2. BACKGROUND OF THE STUDY Perceptions about Information Security

The term information security is open to many definitions. The leading reference on the subject, the BS 79 (2002, p3), defined it simply as “the security preservation of confidentiality, integrity and availability of information”. ISO/IEC 17799 (2005) extends this: “Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved”. The Canadian Communication Security Establishment gives a more elaborate definition: “The application of security measures and safeguards to protect all types of information, processed in any form or operational environment. This includes the handling, storage, manipulation, distribution of information processed on paper, in electronic or other technical forms, or verbally” (CCSE, 1996, p100). Hence, collectively in this study, information security is defined as any technical methods and managerial processes applied to the information resources (hardware, software and data) to keep organisational assets and personal privacy assured of their confidentiality, integrity and availability.

It is relevant to highlight certain preliminary perceptions, or rather misconceptions, organisations have regarding the information security discipline. Firstly, organisations tend to spend money to solve information security problems with the belief that they can buy information security (Jenkins, 2003). However, Sommer (2003) believes that information security does not exist in a box by itself and that consequently, organisations will have to be concerned with information security not as a product but as a process. Secondly, organisations would like to believe that for every security problem there is a technological solution. They therefore believe that technical products will solve all their information security problems. Consequently, organisations take a piecemeal approach to information security, placing a wholly inappropriate degree of reliance on technology.

Volume 1, Number 1

The problem, however, lies in that if security is conceived as principally a technological problem, the focus is drawn away from the other two equally important components of information security, namely physical security and non-technological/procedural security. It must be realised that information security is a holistic discipline of which no one component may be ignored (Baskerville, 1998).

Thirdly, organisations believe that because they do not do anything that makes them a target, they are safe (Marsh, 2003). However, organisations need to realise that they do not have to do anything, or be someone, before falling victim to an attack. In the cyber realm, mounting evidence indicates that attackers, be they mischievous or malicious in nature, do not need a reason to attack (Scheneir, 2002; Berinato, 2003). Finally, because they have not yet fallen victim to an attack, organisations are under the impression that they have effective security measures in place to adequately protect their information assets. There is, however, a flaw in their reasoning, as most organisations do not audit changes in their systems and/or applications (Scheneir, 2002). Therefore, they would not know if something has been changed or modified. Even those organisations feeling confident that they would be able to detect a security breach or incident must answer questions such as ‘When will the organisation be able to detect the attack? Is it during the attack, afterwards, and how long afterwards?’ or ‘Could the organisation measure the impact of the attack?’ The mere fact that the organisation’s information system has not yet been compromised does not mean that the organisation has good security measures in place; it simply means that it may have been lucky thus far. Bhaskar (1993) said that most information systems are in fact highly vulnerable and can only be termed as secure in the sense that they have not been challenged or compromised yet.
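The point that an organisation which does not audit changes cannot know whether something has been modified can be made concrete with a minimal change-audit routine. The following Python script is an added illustration, not part of the original study or of any cited work: it records a baseline of file digests for a directory tree, recomputes it later, and reports what was added, removed or modified. The directory contents and file names used in the demonstration are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256"):
    """Return the hex digest of a file, reading it in chunks so large files are fine."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            baseline[rel] = file_digest(p)
    return baseline


def compare_baselines(old, new):
    """Diff two baselines: files that appeared, disappeared, or changed content."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, make three kinds of change, audit them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        # Constructed sample files standing in for a config file and a binary.
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF-placeholder")

        before = build_baseline(root)

        # Changes an unaudited organisation would never notice.
        (root / "etc" / "app.conf").write_text("debug=true\n")   # modified
        (root / "bin" / "helper").write_bytes(b"dropped-in")       # added
        (root / "bin" / "service").unlink()                        # removed

        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline would be stored somewhere the monitored system cannot rewrite (a separate host or a signed record), and the comparison run on a schedule, so that the answer to “when will the organisation detect the change?” becomes “within one audit interval” rather than “never”.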