Chapter 2

This section provides a literature review on information security, its evolution and components. It discusses definitions of information security from various sources and how it has evolved over time from isolated mainframe computers to modern networked systems. The literature review is organized into different subsections covering aspects of information security.

CHAPTER 2

LITERATURE REVIEW
This chapter presents a detailed literature review of the research area. It covers the literature on the following aspects: information security, its evolution and need, its principles and various components; information security issues in the global context; information security issues in Indian organizations; cyber security breaches and threats in Indian organizations; national and international information security standards and their controls; and information security policy.

2.1 Organization of Literature Review

The focus of this chapter is to present literature related to information security (IS), cyber security, standards, and the information security policy (ISP) concerns of organizations in effective policy development. The literature has been collected from journals of international and national repute, books, magazines, articles and authenticated websites of bodies working in the IT sector and the Government of India. This includes data from the reports and surveys carried out in the past by the Ministry of Electronics and Information Technology (MeitY), Govt. of India; security policy regulators such as the Computer Emergency Response Team-India (CERT-In), the National Crime Records Bureau (NCRB) and STQC; and training and development bodies such as the national administrative society and NIELIT. Information and feedback gathered through the seminars, conferences and training attended also helped a great deal.

In order to gain a better insight into the subject area of information security and policy-related matters, and into model development for Indian organizations, the literature review of this research study has been divided mainly into three phases. A brief theoretical background of the important and relevant issues concerning each sub-topic has been presented so that the scope of this study is clearly understood. A systematic literature review approach has been followed in this study; the approach is widely used for identifying literature in a systematic manner. Fink (2005) has defined a systematic research literature review as a systematic, explicit, comprehensive and reproducible method for identifying, evaluating and synthesizing the existing body of completed and recorded work produced by researchers, scholars and practitioners. The systematic literature review process given by Denyer and Tranfield (2009) has been followed in this study; it is represented in Figure 2.1 below.

Rashmi Anand, University of Lucknow 1

Figure 2.1: Systematic Literature Review Process (Source: Denyer and Tranfield, 2009)

The literature review is organized under the following heads.

2.1.1 Literature on Information and Cyber Security

Many descriptions of information security are found in the literature, and the term is defined from multiple aspects. The purpose of information security is to protect the valuable resources of an organization, such as hardware, software and skilled people. Through the selection and application of appropriate safeguards, security helps the organization to meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees and other tangible and intangible assets.

Sometimes, IS relates to an array of actions designed to protect information and information systems (Gordon and Loeb, 2006). This element not only protects the information but also secures the whole infrastructure and, further, makes its use easier. Sometimes, information security includes hardware, software and physical security. With the increase in the number of applications, users and systems, the complexity of managing an organization's information security also increases. Dhillon defined the elements by describing the role of top management in securing information, and suggested that security awareness programmes should be run to ensure the secure use of hardware and software in the organization (Dhillon, 1999).

Nowadays, information is perceived as a critical element for all categories of organisations. Therefore, all organizations need to secure it, especially those holding more critical information such as customers' personal details: if the customer database is lost, it may be difficult or even impossible for them to run the business, and this is the scenario in which the data protection act comes into the picture. For example, organizations dealing with Intellectual Property Rights (IPRs), and companies involved in creating innovations for certain categories of products, hold sensitive research results; if anyone tries to access these in an unauthorized way, the organization may suffer substantial financial losses and lose the several years of work invested in developing new products.

Therefore, business units as well as researchers tend to consider information security a technical problem that needs attention and a technical solution. But this is not always true, as information security also involves the management of risk, and risk management is done by identifying and measuring threats to the information assets of the organization. Organisations must therefore take appropriate actions to address those threats. When organizations fail to manage their information security, the integrity of the organisation is compromised and loss of money may occur (Jones, 2007).

In their study, Pfleeger and Pfleeger (2003) defined four basic types of information risk, viz. interception, interruption, modification and fabrication. In interception, information in transit is intercepted by an unauthorized person. In interruption, access to information is delayed or denied to the authorized person. With the modification threat, information is tampered with before the authorized person receives or accesses it. In the case of fabrication, information is sent to the recipient under a spoofed identity.

In general, information security is a broad subject and various definitions are available in the literature, where terms such as information security, computer security, information systems security and cyber security are often used interchangeably.

According to a report released by NIST in 1996, computer security is the protection afforded to an automated information system to achieve the business objectives of preserving the basic elements of integrity, availability and confidentiality of information system resources (National Institute of Standards and Technology, USA; NIST, 1996a). The term information security, on the other hand, relates to the concepts and techniques, and the technical measures, that protect information assets from unauthorized acquisition, damage, disclosure, manipulation, modification, loss or use (McDaniel, 1994). Information security is also defined as the technical methods and managerial processes applied to information resources such as hardware, software and data in order to keep organizational assets and personal privacy protected (Hong et al., 2003).

As per the definition of the American National Standards Institute (ANSI, 2008), cyber security is the protection of any computer system, software program and data against unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional. The institute has also used the terms information security and cyber security interchangeably in its various reports. The institute releases a wide range of information standards, and in its view information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk and maximize return on investment and business opportunities (ISO/IEC 27002, 2005).

With a view to protecting information, the Indian Information Technology (Amendment) Act, 2008 defines cyber security as protecting information, equipment, devices, computers, computer resources, communication devices and the information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction. Information security is a broad subject of which technological solutions are only a part.

2.1.2 Evolution of Information Security


Information security has always been a priority for all kinds of organizations, and it gained importance when organizations began to keep their information in electronic form. Von Solms (1996) defines three stages in the evolution of information security. In the first stage, mainframe computers worked in isolation in highly secured buildings, with physical access control along with passwords. At that time most computer systems were simple and single-purpose in design, and security control mechanisms were relatively simple and well understood (Saltzer and Schroeder, 1975). Therefore, a system administrator could easily manage security with simple measures. There were not many such computers, and only big organisations could afford them. Computers of that era were not user friendly and needed great expertise and mastery of computer languages to use, so this expertise itself acted as an element of security built into such systems: few people were able to use them, even though vulnerabilities existed.

During the mid-1970s, the second stage of IS saw the networking of computers and placed more emphasis on communication and its security aspects, which imposed various restrictions on the organization. Networking was driven by the needs of the education sector, the networks were not open to outsiders, and even at that time the security situation was not alarming.

The third stage of information security brought global challenges as companies began to connect to the Internet, and challenges emerged with the proliferation of networked computers. Despite many difficulties, individuals, organizations, companies and governments had to connect their networks to the Internet, in order to harness the benefits of Internet Communication Technologies (ICTs), not only for their own profitability and efficiency but also for making the business of the organisation more effective. The world changed and benefited from several kinds of strategic advantage offered by ICT applications. With these advancements, security breaches in the form of hacking, data theft, denial and degradation of services, loss of confidentiality, etc. have become more widespread and of major concern worldwide.

During the 1990s, the Morris worm demonstrated the vulnerability of the Internet, and consequently cyber security began to be taken seriously. Since then, vulnerabilities have increased and are now exploited by various kinds of malware. During this period the thrust has largely been on a technological approach to security. It has since been realized that this approach is not sufficient to tackle the emerging challenges and the overall management of information security.

In the present age, information security is the element which decides the survival of a company or any organisation. It has become a matter of serious concern, and apart from technology, equal emphasis on people, procedure and policy is the need of the hour (Govt. of India, MeitY, 2011).

The evolution of information security in waves, as given by Von Solms (2006), is shown in Table 2.1 below.

Table 2.1: Information Security: Emergence of Issues

Wave           Information security issues focused on
First wave     Technical aspects
Second wave    Management aspects
Third wave     Standardization and certification
Fourth wave    Information security governance

2.1.3 Information Security Principles


Information security stands on a tripod of confidentiality, integrity and availability of data and services, commonly known as the CIA triad. It is presented in diagrammatic form in Figure 2.2 (Parker, 1998; Gollmann, 1999; Denning, 1999; Tudor, 2001; Pfleeger and Pfleeger, 2003).

The three elements of the CIA triad are described as follows.

a) Confidentiality means ensuring that the information is accessible only by authorized persons and does not fall into the hands of unauthorized persons. It must also remain confidential while in transit.
b) Integrity means that the information remains the same while in transit or in storage: no unauthorized person must be able to alter it. Integrity is often discussed as having two dimensions, data integrity and system integrity.
c) Availability means that the information is accessible to authorized persons whenever required, without diminishing its value.

Figure 2.2: CIA Triad


Beyond the triad elements, accountability has also been identified as an important principle; in this respect, accountability for information security must be conveyed to employees (Von Solms and Von Solms, 2004). Dhillon and Backhouse (2000) argue that the CIA principles are not enough to address information security because they apply only to information seen as data held on a computer system. The authors suggest extra principles, namely responsibility, integrity, trust and ethicality (RITE), which relate to employees in an organization and are the initial steps in securing organizational assets. These are described as:

• Responsibility (and knowledge of roles): Members are expected to develop their own work practices on the basis of a clear understanding of their responsibilities.
• Integrity: Information is an important asset, so organizations must focus on maintaining its integrity.
• Trust (as distinct from control): The organization depends more on self-control and responsibility; there have to be common systems of trust.
• Ethicality (as opposed to rules): The ethical content of informal norms and behaviour.

2.1.4 Information Security Components

Shim et al. (2000) have classified IS components into categories such as physical security, hardware security, software security, personnel security, network security and security policy. As already mentioned, a computer system consists of various parts. Physical and environmental security is therefore the first step: the computer system must be placed in a secured location with proper access control, visual surveillance, alarm systems, etc.

Environmental security means securing the system from fire, water, electrical hazards, heat, humidity, dust, etc., and begins with protecting the hardware from theft and damage (both physical and environmental hazards). In today's changing world, employees of an organisation carry highly valuable information on their laptops and PDAs, which, when stolen, can cause great loss with high cost implications. Security of the network and its hardware components is important to prevent attacks from outside.

Computer systems comprise hardware and software, and software is the brain behind the hardware; it includes the operating system and the other system utilities needed to perform various activities and tasks. While using a computer system, security considerations are often ignored in favour of the utility and functionality of the software products. Software security is not only a desirable but an essential feature of software, so that it functions correctly even under malicious attack; moreover, software security is about designing software to be secure. It is commonly seen that most users do not patch their software regularly even though patches are readily available, and new software appears even before older software is obsolete. In establishing the trade-off between convenience of operation and software security, convenience at the cost of security must be guarded against.

Today, information has to travel over networks of various kinds, such as Wide Area Networks (WAN), Local Area Networks (LAN), Virtual Private Networks (VPN), Wi-Fi networks, etc. These networks must be secured and their security ensured for effective information security while data is in transit. The data may be in the form of source code, software applications, trade secrets and other intellectual property, or data relating to employees, customers or business associates.

It is a fact that, ultimately, behind every machine it is the person who matters. Yet people are often the overlooked aspect of security: more reliance is placed on the technical aspects of security, forgetting that people could be the weakest link. Such people include the top management of an organisation, present and ex-employees, as well as customers. This leads to a situation where there is always a possibility of phishing attacks if customers are not well informed and educated about cyber threats.

2.1.5 Information Security: Standards, Guidelines, Policies and Procedures


Standards, guidelines, policies and procedures ensure that the whole system of information security works in a well-coordinated manner. Peltier et al. (2005) have given detailed definitions of policy, standards, procedures and guidelines.

An information security policy is a high-level statement of an organisation's beliefs, goals and objectives. Standards are mandatory requirements that support individual policies. Information security procedures are the mandatory steps and detailed actions required to successfully complete a task. In this view, guidelines are more general statements designed to achieve the policy objectives by providing a framework within which to implement procedures.

2.1.6 Information Security: Organizational Issues


Information is power and an important asset of an organization. Like any other vital asset, it
needs to be protected from intentional or unintentional damages. It is important that information
is available to authorized entities whenever needed and at the same time does not fall in the
wrong hands.

Non-availability of information when needed may hamper business and sometimes result in huge losses. Confidential or critical information falling into the hands of rival organizations may be catastrophic. Losing third-party information may involve legal and financial consequences apart from loss of reputation, and protecting it may be an important requirement of a client or business partner. Compliance with information security laws, regulations, standards and certifications is also a driver of information security measures in an organization. In the USA, the Privacy Act of 1974, the E-Government Act of 2002, the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act are examples of regulatory compliance requirements for information security. In India, the legal requirements of Section 43A of the Information Technology (Amendment) Act, 2008 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 make an organization dealing with sensitive personal information liable to pay compensation if it fails to take reasonable information security measures.

2.1.7 Need for Information Security


The need for information security has been felt by organizations for various reasons. It has become of utmost importance for organizations that depend on ICT for running their business, as they need to protect their vital and confidential information from cyber criminals. Information security is essential for the functioning of organizations which use ICT extensively, and there are legal requirements that mandate certain information security measures for organizations handling personal or sensitive information.

2.2 Information Security: Issues in Global context


The global information security scenario has undergone a drastic change in terms of enhanced threat perceptions and ever-increasing vulnerabilities. The issues are intensified by the proliferation of the Internet and the widespread use of ICT solutions for various social and economic activities, and the threats are further complicated by the fast emergence of new technologies. As cyber space is unlimited, it is exploited for a variety of crimes, and the scale of such incidents is continuously increasing. These incidents bring new challenges, such as targeted and deliberate attacks on valuable information, potentially causing risk and unestimated losses to national security, economic growth, public safety and competitiveness (Source: official website of the Ministry of Electronics and Information Technology, Govt. of India).

The status of information security in most countries is far from satisfactory; even the most advanced countries are victims of information security breaches. Information-related fraud is common and evolving, but many companies are not prepared for when things go wrong (Kroll, 2013). Approximately 90% of large organisations and 74% of small organisations experienced an information security breach incident in the last one year (PWC, 2015).

It has been estimated that 689 million people in 21 countries experienced cybercrime, and that the associated global cost will top $6 trillion annually by 2021, according to a report by the research firm Cybersecurity Ventures. According to another estimate, in the US alone there was an increase of nearly 50 per cent in reported cyber incidents against critical infrastructure from 2012 to 2015 (Norton Cyber Security Insights Report 2016). It is also estimated that the average per-person cost of data breaches ranged from $51 in India to $201 in the United States. As per the 2017 report on the future of cybercrime and security, the rapid digitisation of consumers' lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019.

The Petya malware similarly wreaked havoc on organizations such as banks, ministries, newspapers and electricity firms in many advanced countries, specifically in Ukraine, where the radiation monitoring system at the Chernobyl nuclear power plant went offline; it is reported that on many infected systems worldwide, important files were overwritten and thus permanently damaged when the ransoms were not paid. The research has also found that the majority of these breaches will come from existing IT and network infrastructure, while new threats will target mobile devices.

2.3 Information Security: Issues related to India


In the previous section, various issues on the growing concerns of information security at the global level were presented, in the light of the growing importance of the information security scenario. However, there is a need to explore issues at the Indian level in more depth, relating to the protection of information, cyber threats, critical infrastructure, communication networks and other organizational assets. Referring to those studies, it has been found that the preparedness of Indian organizations, in both the public and private sectors, for information and cyber security is far from satisfactory. Some recent incidents point to the level of existing vulnerabilities and gaping holes in the Indian information security environment.

A few important threat incidents in the Indian context are explored here. In 2007, a Swedish 'ethical hacker' blogged details of e-mail accounts and passwords of several Indian Government institutions, including the department of defence (DNA, 2007). In December 2009, following a virus infestation in the computer, all digital records of the gate passes allotted to vehicles entering the assembly building were lost; the loss assumes significance in view of the Parliament attack in 2001 and the terror attack in Mumbai (The Hindu, 2008). In October 2008, five educated cyber criminals were arrested by Noida Police after they illegally transferred Rs. 16.6 million from the bank account of a victim by hacking into his internet banking account (HT, 2008). In another incident, a major Manesar-based multinational IT company reportedly decided to shift its $10 million R&D facility to Australia due to an incident of data theft that caused a loss of Rs. 7.54 billion (McAfee, 2009). The Times of India reported in 2006 that Kingfisher Airlines suffered a loss of Rs. 170 million, and several other airline companies suffered similar losses, due to fraudulent ticket purchases from their online booking systems.

Referring to such security incidents in the banking system, banks offering internet banking facilities to their customers are increasingly vulnerable and exposed to threats such as the stealing of user passwords that can be used to access accounts and transfer funds illegally (Hindustan Times, 2007). Business-to-Business (B2B) and Business-to-Customer (B2C) business models in the Indian e-commerce domain have not paid adequate attention to the management of information security, and very few companies have taken adequate information security measures. Government departments for which information is sensitive, such as defence, have largely chosen to use stand-alone computers in a closed local area network to keep their information secure.

At the national level, there have been numerous cases of security breaches of Indian websites, both Government and private. Information from the servers of more than 6,000 Indian enterprises was reportedly put up for sale on the dark net in one of the biggest data breaches reported in the country (Business Today, 2017).

As per the information reported to and tracked by CERT-In, a total of 44,679, 49,455, 50,362 and 27,482 cyber security incidents were observed during the years 2014, 2015, 2016 and 2017 (till June) respectively. Based on the discussion documents of the Indian Rajya Sabha, the major types of cyber security incidents in Indian organizations include phishing, scanning, probing, website intrusions and defacements, virus and malicious code, ransomware, denial of service attacks, etc. (Rajya Sabha Discussion Document, Govt. of India, 2017).

According to a recently published report by Akamai, the cloud delivery firm, India ranks eighth among the countries targeted by Distributed Denial of Service (DDoS) attacks, with the US and Brazil leading the chart. It has also been found that India is the fifth largest source of DDoS attacks, with close to 12 million attacks originating from India during 2016 to 2017 (Indiatimes, 2017).

In another recent cyber attack, the WannaCry ransomware infected systems in almost 150 countries. By encrypting data and demanding ransom payments in bitcoin, it forced LG Electronics to shut down large parts of its network after its systems were affected. The malware spread globally, hitting major players such as Honda (the car manufacturer), Telenor and Renault, as well as many Government departments and ministries, including in India.
In India, the ransomware hit major port operations in Mumbai, where one of the three terminals came to a standstill after the attack (Hindustan Times, 2017). Back home in India, the National Crime Records Bureau (NCRB) has given figures for cybercrime cases which point to an exponential rise in the last few years. Approximately 11,500 cases were registered in 2015 alone (as against 9,622 cases registered in 2014), the majority of them related to financial gain and fraud. The rise in such cases is especially visible after the country went through the phase of demonetization, when online transactions increased manifold (livemint, 2017).

2.4 Cyber Security Breaches and Threats


2.4.1 Cyber Crime
Crime has been part of all societies from the oldest to recent times. Almost every advanced society faces such problems and develops certain norms for its smooth functioning. Crime increases with the advancement of societies. Societies follow norms, which may be codified, as in advanced societies, or carried over by tradition, as seen in some backward societies. More specifically, such norms are made to regulate the conduct of all members of the society, and activities that are in breach of these norms can very broadly be classified as crimes (Oberoi, 2002). There will always be a class of society which looks at the beneficial potential of a new technology, while some others only see a new opportunity to commit crime (Standage, 1998). Many studies and authors have defined crime in many aspects, and in general crime follows opportunity (Cohen and Felson, 1979). With the advancement of computerization and ICT applications in society, and the various opportunities they offer for financial gain, cyber crimes have been evolving in various ways, giving birth to many cyber criminals. Initially, cyber crimes were committed by pranksters and script kiddies to prove and demonstrate their skills; hacking was limited to gaining access and, at most, defacing some web pages. Very soon thereafter, cyber space was flooded with all kinds of criminal activities, and nowadays it has developed into an industry with organized gangs operating the world over. Today cybercrime is a big problem not only for India but for the whole world.
It has emerged as a major challenge to the use of ICT by organizations (Simion, 2010). In this view, a complete underground criminal economy has developed, a society that lets malicious actors steal money through the Web (Sood et al., 2013).

Table 2.2: Widely Listed Literature on Information Security and Cyber Threats

Sr. no.  Research focus                                        References
1.       Computer crimes                                       Dhillon & Moores (2001)
2.       Economics and investment, violation of safeguards     Gordon and Loeb (2002), Dhillon (2001)
3.       Analyzing the past to prepare for the future          Webster and Watson (2002)
4.       Insider cyber-threats and threat management           Hamin (2000), Steele and Wargo (2007)
5.       Human factors in information security                 Colwill (2009)
6.       Trend of the security research                        Hong et al. (2010)
7.       Addressing bad actors and their actions               Pfleeger et al. (2010)
8.       Common sense to insider threats                       Silowash et al. (2012)
9.       Threat prediction tool                                Kaspersky and Furnell (2014)
10.      Emergency management, IT policy and cyber terrorism   White et al. (2009), Khoumbati and Themistocleous (2007), Harries and Yellowlees (2012), Dahiya and Mathew (2016)

Jain (2005) has explicitly explained the triangle of opportunity, motive and means for committing
cyber crime. He further elaborated that there must be a reasonable motive to commit a cybercrime;
this could be simply to prove something, or to obtain financial gain. Criminals use ready-made
software or programming languages as the means to commit crimes. They have become very advanced,
and their level of sophistication in committing crimes is very high. They can take any kind of
risk because of the easy access to information available on the web. In this way, multiple
opportunities are available to the cyber criminal, and system vulnerabilities offer such
opportunities.
In 2010, the International Telecommunication Union defined cyberspace as the physical and
non-physical terrain created by and composed of some or all of the following: computers,
computer systems, networks and their computer programs, computer data, content data, traffic
data and users. A crime committed in cyberspace may be called a cyber crime. The terms
'computer crime', 'computer-related crime', 'high tech crime', 'virtual crime' and 'cyber
crime' are often used interchangeably. Smith et al. (2004) have highlighted the complexities of
'cyber crime' and described it as conduct that involves the use of digital technologies. As per
them, cyber crime is incidental to the commission of other crimes. A broad definition of cyber
crime may be "a crime in which a computer has been the target on which the crime has been
committed, or a computer has been used as a tool to commit the crime". In a broader perspective,
it would cover crimes in which computers, networks and the World Wide Web are involved.

Cybercrime is any crime that is committed using a computer or networked hardware device
(Symantec, 2012). The United Nations Manual on the Prevention and Control of Computer-Related
Crime defines the following categories of computer-related crime: (1) fraud by computer
manipulation, (2) computer forgery, (3) damage to or modification of computer data or programs,
(4) unauthorized access to computer systems and services and (5) unauthorized reproduction of
legally protected computer programs (United Nations, 1990). A workshop focused on the issues of
crimes related to computer networks, at the Tenth United Nations Congress on the Prevention of
Crime and Treatment of Offenders, classified cyber crime into two categories: cyber crime in
the narrow sense and in the broader sense.
(a) Cyber crime in a narrow sense: Any illegal behaviour directed by means of electronic
operations that targets the security of computer systems and the data processed by them.
(b) Cyber crime in a broader sense: Any illegal behaviour committed by means of or in
relation to a computer system or network, including such crimes as illegal possession and
offering or distributing information by means of a computer system or network (UN2, 2000).

2.4.2 Classification of Cyber Crime
Many authors and researchers have classified cyber crime in various ways. In this context,
Gordon and Ford (2006) have classified cyber crimes according to factors associated with
humans. Cyber crime presents a continuum ranging from crime which is almost entirely
technological in nature to crime which is, at its core, entirely people-related, as shown
in Figure 2.3.

Figure 2.3: Continuum of Cyber Crime (Gordon and Ford, 2006)


The Convention on Cyber Crime of the Council of Europe (Budapest Convention) categorizes cyber
crime as follows (COE, 2001):
1. Offences against the confidentiality, integrity and availability of computer data and systems:
i. Illegal access
ii. Illegal interception
iii. Data interference
iv. System interference
v. Misuse of devices
2. Computer-related offences:
i. Computer-related forgery
ii. Computer-related fraud
3. Content-related offences:
i. Offences related to child pornography
4. Offences related to infringements of copyright and related rights
The International Telecommunication Union (ITU) has categorized the following types of cyber
crime in its 'Toolkit for Cyber Crime Legislation', which acts as a guide for the development
of cyber crime legislation by various nations (ITU, 2010).
1. Unauthorized Access to Computers, Computer Systems and Networks
2. Unauthorized Access to or Acquisition of Computer Data, Content Data, Traffic Data
3. Interference and Disruption
4. Interception
5. Misuse and Malware
6. Digital Forgery
7. Digital Fraud, Procure Economic Benefit
8. Extortion

Based on the above discussion and numerous classifications, some of the important cyber-
crimes have been described below.

2.4.3 Hacking
Many studies define hacking as any unauthorized access to a computer. How easily hacking can be
done depends on how accessible an organization's information is: if information is easily
obtainable in whatever way, a hacker can steal, modify, block, delete or damage it. Therefore,
hackers can cause loss of information and, in the larger perspective, loss to the organisation.
Hacking can be done in several ways, such as by stealing or obtaining a password or by exploiting
vulnerabilities in the computer network. Section 43 of the Indian Information Technology Act,
2000 defines a number of acts which are related to hacking (IT Act, 2000, Govt of India).
2.4.4 Cyber Frauds
Cyber fraud is the intentional and deliberate concealment of facts, which induces a person to
do, or to omit to do, something to his detriment; the fraud could not have occurred had he known
the correct facts. There are many types of traditional fraud which are now being committed using
digital and computer systems. Frauds committed using computers are therefore called cyber
frauds. It has been observed that cyber frauds account for nearly one third of all cybercrimes.
These include credit card fraud after stealing credit card data, illegal fund transfers after
stealing passwords, etc.

Phishing is an activity which can compromise a huge amount of information and has large
implications for an organization. In phishing, unsuspecting victims are sent fictitious e-mails
claiming to be from genuine sites, to lure them into revealing their user IDs, passwords and
credit card numbers. The literature review revealed that phishing had been known in developed
countries for several years and has recently increased in India. A few examples include
incidents reported at companies such as Amazon, eBay and PayPal. A few banks have also witnessed
phishing attacks in the past. These attacks are now becoming sophisticated and are one of the
ways of committing identity theft in cyberspace.

There were at least 255,065 unique phishing attacks worldwide, an increase of over 10% from the
230,280 attacks identified in 2015 (Global Phishing Survey, 2016). The year 2005 saw cyber
frauds using an advanced technique, now called 'pharming', in which the account holder is
directed to a bogus website even when the correct address is typed, and confidential
information is stolen. Pharming is usually achieved by poisoning or corrupting the Domain Name
Servers, which translate domain names to specific IP addresses. Unlike phishing, where one
person is tricked at a time, pharming allows a large number of users to be affected in a single
attempt.
India has also been becoming a target of scams in the last few years, and several versions of
such scams have been reported recently. Cybercrime has been reported as one of the top economic
crimes experienced by organizations in India, out of the four economic crimes of fraud, cyber
crime, bribery and corruption, and asset misappropriation (PWC, 2016).

2.4.5 Virus and other Malware Attacks

Another kind of cyber attack is the virus or malware attack. Computer systems are open to
viruses, small programs that are capable of multiplying, modifying and propagating themselves
through various means. The Information Technology Act defines the penalties for such crimes,
and according to Sec. 43 (h) (iii) of the IT Act 2000, Govt. of India, "Computer Virus" means
any computer instruction, information, data or program that destroys, damages, degrades or
adversely affects the performance of a computer resource and operates when a program, data or
instruction is executed or some other event takes place in the computer resource. These
malicious programs, which cause damage to computer systems, are collectively called malware.
Section 43 (h) (i) of the same Act defines "computer contaminant" as "any set of computer
instructions that are designed,
(a) To modify, destroy, record, transmit data or program residing within computer, computer
system or computer network or
(b) By any means to usurp the normal operation of the computer, computer system, or
computer network".

It has been observed that most malware, such as viruses, worms and Trojan horses, spreads
through e-mail. Organizations today face different types of malware along with the growing
problem of SPAM (unsolicited commercial mail). Thus, to protect organizations from malware,
every organization needs a proper e-mail filtering system.
Some of the best-known examples of malware include the Morris worm, the Melissa virus, CodeRed,
Nimda, Netsky and their variants. These caused damage to computers worldwide. In recent years,
a new class of malware has emerged, including adware, spyware, dialers, toolbars, pop-ups and
hijackers.
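The e-mail filtering the paragraph calls for, as an added example that is not part of the thesis: a small Python attachment filter that flags the common tricks used to deliver malware by mail. The extension and MIME lists, the file names and the sample messages are assumptions constructed for the demo.

```python
"""Added example, not code from the thesis: a minimal e-mail attachment filter.

It walks a MIME message and flags attachments that commonly carry malware:
directly executable extensions, double extensions such as "invoice.pdf.exe",
a declared MIME type denoting a Windows executable, a right-to-left-override
character used to disguise the real extension, and content that starts with
the PE header "MZ" whatever the file is called.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows runs directly when opened (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js",
                   "jse", "wsf", "hta", "msi", "dll"}
# Document-like extensions often used as the visible half of a double extension.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# MIME types that declare the payload to be a Windows executable (assumed list).
EXECUTABLE_MIME = {"application/x-msdownload", "application/x-msdos-program",
                   "application/x-dosexec"}
RLO = "\u202e"  # Unicode right-to-left override


def classify_attachment(filename, content_type, payload):
    """Return the reasons an attachment looks dangerous; an empty list means clean."""
    reasons = []
    name = (filename or "").lower()
    parts = name.split(".")
    if len(parts) > 1 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + parts[-1])
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension disguised as ." + parts[-2])
    if RLO in name:
        reasons.append("right-to-left override in file name")
    if content_type.lower() in EXECUTABLE_MIME:
        reasons.append("declared MIME type " + content_type)
    # Check the bytes, not the name: a renamed .exe still starts with "MZ".
    if payload[:2] == b"MZ":
        reasons.append("PE executable header (MZ) in content")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 5322 message; return [(filename, reasons)] for flagged parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(),
                                      part.get_content_type(), payload)
        if reasons:
            flagged.append((part.get_filename(), reasons))
    return flagged


def _build(filename, data, maintype="application", subtype="octet-stream"):
    """Build a constructed sample message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "sample"
    msg.set_content("See attachment.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: one clean document and three typical malware-delivery tricks.
SAMPLES = {
    "clean": _build("report.pdf", b"%PDF-1.4 constructed sample"),
    "double_ext": _build("invoice.pdf.exe", b"MZ\x90\x00 constructed sample"),
    "renamed_exe": _build("photo.jpg", b"MZ\x90\x00 constructed sample"),
    "exe_mime": _build("setup.bin", b"constructed sample",
                       "application", "x-msdownload"),
}


def scan_samples():
    """Scan every constructed sample; return {name: [reasons]} for flagged ones."""
    results = {}
    for name, raw in SAMPLES.items():
        flagged = scan_message(raw)
        if flagged:
            results[name] = [r for _, reasons in flagged for r in reasons]
    return results
```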

Malware attacks continue to be the biggest threat to information security. As per the Computer
Crime and Security Survey 2010-2011, 67.1% of respondents reported malware attacks (CSI, 2011).
During the year 2010, a highly sophisticated computer worm named "Stuxnet" was noticed,
which affected Programmable Logic Controllers (PLCs). PLCs are an important part of Industrial
Control Systems (ICS) and also part of Supervisory Control and Data Acquisition (SCADA)
systems. The number of systems affected by the worm in India has been increasing day by day, as
in its neighbouring countries Pakistan, Indonesia and Iran (Kerr et al., 2010). By September
2010, it had affected at least 45,000 industrial control systems around the world. This malware
has started a new arms race and has serious implications for the security of critical
infrastructure worldwide (Collins & McCombie, 2012).

Mobile communication devices such as cell phones, smartphones and Personal Digital Assistants
(PDAs) are the latest to be affected by malware. The increasing use of free applications by
smartphone users has brought another dimension to malware threats to cell phones. In this view,
smartphones are particularly vulnerable to viruses due to their versatile communication
capabilities (Cheng et al., 2007). It has also been shown that smartphones are not adequately
protected against malware (Cai et al., 2009).

It is often seen that many organizations do not take even the most basic measures to deal with
malware attacks, such as installing antivirus software, updating virus definitions, and patching
the operating system and other software.
2.4.6 Denial of Service Attacks
In this kind of attack, hackers target computers so that they are unable to provide their
services to end customers and users.

Figure 2.4: Distributed Denial of Service Attack


The targeted machine may be starved of resources, and precious Internet bandwidth may be
consumed in enormous quantities. Buffer overflow, SYN flooding, ICMP floods, teardrop attacks,
smurf attacks, etc. are some of the ways in which a DoS attack may be caused. Denial of Service
(DoS) attacks usually result in huge financial losses to companies.

In the more advanced and deadly form of DoS attack, the hacker is able to compromise a large
number of machines anywhere in the world and install attacking software on them. These
compromised machines act like zombies and, on the command of the hacker, start attacking a
target system in unison, as shown in Figure 2.4. This attack is called a Distributed Denial of
Service (DDoS) attack.
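To make the SYN-flooding mechanism named above concrete from the defender's side, here is an added example (not from the thesis) of detection logic: it replays constructed connection-log lines and counts half-open TCP connections per source and in total. The log format, the addresses, the window length and the threshold are assumptions.

```python
"""Added example, not code from the thesis: a small SYN-flood detector.

A SYN flood sends many TCP SYN segments and never completes the three-way
handshake, so the target piles up half-open connections. The detector replays
log lines in an assumed format
    "<unix_time> <src_ip>:<src_port> <dst_ip>:<dst_port> <flags>"
where flags "S" means a SYN was received and "A" the ACK completing the
handshake. It reports sources whose half-open count within a sliding window
crosses a threshold and, because real floods often spoof source addresses,
also the peak total of half-open connections pending at any moment.
"""
from collections import defaultdict

WINDOW_SECONDS = 10.0      # how long a half-open entry is kept (assumed tuning value)
HALF_OPEN_THRESHOLD = 50   # per-source half-open count that raises an alert (assumed)


def parse_line(line):
    """Split one log line into (time, src_ip, src_port, dst_ip, dst_port, flags)."""
    ts, src, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return float(ts), src_ip, int(src_port), dst_ip, int(dst_port), flags


def detect_syn_flood(lines, window=WINDOW_SECONDS, threshold=HALF_OPEN_THRESHOLD):
    """Return (alerts, peak_total).

    alerts maps a source IP to the highest half-open count seen for it at or
    above the threshold; peak_total is the largest number of half-open
    connections pending at once, which still rises when sources are spoofed."""
    half_open = {}   # (src_ip, src_port, dst_ip, dst_port) -> time the SYN arrived
    alerts = {}
    peak_total = 0
    for line in lines:
        ts, sip, sport, dip, dport, flags = parse_line(line)
        key = (sip, sport, dip, dport)
        if flags == "S":
            half_open[key] = ts
        elif flags == "A":
            half_open.pop(key, None)   # handshake completed: no longer half-open
        # Expire stale entries, as a TCP stack's SYN timeout eventually would.
        for stale in [k for k, t in half_open.items() if ts - t > window]:
            del half_open[stale]
        peak_total = max(peak_total, len(half_open))
        per_source = defaultdict(int)
        for src_ip, _, _, _ in half_open:
            per_source[src_ip] += 1
        for src_ip, count in per_source.items():
            if count >= threshold:
                alerts[src_ip] = max(alerts.get(src_ip, 0), count)
    return alerts, peak_total


def build_sample_log(include_attacker=True):
    """Constructed log: one well-behaved client and, optionally, a SYN flooder."""
    events = []
    # Legitimate client: 20 connections, each SYN followed 1 ms later by its ACK.
    for j in range(20):
        t = 90.0 + j * 0.5
        src = f"198.51.100.7:{40000 + j}"
        events.append((t, f"{t:.3f} {src} 192.0.2.10:80 S"))
        events.append((t + 0.001, f"{t + 0.001:.3f} {src} 192.0.2.10:80 A"))
    if include_attacker:
        # Flooder: 200 SYNs from distinct ports within two seconds, never acknowledged.
        for i in range(200):
            t = 100.0 + i * 0.01
            events.append((t, f"{t:.3f} 203.0.113.9:{1000 + i} 192.0.2.10:80 S"))
    events.sort()
    return [line for _, line in events]


if __name__ == "__main__":
    alerts, peak = detect_syn_flood(build_sample_log())
    print("alerts:", alerts, "peak half-open:", peak)
```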

An example of this category of attack is the Yahoo web portal, which remained inaccessible for
three hours in the year 2000. Similarly, other e-commerce portals, viz. Amazon, Buy.com, CNN
and eBay, were also significantly affected in their operations. Yahoo, in this context, suffered
a loss of $5 million in those three hours. The combined loss of all major sites in that week is
estimated at $1.2 billion. In the worst ever DDoS attack, 'Cyber Bunker', a Dutch firm, targeted
'Spamhaus', a Geneva-based volunteer group, resulting in a slowdown of the Internet (BBC, 2013).
2.4.7 Identity Theft
Identity theft may be described as the stealing of personal information relating to the
identification of an individual or an organization. Such theft may include name, address, date
of birth, social insurance or security numbers, health card number, driving licence, bank PIN,
Permanent Account Number and, the most valuable of all, credit card numbers. This information
is later used to commit fraud. Under Sec. 66A of the Indian Information Technology (Amendment)
Act, 2008, identity theft has been defined as the fraudulent use of the password or any other
unique identification feature of another person. Bengaluru city in Karnataka State has seen a
major share of cyber crime, with identity theft and impersonation making up the majority of
reported cases.

Most complaints registered in Bengaluru have been of cheating by personation. Falling under
Section 66D of the Information Technology Act, 574 such cases were filed in the city in 2015.
The next biggest offence was identity theft: as many as 336 such cases were filed under Section
66C of the Information Technology Act (Indiaspend, 2017).

2.4.8 Cyber Espionage

Espionage, both by business organizations and governments, has been in existence for decades.
In the cyber age, when sensitive data is kept in electronic form, it becomes more vulnerable to
theft by adversaries or competitors. Cyber espionage uses computer systems, coupled with
conventional techniques, to gain intelligence and sensitive information. E-espionage is
unauthorized, and usually criminal, access aimed at confidential systems (PWC, 2011). In
November 2010, in a case involving the US-based automobile company Ford Motor, the accused
admitted in Federal Court that he had stolen secret design documents worth more than $50
million from company computers (infosecisland, 2010).

"Shadows in the Cloud" documents a complex ecosystem of cyber espionage that systematically
compromised government, business, academic and other computer network systems in India
(Rohozinski, R. and Deibert, R., 2010). The offices of the Dalai Lama, the United Nations and
several other countries were among its victims.

2.5 Information Security Management

Information security has moved a long way from a bunch of technical tools to a holistic
management approach. Loss of information security is not a product or service problem, but
rather an engineering and management problem that must be approached with an appropriate IT
security process (Oppliger, 2007). The information security issue needs to move beyond
traditional technological measures such as anti-virus and firewalls (MeitY, Govt. of India,
2011).

Eloff and Eloff (2003) have suggested a holistic approach to information security management
(ISM). It refers to the structured process for the implementation and ongoing management of
information security in an organization. Figure 2.5 highlights a framework for the ISO/IEC
27001:2005 Information Security Management System.
Figure 2.5: ISO/IEC 27001:2005 Information Security Management System

At the root of the need for information security management lies the importance of
information as a business asset. The basic aim of ISM is to protect information and IT
resources; its underlying aim is to ensure the continuity of the organization (Vermeulen and
Solms, 2002).
Figure 2.6: PDCA Cycle on Information Security Management

An ISMS is designed to ensure the selection of adequate and proportionate security controls that
protect information assets and provide confidence to interested parties (ISO/IEC 27001:2005).
The standard follows a process approach for information security management and adopts the
"Plan-Do-Check-Act" (PDCA) model shown in Figure 2.6.
For a long time, information security issues have not been taken seriously. The issues have
been reported by various international organisations in their databases and reports. For more
than a decade, organizations globally have been investing in infrastructure but lagging in the
implementation, measurement and review of security and privacy policies (Annual Global State
of Information Security Survey, 2007).

Therefore, management needs to pay more attention to information security issues (Dhillon and
Backhouse, 2000; Kankanhalli et al., 2003). A study of biometrics in banking security in New
Zealand found that unauthorized access attempts by internal staff or external partners
constituted 34% to 50% of security breaches (Venkatraman and Delpachitra, 2008). The study
also argues that, to cope with technology changes, a risk management strategy should address
ethical and social issues.

The influence of organizational culture on the effectiveness of implementing information
security management in Taiwan was studied by Chang and Lin (2007). They focused on
organizational culture traits such as co-operativeness, innovativeness, consistency and
effectiveness and their relationship with information security management principles, namely
confidentiality, integrity, availability and accountability of data in organisations. Their
study suggests that control-oriented culture traits (effectiveness and consistency) have a
strong effect on all ISM principles, while flexibility-oriented traits (co-operativeness and
innovativeness) are not significantly associated with ISM, with the exception that
co-operativeness is negatively related to confidentiality.

In view of managing information, Mouratidis et al. (2008) have studied the perceptions of
persons in positions of authority in management. Their study has justified the claim that
personnel from general management have different perspectives on network security than
personnel from network security management. A study of ISM from the economic perspective
reveals that the realization of information security inside organizations is a problem of
economic co-operation among individuals (Pallas, 2009).

Hagen et al. (2008) have studied the implementation of IS measures in various types of
organisations and estimated their effectiveness in selected organizations. They have also
classified organizational information security measures into four major categories:
a) Security policy, indicating strategies and the planning work behind the organization's IS
approach, represented by a written document directly linked to the overall strategic
objectives of the company.
b) Procedures and controls, comprising a set of documents prescribing individual and
organizational behaviour.
c) Administrative techniques that are both proactive and reactive and involve asset
classification, risk analysis, audits and incident reporting systems in an organisation.
d) Development and maintenance of an IS awareness programme, which includes activities at
both the individual and collective levels.
Taking a systems view of information security, Conklin and Dietrich (2008) suggest developing
and maintaining a comprehensive set of system theory which describes IS mechanisms and the
effects of boundaries and regulators, enabling security architects to examine the entire
system. This theory may help in understanding complex security appliances that are composed of
different kinds of independent devices.

2.5.1 Organizational Information Security Measures

Most recent research has focused on the technological measures of IS, but this is not enough.
Thus, there is also a need to understand the impact of factors related to humans and
organizations (Beznosov and Beznosova, 2007; Botta et al., 2007). The right approach to
management support is needed for IS (ISO/IEC 27002, 2005). In this view, the ISMS framework
given by Ma et al. (2009) is shown in Figure 2.7. The figure explains four elements in
organizations: assess the environment, establish IS objectives, analyse IS requirements, and
develop and implement IS security controls.
Figure 2.7: Information security management framework (Ma et al., 2009)

The literature shows many studies on the interface between IS and the organization. These
studies relate to IS aspects in which the importance of information loss to top management is
reflected, and are found to relate to commitment, identification and classification of
information assets, provision of organization and resources for information security
functions, allocation of responsibilities, laying down of policies and procedures, training and
awareness, and inculcating a culture of security. While exploring the human, organizational and
technological factors of the subject, Werlinger et al. (2009) have given low priority to the
organizational challenges of security. These aspects are studied in the following sub-sections.

2.5.1.1 Top Management Commitment

Top management is an important factor influencing IS. As the key decision makers, top managers
are responsible for managing each and every activity at all levels within the system boundary
of the organization (Singh and Kant, 2008). The main responsibility for managing information
security is borne by corporate management. Top management's approach to IS provides the
resources and sets the requirements. On the hardware side, the IT security manager promotes
and coordinates security plans and activities (Kajava et al., 2006). Therefore, top management
commitment is an important enabler and influencing factor, and a prerequisite of any
information security program. Here, the importance of information is very high and closely
related to top management functions, which further shows the need for clear direction, support
and consideration of IS efforts by top management. Vaish and Verma (2010) have found top
management commitment to be the most important parameter in the context of ISMS. The
international standard ISO/IEC 27001:2005 mandates that management should actively support
security within the organization with clear direction, and should demonstrate commitment,
explicit assignment and acknowledgment of IS responsibilities. This standard also highlights
the role of management within the ISMS framework.

The draft ISO Guidelines under section 83 (2011) highlight top management roles and
responsibilities, stating that top management must demonstrate its commitment. Bjorck (2001),
in his study, has also explored top management commitment as one of six important parameters
of IS in the context of Swedish organizations. Similar findings were reported by Kankanhalli et
al. (2003) in small and medium-sized Singaporean enterprises and by Abu-Zineh (2006) in Jordan.
Von Solms (2006) and Saint-Germain (2005) have also clearly identified the role of top
management commitment as an important component in the governance of corporate security. In
order to implement standards and policy at the user's end, top management support is also
essential for the allocation of resources (Avolio, 2000). Information security must be
understood from the top down (Harris, 2010). Strong top management support is critical to
information security management (NIST, 2008 A; Knapp et al., 2006; Wright, 2008; Hagen et al.,
2008). It has been observed that top management is still not exercising appropriate governance
over the privacy and security of the digital assets of their organisations (Westby, 2012).

2.5.1.2 Information Asset

Many studies address information as an asset, where the value of information is considered as
an organizational asset. In this view, information is identified as an organizational resource
(Badenoch et al., 1994). In the context of information assets, authors have developed models
and equations in the past few years that have influenced top management, convincing them that
information is a vital resource for the organization (Burk and Horton, 1988; Griffiths and
King, 1993; Keyes, 1995). There is a link between the effective use of information and business
success (Abell, 1994).

Some studies define information as something which satisfies the definition of an asset. This
definition matters more than the influence of information on employees or customers; all three
are commonly referred to in the literature as intangible assets. Sometimes information is
defined as an intangible asset, like a brand, rather than a physical asset, with a relevant set
of attributes: it is associated with having service potential and being able to give economic
benefits to organizations. However, information as a resource was not widely covered in the
earlier literature (Hawley, 1995).

2.5.1.3 Information Asset: Identification and Classification

Information, as an important element, is often seen as an asset to an organisation. For an
organisation, the information that needs to be protected must first be identified by top
management. The amount of time, effort and money which an organization wants to spend on
protecting any information asset depends on its value, utility, sensitivity, and the legal
requirements for meeting the business objectives. In this regard, ISO/IEC 27001:2005 and
ISO/IEC 27002:2005 advocate the identification of information assets, and also indicate their
classification and ownership. These documents also mention that identifying the information
processed on an information system is essential to the proper selection of security controls
(NIST, 2008 A; Whiteman and Mattord, 2012). Engelsman (2007) has given a model for the
identification and valuation of information assets for managing information in various types
of organisations.

2.5.1.4 Policy as a Measure to IS

In general terms, a policy is typically described as a set of basic principles and guidelines
formulated and enforced by the top management of an organization. A policy document is meant
to achieve certain objectives of an organisation. The term policy has many definitions in the
literature, prescribing aims and objectives that are to be used to achieve organisational goals
(Sushil et al., 2006). As per the NIST document, IS policy is a collection of directives, rules
and practices that prescribe how an organization manages its different sections (NIST, 2006).
Hong et al. (2006) define IS policy as the set of rules set up for the use of information assets
to achieve the objectives.

IS policy is a plan outlining what kind of critical assets an organisation keeps and how they
must (and can) be protected. The main purpose of policy documents is to provide staff with a
brief overview of the "acceptable use" of any of the information assets, thus engaging assets
to secure the critical systems of an organisation (Danchev, 2003). Another definition of IS
policy is an organization's statement defining the rules and practices that regulate how it
will provide security (Khare and Srivastav, 2008).

In the view of Hone and Eloff, the primary objective of an IS policy is to define the rights
and responsibilities of various users, so that they can weigh the pros and cons of their
behaviour while using IS resources (Hone and Eloff, 2002). Therefore, it can be said that a
well-defined policy reduces ambiguities and works towards the commitment of top management
(Diver, 2006).

In view of the various definitions given by many authors and organisations, an information
security policy should fulfil the following criteria:

1. It should protect people and information.
2. It should set the rules for expected behaviour by users, including system administrators,
management and security personnel.
3. It should authorize security personnel to monitor and investigate.
4. It should define and authorize the consequences of violation.
5. It should seek an approach to minimizing risks in the organisation.
6. Its objectives should be aligned towards tracking compliance with regulations and
legislation in the organisation.

Moreover, IS policy is one of the important controls defined in the international standards for
managing information. Referring to controls, according to ISO 27001:2005 the IS policy provides
management direction and support for information security in accordance with business
requirements and objectives, and with relevant laws and regulations. Top management should set
a clear policy direction in line with business objectives and demonstrate support and
commitment. However, compliance with an IS policy is as difficult as its development and
implementation across the organization. From the user's perspective, the IS policy provides a
basic framework which must be followed by all employees. Thus, it can be said that the
information security policy (ISP) defines both the employee's and the organisation's attitude
to information, which is to be protected from unauthorized access, modification, disclosure
and destruction (Peltier et al., 2005). The overall aim of IS policy is to create a shared
vision and an understanding of how various controls will be implemented for a safe
organization (Dhillon, 2006).
2.5.1.5 Physical and Environmental Security of Organization
Physical and environmental security relates to measures taken to protect systems in the
physical sense, for example protecting buildings and related supporting infrastructure against
threats associated with their physical environment. These measures and guidelines are necessary
to protect the facility housing system resources (NIST, 1996). Organizations are concerned with
protecting their systems and computer resources, which need physical protection from
unauthorized access and theft, and sometimes from disasters such as fire, flood, earthquake,
environmental hazards, etc. (ISO/IEC 27001:2005; ISO/IEC 27002:2005). Physical protection of
systems includes fences, walls, security guards, cameras, intrusion detection systems and
alarms, protection from electromagnetic radiation, uninterrupted power supply, and proper
temperature and humidity controls (Trcek, 2006).

2.5.1.6 Human Aspects of Information Security


Human aspect is very important to IS. It has been observed that over the two decades, the focus
of IS management has shifted to its human aspects. The main reason for this as aspect is being
realized that the man behind the machine and technology is more important in the area of IS
management. In an IS system, man closely interacts with machine and are addicted to human
errors and failures ((intentional or unintentional). The omission, ignorance or error will result in
failure of the information system. Likewise in other areas, technology is often seen as the
immediate answer to information security problems. Therefore, on human aspect of IS, it is
justifiable to invest in people as in technology (Hinson, 2003).

However, despite the fact that many organizations make use of a large number of technical
security controls, they still face breaches of increasing severity. This generally happens because
information security is primarily a human factor problem that remains largely unaddressed in
most organisations. The human factor in IS can take the form of employees, customers, clients,
vendors, etc. (Hinson, 2003).

A few studies found that all three elements, people, process and technology, are needed for IS
(Merkow and Breithaupt, 2006). In this context, the Information Systems Audit and Control
Association (ISACA) highlights the linkages between the elements people, process and
technology in an organization. The interaction and linkages of these elements from the
organisational perspective are shown in Figure 2.8 (ISACA, 2009).

Figure 2.8: Interaction of People, Process and Technology


In a study on IS and human interaction, Nikolakopoulos states that it is a false assumption that
people follow secure behavioural patterns by default. In this view Nikolakopoulos (2009) has
depicted the linkage of the human factor in IS, as shown in Figure 2.9.

Figure 2.9: Linking the Human Factor

Referring to another kind of study on the same aspect of IS, the human factor is sometimes the
weakest and sometimes the easiest link for a hacker, which increases the possibility of a breach
of Internet Communication Technologies (ICTs) systems (Mitnick, 2003; ITU, 2009). Even where
people intend to protect information, they can be manipulated through various social engineering
techniques, which make it easy to get people to disclose confidential information or to do things
they would otherwise not do. In a research study by Al-Wahaibi et al. (2011), the authors have
shown that human factors significantly influence the success or failure of IS solutions.

2.5.1.7 Information Security Awareness and Training


In the previous sub-section, the human aspects of security were discussed, and people were found
to be an important element of IS. Therefore, organizations should focus on their skills and
training so that people can use the information assets properly and follow the IS policy
document. In this reference, employees, customers and vendors are also important actors
responsible for protecting information. Therefore, these actors must be made fully aware of the
various threats to IS, and they should work towards their roles and contributions in the overall
goal of IS in an organization. Thus, information security awareness becomes very important to
protect the organization from various kinds of threats. In general, IS awareness is a condition
where the employees of an organization, or the actors working there, are aware of their security
mission (Siponen, 2000). In this view, several security standards for industry have been framed at
the international level. These include the Data Security Council of India (DSCI), SANS, ISO/IEC
27001:2005, Control Objectives for Information and related Technology (COBIT) and the
Payment Card Industry Data Security Standard (PCI-DSS). These standards have highlighted the
need for IS awareness and training in the interests of employees as well as organizations. Thus,
both factors, awareness of the risks and of the available safeguards in the organization, are a
priority for securing IS systems. IS awareness can be achieved in many ways, and core
importance should be given to the employees or actors of the organization (Von Solms and Von
Solms, 2004). It has also been seen that compliance with IS policies depends on their awareness
of the various issues involved in IS. Referring to an important study carried out by ENISA, IS
protection in an organization begins with securing and ensuring employees and making them
aware of their roles and responsibilities for IS and organizational objectives. This will help them
in securing organizational resources and assist the organization in keeping its IT infrastructure
safe (ENISA, 2009). Awareness and training is a critical and innovative task. Due to low
commitment of top management in this regard, users are usually less trained, experienced and
security-aware than the information technology staff. This situation makes the organization as
well as its employees most vulnerable to attack (Nikolakopoulos, 2009). Hinson (2003)
recognizes awareness as the most cost-effective security control and makes suggestions on how
to optimize control investment.

In the training and awareness of IS and policy, Indian organizations are lagging behind due to
fewer sources of funds and investment. The United Kingdom developed its Cyber Security
Strategy in the context of raising awareness of cyber security at all levels of government and
identifying the changes in behaviour and working culture in the wider aspects of policy
formulation. Similarly, the Australian Cyber Security Strategy also recognized the importance of
the same, with emphasis on conducting education and awareness activities to propagate a culture
of cyber security (Australia, 2009). In a similar recognition by the Estonian Cyber Security
Strategy (Estonia, 2008), the country has highlighted the need for raising awareness of IS among
all employees and users of organizations, with particular focus on Small and Medium Enterprises
(SMEs), by spreading the information across computer users and employees. In this view, the
United States of America (USA) started the National Initiative for Cyber Security Education
(NICE, 2010) for establishing an operational, sustainable and continually improving cyber
security education program on cyber practices.

Recognizing the need to strengthen the cyber security ecosystem in India, and in light of recent
cyber attacks, the Ministry of Electronics and Information Technology (MeitY), Government of
India, has started the Cyber Surakshit Bharat initiative with an increased focus on cyber safety.
The purpose of the program is to spread awareness, build capacity and make government
departments aware of the steps to be taken to create a cyber resilient IT set-up.

Basically, the lifecycle of an information security awareness and training program has four steps,
such as identifying training needs, developing a training plan to suit the needs, providing
adequate funding and resources for training, implementing the training and improving the
training program based on feedback (NIST, 2003). In general, awareness activities should be
completed before the training activities. Moreover, awareness should simply focus attention on
IS. In the context of information security, awareness is a blended solution of activities that
promote security, establish accountability and inform the workforce of security news within the
organisation.
Rashmi Anand, University of Lucknow 40
Awareness activities also focus attention on a set of issues; sometimes this is a program that
continually pushes the security message to users in a variety of formats (NIST, 2006). In
differentiating the two activities, the most important difference between training and awareness
is that training seeks to teach skills that allow a person to perform a specific function, while
awareness aims at focusing attention on a set of issues. Sometimes training is imparted based on
the roles and responsibilities of employees and users, and of middle and upper management, for
the specific needs of IS in their organization (NIST, 2006).

One study on the importance of IS awareness brought out that global citizens react differently to
IS awareness due to differing cultures across boundaries and differing organizational objectives.
The study recognises that awareness and training are placed on individualism (Chen et al.,
2008). In the context of India, which has a different culture and degree of individualism than the
western developed world, Qing et al. (2007) point out that IS awareness programmes are an
important approach towards educating users to protect organizations. In a similar kind of study,
Puhakainen (2006) has indicated that user compliance with IS policies is a multi-faceted
construct that, in addition to knowledge and skills, relates to motivation. Hagen et al. (2008)
have found that IS awareness is the least implemented but, in contrast, the most effective
measure of IS management. The authors arrived at this differentiation by comparing it with other
technical-administrative measures such as policy, procedure, control and administrative tools.

Von Solms (2000) has also recognised the importance of awareness in the third wave of IS, i.e.
the institutionalization wave. IS-based newsletters, help-desks, web portals, slogans, posters,
seminars, conferences, film clips, games, classroom training with case studies, etc., could all be
ways of supplementing activities related to awareness and training. The entire effort can be
wasted if its quality and effectiveness are not measured by the top management of the
organisation. Adequate budget and other resources must be allocated for the purpose of training.
Recognizing the importance of awareness and training, the National Cyber Security Policy of the
Government of India, released in 2013, has also given equal consideration to a comprehensive
national awareness program.

2.5.1.8 Incident Management, Business Continuity Planning and Disaster Recovery


Even after best efforts, an information security incident can occur for various reasons.
Organizations need to understand and mitigate risk. Risk management is the process that allows
IT managers to balance the operational and financial costs of protective measures for the IT
systems and data that support their organizations' missions (NIST, 2002). In this process,
alternative strategies for dealing with risk are weighed and appropriate decisions are made (Hoo,
2000). Business continuity management combines elements including risk assessment, business
impact analysis, risk mitigation and contingency planning into one cohesive and comprehensive
procedure (Stanton, 2005). Organizations deal with risk by identifying, analyzing and evaluating
it (ISO/IEC 31000:2009) using various techniques (ISO/IEC 31010:2009). ISO/IEC 27005:2011
describes risk management in the specific context of information. Mitigation is one of the ways
of dealing with risk (NIST, 2011).

Handling a disaster and recovering from an information security breach incident are integral
parts of information security management. Organizations must establish, maintain and
effectively implement plans for emergency response, backup operations and post-disaster
recovery for organizational information systems. This will ensure the availability of critical
information resources and continuity of operations in emergency situations (NIST, 2006).
ISO/IEC 27001:2009 advocates an effective information security incident management process
along with an effective business continuity management approach. ISO/IEC 27002:2005 also
highlights the business continuity aspects of information security management.

2.5.1.9 Information Security Audit, Testing and Certification


An IS audit is an inspection of the level of information security existing in an organization. IS
audits are done in comparison with a standard or a documented process. The audit is generally
carried out by a third party, an independent agency (authorized by an international organisation
or by the government), so as to find out any IS security gaps and deficiencies in the IS-related
processes during IS policy implementation. In a similar kind of activity, testing is the process of
exercising one or more assessment objects under specified conditions to compare actual and
expected behaviours. Testing for ensuring IS also involves hands-on work with systems and
networks to identify security vulnerabilities (NIST, 2008). In this context, IS certification is a
stamp of approval by a competent and relevant authority that an organization meets a set of
requirements related to a specific standard. The ISO/IEC 27000 series of international standards
deals with various aspects of IS. ISO/IEC 27001:2005 is the standard in this series that deals
with the requirements of an ISMS. Santos and Pereira (2010) suggest that many IS problems
that exist in organisations can be identified and remedied by conducting regular transparent
audits.

2.5.1.10 Compliance to Legal and Regulatory Provisions


Like compliance with IS standards, legal and regulatory provisions are very important in the
context of IS. Organizations all over the world are affected by an increasing number of laws and
regulations, many of which have important implications for IS and ISMS (Luthy and Forcht,
2006). Legal provisions specified in the form of documents exist in several countries. Such
provisions have become mandatory for organizations which deal with sensitive personal
information, and they are a means of ensuring IS policy implementation in organisations.

Legal and regulatory provisions for IS have been specified in India by means of Section 43A of
the Indian Information Technology (Amendment) Act, 2008. The Act provides for compensation
to employees and users if an organization loses their personal information. At the user end,
compliance with legal provisions has become mandatory, and it is a critical driver for
organizations to take adequate security measures (McAfee, 2011; Symantec, 2011). In view of
this, apart from the mandatory provisions, organizations follow many security standards such as
ISO/IEC 27001:2005, COBIT and SANS Controls. These legal provisions, laws and standards
are also a driving force for organizations to bind existing IS measures and new initiatives. In this
view, regulatory laws are a big driver for IS management in an organization (Berends, 2007).

2.6 Information Security Standards


2.6.1 An Overview
Standards have been published since 1980, beginning with the publication of the Orange Book
and the White Book (TCSEC in the U.S. and ITSEC in Europe, respectively). Over the following
two decades, four waves of IS standards were implemented one after another (Von Solms, 2000;
2006). In the first wave IS was treated as a technical issue; the second wave took the managerial
dimension into account; the third wave recognised standardization, best practices and
certification, and also addressed the need for IS audit and monitoring; while the fourth wave
embraced information security governance. The evolution of IS standards mentioned above
resulted in over a dozen standards with varying degrees of “representation” of each of the
waves. It was found from the literature review that some standards offer only technical
measures, while others provide comprehensive governance frameworks. ENISA (2006),
CLUSIF (2005), Poggi (2005), Saint-Germain (2005) and Tomhave (2005) have presented
studies of IS standards covering the major kinds of standards that exist in the world. In the
subsequent sub-section, this study focuses on the ISO/IEC 27000 set of standards.
Table 1.2: Select List of Literature on ISMS Practice and ISP Implementation
Sr. no. | Research description | Authors
1. | ISM: An integrated system theory | Shing Hong et al. (2003)
2. | A framework for the governance of information security | Posthumus and Solms (2004)
3. | An information security governance framework | Veiga and Eloff (2007)
4. | Information security management objectives and practices: a parsimonious framework | Qingxiong et al. (2008)
5. | A literature review on ISM standards | Barlette and Fomin (2009)
6. | Improved security: Information security governance | Johnston and Hale (2009)
7. | Information security management practices | Singh and Gupta (2017)

2.6.2 The specific case of ISO/IEC 27000 set of standards


Nowadays business operations are complex in nature. Additionally, given the global nature of
contemporary business operations and the existence of more than 200 different IS standards
(Poggi, 2005), a need for a single reference point in IS has been recognized, and international
organisations have acknowledged this need (Humphreys, 2005). Consequently, ISO/IEC 27001
and 27002 are the two standards commonly observed as a response to this need, as they
represent the building blocks of the ISO/IEC 27000 integrated and global standard. With the
example of the ISO/IEC 27000 information security standards, we can see how information
security is taken as a governance issue, as ISO/IEC 27000 can be seen as a series of standards,
each complementing the others in some respect.

This section deals with ISO/IEC 27001 and 27002; both standards have their roots in BS 7799.
In 1995 the British Standards Institution (BSI) established the BS 7799-1 standard titled
“Information security part I: Code of practice for security management” and added in 1998 a
second part, BS 7799-2 “Information security part II: Specification for Information Security
Management System (ISMS)”. BS 7799-2 is a set of requirements for developing an ISMS that
encompasses people, processes and IT systems. Both BS standards were taken up by the ISO
(International Organization for Standardization) to become global ISMS standards:
- BS 7799-1 was re-published in 2000 as ISO 17799 and renamed ISO/IEC 27002 in 2007;
- BS 7799-2 became the ISO/IEC 27001 standard in 2005.

ISO/IEC 27001 can be viewed as an overall program that combines risk management, security
management, governance and compliance into one standard. The standard guides an
organization and ensures that the right people, processes and technologies are all well placed, so
that these elements are appropriate to the business model and facilitate a proactive approach to
managing security and risk. The standard also promotes strong values regarding client and
business information and responds to business needs in establishing a comprehensive ISMS
policy. In implementing these, the standard allows not only harmonization of IS-related
organizational processes but also certification, thus establishing a common reference point for
the certified organization in the global market.
ISO/IEC 27002 “established guidelines and general principles for initiating, implementing,
maintaining, and improving information security management within an organization”. The
actual controls listed in ISO/IEC 27002 are intended to address the specific requirements
identified via a formal risk assessment. The standard is also intended to provide a guide for the
development of “organizational security standards and effective security management practices
and to help build confidence in inter-organizational activities”.

There is a specific difference between ISO/IEC 27001:2005 and ISO/IEC 27002:2005. In the
context of certification, ISO 27002 is not a management standard, so certification against ISO
27002 is not possible. A management standard defines how to run a system, and ISO/IEC
27001:2005 defines an ISMS; therefore, certification against ISO/IEC 27001:2005 is possible. In
addition, this IS-based management system requires that the system be planned, implemented,
monitored, closely reviewed and further improved. This means that top management has distinct
responsibilities, over and above those of users and other levels of employees in the organization:
objectives must be set, measured and reviewed, and internal audits must be carried out. All such
elements are well defined in ISO/IEC 27001:2005, but not in ISO 27002.

ISO/IEC 27001:2005 is useful in building the foundations of information security in the
organization and for developing an information security framework. Whereas ISO/IEC
27001:2005 is useful for implementing controls, ISO 27005 is useful for carrying out risk
assessment and risk treatment. Therefore, it can be concluded that without the details provided
in ISO 27002, ISO/IEC 27001:2005 could not be implemented. However, without the
management framework from ISO/IEC 27001:2005, ISO 27002 would remain just an isolated
effort of a few information security enthusiasts, with no acceptance from top management and
therefore with no real impact on the organization.

2.6.3 Adoption of Information Security Standards


Adoption of IS standards by users at all levels in the organisation is very essential. The measure
for this is the level of compliance and conformance reported by IS audits. In addition, many
methods and standards are referred to as sets of “best practices”: von Solms defines them as
“the most broadly effective and efficient means of organizing a system or performing a
function” (2006, p. 495). But very few have recognised the measurement of the adoption of
standards, which is important in terms of the certification received by users. The need to
measure this arose two years after publication of ISO/IEC 27001:2005, when the number of
ISO/IEC 27001 certifications was found to be on the lower side, which represented low
awareness of the standard across the world. This was in contrast with two predecessors, the ISO
9001 quality management and ISO 14001 environmental management system standards, over
the same period after they came into existence (Fomin et al., 2009).
2.6.4 IS Standards: Success Factors
The most important success factor in obtaining certification is the commitment made by the top
management to the IS management process (Saint-Germain, 2005). In order to protect the
organisation from threats, there are many factors through which IS certification can be achieved.
The first factor of the preparation phase must be top management commitment. This is
recognised because top management carries the ultimate responsibility of backing the activities
and decisions involved in this approach. Additionally, top management support is also essential
for the allocation of information resources (Avolio, 2000). A few studies have recognized the
roles and responsibilities of top management, which can be considered as a change agent. Prima
facie, top management is a means of gaining employee support for information security. In their
study, Knapp et al. (2006) found that top management support positively influences security
culture and policy enforcement. This was also felt by other authors, who recognised the need for
managerial involvement (Siponen, 2000). Managerial involvement is recognised because senior
management has the authority and leadership to overcome cultural and organizational barriers.

A second success factor is that IS management should become part of the management structure
of the organization; it should no longer be regarded as solely an IT issue (Vermeulen & von
Solms, 2002). Thus, the IS implementation approach should be consistent with the
organization’s culture (Hone & Eloff, 2002; Saint-Germain, 2005) and, as stated by von Solms
& von Solms, “one way to ensure that employees actions, behaviors, artefacts and relations are
according to company policies is to align these with company culture” (2004, p. 79). In addition,
standards and certifications constitute important drivers, as “an information security culture
emerges where specific behavior is encouraged, such as complying with ISO 17799” (Martins &
Eloff, 2002, p. 207).
In order to build up and maintain a better information security culture, it is important to provide
proper training to the employees (Saint-Germain, 2005; Von Solms & Von Solms, 2004), which
constitutes another success factor. The IS policies derived from standards must be well aligned
for a safe organisation and must be implemented towards corporate objectives (Saint-Germain,
2005), moreover tailored to the organization and its context (Doherty & Fulford, 2005) and then
rigorously enforced.

The third success factor identified through the literature review relates to the use of a governing
system. The system should ensure timely updating of IS policies as well as wide collaboration
and knowledge-sharing in the interest of the organisation (Saint-Germain, 2005). From these
issues, the important role played by employees in the successful implementation of IS standards
is noticed. Therefore, it becomes necessary to study their behaviour and their adoption of
information security practices.

2.7 Information Security Policy


2.7.1 An Overview
Information security policy is a measure of the performance of both employees' work and
business objectives. Gaston (1996) defines an information security policy as: “broad guiding
statements of goals to be achieved; significantly they define and assign the responsibilities that
various departments and individuals have in achieving policy goals”.

The aspect of responsibility in the definition of IS policy is very important. In this context,
Higgins (1999) notes, “without a policy, security practices will be developed without clear
demarcation of objectives and responsibilities”. The objective of an IS policy is “to provide
management direction and support for information security” (BS 7799). Organisations should
keep reviewing their objectives for the short and long term, and these objectives should be
consistent with those advocated by many studies and researchers. For example, the literature on
IS suggests that policies should be developed from ISMS standards and guidelines (Gaskell,
2000).



Table 2.4: Select List of Literature on Policy Dimension of Information Security
Sr. no. | Research description | Authors
1. | ISP framework: Best practices for security policy in the E-commerce age | Palmer et al. (2006)
2. | ISP: development and implementation | Avinash W. Kadam (2007)
3. | ISP: An organization-level process model | Knapp et al. (2009)
4. | Information security policy compliance model | Bulgurcu et al. (2010)
5. | Analysis of information security vulnerabilities | Parsons et al. (2013)
6. | ISP: A content analysis approach | Tuyikeze and Flowerday (2014)
7. | ISP compliance model in organizations | Safa et al. (2015)
8. | ISP: Cultural aspect of study | A. Da Veiga (2015)
9. | ISP: A literature review | Noli B. Lucila Jr. (2016)
10. | ISP: The what, how and who | Flowerday and Tuyikeze (2016)
11. | ISP: A case study approach | Alqahtani et al. (2017)

A policy is typically described as a set of basic principles and guidelines, formulated and
enforced by top management of an organization in order to achieve a certain goal. Policy
prescribes the aims, objectives and the targets that need to be used to achieve the goals (Sushil et
al., 2006). Information Security Policy is an aggregate of directives, rules and practices that
prescribe how an organization manages, protects and distributes information (NIST, 2006).
Hong et al. (2006) define information security policy as the set of rules set-up for the use of
information assets and the statement set-up for the security priorities to achieve organizational
objectives.

Danchev (2003) defines information security policy as a plan, outlining what the company's
critical assets are and how they must be protected. The main purpose of IS policy is to provide
staff with a brief overview of the “acceptable use”. The use could be related to any of the
information assets, thus engaging them in securing the organisation's critical systems. In
addition, a security policy is an organization’s statement defining the rules and practices that
regulate how it will provide security (Khare and Srivastav, 2008).

The primary objective of an IS policy is to define the rights and responsibilities of various users,
so that they understand acceptable and unacceptable behavior (Hone and Eloff, 2002). A well
defined policy reduces ambiguities and highlights top management’s commitment. Diver (2006)
has given the following purposes which an information security policy should fulfil:
a) Protect people and information.
b) Set the rules for expected behavior by users, system administrators, management and
security personnel.
c) Authorize security personnel to monitor, probe and investigate.
d) Define and authorize the consequences of violation.
e) Define the company consensus baseline stance on security.
f) Help minimize risk.
g) Help track compliance with regulations and legislation.

According to ISO 27002:2005, IS policy provides management direction and support for
information security in accordance with business requirements and relevant laws and
regulations. Management should set a clear policy direction, in line with business objectives and
demonstrate support for and commitment to, information security through the issue and
maintenance of an information security policy across the organization.

The policy provides a basic framework, which must be followed by all employees. Information
security policy defines the organization's attitude to information, announces internally and
externally that information is an asset, the property of the organization, and is to be protected
from unauthorized access, modification, disclosure and destruction (Peltier et al., 2005). The
purpose of the security policy is to create a shared vision and an understanding of how various
controls will be used such that the data and information is protected in an organization (Dhillon,
2006).

2.7.2 Policy Development Process


The policy development process includes implementing business objectives, IT planning,
existing procedures, risk management planning and ensuring best practices. These are briefly
described as follows:
2.7.2.1 Business Objective: The mission of an organization is a written statement that supports
its business objectives, while the vision statement of an organization is a written statement
that supports the goals of the organization. Policies can be developed with support from the
mission, vision and strategic planning of the organization.
2.7.2.2 IT Plan: This is the planning for procurement of hardware and software as per the
requirements of current and future technologies in the organization, which supports the IS
policy development process. It also focuses on the projects which are in the pipeline.
2.7.2.3 Existing Procedures: Procedures specify how specific guidelines and standards are
actually implemented in an organisation, and in this way they support the development of IS
policies. These procedures relate either to technology or to process, and refer to specific
platforms, applications and processes.
Figure 2.10: Policy Design Process: An Organizational Perspective
(Source: Munirul Ula et al., 2011)
2.7.2.4 Risk Management: This is the process of identifying vulnerabilities in the
organization’s IS systems and taking carefully reasoned steps to ensure the confidentiality,
integrity and availability of all the components of the information systems. Without this
element an IS policy cannot be designed, and thus it has been included in the policy
development process.
2.7.2.5 Best Practices: These are the methodologies or processes adopted by an organization in
order to ensure that security measures have been correctly handled. Thus, best practices
influence the development process of IS policies.
2.7.2.6 Possible Threats: In the context of IS, a threat is an object, person or other entity that
represents a constant danger to the assets of the organization. Possible threats could be
unauthorized access, stealing of information or disclosure of information. Without
having experience of threat, it cannot
2.7.2.7 IT Assets Inventory: The basic objective of information security is to safeguard the
assets of the organization. IT assets are the hardware components, supporting software and
skilled people working in the organization.

2.7.3 Effectiveness of Information Security Policy


Effectiveness of an IS policy depends on target audience, size of the organization, level of use of
ICT, compliance and regulatory legislations, value of information being protected and also
threats to them. According to Pfleeger & Pfleeger (2003), an effective IS policy should have the
following characteristics:
Coverage: A security policy must be comprehensive. It must either apply to or explicitly
exclude all possible situations. Furthermore, a security policy may not be updated as each new
situation arises, so it must be general enough to apply naturally to new cases that occur as the
system is used in unusual or unexpected ways.
Durability: A security policy must grow and adapt well. In large measure, it will survive the
system’s growth and expansion without change. If written in a flexible way, the existing policy
will be applicable to new situations. However, there are times when the policy must change, so
the policy must be changeable when it needs to be. An important key to durability is keeping the
policy free from ties to specific data or protection mechanisms that almost certainly will change.
Realism: The policy must be realistic. That is, it must be possible to implement the stated
security requirements with existing technology. Moreover, the implementation must be
beneficial in terms of time, cost and convenience; the policy should not recommend a control
that works but prevents the system or its users from performing their activities and functions.
Usefulness: An incomplete security policy will not be implemented properly. The policy must
be written in language that can be read, understood and followed by anyone who must
implement it or is affected by it. For this reason, the policy should be succinct, clear and direct.
An IS policy must be usable, workable and realistic. Proper documentation of the policy is
important. If employees are not made aware of an organization's policy, there is a risk that it
will become a dead document rather than a dynamic and effective security management
device (Doherty & Fulford, 2005). Users cannot be held responsible for security problems if
they are not told what such security problems are and what they should do to prevent them. This
can be achieved by a suitable reward and punishment mechanism. The policy must be easily
accessible to all employees, users and other stakeholders. The threat scenario and the
information systems in organizations keep changing, so the policy must continuously evolve and
adapt to keep pace with these changes in order to maintain its effectiveness. There is no point in
an organization having a policy without a mechanism to monitor and enforce compliance with
it (Von Solms and Von Solms, 2004).

2.7.4 Standards in Policy Development


Most recent research has shown that technological measures of information security
are not enough and that there is also a need to understand the impact of human and organizational
factors (Beznosov and Beznosova, 2007; Botta et al., 2007). Appropriate management support is
needed for information security (ISO/IEC 27002, 2005). Information security includes
organizational aspects such as top management commitment, identification and classification of
information assets, providing organization and resources for information security functions,
allocation of responsibilities, laying down policies and procedures, training and awareness, and
inculcating a culture of security.

In this context, standards are important for policy development. Through standards, guidelines
and procedures, users in organisations are influenced and become motivated by the actual benefits
to them. Sometimes, however, a standard demands a high level of performance and becomes
crucial to follow. While studying the interplay among human, organizational and technological
factors, Werlinger et al. (2009) found that the organizational challenges of security have a low
priority.
2.7.5 Policy Development Issues in Indian Organisations
Many organizations today have implemented various security controls and measures to ensure
the effective working of information security (Karyda et al., 2005; Hong et al., 2006; Hagen
et al., 2008). One of the major mechanisms is the information security policy, which is a direction-
giving document for information security within an organization (Hone et al., 2002). Existing
literature suggests that the development of an information security policy is a necessary
foundation of organizational security programs in protecting them against the increasing levels
of security attacks from internal and external sources (Hong et al., 2006; Knapp et al., 2009).
However, many organizations face difficulty in putting this document together, particularly as to
what constitutes a policy and what it should look like (Hone et al., 2002; Knapp et al., 2009).
In addition, the literature suggests that the formulation of an effective security policy in an
organization is a multifaceted task (Knapp et al., 2009). Similarly, according to Karyda et al.
(2005), development of such a policy is not a straightforward task, as it depends on
many factors. Various international standards such as ISO/IEC, COBIT and BS7799 are
widely available to provide guidance and requirements for writing an effective information
security policy.

2.8 Management and Governance Approach to Resolve Information Security Concerns in Indian Organizations


The best proactive measure would be a rigorous security management process in which a PDCA
cycle is enforced. As already noted, the approach described here is based on ISO/IEC 27001, the
standard for ISMS.
Strategic level: Information security strategy; Leadership and sponsorships; Security returns
on investment; Security metric and measurement; Internal and External Auditor.
Information Security Program
Technical and Trust: Security program organization; Security policies, procedures, best
practices, standards and guidelines; Compliance; Monitoring and audit; Legal and authority;
Ethical values and conduct; Privacy.
Technical level: Asset Management; Physical and environmental Control; Technical Operations;
System Acquisition, Development and Maintenance; Incident Management; Business Continuity
Plan; Disaster Recovery Plan.
User Management
Figure 2.11: The Initial Design of the Proposed ISG Framework
In view of the above, Figure 2.11 presents the design of the proposed ISG framework. The
ISMS-based PDCA cycle consists of four phases. In the first, PLAN, phase the ISMS’s scope is
defined, the policy is developed, a risk assessment is conducted, a risk treatment strategy is
determined on the basis of that assessment, security objectives and controls are selected, and the
selected controls are justified against the risk assessment (statement of applicability).
Figure 2.12: Main components of Organization Security Level
(Source: Munirul Ula et al., 2011)
In the second phase, DO, preventive plans are implemented, security controls are actually
operated, and security incidents are promptly detected and responded to. In the third phase,
CHECK, checks are made to ensure that security controls are firmly in place and are achieving
their goals; residual risk levels are reviewed, security processes are reviewed, metrics for
evaluation are determined, and monitoring and response capacity is checked. In this phase,
learning from others such as CERT takes place, an ISMS audit is conducted, and a management
review is executed. In the last phase, ACT, actions are taken to correct, prevent and
improve (e.g. improvement of security processes, refinement of risk mitigation plans,
development of new policies and refinement of existing policies, and design and implementation
of new security controls).
The main components of organizational security level are presented in Figures 2.12 and 2.13.

Figure 2.13: High-level self-sustaining Information Security Management Framework

2.9 Research Gaps


Although a lot of research on information security, policy models and frameworks has appeared
in the last decade, most of the literature concentrates on the technical aspects of
information security. A study by Siponen et al. (2007) reveals that research on information
security has traditionally been dedicated to technological aspects and that more research on the
non-technological aspects is needed. The organizational-level information security
domain is relatively new and under-researched (Kotulic and Clark, 2004).
Kankanhalli et al. (2003) have highlighted that previous studies on information security have
focused on software for detecting information security breaches, measures for preventing
security abuses, and perception of information security adequacy. With the exception of a few
interpretive studies, these studies tend to neglect organizational factors, specifically the role and
responsibility of top management and the importance of ISO 27001 control objectives, all of
which may partially explain the extent of information security abuses.

According to ISACA, information security is not only a technical issue but also a business and
governance challenge (ISACA, 2006). Only if the areas of information security other than the
technical ones are also explored and considered can an effective policy be designed.
The management dimension of information security has been added to the literature only in the
last few years, and the organizational aspects of information security have also started receiving
attention only recently. Most of the available literature focuses on developed nations, and very
little India-specific literature and research data is available.

From the above, it has been observed that the subject of management of information security
policy in Indian organizations, in both the Government and private sectors, has not been studied
adequately, specifically from the angles of ISMS practice and IS policy implementation.
Such a study is required, and this inspired the researcher to carry out the current research in its
present form. From the literature review, it is observed that even though the factors influencing
IS policy have been presented, the impact of ISMS practice and ISP implementation has not
received adequate attention in the Indian context. As observed, there exist wide research gaps for
Indian organizations using IT or ITES regarding the cyber security environment in them, threat
perception, risk management, practices adopted to deal with cyber threats, financial losses
incurred by them, etc. Research gaps in information security policy focused on security
standards implementation in India, as compared with advanced countries, have not been studied.
There is a lack of studies in the Indian context that predict policy trends in the IS policy scenario
over the coming couple of years in the country, and in such a case adequate planning and
preparation to deal with the situation cannot be done properly in advance.

In addition to the above gaps, it has also been observed that the field of information security and
policy-related issues is complex and multi-disciplinary. The issues need a focused management
approach to manage information from all dimensions, and research must be undertaken to
ensure a proper and secure environment for an organization’s information assets
(Von Solms and Von Solms, 2004). The discipline of information security is evolving to keep
pace with new challenges of crime and emerging threats in the technologically fast-changing
environment of the Indian economy and the changes happening at organizational levels. The
dependence of national security on the protection of its critical information infrastructure, much
of which is in private hands, is increasing, and hence there is a need to evolve an assessment
framework for information security policy in Indian organizations from the national security
perspective as well. New research efforts seem to be required that minimize the gaps between
the management and technical aspects of information security (Dlamini et al., 2009). Based on
these, the current study focuses on research into information security management practice
related to threats and breaches, and analyzes policy implementation in Indian organizations. In
a nutshell, it can be said that there is a further need to conduct research on the policy aspects
of information security, particularly in the Indian context, so that India can move towards a safe,
secure and resilient information society.

2.10 Motivation for Research Study


Policy is an essential assessment tool, and organizations have been realizing the importance of
information security. India is moving ahead in its quest for development and emerging as an
economic superpower. Various organizations have adopted a policy as a tool to minimize threats
and to improve governance in public delivery systems. Focusing on India’s vision of technology
and development, through effective participation from various organizations, her dependence on
information technology is increasingly making it vulnerable to complex types of cyber security
threats if adequate measures are not taken immediately. This can only be achieved by following,
monitoring and implementing policy guidelines at various levels within the organizational
architecture. The losses due to information security breaches have become significant, forcing
organizations to take various information security measures. Research on IS policy and
organizational management-related issues of information security in Indian organizations is
beneficial for stakeholders in arriving at strategic decisions to protect the organizations from
cyber threats and crimes. In a nutshell, this study has thrown light on some of the important
issues and the framework for implementing information security policy at the organization level.
Rashmi Anand, University of Lucknow 62

2.11 Chapter Summary


The purpose of this Chapter was to explore the literature on information security, standards and
policy-related matters in a comprehensive manner. This chapter presented the literature review
and developed an understanding of the subject area of information security, policy
implementation and further development-related issues in Indian organizations. It presented
issues related to information security and policy concerns in Indian organizations in the current
environment, which were found to be rising. The scope of the literature review included the
challenges of information security and cyber security, which were found to be a common
problem faced by Indian organizations. The various issues related to information security
covered its evolution and need, principles and various components, information security in the
global context as well as in Indian organizations, cyber security breaches and threats,
international standards and their controls, and information security policy. While exploring these
dimensions of the issues, the review focused more particularly on implementing information
security policy in Indian organizations. Based on the literature review, and also on the close
relationship between the international standards, detailed literature on the control objectives of
ISO/IEC 27001:2005 was also presented.
The review presented above identifies the important decisions on securing information, regarding
content, compliance, implementation, monitoring and active support, that have to be made in
order to achieve an information security policy that is usable. The literature review also reflected
various issues: much of the existing literature in the field of information security policy
has been based largely on case studies and the prescriptions of industry "leaders". The
relationships among control variables and standards implementation for policy development in
India have not been studied. As a result, existing information security policy is less effective in
many cases. These research gaps have provided the motivation for this research.

Most Indian organizations were found to be on the learning path of adopting information
security measures in varying proportions. In this context, implementing policy for addressing
security-related challenges was found to be very important. Further, a need to explore
organizations from the angle of information security policy management was felt to be one of
the important research gaps in this field, particularly in the Indian context. Additionally, it is also
observed that the managerial, organizational and human aspects of information security, together
with the implementation of policy dimensions, have not been researched adequately. Thus it is
imperative to study the area and to investigate the relationships between IS factors, which include
the security controls of ISO, and ISMS practices and IS policy implementation in the context of
Indian organisations. Therefore, based on the literature review, it can be concluded that there is a
strong need to carry
