The research described in this paper led us to the conclusion that there is a large gap between how respondents from banking and insurance companies and auditing managers perceive information security issues. In general, banking and insurance managers graded every information security issue in their own companies higher than auditing managers did. The two populations of respondents have different motivations regarding information security. On the one hand, managers of banking and insurance companies do not appreciate security strategy issues and are always trying to spend less on them. On the other hand, information security auditing managers have a commercial motivation and try to earn more by estimating information security as worse than it really is. The real state of information security should lie somewhere between the grades given by these two populations of respondents.
The rankings of the significance of the information security variables given by the two groups of respondents are rather highly correlated. Although the groups disagree about the real state of information security, they mostly agree on the significance of particular security procedures. This should be a good starting point for bringing managers together when it comes to implementing information security procedures.
Comparative analyses of the perception of information security barriers by both populations of respondents are illustrated in Figure 3. From Figure 3 it is noticeable that the highest graded barrier among banking and insurance managers was Price of standardisation of information security (1.47), while their lowest grade went to the factor Insufficient expertise of company managers in organisational issues (5.26). The highest graded barrier for auditing managers was Insufficient knowledge of company managers about information security importance (1.00), and the lowest graded was Insufficient number of auditors (6.00). The biggest gap in the perception of information security barriers was for Insufficient number of auditors (3.24), while the smallest gap was for Insufficient expertise of IT employees in companies (0.60).
There is a significant gap between the two groups of respondents in the perception of information security barriers. Managers in companies gave significantly higher importance to Price of standardisation of information security and Insufficient number of auditors than auditors did. At the same time, auditors gave higher importance to Insufficient knowledge of company managers about information security importance and Insufficient expertise of company managers in organisational issues. It can be noticed that company managers perceive the biggest information security barriers as lying outside their companies, while auditors perceive the biggest barriers to be the knowledge and skills of company managers regarding information security importance and organisational issues.
Factor analysis (conducted with SPSS Statistics 17) was used to determine the number of factors that explain the relationships between the variables and the connection of those variables with the factors. Based on the correlation matrix of the 12 variables and a test of the null hypothesis that individual correlation coefficients are equal to zero (the null hypothesis is accepted for significance values greater than 0.05), it can be concluded that the null hypothesis may be accepted for the correlation coefficients between the following pairs: the variable Information security policy and the variables Information classification, Human Resources Security, Communications and Access Control; the variable Compliance and the variables Physical and Environmental Security, Information security incident management and Business Continuity management; the variables Responsibility for Assets and Communications; the variable Human Resources Security and the variables Communications and Information security incident management; the variable Communications and the variables Information systems acquisition, development and maintenance and Information security incident management; the variable Access Control and the variables Information security incident management and Business Continuity management; and the variables Information security incident management and Compliance. This means that these pairs of variables cannot be expected to occur together in the explanation of a single factor. Bartlett’s Test of Sphericity is highly significant, indicating that there is significant correlation between the variables.
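As an added illustration (not the paper's own code or data; the paper used SPSS), the two checks described above, pairwise correlation significance at the 0.05 level and Bartlett's test of sphericity, carried out in pure Python on constructed Likert grades for four of the ISO/IEC 27001 variables. The Fisher z approximation for the pairwise test and the even-df closed form for the chi-square tail are implementation choices of this example, not the paper's.

```python
import math
from itertools import combinations
# Constructed Likert (1-5) formalisation grades from 8 respondents; not the paper's data.
NAMES = ["Information security policy", "Access Control",
         "Business Continuity management", "Compliance"]
GRADES = [[1, 2, 3, 4, 5, 4, 3, 2], [4, 2, 4, 2, 4, 2, 4, 2],
          [2, 2, 3, 4, 4, 4, 3, 2], [3, 3, 4, 3, 3, 3, 2, 3]]

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length samples."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx, syy = sum((a - mx) ** 2 for a in x), sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy)

def determinant(m):
    """Gaussian elimination; a full-rank correlation matrix is positive definite, so no pivoting needed."""
    a, det = [row[:] for row in m], 1.0
    for i in range(len(a)):
        if abs(a[i][i]) < 1e-15:
            return 0.0
        det *= a[i][i]
        for r in range(i + 1, len(a)):
            f = a[r][i] / a[i][i]
            a[r] = [x - f * y for x, y in zip(a[r], a[i])]
    return det

def chi2_sf_even_df(x, df):
    """P(chi2_df > x) for even df, via the closed-form Poisson sum."""
    return math.exp(-x / 2) * sum((x / 2) ** i / math.factorial(i) for i in range(df // 2))

def bartlett_sphericity(columns):
    """Bartlett's test of sphericity (H0: correlation matrix is the identity). Returns (chi2, df, p);
    p < 0.05 rejects H0, i.e. the variables correlate enough to justify factor analysis."""
    n, p = len(columns[0]), len(columns)
    corr = [[pearson(a, b) for b in columns] for a in columns]
    df = p * (p - 1) // 2
    assert df % 2 == 0, "chi-square tail implemented for even df only"
    chi2 = -(n - 1 - (2 * p + 5) / 6) * math.log(determinant(corr))
    return chi2, df, chi2_sf_even_df(chi2, df)

def insignificant_pairs(columns, names, alpha=0.05):
    """Pairs whose correlation is not significant at alpha (H0: r = 0 kept), via Fisher z approximation."""
    n, out = len(columns[0]), []
    for i, j in combinations(range(len(columns)), 2):
        r = max(-1 + 1e-12, min(1 - 1e-12, pearson(columns[i], columns[j])))
        pval = math.erfc(abs(math.atanh(r)) * math.sqrt(n - 3) / math.sqrt(2))  # two-sided
        if pval > alpha:
            out.append((names[i], names[j], round(r, 3), round(pval, 3)))
    return out
```

With these constructed grades only Information security policy and Business Continuity management correlate significantly, and Bartlett's test does not reach significance (p is about 0.10 with eight respondents), so this toy sample would not justify factor analysis, unlike the paper's 12-variable data.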
We present the textual interpretations of the results gathered from 35 banking and insurance companies and 4 information security auditing companies.
Comparative analyses of the median values of the perception of information security procedures in both samples of respondents are illustrated in Figure 2. From Figure 2 it is noticeable that the highest graded factor among banking and insurance managers was Physical and environmental security (4.57), while their lowest grade went to the factor Compliance (3.26). The highest graded factor among auditing managers was Physical and environmental security (3.00), and the lowest graded were Information security incident management and Communications (both 1.75). The biggest gap in perception was in Organisation of Information Security (2.24), while the smallest gap was in Information System Acquisition, Development and Maintenance (0.99).
The questionnaire was divided into two parts and comprised 18 questions. The first part covered information security according to the ISO/IEC 27001:2005 standard, while the second part covered information security barriers and marketing aspects of information security. Perception was expressed as the grade of formalisation of information security procedures in written form and was measured with 12 variables on a Likert scale from 1 to 5 (1 – the procedure is not formalised in written form at all, 5 – the procedure is fully formalised in written form).
These variables (following the ISO/IEC 27001:2005 control areas; the list on the page omitted Communications and Compliance, which the analysis above treats as variables) were:
• Information security policy
• Organisation of information security
• Responsibility for Assets
• Information classification
• Human Resources Security
• Physical and Environmental Security
• Communications
• Access Control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business Continuity management
• Compliance
Primary research was conducted with a dual methodology applied to two opposing populations using the same instrument for measuring the variables: on one side the management of banking and insurance companies, and on the other side the management of information security auditing companies.
Standardisation of information security is not a compulsory activity for companies and institutions; it is still an optional choice. Organisations in the public sector may undertake standardisation activities on the basis of a political decision, while the commercial sector does so as a measure of protecting the business as a whole. Banking and insurance companies are commercial companies; therefore they represent a pattern of behaviour for the commercial sector.
Standardisation of information security refers to the introduction of protection procedures and the allocation of responsibilities in establishing business recovery procedures. This means that protection of the system in case of technical, environmental and management failure should be set up as a routine task.
Guidelines for the standardisation of information security should be aligned with the business strategy through effective implementation, procurement and integration of the system (Turban, McLean and Wetherbe, 2002). Standardised information security is a set of procedures consisting of hardware, software, lifeware, orgware, netware and dataware support.
Protection of information resources requires a sound security policy and a set of controls. ISO/IEC 27001, an international standard for security and control, provides helpful guidelines. It specifies best practices in information systems security and control, including security policy, business continuity planning, physical security, access control, compliance, and creating a security function within the organisation.
Results of various studies of the influence of information systems and security procedures on overall business, and particularly on the organisational aspects of business, can be found in the literature. In the context of implementing information security procedures, the perception of management needs to be researched because of the constant and rapid improvement of all aspects of information systems and their security. The framework of this research is based on the issues of standardisation of information security, with particular emphasis on the ISO 27000 group of standards.
Information technology security is currently one of the most important topics that users and providers of information technology face. Organisations depend on information technology, which means that they are more vulnerable to information threats. The vulnerability of information systems is increasing as we move towards network computing. There are a number of threats within and outside the organisation that must be taken into account. These problems are caused by threats such as illegal access, malware, spam mail and system failures. The consequences of these threats can take the form of destroyed resources, malfunctioning applications and data, denial of service, theft of service and theft of resources.
Information security refers to the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability. The most common threats against information technology systems can occur on the client (user) side, on communication lines, on corporate servers and in corporate systems. They can stem from technical, organisational and environmental factors compounded by poor management decisions. An organisation should build strong safeguards to prevent valuable data from being lost, destroyed or falling into the wrong hands, revealing important trade secrets or information whose disclosure violates personal privacy.
Next the causal link between crisis and repression is discussed. As given in Table 8, it is repression^crisis(+) in India, Indonesia, Korea and Malaysia and repression^crisis in Thailand. While the high degree of financial repression seems to cause financial crisis in four countries, it is inverted in Thailand, where a low degree of financial repression is clearly observed immediately before the Asian crisis (see Appendix 9(e)). For the countries except Thailand, we consider that an extremely high degree of financial repression in a boom period attracted more speculative funds — rather than contained a credit boom — further increasing the volatility in those economies where the financial market was progressively liberalised but not well regulated and controlled. Such a mechanism might have worked in India, Indonesia, Korea and Malaysia before these countries were severely hit by financial crisis. For Thailand, on the other hand, an expansionary financial trend — as approximated by the low degree of FR — might have typically created a financial boom led by investment opportunities that were rapidly increasing but were not properly hedged.