
SRM UNIVERSITY

(UNDER SECTION 3 OF UGC ACT 1956)


A PROJECT REPORT

ON
A STUDY ON EFFECTIVENESS OF INFORMATION SECURITY MANAGEMENT

Submitted in partial fulfillment of the requirements for the award of Master of Business Administration, SRM University

SUBMITTED BY
N. SHARAN KUMAR
Reg No. 3511010667

Under the Guidance of
Dr. A. Chandra Mohan
SRM School of Management Studies, Faculty of Management Studies

SRM SCHOOL OF MANAGEMENT
FACULTY OF ENGINEERING AND TECHNOLOGY
SRM UNIVERSITY, KATTANKULATHUR

MAY 2012

DECLARATION
I, N. SHARAN KUMAR, student of SRM University School of Management Studies, would like to declare that the Project entitled A STUDY ON EFFECTIVENESS OF INFORMATION SECURITY MANAGEMENT is submitted to the University School of Management Studies, Chennai in partial fulfillment of the Master of Business Administration (MBA) final year Degree course from SRM University.

REGISTERED NO: 3511010667

PLACE: Chennai DATE :

Signature

BONAFIDE CERTIFICATE

This is to certify that the Project titled A STUDY ON EFFECTIVENESS OF INFORMATION SECURITY MANAGEMENT submitted by N. SHARAN KUMAR in partial fulfillment of the requirements of the Post Graduate Degree course in Master of Business Administration (MBA) for the Academic year 2010-2012 in the subject of Finance Management is the original work of the above candidate.

Head of MBA: (Dr. Jayashree Suresh)

Faculty In-Charge: (Dr. A. Chandra Mohan)

Date: MAY 2012 Station: Chennai

EXTERNAL IN-CHARGE:

ACKNOWLEDGEMENT

I express my gratitude to Dr. Mrs. Jayashree Suresh, Dean, SRM School of Management, and Dr. A. Chandra Mohan for providing an amazing environment for me to complete this project successfully. At the outset, no words are adequate to express my sincere thanks to Mr. (Head - HR) for granting this opportunity to have a widespread view and experience in the form of project work. I thank my relatives and friends for their assurance and encouragement. I am deeply indebted to my loving parents for their endurance and perseverance during the course of my study.

ABSTRACT
Although information security has traditionally been a technological discipline, the role and function of employees is an additional important part. Users can be both a threat and a resource in information security management. On the one hand, employees can produce or ignite threats and vulnerabilities. On the other hand, they are a precondition for safe and secure operation. As a consequence, information security management of employees is an important part of the total information security management in organizations. The general aim of this study is to explore the information security management of employees. This is approached by studying: users' function in and view on information security; measures aimed at improving individual information security performance; and information security management practice in organizations. Employee participation is evaluated to be the most effective process to improve individual information security performance, but it is modestly used. An intervention study based on direct participation, dialogue and collective reflection, intended to improve individual information security awareness and behavior, showed significant improvements among participants. Employee participation is likely to improve the quality of technological and administrative security solutions; improve the usability of security technology; improve security professionals' knowledge of sharp-end information security activities; close the gap in understanding and communication between security managers and users; improve individual ownership, acceptance and motivation for information security; and ensure democratic rights that influence personal working conditions. The analysis of data was done using various statistical tools such as the Chi-square test, ANOVA, rank correlation, etc.

Among the 120 respondents, majority are satisfied that the company is using a systematic approach for the identification, assessment and management of information security risks.

TABLE OF CONTENTS
CHAPTER NO | DESCRIPTION | PAGE NO

I | INTRODUCTION
  | 1.1 Introduction | 1
  | 1.2 Industry Profile | 5
  | 1.3 Company Profile | 10
  | 1.4 Review of Literature | 14

II | MAIN THEME
  | 2.1 Research Objectives | 19
  | 2.2 Need for the study | 20
  | 2.3 Scope of the study | 21
  | 2.4 Research Problem | 22
  | 2.5 Research Methodology | 23
  | 2.6 Limitations of the study | 25

III | RESULT
  | 3.1 Data Analysis & Interpretation | 26
  | 3.2 Research Findings | 54
  | 3.3 Suggestions | 56
  | 3.4 Conclusion | 57

APPENDICES REFERENCES

CHAPTER 1

1.1 INTRODUCTION


Information security has traditionally been technology-oriented, with a large number of technological security solutions available. However, because of the widespread use of computers at both work and home; the increased connectivity and access to information; the communication channels made available by information technology; the convergence of technology; and the use of technology in new organizational forms and ways of organizing work, non-technological aspects of information security must now be considered in addition to technological aspects. This development implies that the role and function of users of information technology must be dealt with, since users can be a considerable threat to the security level as well as essential resources in preventing incidents. The general aim of the study is to explore the information security management of employees. Information security is viewed within the framework of a socio-technical system. Technological, individual and organizational attributes, and the interactions between them, all contribute to preserving information security in an organization. User performance is shaped by the organizational context: organizational members' information security behavior and awareness are created by a combination of technology, workplace conditions and formal and informal organizational factors. Employees are important resources in the information security activities of an organization. It would be naive to neglect employees as a possible malicious threat, but in principle users are not the enemies within. To make use of this resource, employee participation is regarded as an important principle in all organizational processes.

1.1.1 OVERVIEW OF ISMS

An Information Security Management System (ISMS) is a way to protect and manage information based on a systematic business risk approach, used to establish, implement, operate, monitor, review, maintain and improve information security. It is an organizational approach to information security. Information security is the protection of information to ensure:

Confidentiality: ensuring that the information is accessible only to those authorized to access it.
Integrity: ensuring that the information is accurate and complete and that it is not modified without authorization.
Availability: ensuring that the information is accessible to authorized users when required.

Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).

1.1.2 INFORMATION SECURITY MANAGEMENT SYSTEM

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems. An ISMS is a set of policies concerned with information security management or IT-related risks. The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

1.1.3 ISMS DESCRIPTION

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001 therefore incorporates the typical "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:

The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls. The Do phase involves implementing and operating the controls. The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS. In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

1.1.4 NEED FOR AN ISMS

Security experts say, and statistics confirm, that:

Information technology security administrators should expect to devote approximately one-third of their time to addressing technical aspects. The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness;
security depends on people more than on technology;
employees are a far greater threat to information security than outsiders;
security is like a chain: it is as strong as its weakest link;
the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay;
security is not a status or a snapshot but a running process.

These facts inevitably lead to the conclusion that security administration is a management issue and NOT a purely technical one.

1.2 INDUSTRY PROFILE


Introduction:
The software industry includes businesses involved in the development, maintenance and publication of computer software using any business model. The industry also includes software services, such as training, documentation, and consulting and outsourcing those business models.

History:
The word "software" had been coined as a prank by at least 1953, but did not appear in print until the 1960s. Before this time, computers were programmed either by customers or by the few commercial computer vendors of the time, such as UNIVAC and IBM. The first company founded to provide software products and services was Computer Usage Company in 1955. The software industry expanded in the early 1960s, almost immediately after computers were first sold in mass-produced quantities. Universities, government and business customers created a demand for software. Many of these programs were written in-house by full-time staff programmers. Some were distributed freely between users of a particular machine for no charge. Others were done on a commercial basis, and other firms such as Computer Sciences Corporation (founded in 1959) started to grow. The computer makers started bundling operating system software and programming environments with their machines. The industry expanded greatly with the rise of the personal computer in the mid-1970s, which brought computing to the desktop of the office worker. In subsequent years, it also created a growing market for games, applications and utilities. DOS, Microsoft's first operating system product, was the dominant operating system at the time. In the early years of the 21st century, another successful business model arose for hosted software, called software as a service, or SaaS; this was at least the third time this model had been attempted. SaaS reduces concerns about software piracy, since it can only be accessed through the Web, and by definition no client software is loaded onto the end user's PC.

Software sectors: The Global Scenario



There are several types of businesses in the software industry. Infrastructure software, including operating systems, middleware and databases, is made by companies such as Microsoft, IBM, Sybase, EMC, Oracle and VMware. Enterprise software, the software that automates business processes in finance, production, logistics, sales and marketing, is made by Oracle, SAP AG, Sage and Infor. Security software is made by the likes of Symantec, Trend Micro and Kaspersky. Several industry-specific software makers are also among the largest software companies in the world: SunGard, making software for banks; Blackboard, making software for schools; and companies like Qualcomm or Cyber Vision, making software for telecom companies. Other companies do contract programming to develop unique software for one particular client company (i.e. outsourcing), or focus on configuring and customizing suites from large vendors such as SAP or Oracle.

Leading companies: Mindshare and Marketshare


In terms of technology leadership, the software industry has long been led by IBM. However, Microsoft became the dominant PC operating system supplier. Other companies that have substantial mindshare (not marketshare) in the software industry are Sun Microsystems, the developer of the Java platform (purchased by Oracle in 2010); Red Hat, for its open source momentum; and Google, for its Google Docs. However, in terms of revenues coming from software sales, the software industry has clearly been dominated by Microsoft since its inception. Microsoft products are still sold in the largest numbers across the globe.

Size of the industry:


According to market researcher DataMonitor, the size of the worldwide software industry in 2008 was US$ 303.8 billion, an increase of 6.5% compared to 2007. Americas account for 42.6% of the global software market's value. DataMonitor forecasts that in 2013, the global software market will have a value of US$ 457 billion, an increase of 50.5% since 2008.

Software Magazine's Top 10 ranking of 2011:


1. International Business Machines
2. Oracle Corporation
3. Accenture
4. Google
5. Yahoo
6. HP
7. Symantec
8. Capgemini
9. Computer Sciences Corporation

INDIA IT INDUSTRY:
The Indian information technology (IT) industry has played a major role in placing India on the international map. The industry is mainly governed by IT software and facilities such as System Integration, Software experiments, Custom Application Development and Maintenance (CADM), network services and IT Solutions. According to Nasscom's findings, the Indian IT-BPO industry expanded by 12% during the fiscal year 2009 and attained aggregate returns of US$ 71.6 billion. Of the derived revenue, US$ 59.6 billion was earned solely by the software and services division. Moreover, the industry witnessed an increase of around US$ 7 million in FY 2008-09, i.e. US$ 47.3 billion against US$ 40.9 billion accrued in FY 2008-09.

IT Outsourcing in India:
As per NASSCOM, IT exports in business process outsourcing (BPO) services attained revenues of US$ 48 billion in FY 2008-09 and accounted for more than 77% of the entire software and services income. Over the years India has been the most favorable outsourcing hub for firms looking to offshore their IT operations. The factors behind India being a preferred destination are its reasonably priced labor, favorable business ambiance and availability of an expert workforce. Considering its escalating growth, IBM plans to increase its business process outsourcing (BPO) functions in India, besides employing a 5,000-strong workforce to assist its growth.

In the next few years, the industry is all set to witness some multi-million dollar agreements, namely:

A 5-year agreement between HCL Technologies and News Corp for administering its information centers and IT services in the UK. As per industry analysts, the pact is estimated to be in the range of US$ 200-250 million.
A US$ 50 million agreement between HCL Technologies and Meggitt, a UK-based security apparatus manufacturer, for offering engineering facilities.
Global giant Walmart has shortlisted its Indian IT dealers, namely Cognizant Technology Solutions, UST Global and Infosys Technologies, for a contract worth US$ 600 million.

India's domestic IT Market:


India's domestic IT Market over the years has become one of the major driving forces of the industry. The domestic IT infrastructure is developing contexts of technology and intensity of penetration.

In the FY 2008-09, the domestic IT sector attained revenues worth US$ 24.3 billion as compared to US$ 23.1 billion in FY 2007-08, registering a growth of 5.4%. Moreover, the increasing demand for IT services and goods by India Inc has strengthened the expansion of the domestic market with agreements worth rising up extraordinarily to US$ 100 million. By the FY 2012, the domestic sector is estimated to expand to US$ 1.7 billion against the existing from US$ 1 billion.

Government initiative in India's domestic IT Market:


The Indian government has established a National Taskforce on IT with the aim of formulating a durable National IT Policy for India.

Endorsement of the IT Act, which offers an authorized structure to assist electronic trade and electronic operations.

Major investments in India's domestic IT Market


According to the Andhra Pradesh Government, the state's SEZs and Software Technology Parks of India (STPI) will witness an investment of US$ 3.27 billion in the next few years.

VMware Inc, a San Francisco-based IT firm, is looking forward to investing US$ 100 million by 2010 in India.

EMC Corporation's total Indian assets are expected to reach US$ 2 billion by 2014.

Indian Software Industry:


The Indian Information Technology industry accounts for a 5.19% of the country's GDP and export earnings as of 2010, while providing employment to a significant number of its tertiary sector workforce. More than 2.3 million people are employed in the sector either directly or indirectly, making it one of the biggest job creators in India and a mainstay of the national economy. In 2011, annual revenues from outsourcing operations in India amounted to US$54.33 billion compared to China with $35.76 billion and Philippines with $8.85 billion. India's outsourcing industry is expected to increase to US$225 billion by 2020.

Recent trends in software Industry:


The computer software industry, unlike the more traditional manufacturing and services industries, is coping with the current gloomy economic climate as best it can by concentrating on transforming interesting ideas into novel technology, must-have applications, and competitive maneuvering against rivals. Profits may be down at the moment, but expectations, whether for companies like Microsoft, Apple and IBM or Intel, Symantec and Oracle, remain quite high. Redmond, WA-based software giant Microsoft is currently battling the European Commission over the inclusion of its Internet Explorer web browser in its operating system software.

Additional issues facing the computer software industry are piracy, a crime which may lessen once software applications are more often found and used on the Internet and are not available on individual computers; portability, the transferability of software among operating systems

Future of software industry:


Hardware, software and people are the three basic ingredients of enterprise business technology. They provide the enterprise with an economic advantage through automated and improved business processes, increased employee productivity, and more accurate and precise information. The relationship between these three components has evolved over time. In the business technology era, we predict that managing the third part of the equation, people, will emerge as the dominant focus. As software applications become business services, the cost of the human resources producing, operating and managing software will soon be prohibitive and the new focal point.


1.3 COMPANY PROFILE


Yamee Cluster

We pride ourselves especially in our ability to deliver precise solutions within the stipulated time limit and budget and to provide support after delivery. Yamee Cluster's global presence combined with its offshore delivery network delivers business and technology expertise to help organizations foster innovation and leverage leading-edge technologies for business improvement. By offering innovative yet flexible solutions combined with a solid delivery backbone, Yamee Cluster can work collaboratively with clients, thereby providing a high-value approach to your outsourcing strategy.

Mission: Our mission is to emerge and propel as an international identity on the basis of our renowned solutions, while we continue to grow. We strive to deliver excellence by:
Implementing Innovative Ideas
Delivering Cost Effective Solutions
Being a trustworthy and fair business partner
Maintaining Quality Standards

Vision: We strategize our business techniques and deliver unmatched quality solutions that exceed our customers' satisfaction. Our vision is to earn respect as an individual identity and emerge as an esteemed software service provider by:
Building and maintaining long term relationships
Delivering quality products
Providing innovative business solutions

Services offered:
Web Design, Development & Customized Web Solutions
Content Management Systems (CMS), Customer Relationship Management (CRM)
E-commerce (Shopping Cart, Payment Gateway)

Skills

Quality Promoters / ISO Certification promoting Bodies
Training & Placement Services
Bulk SMS & Bulk Email Software
Software Development: Customized Software Solutions
On-site programmers and Offshore Project Based Exclusive Programmers for Clients
UI (User Interface) Design
Graphic Design, Artworks, Logo, Vector Art, Digitizing
Animation, Flash, Game Development
Open Source Customization
Application Development: iPad, iPhone, mobile, Android & Windows Phones
Interactive Web Applications
Analytics: Web, Data, Business
Online Advertising
Database Programming

Microsoft .NET (ASP.NET, C#, VB .NET)
MySQL, MSSQL, Oracle, PostgreSQL, MS Access
AJAX, JavaScript, VBScript, jQuery
MAPI, TAPI, SAPI, HTML/DHTML, XHTML, XML/XSLT
Tomcat, Microsoft IIS, Apache, MS Exchange Server
Windows 9x/2000/CE/ME/NT/XP, Linux, FreeBSD, Symbian OS, Ubuntu
PHP Solutions, PHP5, CakePHP, Zend Framework Development
LAMP / WAMP Development
Graphic Design, Artworks, Logo, Vector Art, Digitizing
Joomla, Drupal, WordPress, Flash, Animation, CorelDraw, Photoshop
osCommerce, VirtueMart, Magento etc.

Recent Clients

www.the-village.in www.globeshine.com www.afreshtech.com

www.anupackersmovers.com www.lavinz.com www.gbtech.in www.kimsindia.com www.wintechdiamondprods.com www.graceelevators.com www.elimagchurch.com www.indomodulars.com

Our Management:

Mr. Sasi Kumar R

Founder, Managing Director

Mobile: +91-9080247659 / +91-8148232188

Past:

Manager - Business Development at Lavinz Infraa Services ICT Networks
Onsite Project Manager at The Copycat Ltd
Network & Software Support Engineer at TATA Consultancy Services

He is responsible for the overall strategy and focus of the company. He keeps up to date with the latest technological developments in the BPO industry and brings extensive management experience to YAMEE CLUSTER.

Mrs. Subhasmita Garnayak


Executive HR
Mrs. Subhasmita Garnayak is responsible for all types of HR activities.


1.4 REVIEW OF LITERATURE


INFORMATION SECURITY MANAGEMENT

Information security management (ISM) fundamentally emphasizes confidentiality (to ensure privacy of information), integrity (to ensure authorized operations on information), and availability (to ensure availability of functional systems) (Dhillon, 2007). Technical aspects of ISM include computer software and hardware control concepts such as encryption and network security (Dhillon, 2007). Non-technical aspects cover topics such as risk management, culture management, and regulatory compliance (Dhillon, 2007; Nosworthy, 2000; von Solms, 2001). As the field has grown, it has become obvious that non-technical aspects, being closely related to people's behavior, are far more challenging to manage, and more costly when they fail, than technical ones. Among the greatest risks in the field of ISM are insider threats (Humphreys, 2008; Theoharidou et al., 2005) and security awareness (Jones, 2007; Kelly, 2006; Siponen, 2000; Straub and Welke, 1998; von Solms, 2001; von Solms and von Solms, 2004). First, insider threats refer to threats originating from people who can access corporate systems and abuse such privileges for personal gain. Such misbehavior violates the security protection of the firm and leads to losses of a combination of tangible and intangible assets. Second, according to the Information Security Forum (ISF) (2005), security awareness is defined as the extent to which organizational members understand the importance of information security, the level of security required by the organization and their individual security responsibilities, and act accordingly. Many security breaches could have been prevented if people had been knowledgeable and aware of their actions. A case in point that shows how people factors are critical to ISM is the explicit inclusion of human resource security controls in ISO/IEC 27001 and 27002 (previously ISO/IEC 17799) (Humphreys, 2008; Theoharidou et al., 2005). They require that organizations establish HR practices such as conducting background and reference checks, requiring employees to sign confidentiality agreements, offering security awareness and training programs, and deleting all computer accounts associated with terminated employees. In sum, because of the significant implications of people factors for ISM, the role of human resource management must be acknowledged and strategically planned to support ISM. Rather than technology, people factors such as security awareness and insider threats are significantly more challenging to manage and are now considered more than ever to be fundamentally critical to the field of information security management (ISM) (Chang and Lin, 2007; Dhillon, 2007; Ruighaver et al., 2007; Schultz, 2004; Siponen, 2000; von Solms, 2001; von Solms and von Solms, 2004). As a result, it is unavoidable to acknowledge the potential role of human resource management (HRM) in ISM. Indeed, both the 2007 Deloitte Global Security Survey and the 2007 Ernst & Young Global Information Security Survey suggest that how an organization screens and employs people is crucial, that simple criminal background checks are not enough, and that security training and awareness programs need to be emphasized and provided, because how employees deal with information essentially represents risk. In short, since HR practices such as staffing and training appear to be pivotal to ISM, it is more critical than ever to shift the role of HRM in organizations from the traditionally passive to the strategically active. Securing infrastructure is one of the most critical issues facing business and governments worldwide today, as it becomes conventional wisdom that the health of the collective cyber community is vital to the growth and stability of the global economy.
As an outgrowth of that realization, it is becoming widely accepted that information security professionals are critical to protecting the trusted environment in which global Internet communications, instant information access, and business transactions are made possible every day.


It has become conventional wisdom among information security professionals that people are the most critical part of effectively securing an organization. From the staff accountant end user to the Board of Directors, every person involved in an organization plays a role in that organization's security. This includes having first-rate information security personnel to create policies and oversee implementation, obtaining management buy-in and support for the security program, and ensuring that employees throughout the enterprise understand, respect and evangelize security policy. Why are people so important in the security equation? They are highly unpredictable, and even the most comprehensive awareness program cannot ensure that all employees will make the right security choices 100% of the time. Consciously or not, employees are faced with decisions every hour that can impact the security of an organization's or its customers' data. The most expensive intrusion detection system in the world can be breached by an employee simply divulging their password over the phone to a company impostor. And employees take laptops home every day that may contain sensitive customer data. Technology cannot prevent or protect against human error, which is the cause of up to 42 percent of all data breaches [1]. It is only with a careful balance of people, policy and processes that an organization can effectively manage its risks. While information security professionals are obviously integral to managing an organization's risk, they alone cannot corral the human variable present in all organizations. That is why many information security professionals believe there is a critical need to partner more closely with the one department that deals exclusively with the human component of the organization: human resources.
The international standard for information security management, ISO/IEC 17799, describes information security as the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. If not mitigated, these threats can destroy a company's reputation, violate a consumer's privacy, result in the theft or destruction of intellectual property, and, in some cases, endanger lives.


Twenty years ago, the field of information security was in its infancy. Many companies did not take threats to their infrastructure seriously. For those companies that did, the majority of people responsible for protecting information assets did not have a formal background or education in the field and obtained their experience in information technology or related disciplines, transferring into information security only as the need arose. Information security professionals frequently reported to someone in IT and did not carry much weight with upper management. Today, driven by increasing regulations and the desire to maximize global commerce opportunities, protecting information assets has become one of the most important functions within any organization, public or private. For this reason, organizations increasingly rely on information security professionals to implement a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, and continually monitored, reviewed and improved to ensure that the specific security and business objectives of the organization are met. The 2006 Global Information Security Workforce Study (GISWS), sponsored by (ISC)2 [pronounced ISC-squared], reported that the number of information security professionals worldwide in 2006 was approximately 1.5 million. This figure is expected to increase to slightly more than 2 million by 2010, displaying a compound annual growth rate (CAGR) of 7.8 percent from 2005 to 2010, compared to 4.6 percent of projected growth in the number of IT employees globally in the same timeframe. After surveying more than 4,000 information security professionals worldwide, the GISWS indicated that more than 37 percent of respondents work for organizations with annual revenue of one billion or more, and more than 62 percent work for organizations with at least 1,000 employees. 
Often, information security professionals are found in the greatest numbers in organizations whose mission is to safeguard critical infrastructure, such as government defense agencies, telecommunications and the financial industry. Because the profession is still relatively new, many small to medium businesses do not have a security department at all.

A common misconception of information security is that it is a function of IT. While it may have begun in the IT department, information security is a highly specialized function, and its influence has grown exponentially in recent years as executives have seen both the necessity for and the returns on investment in information security. Today, information security professionals often have a seat in the executive boardroom, enabling them to make valuable recommendations during the earliest stages of business initiatives. Another common misconception is that the information security professional's job functions are similar to those of IT professionals. In fact, information security responsibilities can run the gamut from risk management to computer forensics. Each responsibility can require vastly different skill sets and experience beyond the bits and bytes of IT.

CHAPTER 2
MAIN THEME OF THE STUDY

2.1 RESEARCH OBJECTIVES


The main objective is to explore the information security management of employees.
To study employees' responsibility towards information security.
To study the managerial and operational functions of the information security management system.
To analyze the integration functions of the information security management system.
To analyze whether there is a common view of information security among employees and top management of a company.
To reduce the risk towards their work.

2.2 NEED FOR THE STUDY


In today's globally networked environment, the significance of information and the corresponding information systems is truly massive to users. Securing that information and incorporating it into an overall corporate or enterprise governance approach are critical. Too often, enterprise information security has been dealt with or relegated as a technology issue, with little or no consideration given to the holistic enterprise priorities and requirements. All information systems users (e.g., management, staff, business partners) need to understand their roles and responsibilities to protect the confidentiality, availability and integrity of the organization's information assets.

2.3 SCOPE OF THE STUDY



Every organizational member using a computer is a user, regardless of knowledge, skills, authority and the situation in which they use the computer. As a result there are many different kinds of users. This study concentrates on users that are employees in an organization and their use of computers when working. The studied employees have no particular information security expertise. The study examines how users operate on a daily basis in interplay with other organizational members, technology and organizational structures and norms, i.e. normal proactive operation rather than a reactive view on critical actions creating incidents. I thus assume that employees are in principle not enemies within, but rather important resources in the information security activities of an organization.

2.4 RESEARCH PROBLEM

Many companies struggle to reach a good information security level, since employees lack such training and also do not follow internal information security policies. I believe that employees and top-level management focus differently on information security issues, due to different work tasks, responsibilities and information security skills. Behaviour models covering technology, environment and people may explain how policies improve. This may cause a gap which may lead to problems such as weak password security, how to handle sensitive data properly, and how to take appropriate action in relation to this subject.

2.5 RESEARCH METHODOLOGY


AIM OF THE RESEARCH: The general aim of the study is to explore the information security management of employees.
RESEARCH AREA: The area of study covers the information security management system followed in Yamee Cluster.
RESEARCH UNIT: Yamee Cluster, Chennai.
RESEARCH APPROACH: Descriptive approach.
RESEARCH PERIOD: Two months.

DATA SOURCES
PRIMARY DATA: With the help of a structured questionnaire, the personally administered interview technique has been used for the collection of primary data from the respondents.
SECONDARY DATA: The secondary data has been collected from the company records and the website http://www.yamee.co.in/ .

RESEARCH INSTRUMENT: The questionnaire consists of open ended, dichotomous, closed ended and 3 point scaling questions.
SAMPLE UNIVERSE: 240 employees (all levels).
SAMPLE SIZE: The sample size is taken as 120.
SAMPLING METHOD: Convenient random sampling.
DATA COLLECTION METHOD: Interview.
STATISTICAL TOOLS: 1. Percentage analysis 2. Chi-square test 3. Weighted average 4. Rank correlation 5. ANOVA.

2.6 LIMITATIONS OF THE STUDY



The thesis does not deal extensively with the technological aspects of information security. However, it is difficult to avoid mentioning the technology in a mainly technological field of research and practice. The technology is important to information security and must not be forgotten, although it plays a minor part in this thesis. There are many information security means, methods and processes, which can be technological, formal or informal. This thesis concentrates on the different types of measures directed at users, i.e. those aiming at improving and maintaining the quality of users' awareness and behavior.

CHAPTER 3
3.1 DATA ANALYSIS AND INTERPRETATION

3.1.1 Distribution of respondents based on age group

Table no. 3.1.1

S.no  Employee age group  Number of respondents  Percentage of respondents
1     Up to 20            8                      6.66
2     21-30               46                     38.33
3     31-40               34                     28.33
4     41-50               21                     17.5
5     >50                 11                     9.18
      Total               120                    100

Figure 3.1.1.1 Employee age group (bar chart of the percentage of respondents per age group)

Inference: From the above table it is inferred that 40% of the employees belong to the age group 21-30 and 30% of the employees belong to the age group 31-40. It shows that the majority of the employees are in the middle-aged group.

3.1.2 Split-up of respondents based on gender

Table no. 3.1.2

S.no  Gender  Number of respondents  Percentage of respondents
1     Male    97                     80.83
2     Female  23                     19.17
      Total   120                    100

Figure 3.1.2.1 Based on gender (pie chart: Male 80.83, Female 19.17)

Inference: It is inferred that 81% of the employees are male and only 19% of them are female. It shows that the majority of employees are male.

3.1.3 Split-up of respondents based on marital status

Table no. 3.1.3

S.no  Marital status  Number of respondents  Percentage of respondents
1     Single          76                     63.33
2     Married         44                     36.67
      Total           120                    100

Figure 3.1.3.1 Based on marital status (pie chart: Single 63.33, Married 36.67)

Inference: From the above table it is inferred that 63% of the employees are single and 37% of the employees are married. It seems that the majority of the employees are single.

3.1.4 Distribution of respondents based on employees' qualification

Table no. 3.1.4

S.no  Employees' qualification  Number of respondents  Percentage of respondents
1     Graduate                  72                     60
2     Post graduate             38                     31.67
3     Others                    10                     8.33
      Total                     120                    100

Figure 3.1.4.1 Employees' qualification (bar chart of the percentage of respondents per qualification)

Inference: From the above table it is inferred that 60% of the employees are graduates and 32% of the employees are post graduates. It shows that the majority of the employees are graduates and only 8% belong to others.

3.1.5 Distribution of respondents based on length of service

Table no. 3.1.5

S.no  Length of service  Number of respondents  Percentage of respondents
1     Up to 5 yrs        63                     52.5
2     6-10 yrs           45                     37.5
3     > 10 yrs           12                     10
      Total              120                    100

Figure 3.1.5.1 Length of service (bar chart of the percentage of respondents per length of service)

Inference: It is inferred that 53% of the employees have rendered service of up to 5 years and 37% of them lie between 6-10 years of service. It shows that the majority of employees have been with the organization for a long duration.

3.1.6 Distribution of respondents based on salary

Table no. 3.1.6

S.no  Particulars    Number of respondents  Percentage of respondents
1     Up to 10,000   61                     50.83
2     11000-30000    38                     31.67
3     >30000         21                     17.5
      Total          120                    100

Figure 3.1.6.1 Respondents based on salary (bar chart of the percentage of respondents per salary band)

Inference: It is inferred that 51% of the employees obtain a salary of up to 10,000 and 32% of them obtain between 11,000 and 30,000. It shows that only a few employees obtain more than 30,000.

3.1.7 Analysis on whether the job description specifies the security responsibilities of employees

Table no. 3.1.7

S.no  Particulars  Number of respondents  Percentage of respondents
1     Yes          116                    96.67
2     No           4                      3.33
      Total        120                    100

Figure 3.1.7.1 Job description (pie chart: Yes 96.67, No 3.33)

Inference: It is inferred that 97% of the employees are aware of the job description specifying the security responsibilities and only 3% of them are unaware. It shows that the organization places great importance on specifying the security responsibilities to employees.

3.1.8 Analysis on the security education and training provided to employees

Table no. 3.1.8

S.no  Particulars  Number of respondents  Percentage of respondents
1     Agree        101                    84.16
2     Disagree     19                     15.9
      Total        120                    100

Figure 3.1.8.1 Security education and training (pie chart: Agree 84.16, Disagree 15.9)

Inference: From the above table it is inferred that 84% of the employees agree that they avail security education and training, and only 16% of the employees disagree. It seems that the majority of the employees are availing security education and training.

3.1.9 Analysis on the familiarity of information security policies among employees

Table no. 3.1.9

S.no  Particulars  Number of respondents  Percentage of respondents
1     Extremely    86                     71.67
2     Moderately   34                     28.33
3     Not at all   0                      0
      Total        120                    100

Figure 3.1.9.1 Familiarity of information security policies (bar chart of the percentage of respondents per level of familiarity)

Inference: From the above table it is inferred that 72% of the employees are extremely familiar with the information security policies and 28% of the employees are moderately familiar. It seems that the majority of the employees are familiar with the information security policies.

3.1.10 Analysis on the top management support towards information security controls

Table no. 3.1.10

S.no  Particulars        Number of respondents  Percentage of respondents
1     To a great extent  104                    86.67
2     Somewhat           12                     10
3     Very little        4                      3.33
4     Not at all         0                      0
      Total              120                    100

Figure 3.1.10.1 Top management support (bar chart of the percentage of respondents per level of support)

Inference: It is inferred that 87% of the employees are satisfied with the top management support towards information security controls and only 3% of them rate it as very little. It shows that only a few employees seek more support from top management.

3.1.11 Analysis on whether a security awareness program is provided to the employees

Table no. 3.1.11

S.no  Particulars            Number of respondents  Percentage of respondents
1     Sure to happen         51                     42.5
2     Very likely to happen  22                     18.33
3     Likely to happen       32                     26.67
4     Might happen           12                     10
5     Won't happen           3                      2.5
      Total                  120                    100

Figure 3.1.11.1 Security awareness program (bar chart of the percentage of respondents per answer)

Inference: It is inferred that 43% of the employees agreed that the security awareness program is sure to be provided to them and 27% of them answered likely to happen. It shows that there is a moderate occurrence of the security awareness program in the organization.

3.1.12 Analysis on the password management training provided to employees

Table no. 3.1.12

S.no  Particulars  Number of respondents  Percentage of respondents
1     Agree        95                     79.20
2     Undecided    20                     16.67
3     Disagree     5                      4.16
      Total        120                    100

Figure 3.1.12.1 Password management training (bar chart of the percentage of respondents per answer)

Inference: It is inferred that 79% of the employees agree that password management training is provided to them, and 17% of them are undecided. It shows that the organization has to concentrate on this issue.

3.1.13 Analysis on the co-operation on information security measures among employees

Table no. 3.1.13

S.no  Particulars    Number of respondents  Percentage of respondents  Size (count x weight)  Total score
1     Enthusiastic   35                     29.20                      35*5                   175
2     Cooperative    62                     51.67                      62*4                   248
3     Neutral        13                     10.83                      13*3                   39
4     Uncooperative  8                      6.67                       8*2                    16
5     Disruptive     2                      1.67                       2*1                    2
      Total          120                    100                                               480

Weighted average (W.A) = 480/120 = 4.0

Figure 3.1.13.1 Co-operation on information security measures (bar chart of the percentage of respondents per answer)

Inference: It is inferred that 29% of the employees are enthusiastic about the co-operation on information security measures among them and 52% of them are cooperative. Since the weighted average on the co-operation on information security measures among employees is 4, it shows a good relationship among employees.

3.1.14 Analysis on the allocation of information security roles and responsibilities

Table no. 3.1.14

S.no  Particulars  Number of respondents  Percentage of respondents  Size (count x weight)  Total score
1     Exceeded     87                     72.5                       87*4                   348
2     Met          30                     25                         30*3                   90
3     Nearly met   3                      2.5                        3*2                    6
4     Missed       0                      0                          0                      0
      Total        120                    100                                               444

Weighted average (W.A) = 444/120 = 3.7

Figure 3.1.14.1 Allocation of information security roles and responsibilities (bar chart of the percentage of respondents per answer)

Inference: From the above table it is inferred that 73% of the employees are satisfied with the allocation of information security roles and responsibilities and 25% of the employees are moderately satisfied. Since the weighted average on the allocation of information security roles and responsibilities is 3.7, it shows that the organization performs well in allocating the information security roles and responsibilities.

3.1.15 Analysis on whether any special training like psychological manipulation is provided to employees

Table no. 3.1.15

S.no  Particulars  Number of respondents  Percentage of respondents  Size (count x weight)  Total score
1     Often        29                     24.20                      29*4                   116
2     Sometimes    48                     40                         48*3                   144
3     Seldom       10                     8.33                       10*2                   20
4     Never        33                     27.5                       33*1                   33
      Total        120                    100                                               313

Weighted average (W.A) = 313/120 = 2.6

Figure 3.1.15.1 Special training (bar chart of the percentage of respondents per answer)

Inference: From the above table it is inferred that 40% of the employees agree that they avail special training sometimes and 24% of the employees agree that it is held often. Since the weighted average on special training provided to employees is 2.6, it shows that the organization should concentrate on improving the frequency of special training.

3.1.16 Analysis on whether the organization communicates policy updates regularly to employees

Table no. 3.1.16

S.no  Particulars        Number of respondents  Percentage of respondents
1     Very good          95                     79.20
2     Good               21                     17.5
3     Barely acceptable  4                      3.33
4     Poor               0                      0
5     Very poor          0                      0
      Total              120                    100

Figure 3.1.16.1 Policy updates communicated regularly (bar chart of the percentage of respondents per answer)

Inference: From the above table it is inferred that 79% of the employees agree that the organization communicates policy updates regularly to employees and 18% of the employees agree moderately. It shows the efficiency of the organization in communicating policy updates regularly to employees.

3.1.17 Analysis on regular updating of the security policy

Table no. 3.1.17

S.no  Particulars   Number of respondents  Percentage of respondents
1     Frequently    96                     80
2     Occasionally  18                     15
3     Rarely        6                      5
4     Never         0                      0
      Total         120                    100

Figure 3.1.17.1 Updating of the security policy (bar chart of the percentage of respondents per answer)

Inference: From the above table it is inferred that 80% of the employees agree that the organization regularly updates the security policy and 15% of the employees agree moderately. It shows that only a few of them opted for "rarely" regarding the updating of the security policy.

3.1.18 Analysis on whether information security is aimed more at the human or the technical side

Table no. 3.1.18

S.no  Particulars     Number of respondents  Percentage of respondents
1     Human side      59                     49.20
2     Technical side  61                     50.83
      Total           120                    100

Figure 3.1.18.1 Information security is aimed more at (pie chart: Human side 49.2 (49%), Technical side 50.83 (51%))

Inference: From the above table it is inferred that 51% of the employees agree that information security is aimed more at the technical side and 49% of the employees agree on the human side. It shows that employees lean towards the technical aspects.

3.1.19 Analysis on whether the facilities offered are adequate for a secured workstation

Table no. 3.1.19

S.no  Particulars        Number of respondents  Percentage of respondents
1     Strongly agree     29                     24.20
2     Agree              47                     39.16
3     Neutral            29                     24.20
4     Disagree           10                     8.33
5     Strongly disagree  5                      4.16
      Total              120                    100

Figure 3.1.19.1 Facilities offered are adequate for a secured workstation (bar chart of the percentage of respondents per answer)

Inference: From the above table it is inferred that 39% of the employees agree that the facilities offered are adequate for a secured workstation, 24% of the employees strongly agree and 24% of them are neutral. It shows that the organization should concentrate on this area.

3.1.20 Analysis on the regular upgradation of software by the organization

Table no. 3.1.20

S.no  Particulars        Number of respondents  Percentage of respondents
1     Strongly agree     54                     45
2     Agree              33                     27.6
3     Neutral            16                     13.33
4     Disagree           7                      5.83
5     Strongly disagree  10                     8.33
      Total              120                    100

Figure 3.1.20.1 Regular upgradation of software (bar chart; the figure labels its bars Extremely / Very / Moderately / Slightly / Not at all and shows 53.33, 27.6, 13.33 and 5.83 for the first four bars)

Inference: From the above table it is inferred that 53% of the employees agree on the regular upgradation of software by the organization, 28% of the employees agree very moderately and 16% of them agree slightly. It shows that the organization should carry out regular upgradation of software for an efficient workstation.

3.1.21 Analysis on whether security awareness is mere educating of employees rather than providing training

Table no. 3.1.21

S.no  Particulars  Number of respondents  Percentage of respondents
1     True         120                    100
2     False        0                      0
      Total        120                    100

Figure 3.1.21.1 Security awareness is mere educating (pie chart: True 100%, False 0%)

Inference: From the above table it is inferred that 100% of the employees agree that security awareness is mere educating of employees rather than providing training. It shows that employees strongly believe that security awareness is mere educating.

3.1.22 Analysis on the security awareness training provided to the employees

Table no. 3.1.22

S.no  Particulars      Number of respondents  Percentage of respondents
1     General          107                    89.20
2     Department wise  13                     10.83
      Total            120                    100

Figure 3.1.22.1 Security awareness training (pie chart: General 89%, Department wise 11%)

Inference: From the above table it is inferred that 89% of the employees stated that the security awareness training provided to the employees is general and 11% of them stated that it is department wise. It shows that the organization provides its employees with generalized training.

3.1.23 Analysis on whether the existing information security system meets the security objectives

Table no. 3.1.23

S.no  Particulars       Number of respondents  Percentage of respondents
1     One of the best   102                    85
2     Above average     18                     15
3     Average           0                      0
4     Below average     0                      0
5     One of the worst  0                      0
      Total             120                    100

Figure 3.1.23.1 Existing information security system (bar chart of the percentage of respondents per answer)

Inference: From the above table it is inferred that 85% of the employees accept that the existing information security system is one of the best and 15% of them rate it as above average. It shows that the existing information security system meets the security objectives effectively.

STATISTICAL TOOL APPLICATION

CHI-SQUARE TEST

3.1.24 FIXING THE PROBLEM ON OCCURRENCE OF SECURITY AWARENESS PROGRAM

S.no  Particulars            No. of respondents  Percentage
1.    Sure to happen         51                  42.5%
2.    Very likely to happen  22                  18.33%
3.    Likely to happen       32                  26.67%
4.    Might happen           12                  10%
5.    Won't happen           3                   2.5%

Null hypothesis H0: There is no significant difference between the occurrences of the security awareness program.
Alternative hypothesis H1: There is a significant difference between the occurrences of the security awareness program.

CHI SQUARE TEST TABLE 3.1.24

O    E    (O−E)  (O−E)²  (O−E)²/E
51   24   27     729     30.38
22   24   -2     4       0.17
32   24   8      64      2.67
12   24   -12    144     6
3    24   -21    441     18.37
                 Total   57.59

E = 120/5 = 24
χ² = Σ (O−E)²/E = 57.59
df = r − 1 = 5 − 1 = 4
The table value of χ² for 4 d.f. at the 5% level of significance = 9.49

Since the calculated value (57.59) is greater than the table value (9.49), we reject the null hypothesis. Hence it is concluded that there is a significant difference between the observed and expected values.

3.1.25 RANK CORRELATION: A comparison of the facilities offered and the upgradation of software

Table no. 3.1.25

S.no  Particulars        Facilities offered (Xi)  Rank of Xi  Upgradation of software (Yi)  Rank of Yi  Di = rank Xi − rank Yi  Di²
1     Strongly agree     29                       3.5         54                            5           -1.5                    2.25
2     Agree              47                       5           33                            4           1                       1
3     Undecided          29                       3.5         16                            3           0.5                     0.25
4     Disagree           10                       2           7                             1           1                       1
5     Strongly disagree  5                        1           10                            2           -1                      1
                                                                                                        ΣDi²                    5.5

Rank correlation can be obtained by using the formula
ρ = 1 − [6 ΣD²] / [n(n² − 1)]
  = 1 − [6(5.5)] / [5(25 − 1)]
  = 1 − 33/120
  = 1 − 0.275
  = 0.725

Remarks: The rank coefficient lies between -1 and +1 (−1 ≤ r ≤ 1).

Conclusion: Since the rank correlation between the facilities offered and the upgradation of software is positive (0.725), we conclude that the facilities offered and the upgradation of software are closely associated.

3.1.26 ANOVA table: Analysis on the effectiveness of system utilization

Table no. 3.1.26

Particulars   Significantly above (x1)  x1²    Above (x2)  x2²    Met (x3)  x3²   Below (x4)  x4²   Significantly below (x5)  x5²
Speed         23                        529    47          2209   31        961   11          121   8                         64
Storage       14                        196    48          2304   23        529   28          784   7                         49
Accuracy      25                        625    66          4356   11        121   9           81    9                         81
Diligence     63                        3969   34          1156   12        144   8           64    3                         9
Reliability   84                        7056   16          256    12        144   7           49    1                         1
Sum           Σx1 = 209                 12375  Σx2 = 211   10281  Σx3 = 89  1899  Σx4 = 63    1099  Σx5 = 28                  234

Null hypothesis (H0): There is no significant difference between the effectiveness of system utilization.
Alternative hypothesis (H1): There is a significant difference between the effectiveness of system utilization.

Calculation
Sum of all the items of the various samples T = Σx1 + Σx2 + Σx3 + Σx4 + Σx5 = 209 + 211 + 89 + 63 + 28 = 600
Correction factor T²/N = 600²/25 = 14400

Total sum of squares (SST) = Σx1² + Σx2² + Σx3² + Σx4² + Σx5² − T²/N
  = 12375 + 10281 + 1899 + 1099 + 234 − 14400
  = 11488

Sum of squares between samples (SSC) = (Σx1)²/N1 + (Σx2)²/N2 + (Σx3)²/N3 + (Σx4)²/N4 + (Σx5)²/N5 − T²/N
  = 209²/5 + 211²/5 + 89²/5 + 63²/5 + 28²/5 − 14400
  = 8736.2 + 8904.2 + 1584.2 + 793.8 + 156.8 − 14400
  = 5775.2

Sum of squares within the samples (SSE) = SST − SSC = 11488 − 5775.2 = 5712.8

Analysis of Variance Table 3.1.27

Source of variation  Sum of squares (SS)  Degrees of freedom (D.F)  Mean square                  F
Between samples      SSC = 5775.2         K − 1 = 5 − 1 = 4         MSC = SSC/(K−1) = 5775.2/4   MSC/MSE = (5775.2/4) × (21/5712.8) = 5.31
Within samples       SSE = 5712.8         N − K = 21                MSE = SSE/(N−K) = 5712.8/21
Total                SST = 11488          N − 1 = 24

Calculated value = 5.31
Table value = 2.84

Conclusion: Since the calculated value of F = 5.31 is greater than the table value F0.05 = 2.84, the null hypothesis is rejected; there is a significant difference between the effectiveness of system utilization.

3.2 RESEARCH FINDINGS

It is found that 40% of the employees belong to the age group 21-30 and 30% of the employees belong to the age group 31-40. It shows that the majority of the employees are in the middle-aged group.

It is found that 81% of the employees are male and only 19% of them are female. It shows that the majority of employees are male.

It is found that 63% of the employees are single and 37% of the employees are married. It seems that the majority of the employees are single.

It is found that 60% of the employees are graduates and 32% of the employees are post graduates.

It is found that 53% of the employees have rendered service of up to 5 years and 37% of them lie between 6-10 years of service. It shows that the majority of employees have been with the organization for a long duration.

It is found that 51% of the employees obtain a salary of up to 10,000 and 32% of them obtain between 11,000 and 30,000. It shows that only a few employees obtain more than 30,000.

It is found that 97% of the employees are aware of the job description specifying the security responsibilities; only 3% of them are unaware.

It is found that 84% of the employees agree that they avail security education and training, and only 16% of the employees disagree. It seems that the majority of the employees are availing security education and training.

It is found that 72% of the employees agree that they are familiar with the information security policies and 28% of the employees agree moderately. It seems that the majority of the employees are familiar with the information security policies.

It is found that 87% of the employees are satisfied with the top management support towards information security controls and only 3% of them rate it as very little.

It is found that 43% of the employees feel that the security awareness program is sure to be provided to them and 27% of them answered likely to happen. It shows that there is a moderate occurrence of the security awareness program in the organization.

It is found that 79% of the employees agree that password management training is provided to them, and 17% of them are undecided.

It is found that 29% of the employees are enthusiastic about the co-operation on information security measures among them and 52% of them are cooperative.

It is found that 73% of the employees are satisfied with the allocation of information security roles and responsibilities and 25% of the employees are moderately satisfied.

It is found that 40% of the employees agree that they avail special training sometimes and 24% of the employees agree that it is held often.

It is found that 79% of the employees agree that the organization communicates policy updates regularly to employees and 18% of the employees agree moderately.

It is found that 80% of the employees agree that the organization regularly updates the security policy and 15% of the employees agree moderately.

It is found that 51% of the employees agree that information security is aimed more at the technical side and 49% of the employees agree on the human side.

It is found that 39% of the employees agree that the facilities offered are adequate for a secured workstation, 24% of the employees strongly agree and 24% of them are neutral.

It is found that 53% of the employees agree on the regular upgradation of software by the organization.

It is found that 100% of the employees agree that security awareness is mere educating of employees rather than providing training.

It is found that 89% of the employees stated that the security awareness training provided to the employees is general and 11% of them stated that it is department wise.

It is found that 85% of the employees accept that the existing information security system is one of the best and 15% of them rate it as above average.

Every employee and visitor should sign and be aware of the Non-Disclosure Agreement (NDA). The security awareness training program is held twice a year. The background information of terminated employees is stored for a specified duration for future reference.

3.3 SUGGESTIONS
The organization can create a specific mechanism to assess and improve user awareness among employees, or at least maintain records of the user awareness training conducted. User awareness audits can be conducted to check the level of awareness among the employees. Whatever technical solutions have been implemented, unless user awareness is strong, it will be the biggest threat to the organization.

Business Impact Analysis (BIA) can be performed to analyze the impact on the system of various unprecedented events or incidents. Various failure scenarios and their possible business impacts are analyzed. This includes technical problems, human resources and other events.

Social engineering is a method of extracting information from people (in this case the employees) in order to intrude into the premises or network. Social engineering tests can be conducted by making telephone calls, sending emails, etc. The organization can provide special training, like psychological manipulation training, to employees.

The security awareness program can be conducted every quarter of the year featuring the following elements:
(a) Awareness is a blended solution of activities that promotes security, establishes accountability, and informs the workforce of security news.
(b) Training strives to produce relevant and needed security knowledge and skills within the workforce. Training supports competency development and helps personnel understand and learn how to perform their security role.
(c) Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and adds a multidisciplinary study of concepts, issues, and principles (technological and social).

3.4 CONCLUSION

The study has emphasized developing and applying formal systems, like security policies, procedures and controls, while awareness activities are less applied in the organizations. Technical-administrative measures (policy, procedures, control and administrative tools) are the most implemented measures, but are at the same time assessed to have lower effectiveness than awareness creation. The results indicate that in order for information security measures to become effective, security should be built like a staircase of combined measures. Therefore the establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks. Since people factors are considered more crucial than ever to the field of information security management (ISM), organizations should pay more attention to the role of human resource management (HRM). Overall, this study suggests that with a more strategically active role of HRM, through an effective combination of selection, training and pay practices, organizations not only can manage people issues in ISM more effectively, but may also be able to sustain the competitive advantage of the organization.


APPENDICES

Questionnaire

A Study on Effectiveness of Information Security Management System in Yamee Cluster.

1) Name: ____________________________________________________
2) Age: a) Up to 20 b) 21-30 c) 31-40 d) 41-50 e) > 50
3) Designation: _____________________________________________________
4) Gender: a) Male b) Female
5) Marital Status: a) Single b) Married
6) Qualification: a) 10th b) 12th c) Graduate d) Post Graduate e) Others
7) Length of Service: a) Up to 5 yrs b) 6-10 yrs c) 11-15 yrs d) 16-20 yrs e) > 20 yrs
8) Salary: a) Up to 10,000 b) 11,000-30,000 c) 31,000-50,000 d) 51,000-70,000 e) > 71,000

1) Does your job description specify the security responsibilities associated with a given job? a) Yes b) No


2) Do you receive adequate level of security education and training to reduce risk of human error? a) Agree b) Disagree

3) Are you familiar with the information security policies? a) Extremely b) Moderately c) Not at all

4) Rate the top management support towards information security controls a) To a Great Extent b) Somewhat c) Very Little d) Not at All 5) Do you have an employee security awareness training program? a) Sure to happen b) Very likely to happen d) Might happen e) Won't happen c) Likely to happen

6) Are you trained to understand the appropriate use of passwords and the need to keep passwords private? a) Agree b) Undecided c) Disagree 7) Co-operation of information security measures among employees a) Enthusiastic b) Cooperative c) Neutral

d) Uncooperative e) Disruptive 8) How well your management allocates the information security roles and responsibilities? a) Exceeded b) Met c) nearly met d) Missed

9) Do you engage in office work at home? a) Yes  b) No

10) Is security awareness training general, or specific to each department? _____________________________________________________________________

11) Does your organization provide any special training, such as training to recognise psychological manipulation (social engineering)? a) Often  b) Sometimes  c) Seldom  d) Never

12) How often is the security policy updated? a) Frequently  b) Occasionally  c) Rarely  d) Never

13) How well does the organization communicate with you regarding periodic updates of the policy and related matters? a) Very Good  b) Good  c) Barely Acceptable  d) Poor  e) Very Poor

14) Information security is aimed more at: a) The human side  b) Technical aspects

15) Do you agree that the facilities offered are adequate for a secured workstation? a) Strongly agree  b) Agree  c) Neutral  d) Disagree  e) Strongly disagree


16) Does your organization regularly upgrade its software for easy and effective utilization? a) Strongly agree  b) Agree  c) Neutral  d) Disagree  e) Strongly disagree

17) Security awareness is merely educating employees rather than providing training. a) True  b) False

18) When leaving for lunch or to take a break, how do you secure your workstation? a) Turn my monitor off  b) Log off the workstation  c) Lock the workstation by pressing Ctrl+Alt+Delete and selecting Lock computer  d) Turn the computer off  e) None of the above  f) Others ___________________________

19) A human wall is always better than a firewall. a) Definitely  b) Probably  c) Probably not

20) How well does the existing information security system meet the security objectives (Confidentiality + Integrity + Availability)? a) One of the best  b) Above average  c) Average  d) Below average  e) One of the worst

21) Effectiveness of system utilization (rate each security objective on the scale below):

Security objectives   Significantly Above   Above   Met   Below   Significantly Below
Speed
Storage
Accuracy
Diligence
Reliability


REFERENCES

Kothari, C.R. (1997). Research Methodology: Methods and Techniques, 2nd edition.
ISO/IEC 27001:2005. Information technology - Security techniques - Information security management systems - Requirements.
NIST Special Publication 800-12 (October 1995). An Introduction to Computer Security: The NIST Handbook.
Thomson, M.E. and Von Solms, R. (1998). Information security awareness: Educating your users effectively. Information Management & Computer Security.
Chang, S.E. and Ho, C.B. (2006). Organizational factors to the effectiveness of implementing information security management. Industrial Management & Data Systems.

WEBSITES:
www.managementhelp.org
www.oppapers.com
www.wikipedia.org
www.iso.org
www.yamee.co.in

