Corporate information security management

Abstract

To ensure business continuity the security of corporate information is extremely important. Previous studies have shown that corporate information is vulnerable to security attacks. Companies are losing money through security breaches. This paper describes an MSc project that aimed to investigate the issues surrounding corporate information security management. Postal questionnaires and telephone interviews were used. Findings indicate that companies are not proactively tackling information security management and thus are not prepared for security incidents when they occur. Reasons for this lack of action include: awareness of information security threats is restricted; management and awareness of information security is concentrated around the IT department; electronic information is viewed as an intangible business asset; potential security risks of Internet access have not been fully assessed; and surveyed companies have not yet encountered security problems, and therefore are unprepared to invest in security measures. The recommendations include that companies: carry out a formal risk analysis; move information security management from being an IT‐centric function; and alter perceptions towards electronic information so that information is viewed as a valuable corporate asset.