An analysis of the traditional IS security approaches: implications for research and practice
Mikko T. Siponen, Department of Information Processing Science, University of Oulu, Linnanmaa, P.O. BOX 3000, Oulun yliopisto FIN-90014, Finland

Correspondence: Mikko T. Siponen, University of Oulu, Department of Information Processing Science, Linnanmaa, P.O. BOX 3000, FIN-90014 Oulun yliopisto, Finland. Tel: +358 8 553 1984; Fax: +358 8 553 1890; E-mail: [email protected]
Abstract

Scholars have developed several modern information systems security (ISS) methods. Yet the traditional ISS methods – ISS checklists, ISS standards, ISS maturity criteria, risk management (RM) and formal methods (FM) – are still among the most widely used ISS methods. This study makes sense of these traditional ISS methods by comparing their underlying key assumptions. The main finding is that the traditional ISS methods share several features and assumptions that the developers and practitioners of these methods need to address.

European Journal of Information Systems (2005) 14, 303–315. doi:10.1057/palgrave.ejis.3000537

Keywords: information security management; secure systems design
Received: 23 October 2001; Revised: 1 August 2002; 2nd Revision: 16 February 2005; Accepted: 15 July 2005

Introduction
The expanding use of IS has increased the importance of information systems security (ISS). It is reported that 75% of surveyed organizations have confronted different security attacks (Bagchi & Udo, 2003, p. 684). In order to ensure that organizations’ assets are protected against such threats, several ISS methods have been put forward. While scholars have classified ISS methods into three (Baskerville, 1988, 1993) or five generations (Siponen, 2005), there is relatively little evidence on the use of the later-generation methods in practice. In contrast, the early-generation ISS methods (the first and second generation in the terminology of Baskerville, 1993 and Siponen, 2005), namely ISS checklists, ISS standards, maturity criteria, risk management (RM), and formal methods (FM), are reported to be the most commonly used ISS methods. Furthermore, these early-generation ISS methods have enjoyed a great deal of research and development effort. For these reasons, it is necessary to take a critical look at the underlying assumptions and features of these early-generation ISS methods, here called traditional ISS methods.

This paper analyses traditional (early-generation) ISS methods: ISS checklists (e.g., Kraus, 1972; AFIPS, 1979; Wood et al., 1987), ISS standards (e.g., BS7799, 1993; Sanders et al., 1996; GASSP, 1999; Janczewski, 2000) and maturity criteria (e.g., Murine & Carpenter, 1984; Ferraiolo & Sachs, 1996; Hefner, 1997; SSE-CMM, 1998a, b), RM (e.g., Guarro, 1987; Halliday et al., 1996), and FM (Anderson, 1993; Barnes, 1998). A critical analysis of these traditional ISS methods is valuable for researchers and practitioners alike. While these methods are widely used in practice, they have been developed in isolation from one another. Not surprisingl