A STUDY ON EFFECTIVENESS OF INFORMATION SECURITY MANAGEMENT
Submitted in partial fulfillment of the requirements for the award of Master of Business Administration, SRM University
SUBMITTED BY N. SHARAN KUMAR, Reg No. 3511010667
Under the Guidance of Dr. A. Chandra Mohan, SRM School of Management Studies, Faculty of Management Studies
SRM SCHOOL OF MANAGEMENT, FACULTY OF ENGINEERING AND TECHNOLOGY, SRM UNIVERSITY, KATTANKULATHUR
MAY 2012
DECLARATION
I, N. SHARAN KUMAR, student of SRM University School of Management Studies, declare that the Project entitled A STUDY ON EFFECTIVENESS OF INFORMATION SECURITY MANAGEMENT is submitted to the University School of Management Studies, Chennai, in partial fulfillment of the final-year Master of Business Administration (MBA) degree course of SRM University.
Signature
BONAFIDE CERTIFICATE
This is to certify that the Project titled A STUDY ON EFFECTIVENESS OF INFORMATION SECURITY MANAGEMENT, submitted by N. SHARAN KUMAR in partial fulfillment of the requirements of the Post Graduate Degree course in Master of Business Administration (MBA) for the academic year 2010-2012 in the subject of Finance Management, is the original work of the above candidate.
(Dr. A.
EXTERNAL IN-CHARGE
ACKNOWLEDGEMENT
I express my gratitude to Dr. Mrs. Jayashree Suresh, Dean, SRM School of Management, and Dr. A. Chandra Mohan for providing an amazing environment for me to complete this project successfully. At the outset, no words are adequate to express my sincere thanks to Mr. (Head - HR) for granting this opportunity to gain a wide view and experience in the form of project work. I thank my relatives and friends for their assurance and encouragement. I am deeply indebted to my loving parents for their endurance and perseverance during the course of my study.
ABSTRACT
Although information security has traditionally been a technological discipline, the role and function of employees is an additional important part. Users can be both a threat and a resource in information security management. On the one hand, employees can produce or ignite threats and vulnerabilities. On the other hand, they are a precondition for safe and secure operation. As a consequence, information security management of employees is an important part of the total information security management in organizations. The general aim of this study is to explore the information security management of employees. This is approached by studying: users' function in and view of information security; measures aiming at improving individual information security performance; and information security management practice in organizations. Employee participation is evaluated to be the most effective process for improving individual information security performance, but is modestly used. An intervention study based on direct participation, dialogue and collective reflection, intended to improve individual information security awareness and behavior, showed significant improvements among participants. Employee participation is likely to improve the quality of technological and administrative security solutions; improve the usability of security technology; improve security professionals' knowledge of sharp-end information security activities; close the gap in understanding and communication between security managers and users; improve individual ownership, acceptance and motivation for information security; and ensure democratic rights that influence personal working conditions. The data was analysed using statistical tools such as the Chi-square test, ANOVA and rank correlation.
Among the 120 respondents, the majority are satisfied that the company uses a systematic approach to the identification, assessment and management of information security risks.
TABLE OF CONTENTS
CHAPTER NO | DESCRIPTION | PAGE NO
I | INTRODUCTION |
| 1.1 Introduction | 1
| 1.2 Industry Profile | 5
| 1.3 Company Profile | 10
| 1.4 Review of Literature | 14
II | MAIN THEME |
| 2.1 Research Objectives | 19
| 2.2 Need for the study | 20
| 2.3 Scope of the study | 21
| 2.4 Research Problem | 22
| 2.5 Research Methodology | 23
| 2.6 Limitations of the study | 25
III | RESULT |
| 3.1 Data Analysis & Interpretation | 26
| 3.2 Research Findings | 54
| 3.3 Suggestions | 56
| 3.4 Conclusion | 57
| APPENDICES |
| REFERENCES |
1.1.1 OVERVIEW OF ISMS An Information Security Management System (ISMS) is a way to protect and manage information based on a systematic business-risk approach: to establish, implement, operate, monitor, review, maintain and improve information security. It is an organizational approach to information security. Information security is the protection of information to ensure:
Confidentiality: ensuring that the information is accessible only to those authorized to access it.
Integrity: ensuring that the information is accurate and complete and that it is not modified without authorization.
Availability: ensuring that the information is accessible to authorized users when required.
Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).
1.1.2 INFORMATION SECURITY MANAGEMENT SYSTEM An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems, and consists of the set of policies concerned with information security management and IT-related risks. The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
1.1.3 ISMS DESCRIPTION As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001 therefore incorporates the typical "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:
The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls. The Do phase involves implementing and operating the controls. The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS. In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
1.1.4 NEED FOR AN ISMS Security experts say, and statistics confirm, that:
- IT security administrators should expect to devote approximately one-third of their time to technical matters; the remaining two-thirds should be spent developing policies and procedures, performing security reviews and analysing risk, addressing contingency planning and promoting security awareness;
- security depends on people more than on technology;
- employees are a far greater threat to information security than outsiders;
- security is like a chain: it is as strong as its weakest link;
- the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay;
- security is not a status or a snapshot but a running process.
These facts inevitably lead to the conclusion that security administration is a management issue and NOT a purely technical one.
History:
The word "software" had been coined as a prank by at least 1953, but did not appear in print until the 1960s. Before this time, computers were programmed either by customers or by the few commercial computer vendors of the time, such as UNIVAC and IBM. The first company founded to provide software products and services was Computer Usage Company in 1955. The software industry expanded in the early 1960s, almost immediately after computers were first sold in mass-produced quantities. Universities, government and business customers created a demand for software. Many of these programs were written in-house by full-time staff programmers. Some were distributed freely between users of a particular machine for no charge. Others were done on a commercial basis, and other firms such as Computer Sciences Corporation (founded in 1959) started to grow. The computer makers started bundling operating system software and programming environments with their machines. The industry expanded greatly with the rise of the personal computer in the mid-1970s, which brought computing to the desktop of the office worker. In subsequent years it also created a growing market for games, applications and utilities. DOS, Microsoft's first operating system product, was the dominant operating system at the time. In the early years of the 21st century another successful business model arose for hosted software, called software as a service (SaaS); this was at least the third time this model had been attempted. SaaS reduces concerns about software piracy, since the software can only be accessed through the Web and, by definition, no client software is loaded onto the end user's PC.
There are several types of businesses in the software industry. Infrastructure software, including operating systems, middleware and databases, is made by companies such as Microsoft, IBM, Sybase, EMC, Oracle and VMware. Enterprise software, the software that automates business processes in finance, production, logistics, sales and marketing, is made by Oracle, SAP AG, Sage and Infor. Security software is made by the likes of Symantec, Trend Micro and Kaspersky. Several industry-specific software makers are also among the largest software companies in the world: SunGard, making software for banks; Blackboard, making software for schools; and companies like Qualcomm or Cyber Vision, making software for telecom companies. Other companies do contract programming to develop unique software for one particular client company (i.e. outsourcing), or focus on configuring and customizing suites from large vendors such as SAP or Oracle.
INDIA IT INDUSTRY:
The Indian information technology (IT) industry has played a major role in placing India on the international map. The industry mainly comprises IT software and services such as system integration, software testing, custom application development and maintenance (CADM), network services and IT solutions. According to NASSCOM's findings, the Indian IT-BPO industry expanded by 12% during fiscal year 2009 and attained aggregate revenues of US$ 71.6 billion, of which US$ 59.6 billion was earned by the software and services division alone. Moreover, the industry's export revenue grew by around US$ 6.4 billion in FY 2008-09, to US$ 47.3 billion from US$ 40.9 billion in FY 2007-08.
IT Outsourcing in India:
As per NASSCOM, exports of IT and business process outsourcing (BPO) services attained revenues of US$ 48 billion in FY 2008-09 and accounted for more than 77% of the entire software and services income. Over the years India has been the most favourable outsourcing hub for firms looking to offshore their IT operations. The factors behind India being a preferred destination are its reasonably priced labour, favourable business environment and availability of an expert workforce. Considering its escalating growth, IBM plans to increase its business process outsourcing (BPO) functions in India and to hire 5,000 employees to support that growth.
In the next few years, the industry is set to witness some multi-million dollar agreements, namely:
- A 5-year agreement between HCL Technologies and News Corp for administering its information centres and IT services in the UK. As per industry analysts, the pact is estimated to be in the range of US$ 200-250 million.
- A US$ 50 million agreement between HCL Technologies and Meggitt, the UK-based security apparatus manufacturer, for offering engineering facilities.
- Global giant Walmart has short-listed its Indian IT vendors, namely Cognizant Technology Solutions, UST Global and Infosys Technologies, for a contract worth US$ 600 million.
In FY 2008-09, the domestic IT sector attained revenues worth US$ 24.3 billion as compared to US$ 23.1 billion in FY 2007-08, registering a growth of 5.4%. Moreover, the increasing demand for IT services and goods by India Inc has strengthened the expansion of the domestic market, with agreements worth as much as US$ 100 million. By FY 2012, the domestic sector is estimated to expand to US$ 1.7 billion from the existing US$ 1 billion.
of formatting a durable National IT Policy for India electronic trade and electronic operations.
Software Technology Parks of India (STPI) will witness an investment of US$ 3.27 billion in the next few years. VMware Inc, the San Francisco-based IT firm, is looking to invest US$ 100 million in India by 2010. EMC Corporation's total Indian assets are expected to reach US$ 2 billion by 2014.
Additional issues facing the computer software industry are piracy, a crime which may lessen as software applications are more often delivered and used over the Internet rather than installed on individual computers, and portability, the transferability of software among operating systems.
Skills
- Quality promoters / ISO certification promoting bodies
- Training & placement services
- Bulk SMS & bulk email software
- Software development: customized software solutions; on-site programmers and offshore project-based programmers; exclusive programmers for clients
- UI (user interface) design
- Graphic design, artworks, logo, vector art, digitizing
- Animation, Flash, game development
- Open source customization
- Application development: iPad, iPhone, mobile, Android & Windows Phones
- Interactive web applications
- Analytics: web, data, business
- Online advertising
- Database programming
Technologies
- Microsoft .NET (ASP.NET, C#, VB.NET)
- MySQL, MSSQL, Oracle, PostgreSQL, MS Access
- AJAX, JavaScript, VBScript, jQuery
- MAPI, TAPI, SAPI, HTML/DHTML, XHTML, XML/XSLT
- Tomcat, Microsoft IIS, Apache, MS Exchange Server
- Windows 9x/2000/CE/ME/NT/XP, Linux, FreeBSD, Symbian OS, Ubuntu
- PHP solutions: PHP5, CakePHP, Zend Framework development, LAMP / WAMP development
- Joomla, Drupal, WordPress, Flash, animation, CorelDraw, Photoshop
- osCommerce, VirtueMart, Magento, etc.
Our Management:
Mr. Sasi Kumar R
Past:
- Manager - Business Development at Lavinz Infraa Services ICT Networks
- Onsite Project Manager at The Copycat Ltd
- Network & Software Support Engineer at TATA Consultancy Services
He is responsible for the overall strategy and focus of the company. He keeps updated with the latest technological developments in BPO industry and brings in extensive management experience to YAMEE CLUSTER.
checks, requiring employees to sign a confidentiality agreement, offering security awareness and training programs, and deleting all computer accounts associated with terminated employees. In sum, because people factors have significant implications for ISM, the role of human resource management must be acknowledged and strategically planned to support ISM. Rather than technology, people factors such as security awareness and insider threats are the more challenging to manage and are now considered, more than ever, fundamentally critical to the field of information security management (ISM) (Chang and Lin, 2007; Dhillon, 2007; Ruighaver et al., 2007; Schultz, 2004; Siponen, 2000; von Solms, 2001; von Solms and von Solms, 2004). As a result, the potential role of human resource management (HRM) in ISM cannot be ignored. Indeed, both the 2007 Deloitte Global Security Survey and the 2007 Ernst & Young Global Information Security Survey suggest that how an organization screens and employs people is crucial, that simple criminal background checks are not enough, and that security training and awareness programs need to be emphasized and provided, because how employees handle information essentially represents risk. In short, since HR practices such as staffing and training appear to be pivotal to ISM, it is more critical than ever to shift the role of HRM in organizations from the traditionally passive to the strategically active. Securing infrastructure is one of the most critical issues facing businesses and governments worldwide today, as it becomes conventional wisdom that the health of the collective cyber community is vital to the growth and stability of the global economy.
As an outgrowth of that realization, it is becoming widely accepted that information security professionals are critical to protecting the trusted environment in which global Internet communications, instant information access, and business transactions are made possible every day.
It's become conventional wisdom among information security professionals that people are the most critical part of effectively securing an organization. From the staff accountant end user to the Board of Directors, every person involved in an organization plays a role in that organization's security. This includes having first-rate information security personnel to create policies and oversee implementation, obtaining management buy-in and support for the security program, and ensuring employees throughout the enterprise understand, respect and evangelize security policy. Why are people so important in the security equation? They are highly unpredictable, and even the most comprehensive awareness program cannot ensure that all employees will make the right security choices 100% of the time. Consciously or not, employees face decisions every hour that can affect the security of an organization's or its customers' data. The most expensive intrusion detection system in the world can be bypassed by an employee simply divulging their password over the phone to an impostor posing as a colleague, and employees take laptops home every day that may contain sensitive customer data. Technology cannot prevent or protect against human error, which is the cause of up to 42 percent of all data breaches [1]. Only with a careful balance of people, policy and processes can an organization effectively manage its risks. While information security professionals are obviously integral to managing an organization's risk, they alone cannot corral the human variable present in all organizations. That is why many information security professionals believe there is a critical need to partner more closely with the one department that deals exclusively with the human component of the organization: human resources.
The international standard for information security management, ISO/IEC 17799 (renumbered ISO/IEC 27002 in 2007), describes information security as the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. If not mitigated, these threats can destroy a company's reputation, violate a consumer's privacy, result in the theft or destruction of intellectual property and, in some cases, endanger lives.
Twenty years ago, the field of information security was in its infancy. Many companies did not take threats to their infrastructure seriously. For those companies that did, the majority of people responsible for protecting information assets did not have a formal background or education in the field; they obtained their experience in information technology or related disciplines and transferred into information security only as the need arose. Information security professionals frequently reported to someone in IT and did not carry much weight with upper management. Today, driven by increasing regulation and the desire to maximize global commerce opportunities, protecting information assets has become one of the most important functions within any organization, public or private. For this reason, organizations increasingly rely on information security professionals to implement a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, and continually monitored, reviewed and improved to ensure that the specific security and business objectives of the organization are met. The 2006 Global Information Security Workforce Study (GISWS), sponsored by (ISC)² (pronounced "ISC-squared"), reported that the number of information security professionals worldwide in 2006 was approximately 1.5 million. This figure is expected to increase to slightly more than 2 million by 2010, a compound annual growth rate (CAGR) of 7.8 percent from 2005 to 2010, compared to 4.6 percent projected growth in the number of IT employees globally in the same timeframe. After surveying more than 4,000 information security professionals worldwide, the GISWS indicated that more than 37 percent of respondents work for organizations with annual revenue of one billion or more, and more than 62 percent work for organizations with at least 1,000 employees.
Often, information security professionals are found in the greatest numbers in organizations whose mission is to safeguard critical infrastructure, such as government defense agencies, telecommunications and the financial industry. Because the profession is still relatively new, many small to medium businesses do not have a security department at all.
A common misconception about information security is that it is a function of IT. While it may have begun in the IT department, information security is a highly specialized function, and its influence has grown exponentially in recent years as executives have seen both the necessity for and the returns on investment in information security. Today, information security professionals often have a seat in the executive boardroom, enabling them to make valuable recommendations during the earliest stages of business initiatives. Another common misconception is that the information security professional's job functions are similar to those of IT professionals. In fact, information security responsibilities can run the gamut from risk management to computer forensics. Each responsibility can require vastly different skill sets and experience beyond the bits and bytes of IT.
CHAPTER 2
Every organizational member using a computer is a user, independent of their knowledge, skills, authority and the situation in which they use the computer. As a result there are many different kinds of users. This study concentrates on users who are employees in an organization and their use of computers at work. The studied employees have no particular information security expertise. It studies how users operate on a daily basis in interplay with other organizational members, technology, and organizational structures and norms, i.e. normal proactive operation rather than a reactive view of critical actions creating incidents. I thus assume that employees are in principle not enemies within, but rather important resources in the information security activities of an organization.
Many companies struggle to reach a good level of information security, since employees lack such training and also do not follow internal information security policy. I believe that employees and top-level management focus differently on information security issues, owing to different work tasks, responsibilities and information security skills, and that behaviour models covering technology, environment and people may explain how policies can be improved. This difference may cause a gap, which may lead to problems such as weak password security, how to handle sensitive data well, and how to take appropriate action in relation to this subject.
AIM OF THE RESEARCH: The general aim of the study is to explore the information security management of employees.
RESEARCH AREA: The area of study covers the information security management system followed in Yamee Cluster.
RESEARCH UNIT: Yamee Cluster, Chennai.
RESEARCH APPROACH: Descriptive.
RESEARCH PERIOD: Two months.
DATA SOURCES
PRIMARY DATA: Primary data was collected from respondents through personally administered interviews using a structured questionnaire.
SECONDARY DATA: Company records and the company website http://www.yamee.co.in/.
RESEARCH INSTRUMENT: The questionnaire consists of open-ended, dichotomous and closed-ended questions and 3-point scales.
SAMPLE UNIVERSE: 240 employees (all levels).
SAMPLE SIZE: 120.
SAMPLING METHOD: Convenience sampling.
DATA COLLECTION METHOD: Interview.
STATISTICAL TOOLS: 1. Percentage analysis 2. Chi-square test 3. Weighted average 4. Rank correlation 5. ANOVA.
The thesis does not deal extensively with the technological aspects of information security. However, it is difficult to avoid mentioning the technology in a mainly technological field of research and practice. Technology is important to information security and must not be forgotten, although it plays a minor part in this thesis. There are many information security means, methods and processes, which can be technological, formal or informal. This thesis concentrates on different types of measures directed at users, i.e. aiming at improving and maintaining the quality of users' awareness and behaviour.
3.1.1 Distribution of respondents based on age group
Table no. 3.1.1
S.no | Employee age group | Number of respondents | Percentage of respondents
1 | Up to 20 | 8 | 6.67
2 | 21-30 | 46 | 38.33
3 | 31-40 | 34 | 28.33
4 | 41-50 | 21 | 17.50
5 | >50 | 11 | 9.17
| Total | 120 | 100
Figure 3.1.1.1: Employee age group (bar chart of the percentages above).
Inference: From the above table it is inferred that 38% of the employees belong to the age group 21-30 and 28% to the age group 31-40. The majority of the employees are between 21 and 40 years old.
3.1.2 Split-up of respondents based on gender.
Table no. 3.1.2
S.no | Gender | Number of respondents | Percentage of respondents
1 | Male | 97 | 80.83
2 | Female | 23 | 19.17
| Total | 120 | 100
Figure: Gender (chart of the percentages above).
Inference: It is inferred that 81% of the employees are male and only 19% are female; the majority of employees are male.
3.1.3 Split-up of respondents based on marital status.
Table no. 3.1.3
S.no | Marital status | Number of respondents | Percentage of respondents
1 | Single | 76 | 63.33
2 | Married | 44 | 36.67
| Total | 120 | 100
Inference: From the above table it is inferred that 63% of the employees are single and 37% are married; the majority of the employees are single.
3.1.4 Distribution of respondents based on qualification.
Table no. 3.1.4
S.no | Employees' qualification | Number of respondents | Percentage of respondents
1 | Graduate | 72 | 60.00
2 | Post graduate | 38 | 31.67
3 | Others | 10 | 8.33
| Total | 120 | 100
Figure: Employees' qualification (bar chart of the percentages above).
Inference: From the above table it is inferred that 60% of the employees are graduates and 32% are post graduates; only 8% belong to other categories. The majority of the employees are graduates.
3.1.5 Distribution of respondents based on length of service.
Table no. 3.1.5
S.no | Length of service | Number of respondents | Percentage of respondents
1 | Up to 5 yrs | 63 | 52.50
2 | 6-10 yrs | 45 | 37.50
3 | > 10 yrs | 12 | 10.00
| Total | 120 | 100
Figure: Length of service (bar chart of the percentages above).
Inference: It is inferred that 53% of the employees have served up to 5 years and 37% between 6 and 10 years. The majority of the employees have been with the organization for five years or less, while nearly half have served longer.
3.1.6 Distribution of respondents based on salary.
Table no. 3.1.6
S.no | Particulars | Number of respondents | Percentage of respondents
1 | Up to 10,000 | 61 | 50.83
2 | 11,000-30,000 | 38 | 31.67
3 | > 30,000 | 21 | 17.50
| Total | 120 | 100
Figure 3.1.6.1: Salary distribution (bar chart of the percentages above).
Inference: It is inferred that 51% of the employees earn up to 10,000 and 32% earn between 11,000 and 30,000; only 18% earn more than 30,000.
3.1.7 Analysis on whether the job description specifies the security responsibilities of employees.
Table no. 3.1.7
S.no | Particulars | Number of respondents | Percentage of respondents
1 | Yes | 116 | 96.67
2 | No | 4 | 3.33
| Total | 120 | 100
Figure 3.1.7.1: Job description specifying security responsibilities (chart of the percentages above).
Inference: It is inferred that 97% of the employees say their job description specifies their security responsibilities; only 3% say it does not. This shows that the organization places importance on specifying security responsibilities to employees.
3.1.8 Analysis on the security education and training provided to employees
Table no. 3.1.8
S.no | Particulars | Number of respondents | Percentage of respondents
1 | Agree | 101 | 84.17
2 | Disagree | 19 | 15.83
| Total | 120 | 100
Figure 3.1.8.1: Security education and training (chart of the percentages above).
Inference: From the above table it is inferred that 84% of the employees agree that security education and training is available to them; only 16% disagree. The majority of the employees receive security education and training.
3.1.9 Analysis on the familiarity of employees with information security policies
Table no. 3.1.9
S.no | Particulars | Number of respondents | Percentage of respondents
1 | Extremely | 86 | 71.67
2 | Moderately | 34 | 28.33
| Total | 120 | 100
Figure: Familiarity with information security policies (bar chart of the percentages above).
Inference: From the above table it is inferred that 72% of the employees are extremely familiar with the information security policies and 28% are moderately familiar. The majority of the employees are familiar with the information security policies.
3.1.10 Analysis on top management support for information security controls
Table no. 3.1.10
S.no | Particulars | Number of respondents | Percentage of respondents
1 | To a great extent | 104 | 86.67
2 | Somewhat | 12 | 10.00
3 | Very little | 4 | 3.33
4 | Not at all | 0 | 0.00
| Total | 120 | 100
Inference: It is inferred that 87% of the employees say top management supports information security controls to a great extent, 10% somewhat and only 3% very little. Only a few employees seek more support from top management.
3.1.11 Analysis on whether a security awareness program is provided to the employees.
Table no. 3.1.11
S.no | Particulars | Number of respondents | Percentage of respondents
1 | Sure to happen | 51 | 42.50
2 | Very likely to happen | 22 | 18.33
3 | Likely to happen | 32 | 26.67
4 | Might happen | 12 | 10.00
5 | Won't happen | 3 | 2.50
| Total | 120 | 100
Figure 3.1.11.1: Security awareness program (chart of the percentages above).
Inference: It is inferred that 43% of the employees say a security awareness program is sure to be provided to them and a further 27% say it is likely to happen; only 2.5% say it won't happen. This shows a moderate occurrence of security awareness programs in the organization.
3.1.12 Analysis on the password management training provided to employees.
Table no. 3.1.12
S.no | Particulars | Number of respondents | Percentage of respondents
1 | Agree | 95 | 79.17
2 | Undecided | 20 | 16.67
3 | Disagree | 5 | 4.17
| Total | 120 | 100
Figure 3.1.12.1: Password management training (chart of the percentages above).
Inference: It is inferred that 79% of the employees agree that password management training is provided to them, 17% are undecided and 4% disagree. The undecided share shows that the organization has to give this issue more attention.
3.1.13 Analysis on the co-operation of employees with information security measures.
Table no. 3.1.13
S.no | Particulars | Number of respondents | Percentage of respondents | Size | Total score
1 | Enthusiastic | 35 | 29.17 | 35*5 | 175
2 | Cooperative | 62 | 51.67 | 62*4 | 248
3 | Neutral | 13 | 10.83 | 13*3 | 39
4 | Uncooperative | 8 | 6.67 | 8*2 | 16
5 | Disruptive | 2 | 1.67 | 2*1 | 2
| Total | 120 | 100 | | 480
W.A. = 480 / 120 = 4.0
Figure 3.1.13.1: Co-operation with information security measures (chart of the percentages above).
Inference: It is inferred that 29% of the employees are enthusiastic about information security measures and 52% are cooperative. Since the weighted average on co-operation with information security measures is 4.0 on a 5-point scale, this shows a good attitude among employees.
3.1.14 Analysis on the allocation of information security roles and responsibilities.

Table no. 3.1.14

S.no  Particulars  Number of respondents  Percentage of respondents  Weight  Score
1     Exceeded      87                    72.5                       4       348
2     Met           30                    25.0                       3        90
3     Nearly met     3                     2.5                       2         6
4     Missed         0                     0.0                       1         0
      Total        120                   100.0                              444

Weighted average (W.A.) = 444/120 = 3.7
Figure 3.1.14.1: Allocation of information security roles and responsibilities (percentage of respondents)
Inference: 73% of the employees rate the allocation of information security roles and responsibilities as exceeded, 25% as met and 2.5% as nearly met; nobody rated it as missed. The weighted average of 3.7 on a 1-4 scale shows that the organization performs well in allocating information security roles and responsibilities.

3.1.15 Analysis on whether any special training, such as psychological manipulation (social engineering) training, is provided to employees.

Table no. 3.1.15

S.no  Particulars  Number of respondents  Percentage of respondents  Weight  Score
1     Often         29                    24.17                      4       116
2     Sometimes     48                    40.00                      3       144
3     Seldom        10                     8.33                      2        20
4     Never         33                    27.50                      1        33
      Total        120                   100.00                              313

Weighted average (W.A.) = 313/120 = 2.6
Figure 3.1.15.1: Special training provided to employees (percentage of respondents)
Inference: 40% of the employees say that they receive special training sometimes and 24% say often, but 28% say never. The weighted average of 2.6 on a 1-4 scale shows that the organization should concentrate on increasing the frequency of special training.

3.1.16 Analysis on whether the organization communicates policy updates regularly to employees.

Table no. 3.1.16

S.no  Particulars        Number of respondents  Percentage of respondents
1     Very good           95                    79.17
2     Good                21                    17.50
3     Barely acceptable    4                     3.33
4     Poor                 0                     0.00
5     Very poor            0                     0.00
      Total              120                   100.00
Figure 3.1.16.1: Communication of policy updates to employees (percentage of respondents)
Inference: 79% of the employees rate the organization's communication of policy updates as very good and 18% as good; nobody rated it poor or very poor. This shows the organization is effective in communicating policy updates regularly to employees.

3.1.17 Analysis on the regular updating of the security policy.

Table no. 3.1.17

S.no  Particulars   Number of respondents  Percentage of respondents
1     Frequently     96                    80
2     Occasionally   18                    15
3     Rarely          6                     5
4     Never           0                     0
      Total         120                   100
Figure 3.1.17.1: Regular updating of the security policy (percentage of respondents)
Inference: 80% of the employees say that the organization updates the security policy frequently and 15% say occasionally; only 5% say rarely and nobody says never.
3.1.18 Analysis on whether information security is aimed more at the human side or the technical side.

Table no. 3.1.18

S.no  Particulars     Number of respondents  Percentage of respondents
1     Human side       59                    49.17
2     Technical side   61                    50.83
      Total           120                   100.00

Figure 3.1.18.1: Human side versus technical side (percentage of respondents)
Inference: 51% of the employees say that information security is aimed more at the technical side and 49% say the human side. With 120 respondents this is an almost even split, so the employees do not lean strongly either way; the slight edge for the technical side should not be read as a strong belief.
3.1.19 Analysis on whether the facilities offered are adequate for a secured workstation.

Table no. 3.1.19

S.no  Particulars        Number of respondents  Percentage of respondents
1     Strongly agree      29                    24.17
2     Agree               47                    39.17
3     Neutral             29                    24.17
4     Disagree            10                     8.33
5     Strongly disagree    5                     4.17
      Total              120                   100.00

Figure 3.1.19.1: Adequacy of facilities for a secured workstation (percentage of respondents)
Inference: 39% of the employees agree and 24% strongly agree that the facilities offered are adequate for a secured workstation, while 24% are neutral and 13% disagree or strongly disagree. The organization should concentrate on this area.
3.1.20 Analysis on the regular up-gradation of software by the organization.

Table no. 3.1.20

S.no  Particulars        Number of respondents  Percentage of respondents
1     Strongly agree      54                    45.00
2     Agree               33                    27.50
3     Neutral             16                    13.33
4     Disagree             7                     5.83
5     Strongly disagree   10                     8.33
      Total              120                   100.00
Figure 3.1.20.1
Inference: 45% of the employees strongly agree and 28% agree that the organization regularly upgrades its software, while 13% are neutral and 14% disagree or strongly disagree. The organization should keep up regular software up-gradation: it keeps the workstation efficient and also keeps known vulnerabilities patched.

3.1.21 Analysis on whether security awareness is merely educating employees rather than providing training.

Table no. 3.1.21

S.no  Particulars  Number of respondents  Percentage of respondents
1     True          120                   100
2     False           0                     0
      Total         120                   100

Figure 3.1.21.1: Security awareness as education rather than training (percentage of respondents)
Inference: all 120 employees (100%) answered True, i.e. that security awareness is merely educating employees rather than providing training. It shows that the employees strongly hold this view and do not distinguish awareness from training.
3.1.22 Analysis on the kind of security awareness training provided to the employees.

Table no. 3.1.22

S.no  Particulars      Number of respondents  Percentage of respondents
1     General           107                   89.17
2     Department-wise    13                   10.83
      Total             120                  100.00

Figure 3.1.22.1: Kind of security awareness training (percentage of respondents)
Inference: 89% of the employees report that the security awareness training provided to them is general and 11% report that it is department-wise. It shows that the organization provides its employees with generalized training.
3.1.23 Analysis on how well the existing information security system meets the security objectives.

Table no. 3.1.23

S.no  Particulars       Number of respondents  Percentage of respondents
1     One of the best    102                   85
2     Above average       18                   15
3     Average              0                    0
4     Below average        0                    0
5     One of the worst     0                    0
      Total              120                  100
Figure 3.1.23.1
Inference: 85% of the employees rate the existing information security system as one of the best and 15% as above average; nobody rated it average or below. It shows that, in the employees' own assessment, the existing information security system meets the security objectives (confidentiality, integrity and availability) effectively. This is a self-assessment by the employees, not an audit result.
3.1.24 CHI-SQUARE TEST: SECURITY AWARENESS PROGRAM

Observed frequencies (from Table 3.1.11):

S.no  Particulars            No. of respondents  Percentage
1     Sure to happen          51                  42.50%
2     Very likely to happen   22                  18.33%
3     Likely to happen        32                  26.67%
4     Might happen            12                  10.00%
5     Won't happen             3                   2.50%
      Total                  120                 100.00%
Null hypothesis H0: The responses on the occurrence of the security awareness program are evenly distributed over the five categories (no significant difference between observed and expected frequencies).
Alternative hypothesis H1: The responses are not evenly distributed over the five categories (there is a significant difference between observed and expected frequencies).

CHI-SQUARE TEST, TABLE 3.1.24

  O     E    (O-E)   (O-E)^2   (O-E)^2/E
 51    24     27      729       30.38
 22    24     -2        4        0.17
 32    24      8       64        2.67
 12    24    -12      144        6.00
  3    24    -21      441       18.38
                                 57.58

Expected frequency E = 120/5 = 24
Chi-square = Σ(O-E)^2/E = 57.58
d.f. = r - 1 = 5 - 1 = 4
Table value of chi-square for 4 d.f. at the 5% level of significance = 9.49
Since the calculated value (57.58) is greater than the table value (9.49), the null hypothesis is rejected. Hence it is concluded that there is a significant difference between the observed and expected values, i.e. the responses are not spread evenly over the five categories.
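As an added worked example (not part of the original report), the following Python recomputes the chi-square goodness-of-fit test above from the five observed counts of Table 3.1.11, derives the 5% table value for 4 d.f. instead of reading it from a table, and reports the p-value. The closed-form survival function for even degrees of freedom is an addition of this example. Note what the test does and does not establish: rejecting H0 only says the five answer categories are not equally frequent; it says nothing by itself about whether the awareness program is effective.

```python
import math

# Observed responses on the security awareness program (Table 3.1.11 of the report):
# Sure to happen, Very likely to happen, Likely to happen, Might happen, Won't happen.
OBSERVED = [51, 22, 32, 12, 3]


def chi_square_gof(observed, expected=None):
    """Pearson chi-square goodness-of-fit statistic and its degrees of freedom.

    Without explicit expected counts the test is against a uniform distribution,
    E = N / k for every category, exactly as the hand calculation above does it.
    """
    n = sum(observed)
    k = len(observed)
    if expected is None:
        expected = [n / k] * k
    if abs(sum(expected) - n) > 1e-9:
        raise ValueError("expected counts must sum to the observed total")
    if any(e <= 0 for e in expected):
        raise ValueError("expected counts must be positive")
    stat = sum((o - e) ** 2 / e for o, e in zip(observed, expected))
    return stat, k - 1


def chi_square_sf(x, df):
    """Upper-tail probability P(X > x) for a chi-square variable with even df.

    For even df = 2m the survival function has the closed form
    exp(-x/2) * sum_{i<m} (x/2)^i / i!, so no scipy is needed.
    """
    if df <= 0 or df % 2 != 0:
        raise ValueError("closed form implemented for even positive df only")
    m = df // 2
    half = x / 2.0
    return math.exp(-half) * sum(half ** i / math.factorial(i) for i in range(m))


def critical_value(df, alpha=0.05, tol=1e-6):
    """Table value: invert the survival function by bisection (sf is decreasing in x)."""
    lo, hi = 0.0, 1000.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if chi_square_sf(mid, df) > alpha:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    stat, df = chi_square_gof(OBSERVED)
    crit = critical_value(df)
    print(f"chi-square = {stat:.2f}, df = {df}, table value = {crit:.2f}, "
          f"p = {chi_square_sf(stat, df):.2e}")
    print("reject H0" if stat > crit else "do not reject H0")
```

Running it reproduces the report's figures (statistic 57.58, table value 9.49 for 4 d.f.) and shows a p-value far below 0.05.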
RANK CORRELATION TEST (facilities offered, Table 3.1.19, versus up-gradation of software, Table 3.1.20)

r = 1 - 6Σd^2 / n(n^2 - 1), with n = 5 and Σd^2 = 5.5
  = 1 - {6(5.5) / 5(25 - 1)}
  = 1 - {33/120}
  = 1 - 0.275
  = 0.725

Remarks: The rank coefficient lies between -1 and +1 (-1 ≤ r ≤ +1).
Conclusion: Since the rank correlation between the facilities offered and the up-gradation of software is positive (r = 0.725), the employees' responses on the two items move together: the categories chosen most often for one item are also the ones chosen most often for the other.
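Added example, not from the original report: the rank correlation above recomputed in Python from the response counts of Tables 3.1.19 (facilities) and 3.1.20 (software up-gradation). With those two tables Σd^2 works out to 5.5, matching the hand calculation. The tie in the facilities column (29 appears twice) is handled with average ranks; the report's formula omits the tie correction, and so does this code, so that it reproduces the report's figure.

```python
# Response counts for the five Likert categories, in the order strongly agree,
# agree, neutral, disagree, strongly disagree, taken from the report's tables.
FACILITIES = [29, 47, 29, 10, 5]   # Table 3.1.19: facilities adequate for a secured workstation
UPGRADES = [54, 33, 16, 7, 10]     # Table 3.1.20: regular up-gradation of software


def average_ranks(values):
    """Rank values 1..n with the largest value ranked 1; tied values share the
    mean of the ranks they occupy (29 appears twice in FACILITIES)."""
    order = sorted(range(len(values)), key=lambda i: values[i], reverse=True)
    ranks = [0.0] * len(values)
    pos = 0
    while pos < len(order):
        end = pos
        while end + 1 < len(order) and values[order[end + 1]] == values[order[pos]]:
            end += 1
        mean_rank = ((pos + 1) + (end + 1)) / 2.0   # ranks are 1-based
        for j in range(pos, end + 1):
            ranks[order[j]] = mean_rank
        pos = end + 1
    return ranks


def spearman(x, y):
    """Spearman rank correlation r = 1 - 6*sum(d^2) / (n*(n^2 - 1)).

    Returns (r, sum of d^2). As in the report, no tie correction is applied,
    so with ties present r is an approximation of the Pearson correlation of ranks.
    """
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("need two series of equal length >= 2")
    n = len(x)
    d2 = sum((a - b) ** 2 for a, b in zip(average_ranks(x), average_ranks(y)))
    return 1 - 6 * d2 / (n * (n * n - 1)), d2


if __name__ == "__main__":
    r, d2 = spearman(FACILITIES, UPGRADES)
    print(f"n = {len(FACILITIES)}, sum d^2 = {d2}, r = {r:.3f}")
```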
ANALYSIS OF VARIANCE (ANOVA): EFFECTIVENESS OF SYSTEM UTILIZATION

Data (five samples of five observations each):

                  x1      x2      x3      x4      x5
                  23      47      31      11       8
                  14      48      23      28       7
                  25      66      11       9       9
                  63      34      12       8       3
                  84      16      12       7       1
Σx               209     211      89      63      28
Σx^2           12375   10281    1899    1099     204
Null hypothesis (H0): There is no significant difference between the five samples in the effectiveness of system utilization.
Alternative hypothesis (H1): There is a significant difference between the five samples in the effectiveness of system utilization.

Calculation
Sum of all the items of the five samples: T = Σx1 + Σx2 + Σx3 + Σx4 + Σx5 = 209 + 211 + 89 + 63 + 28 = 600, N = 25, correction factor T^2/N = 360000/25 = 14400
Total sum of squares (SST) = Σx1^2 + Σx2^2 + Σx3^2 + Σx4^2 + Σx5^2 - T^2/N = 12375 + 10281 + 1899 + 1099 + 204 - 14400 = 11458
Sum of squares between samples (SSC) = (Σx1)^2/n1 + (Σx2)^2/n2 + (Σx3)^2/n3 + (Σx4)^2/n4 + (Σx5)^2/n5 - T^2/N = 209^2/5 + 211^2/5 + 89^2/5 + 63^2/5 + 28^2/5 - 14400 = 8736.2 + 8904.2 + 1584.2 + 793.8 + 156.8 - 14400 = 5775.2
Sum of squares within samples (SSE) = SST - SSC = 11458 - 5775.2 = 5682.8

Analysis of Variance Table 3.1.27

Source of variation  Sum of squares (SS)  Degrees of freedom (d.f.)  Mean square                  F
Between samples      SSC = 5775.2         k - 1 = 5 - 1 = 4          MSC = SSC/(k-1) = 1443.80    F = MSC/MSE = 1443.80/284.14 = 5.08
Within samples       SSE = 5682.8         N - k = 25 - 5 = 20        MSE = SSE/(N-k) = 284.14
Total                SST = 11458          N - 1 = 24

Conclusion: Since the calculated value F = 5.08 is greater than the table value F0.05(4, 20) = 2.87, the null hypothesis is rejected: there is a significant difference between the five samples in the effectiveness of system utilization.
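Added example, not from the original report: a one-way ANOVA over the 5x5 data above, using the same shortcut sums of squares as the hand calculation, so every intermediate (SST, SSC, SSE, the mean squares and F) can be checked against it. The F table value and p-value are derived from the incomplete-beta identity for even degrees of freedom, which is an addition of this example (the report reads the table value). What the five columns measure is not stated in the report and is not assumed here.

```python
import math

# Five samples of five observations each, reproduced from the report's ANOVA data.
SAMPLES = [
    [23, 14, 25, 63, 84],   # x1
    [47, 48, 66, 34, 16],   # x2
    [31, 23, 11, 12, 12],   # x3
    [11, 28, 9, 8, 7],      # x4
    [8, 7, 9, 3, 1],        # x5
]


def one_way_anova(samples):
    """One-way ANOVA with the report's shortcut formulas.

    SST = sum(x^2) - T^2/N, SSC = sum((sum x_i)^2 / n_i) - T^2/N, SSE = SST - SSC,
    F = (SSC/(k-1)) / (SSE/(N-k)). Every intermediate is returned so it can be
    compared with the hand calculation line by line.
    """
    k = len(samples)
    n_total = sum(len(s) for s in samples)
    if k < 2 or n_total <= k:
        raise ValueError("need at least two samples and more observations than samples")
    grand_total = sum(sum(s) for s in samples)
    correction = grand_total ** 2 / n_total
    sst = sum(v * v for s in samples for v in s) - correction
    ssc = sum(sum(s) ** 2 / len(s) for s in samples) - correction
    sse = sst - ssc
    df_between, df_within = k - 1, n_total - k
    msc, mse = ssc / df_between, sse / df_within
    return {"T": grand_total, "N": n_total, "SST": sst, "SSC": ssc, "SSE": sse,
            "df_between": df_between, "df_within": df_within,
            "MSC": msc, "MSE": mse, "F": msc / mse}


def f_sf(f, df1, df2):
    """P(F > f) for an F(df1, df2) variable when both df are even.

    P(F > f) = I_x(df2/2, df1/2) with x = df2 / (df2 + df1 * f); for integer a, b
    the regularized incomplete beta is a binomial tail:
    I_x(a, b) = sum_{j=a}^{a+b-1} C(a+b-1, j) x^j (1-x)^(a+b-1-j).
    """
    if df1 <= 0 or df2 <= 0 or df1 % 2 or df2 % 2:
        raise ValueError("closed form implemented for even positive df only")
    a, b = df2 // 2, df1 // 2
    x = df2 / (df2 + df1 * f)
    n = a + b - 1
    return sum(math.comb(n, j) * x ** j * (1 - x) ** (n - j) for j in range(a, n + 1))


def f_critical(df1, df2, alpha=0.05, tol=1e-6):
    """Table value F_alpha(df1, df2), found by bisection (f_sf is decreasing in f)."""
    lo, hi = 0.0, 1000.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if f_sf(mid, df1, df2) > alpha:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    res = one_way_anova(SAMPLES)
    d1, d2 = res["df_between"], res["df_within"]
    crit = f_critical(d1, d2)
    print(f"SST = {res['SST']:.1f}, SSC = {res['SSC']:.1f}, SSE = {res['SSE']:.1f}")
    print(f"F({d1},{d2}) = {res['F']:.2f}, table value = {crit:.2f}, "
          f"p = {f_sf(res['F'], d1, d2):.4f}")
    print("reject H0" if res["F"] > crit else "do not reject H0")
```

The within-samples degrees of freedom come out as N - k = 25 - 5 = 20, and the 5% table value for F(4, 20) is 2.87; the conclusion (reject H0) is the same as the report's.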
3.2 RESEARCH FINDINGS
It is found that 40% of the employees belong to the age group 21-30 and 30% to the age group 31-40, so the majority (70%) of the employees are between 21 and 40 years of age.
It is found that 81% of the employees are male and only 19% are female, so the majority of the employees are male.
It is found that 63% of the employees are single and 37% are married, so the majority of the employees are single.
It is found that 60% of the employees are graduates and 32% are postgraduates.
It is found that 53% of the employees have up to 5 years of service and 37% have 6-10 years, so the majority of the employees have been with the organization for five years or less.
It is found that 51% of the employees earn a salary of up to 10,000 and 32% earn between 11,000 and 30,000, so only a few employees earn more than 30,000.
It is found that 97% of the employees are aware that their job description specifies their security responsibilities; only 3% are unaware.
It is found that 84% of the employees agree that they receive security education and training and only 16% disagree, so the majority of the employees receive security education and training.
It is found that 72% of the employees are extremely familiar with the information security policies and 28% are moderately familiar, so the majority of the employees are familiar with the policies.
It is found that 87% of the employees are satisfied with top management support towards information security controls and only 3% rate it as very little.
It is found that 43% of the employees feel that a security awareness program is sure to be provided to them and 27% feel it is likely to be, which shows a moderate occurrence of security awareness programs in the organization.
It is found that 79% of the employees agree that password management training is provided to them and 17% are undecided.
It is found that 29% of the employees are enthusiastic about co-operating with the information security measures and 52% are cooperative.
It is found that 73% of the employees rate the allocation of information security roles and responsibilities as exceeded and 25% as met.
It is found that 40% of the employees receive special training sometimes, 24% often and 28% never.
It is found that 79% of the employees rate the organization's communication of policy updates as very good and 18% as good.
It is found that 80% of the employees say the organization updates the security policy frequently and 15% say occasionally.
It is found that 51% of the employees say that information security is aimed more at the technical side and 49% say the human side, an almost even split.
It is found that 39% of the employees agree that the facilities offered are adequate for a secured workstation, 24% strongly agree and 24% are neutral.
It is found that 45% of the employees strongly agree and 28% agree that the organization regularly upgrades its software.
It is found that 100% of the employees agree that security awareness is merely educating employees rather than providing training.
It is found that 89% of the employees report that the security awareness training provided to them is general and 11% report that it is department-wise.
It is found that 85% of the employees rate the existing information security system as one of the best and 15% as above average.
Every employee and visitor should sign, and be made aware of, a Non-Disclosure Agreement (NDA). The security awareness training program is held twice a year. The background information of terminated employees is stored for a specified duration for future reference.
3.3 SUGGESTIONS
The organization can create a specific mechanism to assess and improve user awareness among employees, or at least maintain records of the user awareness training conducted. User awareness audits can be conducted to check the level of awareness among the employees. Whatever technical solutions have been implemented, unless user awareness is strong it will remain the biggest threat to the organization.
A Business Impact Analysis (BIA) can be performed to analyze the impact on the system of various unprecedented events or incidents. Various failure scenarios and their possible business impacts are analyzed, including technical problems, human resources and other events.
Social engineering is a method of extracting information from people (in this case the employees) in order to intrude into the premises or the network. Social engineering tests can be conducted by making telephone calls, sending emails, etc. The organization can provide special training, such as psychological manipulation (social engineering) training, to employees.
The security awareness program can be conducted every quarter of the year, featuring the following elements:
(a) Awareness is a blended solution of activities that promotes security, establishes accountability, and informs the workforce of security news.
(b) Training strives to produce relevant and needed security knowledge and skills within the workforce. Training supports competency development and helps personnel understand and learn how to perform their security role.
(c) Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and adds a multidisciplinary study of concepts, issues, and principles (technological and social).
3.4 CONCLUSION
The study has emphasized developing and applying formal systems, like security policies, procedures and controls, while awareness activities are applied less in organizations. Technical-administrative measures (policy, procedures, controls and administrative tools) are the most implemented measures, but are at the same time assessed to be less effective than awareness creation. The results indicate that, for information security measures to become effective, security should be built like a staircase of combined measures. The establishment, maintenance and continuous updating of an ISMS therefore provide a strong indication that a company is using a systematic approach to the identification, assessment and management of information security risks. Since people factors are considered more crucial than ever in the field of information security management (ISM), organizations should pay more attention to the role of human resource management (HRM). Overall, this study suggests that with a more strategically active role for HRM, through an effective combination of selection, training and pay practices, organizations can not only manage the people issues in ISM more effectively but may also sustain their competitive advantage.
APPENDICES

Questionnaire

A Study on Effectiveness of Information Security Management System in Yamee Cluster.

1) Name: ____________________________________________________
2) Age: a) Up to 20 b) 21-30 c) 31-40 d) 41-50 e) > 50
3) Designation: _____________________________________________________
4) Gender: a) Male b) Female
5) Marital Status: a) Single b) Married
6) Qualification: a) 10th b) 12th c) Graduate d) Post Graduate e) Others
7) Length of Service: a) Up to 5 yrs b) 6-10 yrs c) 11-15 yrs d) 16-20 yrs e) > 20 yrs
8) Salary: a) Up to 10,000 b) 11,000-30,000 c) 31,000-50,000 d) 51,000-70,000 e) > 71,000

1) Does your job description specify the security responsibilities associated with a given job? a) Yes b) No
2) Do you receive an adequate level of security education and training to reduce the risk of human error? a) Agree b) Disagree
3) Are you familiar with the information security policies? a) Extremely b) Moderately c) Not at all
4) Rate the top management support towards information security controls: a) To a great extent b) Somewhat c) Very little d) Not at all
5) Do you have an employee security awareness training program? a) Sure to happen b) Very likely to happen c) Likely to happen d) Might happen e) Won't happen
6) Are you trained to understand the appropriate use of passwords and the need to keep passwords private? a) Agree b) Undecided c) Disagree
7) Co-operation of information security measures among employees: a) Enthusiastic b) Cooperative c) Neutral d) Uncooperative e) Disruptive
8) How well does your management allocate the information security roles and responsibilities? a) Exceeded b) Met c) Nearly met d) Missed
a) Yes b) No
10) Is the security awareness training general or specified department-wise? _____________________________________________________________________
11) Does your organization provide any special training, like psychological manipulation training and so on? a) Often b) Sometimes c) Seldom d) Never
12) How often is the security policy updated? a) Frequently b) Occasionally c) Rarely d) Never
13) How well is the organization communicating with you regarding periodic updating of policy and other things? a) Very good b) Good c) Barely acceptable d) Poor e) Very poor
14) Information security is aimed more at: a) Human side b) Technical aspects
15) Do you agree that the facilities offered are adequate for a secured workstation? a) Strongly agree b) Agree c) Neutral d) Disagree e) Strongly disagree
16) Does your organization regularly upgrade the software for easy and effective utilization? a) Strongly agree b) Agree c) Neutral d) Disagree e) Strongly disagree
17) Security awareness is mere educating employees rather than providing training: a) True b) False
18) When leaving for lunch or to take a break, how do you secure your workstation? a) Turn my monitor off b) Log off the workstation c) Lock the workstation by pressing Ctrl+Alt+Delete and selecting Lock Computer d) Turn the computer off e) None of the above f) Others ___________________________
19) A human wall is always better than a firewall: a) Definitely b) Probably c) Probably not
20) How well does the existing information security system meet the security objectives (Confidentiality + Integrity + Availability)? a) One of the best b) Above average c) Average d) Below average e) One of the worst
Significantly above / Above / Met / Below / Significantly below
REFERENCES

Kothari, C.R. (1997). Research Methodology: Methods and Techniques, 2nd edition.
ISO/IEC 27001:2005. Information technology - Security techniques - Information security management systems - Requirements.
NIST Special Publication 800-12 (October 1995). An Introduction to Computer Security: The NIST Handbook.
Thomson, M.E. and von Solms, R. (1998). Information security awareness: Educating your users effectively. Information Management & Computer Security.
Chang, S.E. and Ho, C.B. (2006). Organizational factors to the effectiveness of implementing information security management. Industrial Management & Data Systems.