Organizational Security: A Conceptual Framework and Implementation Issues.

Author: Yasin, Mahmoud M.

INTRODUCTION

Recent environmental and technological changes and challenges have forced organizations to shift their organizational business model from the closed system orientation to the open system orientation. Such a shift has opened the organization to its customers, its suppliers, and even its competitors. The emerging open system organizational model presented today's organizations with many opportunities and serious concerns. In this context, the open system facilitated reaching new markets, customers and suppliers. However, with this openness different facets of organizational security presented the open system organization with serious threats.

Under the closed system organizational orientation, the focus of organizational security was mainly concerned with internal entities and functions. However, the open system organizational model required the organization to deal with security and risks from a broader perspective. Therefore, organizational security concerns and related investments should evolve to keep up with increasing openness of the organization to its environment, customers and suppliers. Figure 1 depicts the nature of the organizational shift from the closed to the open system orientation in the context of risks, goals and investments related to organizational security.

The objective of this research is to present a conceptual framework, which advocates a total organizational security approach. The implementation of such an organizational approach to security utilizes the Rapid Assessment Methodology (RAM). The organizational benefits and challenges resulting from the implementation of the advocated integrated total organizational security approach are addressed.

BACKGROUND

Organizational security can be defined in a variety of ways depending on the particular context and environment in which the organization operates (Brooks, 2010; Hesse & Smith, 2001; Morley & Vogel, 1993). For example, closed-system organizations are likely to focus on intra-organizational security systems, buttressed by intranets, to control internal sharing of information while protecting and isolating the organization from external security threats (Siegel et al., 1998). Conversely, open-system organizations will emphasize both intra- and inter-organizational security aimed at the effective sharing of internally- and externally-generated information through developing and utilizing intranet, extranet and internet technologies (Sindhuja & Kunnathur, 2015). This allows for collaboration with external partners such as suppliers and customers, enabling closer relationships with external constituencies and faster responses to changes in the supply chain. However, open-systems are more exposed to the vagaries of the external environment than closed-systems and are, therefore, likely to be subject to greater internal and external security breaches and other security challenges (McKendrick, 2012; Siegel et al., 1998; Zailani et al., 2015).

ENVIRONMENT

It must be noted, however, that organizational security involves more than just securing the organization's information. Organizations must also secure and protect their buildings and other physical structures, their processes, and any other significant organizational assets. Organizations also need to ensure the safety and security of their personnel (Karlsson et al., 2016). Information security will involve developing, procuring and securing computer servers, setting up server defenses such as encryption of data and using firewalls to fend off hacking, malware and phishing attacks by cyber criminals (Tetri & Vuorinen, 2013; Sbora, 2014; Zhang et al., 2015). Both electronic and physical defense systems such as electronic surveillance, radio-frequency identification (RFID), metal detectors and human or robotic guards can be deployed to protect personnel and physical assets.

Effective security of an organization's information, assets and people must be coordinated using an organizational security strategy advanced by top management. The distinct security objectives of the strategy must be incorporated into a holistic design of the overall security system, especially its technical and automated components. Organizational security policies will be developed to guide users and evaluators of the various components of the security system to protect these components from unauthorized use and to ensure adequate restraints against voluntarily or involuntarily contravening the security policies (Baskerville & Siponen, 2002). Adequate training on the use of the security systems and about the details of the security policies should be provided to all designated users (Hwang et al., 2017; Karlsson et al., 2016; Mubarak, 2016; Yuryna, 2017). And such training should be continuously updated to incorporate any changes in the security strategy, the security policies, the configuration of the security systems or any technological advancements (Abbas, 2011; Tsohou et al., 2015).

Among the various components of organizational security, Information Systems (IS) security has been subject to the most research endeavors. A well-designed IS provides the foundation that allows an organization to focus on information security. Information System security is a complex organizational issue which concerns the implementation of computer technology and supportive technical safeguards, but depends on human interactions to enable the attainment of that security and then contributes to security assurance. Consequently, the success of the IS security system is dependent on human interaction and the extent to which organizational personnel are willing to comply with security policies and guidelines. Human reaction is one area that cannot be designed into IS security systems, but it has the potential to be counterproductive if supporting personnel are not compliant with the security policies. In addition, as employees become more competent at computer usage there is an increasing threat of disaffected or disgruntled employees initiating insider threats to the organization (Straub & Nance, 1990; D'Arcy et al., 2009).

It has been suggested that technology, acting on its own, cannot solve the organization's need for information security (Narain Singh et al., 2014; Tang et al., 2016). The human aspect is just as important when an organization must design a secure environment for the organization's information. An employee's attitude to and compliance with organizational security policies can both negatively and positively affect the strength of the information security system. One study indicated that information security knowledge-sharing, collaboration, intervention and experience all have a significant positive effect on employees' attitude towards compliance with organizational information security policies (Safa et al., 2016). The authors also suggest that information security is not only intended to protect the information and interest of the organization, but also contributes to the effective protection of the end users' data.

Compared to closed-system organizations, those organizations with an open-systems approach typically require and use more sophisticated information systems including advanced hardware and software. One consequence of the openness offered by the evolving and more advanced information technology has been an increase in the risk of data breaches, thereby increasing the need for improved information security and a heightened emphasis on risk management (McKendrick, 2012). The likelihood that an organization can fall victim to these threats is labelled information systems risk (Straub & Welke, 1998). Information Security is implemented to protect against this risk and is concerned with protecting data and information generated by the business and its partners and also protecting the information system software. Given that a business' data and information can be considered as a vital competitive tool, an organization's Information...
