understanding and knowledge as agencies became more aware of ISSec issues; improved agencies' ISSec policies and plans; and improved business continuity plans. This research is innovative as it is the first time that ISSec has been explored using an action research framework across the whole of government.

1. Introduction

Governments and business have both realized the importance of Information Systems (IS) to conduct business and public administration. This has involved the development of IS to support the initiatives of government and business [9] and the development of e-Commerce/e-Government systems. Governments collect and use vast amounts of personal information to deliver services to people and serve the community. The protection of this information is critical in developing trust in the security of the information held. This is a key concern within the e-government domain. The security of these systems and the protection of the information they contain [20, 21] is crucial to maintaining community confidence in government. The administration, business and legal processes associated with electronic information security are seen to have not been fully developed for government [35]. Consequently, many governments are endeavoring to develop policies and procedures to improve security [15]. From the public's perspective, government is seen as one entity; hence a security problem within one agency is reflected across the whole-of-government process. In a domain where the maintenance of public confidence is seen as paramount, the process of improving security across government information systems is viewed as essential and as an ever-increasing problem. The determination of the status of an information systems security effort within an organization is also of key concern ("The NSW Government has a duty to safeguard its large information holdings" [16]), not only in terms of how well protected the organization is against the threats it seeks to protect itself from, but also in terms of the extent to which the overall effort meets, or will meet, managerial and other performance targets and criteria. A key criterion in this regard is compliance with the relevant standard, which "is highly regarded as the most-recognized standard for managing information security" [18], being Information Security Standard AS/NZS 7799.2:2003 (see footnote 1) within the Australian context. Determining whether an organization is, or is on target to be, compliant with this standard has proven difficult for those tasked with managing the organization's security effort. "Electronic Government refers to public sector use of the Internet and other digital services ...." [42]. However, achieving e-government systems is not straightforward [22], as many governments have been trying to develop these systems since the late 1990s and have still not achieved e-Government. Many issues, with security being a major issue, have blocked their path. Nearly all governments recognize the importance of security, but our survey results reveal that very few agencies have yet achieved compliance with the Australian Standard on security, which was first released in 2000. A 2004 e-government report [1] indicated that security is fourth in a list of 'barriers to more frequent eGovernment use'. In line with the importance of security within eGovernment, the 'State of the Art' position for governments is accreditation to AS/NZS 7799.2:2003. This paper discusses the analysis of an IT Security Survey which is part of a major research program to raise agencies' IT security readiness. A key concern of this study is not only improving overall IT security but also understanding how the improvement is achieved in practice. This paper explains the research methods used, identifies the trends detected and subsequently attempts to explain them. It also examines the implications of conducting research, including the difference between survey data and real life. While there are many studies that discuss the perceptions of Business-to-Business (B2B) security in the private sector [33, 34], for the government sector (especially the NSW government) there are no similar measures of the perceptions of e-Government security. This research uses an action research program to improve security across all agencies within the NSW government of Australia. Specifically, the study aims to determine the level of security across government by benchmarking agencies' progress towards accreditation across the whole of NSW Government.

Footnote 1: AS/NZS 7799.2:2003 - Information Security Management - Part 2: Specification for Information Security Management Systems, Standards Australia.

1530-1605/07 $20.00 © 2007 IEEE

2. Prior Literature

A brief overview of three key aspects of this research, namely information systems security, ISO standards and e-Government, is set out in the following sub-sections and related to this research project.

2.1. Information Systems Security

IS Security (ISSec) is the effective implementation of policies to ensure that the confidentiality, availability and integrity of information and assets are protected from theft, tampering, manipulation or corruption, and is defined as: "Information systems security is the protection of information systems against unauthorized access to or modification of information whether in storage, processing, or transit, and against denial of service to authorized users, including those measures necessary to detect, document, and counter such threats" [27]. The attention given to IT security is generally lower compared to other IT issues [7]. In a global information security survey, 59% of the IT Managers stated that they have a formal IT security policy; however, less than 50% have disaster recovery plans [1]. The Computer Emergency Response Team Coordination Centre (CERT/CC) reported that 22% of surveyed organizations had experienced security incidents in 2006, 35% in 2005 and 49% in 2004 [4]. This reflects reluctance on the part of management to fully embrace IT security and prepare a framework with appropriate procedures and guidelines to reduce security breaches [44]. The 2005 Computer Security Institute survey reported losses of $130M (all USD) for 2005, $141M for 2004, $202M for 2003, $455M for 2002, $378M for 2001, $266M for 2000 and $124M in 1999 among the companies participating in the survey. Apart from the obvious financial loss to an organisation, there are other hidden consequences such as public perception, legal liability and service delivery. The vulnerability of an organisation to attack increases with the level of service provided via the Internet [6]. Previous IT security studies have concentrated on systems to detect IT security breaches [37], measures for preventing IS security abuses [38], perceptions of IS security adequacy [17], and IS security-planning models for management decision-making [39]. With the exception of a few interpretive studies [5], these studies tend to neglect organizational factors that may partially explain the extent of IS security abuses. The objective measures reported by these studies may also lack accuracy because people may be reluctant to report such incidents; [17, 32] suggest using a perceptual measure of IS security effectiveness as an alternative to the inaccurate objective counts of IS security abuses. With the exception of the studies cited above, the body of literature on IS security has largely been empirical [3] or theoretical [26, 29]. Few studies have developed theoretical models and tested these models with empirical data.
This research program attempts to address these shortcomings and this paper reports on one aspect of a research program in eGovernment security.

2.2. The ISO Standards

The ISO Standard AS/NZS ISO/IEC 17799:2001 (see footnote 2), Information Technology — Code of practice for information security management, contains ten major sections, which deal with information security issues. The focus of AS/NZS ISO/IEC 17799:2001 is to protect the security of information by providing a set of recommendations (in effect controls and best practices) for situations that are applicable for E-commerce and also for E-government.

Footnote 2: AS/NZS ISO/IEC 17799:2001: Information technology - Code of practice for information security management, Standards Australia (2001).

2.3. NSW Government: Implementing the ISO Standard

From a global perspective, all NSW Government priorities are generally to fulfill the following objectives:

Improving service delivery - to tangibly improve service delivery and satisfy the highest service priorities of people, businesses, communities and employees by redirecting resources to priority services [14].

Getting value for money from the public purse - Government expects agencies to operate within their budgets, rigorously pursue efficiencies, streamline regulatory systems and cut "red tape".

Aligning supporting government agendas - Government wants to ensure that public sector planning, investment and management strategies align with its goals and that agencies work together to achieve the Government's priorities [28].

As the agencies are required to achieve compliance with the ISO standard, the survey questions were grouped around the nine Information Security sections and the one Business Continuity Management section (which incorporates Business Continuity Planning (BCP)) of the standard. [It should be noted that Business Continuity Management (BCM) incorporates Business Continuity Planning, and BCP in an information technology environment is also often referred to as Disaster Recovery Planning (DRP).]

3. Research Methods

This study uses the current standard for Information System Management (Information technology—Code of practice for information security management, AS/NZS ISO/IEC 17799:2001) as the means of structuring the security survey for this research. Part of this research program is a longitudinal research study using action research, with surveys on e-Government security used as interventions. The following subsections explain briefly both action research and the survey methodology. As this research is an exploratory study, it seeks only to describe the level of security of an Agency's information system. The results are intended to serve as a possible foundation for further research, which may then seek to determine other factors affecting the security or otherwise of this system and to what extent they may be influential. As such, it is argued that it is inappropriate for this study to propose or test any hypotheses, opting instead to be constrained by, and focused around, a single clearly stated research question – namely "What is the current status of IS Security within government agencies?".

3.1. Survey Methods and an Overview of the Research Program

This study collected data from NSW Government agencies. The main phase of the data collection is the security survey, which involved surveys of 120+ agencies over seven survey cycles over the three years from November 2001 to December 2004. A summary of the survey timeline and the areas covered in the survey is shown in Figure 1; the questions for the survey were derived from the ISO standard. In April 2003 representatives from nine agencies participated in a round-table forum to determine the key drivers and inhibitors for IS Security and Business Continuity Planning. Results from this part of the research program were reported in [36]. In November 2002, the first series of focus groups was held. The focus groups met regularly, every 3 months, and were open to all staff within NSW Government. Although no direct data was collected from the group, major issues which emerged from the focus group were documented and resolved. The main purpose was to provide an arena for discussion and to present case studies so that the process of developing better security for agencies would be improved. These forums also provided feedback from this research to participants.

[Figure 1 (timeline): surveys 1 to 7, dated Nov 01, Jan 02, Apr 02, Aug 02, Nov 02, Nov 03 and Nov 04, showing which of the survey question sets S1, S2 and S3 each survey covered]

Figure 1: Survey Questions Coverage

In October 2003, one-on-one agency interviews commenced. These interviews provided a rich picture of the key issues and drivers within an agency. The interviews were first conducted with a small number of agencies to confirm the form and value of the questions. The study was then extended to cover 25 agencies; 15 of these risked not achieving accreditation by December 2004 and 10 agencies were reaching the milestones of the project timelines. The selection of the agencies was extracted from Fuzzy Logic analysis of the results from the November 2004 Security Survey. A software application was developed using Fuzzy Logic, and a model was developed which was capable of estimating the compliance level of Government agencies engaged in e-Commerce/e-Business activities, based on the electronic survey data submitted. The fuzzy logic model developed was then successful in estimating agencies' compliance levels against the ISO standard. The final activity theory, fuzzy-logic-based solution was developed into a prototype web application and was subsequently validated by an independent NSW audit report of the accreditation process at the end of 2004.

3.2. Action Research

Action Research is concerned with diagnosing "a problem in a specific context and attempting to solve it in that context" [8]. Action Research can also be described as a "cyclic or spiral process, which alternate between action and critical reflection" [11]. The methods used in Action Research can involve direct intervention by taking an active role in the project. This intervention is not a direct influence on the process but a co-operative approach to a common task or problem. The flexible nature of action research is achieved by its cyclic process, which allows iterations of the process to develop better outcomes or a better understanding of them. The cyclic nature of action research produces two outcomes: action – provides a change; and research – provides understanding [12]. Many authors agree that the 'action' component provides change and that 'research' provides the understanding, and that this is associated with the practitioners of action research rather than with researchers [2, 12, 41]. Action Research is used to develop responses within complex situations that are unable to be explained by a conventional research philosophy. The action research methodology is a cyclic approach to "self-reflective inquiry" (p4) [24] by participants to improve their own practice and understanding of the situation [23]. The description of action research in [43] is similar; in his words, "Action Research ... refers to ways of investigating professional experience which link practice and the analysis of practice into a single productive and continuously developing sequence ..." (p14). Action research as a research method assists in answering research questions and generating theories, but it also helps potential research participants to improve aspects of their work that are of relevance to them. Action research is a well-used and well-understood methodology within health care [19]. This meant it was acceptable and easy to explain to participants in this research. Action Research was also described by [31] as "participative, grounded in experience, and action orientated"; thus action research focuses on improving practice, in this case IS Security. The application of IS security knowledge was seen as essential to the design of the survey and the data collection process. Many different types of action research spirals are available to action researchers [12, 13, 25, 30, 32, 40, 41]. For this study the following action research spiral was adopted:

Survey Cycle: Plan > Survey > Analyze > Evaluate, which is shown diagrammatically below in Figure 2.

[Figure 2: three survey cycles, each drawn as a Plan > Survey > Analyse > Evaluate spiral feeding into the next]

Figure 2: Action Research Interacting Spiral

Also, Davison [10] discussed the prominence of Canonical Action Research (CAR) and proposed five principles for CAR:

1. the Principle of Researcher-Client Agreement (RCA) – details the understanding of CAR by the client and its benefits and drawbacks for the organization.

2. the Principle of Cyclic Process Model (CPM), which describes seven criteria (see Figure 3) to be followed to ensure that a CAR project maintains rigor.

[Figure 3: CAR process model stages – Entrance, Diagnosis, Action Planning, Intervention (Action taking), Evaluation (Assessment), Reflection (Learning) and Exit, all within the Researcher-Client Agreement]

Figure 3: CAR process model (Davison, p72)

3. the Principle of Theory – insists that a theoretical framework must be applied to the phenomena under investigation.

4. the Principle of Change through Action – seeks to develop action and change by using an intervention to generate the change.

5. the Principle of Learning through Reflection – describes the learning outcome of this process. The learning should be developed from knowledge gained during the research process.

The actions which are being fostered are directly related to the security level of an organization. The principal issue about the survey methodology is the extent to which participants' actions are influenced by the ability to review their responses against the entire pool of responses, and make changes in the following survey [13]. Between the 3rd (April 2002) and 4th (July 2002) surveys, participants were able to compare their responses to survey questions against the average responses across all participants from the results of the 2nd (January 2002) survey (see footnote 3). This was based on the premise that the participant had responded to the question initially. If the question was not answered, the average response was withheld.

3.3. The Survey Instrument

The research instrument (the survey) was divided into the 10 categories listed in Table 1, which are the subheadings of the Australian Standard for Information Security and form the basis of the sub-questions of research question 4. These are the critical issues (based on the standard) in the protection of information and systems for an organisation. The longitudinal survey was based on these issues. The reports gave the state of play for agencies across government over the three years from 2001 to 2004. To achieve a recognized benchmark, the survey was based on elements of AS/NZS 17799:2001. Table 1 shows the layout of the survey, which was divided into 3 parts (Surveys 1-3) and then run over 7 survey cycles. The areas from the Standard covered in the survey questions are also shown. Figure 1 provides an alternative way of looking at this arrangement.

3.4. Data Collection

The data for the study was collected via a web-based survey instrument, and the data from all participants was used in the data analysis. The number of participants ranged from 88 in November 2001 to a maximum of 151 in November 2004. The gathered information included numeric, textual and descriptive data. A data reduction technique was used for some of the quantitative data because the questions were coded into several categories.

Footnote 3: The average results were only given for the second previous survey, to compare with the agency's previous survey, to avoid the chance of participants distorting their response towards the average survey response. Thus only questions in the first round of questions were compared.

Key ISO 17799 Control Categories for Information Security

(Columns S1, S2, S3 of the source table mark the survey part in which each category was covered; the tick marks did not survive text extraction.)

1. Security Policies
2. Security Organisation
3. Asset Classification & Control
4. Personnel Security
5. Physical / Environmental Security
6. Computer & Network Mgt.
7. Systems Development and Maintenance
8. System Access Control
9. Business Continuity Planning
10. IS Policy Compliance

Table 1 – Key security issues and survey distribution of questions

4. Research Results and Discussion

Research results and discussion will be presented by matching the process and results against the Davison (CAR) framework. First the process will be discussed and then the results.

4.1. Process

The principles described by Davison are intended to be measurable and are discussed below:

Principle 1 was well established because the imprimatur for this project was given by the Head of State, thus demonstrating to senior management the commitment to the project by government.

Principle 2 defines the seven cycles of the longitudinal survey. Entrance – all agencies entered the CPM at the same time and there was no deviation from the process. Diagnosis – some independent analysis of an agency's security compliance was conducted and reported by another independent survey, together with additional organizational information gained from many independent sources, e.g. government reports, annual reports etc. Also, diagnosis against the Security Standard (7799) provided an independent approach to agencies' security compliance. Action Planning – additional survey questions were added to three of the survey cycles. These questions focused on the level of understanding and security compliance across government agencies. Interventions – there were several interventions in the process: one-on-one interviews with managers; the production and distribution of a video; government-wide three-monthly forums, which were established and focused on case studies of agency security progress; and finally focus groups, which were conducted to identify key IS security issues. Evaluation – details the analysis and evaluation of the survey results from each agency, which is described later in this paper. Reflection – and learning was investigated by interviews with the IS Security managers of agencies to determine their level of learning or gain in knowledge about IS Security.

Principle 3 used Activity Theory as the theoretical framework. Activity Theory allows the actions of the IS security managers to be translated into an outcome (activity). Increasing the number of questions in each cycle increased the knowledge of the IS security managers. However, an increase in learning or knowledge does not directly translate into an activity.

Principle 4 was given meaning by the analysis of the survey results, which gave a measure of the level of IS security in each agency. This was monitored centrally and followed up with one-on-one interviews with IS Security managers to determine why change had occurred in some cases and not others.

Principle 5 was achieved by conducting post-survey interviews with IS Security Managers, with questions about what they had learnt and how effective the survey process was. Also, the results of the forum to determine drivers and inhibitors for IS Security were distributed to managers who requested a copy.

4.2. Results

The following results sub-sections relate to the "Evaluation (Assessment)" box of Davison's Cyclical Process Model. First, the data was prepared and transformed into stratified groups and clusters of data. The second step was to develop qualitative analysis and descriptive statistics to describe the basic features of the data in the study. The following series of graphs and tables provides simple descriptive statistics and graphs about the major survey categories. This forms the basis of the quantitative analysis of the data. Due to space restrictions only a few categories will be discussed.

Category 1 - IS Security Policies

The objective of this category of the standard was to give management clear direction in establishing an information security policy framework. The development of the security policy is a clear message by management about their involvement with security. Comments from the interview participants emphasize these issues. The important elements of the comments raised in the forum on the need for Senior Management Support in the development of a security policy include: "... the reason management support is lacking in many projects (security policy development) is the poor explanation of the issues and benefits middle management provide to senior management ..." (follow up interview).

Security Policy (number of agencies without / with a security policy, and % with)

Survey    Combined            Small               Medium              Large
Date      No   Yes  % Yes     No   Yes  % Yes     No   Yes  % Yes     No   Yes  % Yes
Nov_01    39   41   51        29   28   49        5    6    55        5    7    58
Jan_02    46   50   52        33   32   49        5    6    55        8    12   60
Apr_02    49   57   54        37   34   48        5    10   67        7    13   65
Aug_02    50   58   54        39   33   48        5    12   71        6    13   68
Nov_02    55   58   51        40   34   46        8    9    53        7    15   68
Nov_03    50   67   57        36   42   54        9    9    50        5    16   76
Nov_04    48   61   56        34   44   56        9    10   53        4    7    58

Note: a change of government after the 2003 election caused an agency re-shuffle (between the Nov_03 and Nov_04 surveys).

Table 2 – Agencies with or without a Security Policy

Table 2 demonstrates that the number of agencies with a security policy increased over the period from November 2001 to November 2003 for the small (26% - 31%), medium (27% - 37%), large (67% - 71%) and combined (32% - 39%) groupings. November 2004 results reflected the changes in government resulting from an agency re-shuffle. A recorded decrease in large agency responses could be the result of new managers not being fully aware of their responsibilities in terms of the IS security project. Overall there is an increasing trend in the number of agencies with a security policy and a decrease in the number of agencies without one. Part of this improvement may be attributable to the action research methodology. However, there is still room for improvement, with 61% of agencies still having no security policy.

Category 2 – Security Organization

The objective of this category of the standard is to manage information security within the organization. A management framework should be established to initiate and control the implementation of information security within the organization. This structure needs to be able to approve the information security policy, assign security roles and co-ordinate the implementation of security across the organization. This section further supports the previous issue of developing a security policy by creating a position within the management framework of the organization. The role of the IS security manager was defined with responsibility for coordinating the implementation of IS security. The increase in the number of IS security managers demonstrates a commitment to security within the agencies, indicating that management is starting to become serious about the IS security problem. One respondent mentioned that "..... money / resources will be required (for a security manager) ..." (follow up interview - participant 3). The survey results showed that the number of agencies with an IS Security Manager increased over the period from November 2001 to November 2004: the number of agencies with a nominated IS security manager rose from 37/80 (46%) in November 2001 to 89/112 (80%) in November 2004. An analysis of the resources committed to IS security within agencies shows that resources have risen from an average of $54K in 2001 to an average of $92K in late 2004 – an increase of 70% in the budget allocated to IS Security.

Category 6 - Communications & Network Management

The objective of this category of the standard is to ensure the correct and secure operation of information processing facilities. Responsibilities and procedures for the management and operation of all information processing facilities should be established. This includes the development of appropriate operating instructions and incident response procedures. These factors were measured by counting the number of incidents over the previous 12 months and the frequency of software virus updates. This section seeks to identify the number of threats being acknowledged by agencies.
Table 3 shows the change in the number of incidents over the 3 years of the survey and includes agencies with no incidents and those with 'no comment'. "... lack of monitoring security logs of incidents of unusual events ..." (forum - participant 4). The number of agencies selecting automatic/daily updates for their virus updates has increased. The results shown in Table 3 indicate that the majority of agencies who detect incidents had fewer than 6 per year during 2004. However, the significant number of 'None detected' and 'not mentioned' responses may represent serious threats to agencies which they have failed to detect due to inadequate monitoring of communications networks. The results also indicate that the majority of agencies performed virus updates monthly or more frequently in 2004. The breakdown into small, medium and large agencies indicates that small and large agencies implement virus updates weekly or more frequently.

Number of Incidents

Survey    0-1   2-5   6-9   10-19   20+   None detected   Not mentioned
Nov-01    14    13    1     0       3     45              2
Jan-02    16    18    1     0       3     51              5
Apr-02    19    19    2     1       2     54              7
Aug-02    20    19    2     1       2     54              8
Nov-02    21    21    3     1       2     56              7
Nov-03    22    26    4     2       2     55              7
Nov-04    17    28    3     2       2     59              8

Table 3 – Agencies with incidents

Category 7 - System Access Control

The objective of this category is to control access to information via passwords and other security policies and processes. Access to information and business processes should be controlled because of business and security requirements. This should take account of policies for information dissemination and authorization.

Summary Statistics

Survey    System Access Control                          Mean   Std Dev.
Nov-04    Capability to prevent unauthorised IS access   4.98   0.95
Nov-04    Privilege Management                           4.77   1.07
Nov-04    Password Management                            4.51   1.10
Nov-04    Monitoring System Access                       4.34   1.20

Table 4 – Rating of Access Controls This section seeks to identify the level at which access control is rated within government agencies. Table 4 shows (Likert scale) ratings of in-house controls to prevent authorized access to systems, from the November survey 2004 only for the following items: o capability to prevent unauthorized is access; o privilege management; o password management; and o monitoring system access. “ ... IS security is a necessary evil which hindered productivity … ” (Participant 1). ‘Access control’ covers many security measures and is probably the single most important security measure. Passwords are the usual method of providing access control and are its weakest link. This is because passwords are not guaranteed to be under the sole control of their owner. This undermines


accountability by enabling people to repudiate their actions. New authentication techniques are becoming available to deal with this problem. The results shown in Table 4 indicate that the majority of agencies have effective system access controls, with means for the four controls of around 4.6. All agencies also reported having some form of control, even if some participants believe that users view security as a necessary evil.

Category 9 - Business Continuity Planning

The objective of this category of the standard is to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters. A business continuity management process should be implemented to reduce the disruption caused by disasters and security failures (which may result from, for example, natural disasters, accidents, equipment failures and deliberate actions) to an acceptable level through a combination of preventative and recovery controls.

"BCP aimed at IT level - need to aim at executive level" (one-on-one interview No. 7)

The results for BCP effectiveness (Table 5) range from 3 to an adequate level for these three items, with a mean at the adequate level. However, almost half of the agencies rate completeness, effectiveness and risk assessment below an adequate level. The number of agencies whose plan is 'under development', or 'never tested', or tested only every '3-5 years', indicates a poor level of compliance with the standard.

Table 5 – BCP Effectiveness (2004)

Rating scale: 1 = None, 4 = Adequate, 7 = Excellent

BCP effectiveness item                                   1    2    3    4    5    6    7
Completeness of your agency's BCP                        4   18   29   28   16    8    2
Level of risk assessment used in developing the BCP      6   19   16   30   18   13    2
Effectiveness of the plans                               5   14   21   35   18    9    2

Frequency of BCP testing ("How often/regularly do you test your BCP plans?"): response categories were under development, never, monthly, yearly, 1-2 years, 3-5 years and > 5 years; the counts as extracted from the page, in order, are 6 5 9 48 10 17 13 6 0.

Table 5 shows that BCP completeness remained stable over the last two years (the last four survey cycles). In summary, small agencies improved slightly, medium agencies were static, and large agencies decreased slightly. From 2001 to 2004 there was a 13% decrease in agencies that either did not have a plan or were testing inadequately, and a 22.7% increase in

those who had a plan and were adequately testing it. Table 5 shows an adequate level of BCP completeness, risk assessment and effectiveness, which is satisfactory but highlights that further progress needs to be made in this area; it also shows that a significant number of agencies' BCPs were still under development in 2004.

High Level IT Security Management

The objective of this category is to record the overall security ratings for the following security requirements for small, medium and large agencies:
- IT Security Management
- Network Security
- Web Security
- Email Security
- Physical Security

Figure 4: Overall IT Security Management (mean values)

                      Nov-01  Jan-02  Apr-02  Aug-02  Nov-02  Nov-03  Nov-04
Overall                 4.30    4.28    4.32    4.35    4.40    4.44    4.52
Network Security        4.66    4.66    4.64    4.65    4.70    4.78    4.83
Web Security            4.72    4.72    4.74    4.76    4.71    4.75    4.83
Email Security          4.68    4.80    4.74    4.75    4.78    4.91    4.96
Physical Security       4.52    4.51    4.55    4.58    4.68    4.77    4.84

Figure 4 shows that all controls show a small positive improvement over the three years of the survey, ranging from a 2.5% improvement in web security, 4% for network security, about 5% for overall and 6% for email security, to a 7% improvement in physical security. One reason for the small and slow improvement is that it may take 12-18 months to get approval to increase the security budget to employ an IS Security Manager; there may then be a further lag until one is employed and IS security improves.
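The access-control discussion (Category 7) argues that a password not under the sole control of its owner lets the owner repudiate actions, and Table 4 shows that 'monitoring system access' was the lowest-rated of the four access controls. The following is an added example, not the paper's survey instrument or any agency's tooling, of the kind of check that monitoring can provide: it pairs LOGON/LOGOFF records into sessions and flags any account that holds sessions on two different hosts at the same time, which is the observable symptom of a shared or stolen password. The one-line record format and the sample log are constructed assumptions; a real deployment would parse its own audit log format instead.

```python
"""Flag accounts that appear to be used by more than one person at once.

Added example for the Category 7 discussion of passwords and accountability.
The record format and the data below are constructed; this is not the
paper's survey tool and not any agency's code.
"""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Assumed record format: "<ISO timestamp> LOGON|LOGOFF user=<u> host=<h>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>LOGON|LOGOFF)\s+user=(?P<user>\S+)\s+host=(?P<host>\S+)$"
)

# Constructed sample (not real agency data): jsmith's account is active on two
# workstations at once; abrown moves between hosts sequentially; cdavis has a
# stray LOGOFF and two sessions still open when the log ends.
SAMPLE_LOG = """\
2004-11-02T08:01:10 LOGON  user=jsmith host=WS-0412
2004-11-02T08:03:55 LOGON  user=abrown host=WS-0207
2004-11-02T08:15:02 LOGON  user=jsmith host=WS-0988
2004-11-02T09:40:00 LOGOFF user=jsmith host=WS-0412
2004-11-02T09:45:00 LOGOFF user=abrown host=WS-0207
2004-11-02T09:46:30 LOGON  user=abrown host=WS-0350
2004-11-02T12:00:00 LOGOFF user=jsmith host=WS-0988
2004-11-02T12:30:00 LOGOFF user=abrown host=WS-0350
2004-11-02T13:00:00 LOGOFF user=cdavis host=WS-0100
2004-11-02T13:05:00 LOGON  user=cdavis host=WS-0100
2004-11-02T13:10:00 LOGON  user=cdavis host=WS-0101
this line is malformed and is skipped
"""


class Session(NamedTuple):
    user: str
    host: str
    start: datetime
    end: Optional[datetime]  # None: still open when the log ends


class Finding(NamedTuple):
    user: str
    host_a: str
    host_b: str
    overlap_start: datetime
    overlap_end: Optional[datetime]  # None: both sessions still open


def parse_sessions(log_text: str) -> List[Session]:
    """Pair LOGON/LOGOFF records per (user, host) into sessions.

    Malformed lines and LOGOFFs with no matching LOGON are skipped; a second
    LOGON on the same host closes the earlier session at that instant.
    """
    open_sessions: Dict[Tuple[str, str], datetime] = {}
    sessions: List[Session] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["host"])
        if m["event"] == "LOGON":
            if key in open_sessions:
                sessions.append(Session(*key, open_sessions[key], ts))
            open_sessions[key] = ts
        elif key in open_sessions:
            sessions.append(Session(*key, open_sessions.pop(key), ts))
    for key, start in open_sessions.items():
        sessions.append(Session(*key, start, None))
    return sessions


def _overlap(a: Session, b: Session) -> Optional[Tuple[datetime, Optional[datetime]]]:
    """Interval during which both sessions were active, or None if disjoint."""
    start = max(a.start, b.start)
    ends = [e for e in (a.end, b.end) if e is not None]
    end = min(ends) if ends else None
    return (start, end) if end is None or start < end else None


def find_shared_use(log_text: str) -> List[Finding]:
    """Report every pair of concurrent sessions for one account on different hosts.

    Each finding is a candidate shared or stolen password: the account owner can
    plausibly repudiate whichever session they did not open.
    """
    by_user: Dict[str, List[Session]] = {}
    for s in parse_sessions(log_text):
        by_user.setdefault(s.user, []).append(s)
    findings: List[Finding] = []
    for user, sessions in by_user.items():
        sessions.sort(key=lambda s: s.start)
        for i, a in enumerate(sessions):
            for b in sessions[i + 1:]:
                if a.host == b.host:
                    continue  # re-logon on the same workstation is not sharing
                ov = _overlap(a, b)
                if ov is not None:
                    findings.append(Finding(user, a.host, b.host, ov[0], ov[1]))
    return findings


if __name__ == "__main__":
    for f in find_shared_use(SAMPLE_LOG):
        until = f.overlap_end.isoformat() if f.overlap_end else "still open"
        print(f"{f.user}: concurrent on {f.host_a} and {f.host_b} "
              f"from {f.overlap_start.isoformat()} until {until}")
```

Run against the sample, the check flags jsmith (two workstations active between 08:15 and 09:40) and cdavis (two sessions still open), and leaves abrown alone because that account's sessions never overlap. Sequential use from different hosts is deliberately not flagged; without a second factor it is indistinguishable from a user moving desks, which is why the paper's point stands that a password alone cannot bind actions to a person and stronger authentication is needed for non-repudiation.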

5. Summary

Control and status:

1. Security Policies and plans: 71 agencies have policies and plans versus 42 that have not.
2. Position of IS Sec Manager occupied: 90% of agencies comply (not discussed in this paper).
3. Asset Classification & Control: the majority (90%) of agencies rate their level of asset classification and control as adequate or higher.
4. Personnel Security: not surveyed.
5. Physical / Environmental Security: most agencies rate their physical security as adequate or higher.
6. Computer & Network Mgt.: the majority of agencies use automatic virus updates. The number of hacker attacks is low, although increasing slightly each year. The number of attacks detected is disturbing.
7. System Access Control: most agencies (>90%) rate the effectiveness of their system access controls as adequate or higher.
8. Systems Development & Maintenance: those agencies that identify a need to develop cryptographic controls need to develop policies and management systems to support them.
9. Business Continuity Planning: half the agencies do not have adequate BCP plans and many have not been properly tested.
10. IS Policy Compliance: at the end of 2004 only 4 agencies had achieved certification to the AS/NZS 17799.1:2001 standard. Three more have since become certified and it is expected that several more will follow by the end of 2005. Note that a new deadline of December 2006 has been set.

6. Conclusion

The critical success factors (CSFs) for the security standard highlight a set of measures which support the controls of Part 1 of the security standard. The CSFs define the factors that this research has shown would assist agencies to achieve certification. Part of the improvement observed may also be attributable to the action research methodology.

From a government agency perspective, the most important factor, which was mentioned at almost every government agency interview and frequently in the forum and focus group, was 'senior management support'. Other issues include the development of security policies and plans, and informed staff who understand the security requirements, risk assessment and management of their government agency.

From a whole of government perspective there were four main factors influencing the drive to improve security. The first was the Premier's Circular PC2001-46, which established a government-wide consistent approach to IS security management. The second was the use of OICT staff to market the strategy effectively to agencies and staff, combined with providing guidance on information security policies. Thirdly, appropriate training and education was given via the video and group forums to provide an environment in which government agency staff could be informed and raise concerns. Finally, the development of a 'system of measurement' to evaluate the performance of security was essentially this research: the on-line security survey, in conjunction with the fuzzy logic analysis, gave a measure of the performance of information security management within agencies.

The conclusion from the current survey and government agency contacts is that only four agencies achieved the goal of AS/NZS 17799.1:2001 compliance within the original target date of December 2004, and seven by December 2005. While progress is being made, moving whole of government to IS security compliance status is a long and slow process.
