An Integrated Framework for Information Security Management
- ISSN: 00346454
Abstract
Today information assets face more potential security breaches than at any time in history. To help mitigate the effect of the threats, information security management (ISM) is a very important part of a successful organization's strategic plan. Unfortunately, there is a lack of experts qualified to address the area of IT security. The authors propose an integrated framework for ISM, in which it is conceptualized as a continuous decision-making process. ISM is more about the operating procedures and processes in which crucial components such as organizational infrastructure, human factors and information security practices are all involved. Researchers find that despite the seriousness of the nature and scope of the security threats posed by the environment, many organizations are under-prepared or completely unprepared to mitigate the threats. The framework described herein could be utilized in an effort to effectively implement a holistic and successful ISM plan.
Executive Summary
Today information assets face more potential security breaches than at any time in history. To help mitigate the effect of the threats, information security management (ISM) is a very important part of a successful organization’s strategic plan. Due to a significant increase in the number of threats over the past decade, organizations need to be proactive to protect their information assets. Unfortunately, there is a lack of experts qualified to address the area of IT security.

We propose an integrated framework for ISM, in which it is conceptualized as a continuous decision-making process. The rationale of this framework is based on four guiding principles.
1) Have a goal in mind.
2) Align security goals with business strategy.
3) ISM is a multivariate system.
4) ISM is a dynamic process.

ISM is more about the operating procedures and processes in which crucial components such as organizational infrastructure, human factors and information security practices are all involved.
An Integrated Framework for
Information Security Management
Qingxiong Ma, Harmon College of Business Administration,
University of Central Missouri
qma@ucmo.edu
Mark B. Schmidt, G.R. Herberger College of Business,
St. Cloud State University
mbschmidt@stcloudstate.edu
J. Michael Pearson, College of Business Administration,
Southern Illinois University
jpearson@cba.siu.edu
Key components of the ISM framework include the following steps.
1. Assess the organizational environment.
2. Establish information security objectives.
3. Analyze information security requirements.
4. Develop information security controls.
5. Train/evaluate information security controls.

Researchers find that despite the seriousness of the nature and scope of the security threats posed by the environment, many organizations are under-prepared or completely unprepared to mitigate the threats. Further, there appears to be a lack of consensus as to how an organization should implement an information security policy, what information security objectives should be established, or how to react when the information systems are threatened. The framework described herein could be utilized in an effort to effectively implement a holistic and successful ISM plan.
Introduction
Information security management (ISM) is becoming a critical component of the modern organization. In many cases, it is impossible, or nearly impossible, to run a business without the proper and smooth operation of its information systems (Zviran and Haga, 1999, p. 162). Threats to these information systems have increased significantly over the past decade, which requires organizations to be proactive in protecting their information assets. Despite the seriousness of the threats, there is a lack of experts qualified to address the area of IT security (Furnell, Papadaki, Magklaras and Alayed, 2001, p. 89).
There appears to be a lack of consensus as to how an organization should implement an information security policy, what information security objectives should be established, or how to react when the information systems are threatened. Further, Straub and Welke (1998, p. 443) find that despite the seriousness of the nature and scope of the security threats posed by the environment, many organizations are under-prepared or completely unprepared to mitigate the threats. If an organization’s information security efforts are to be integrated so that all are focused on the same outcome, then the information security management of an organization should reside in a framework easily understood by all parties at all levels of the organization. Even without technological solutions, a systematic framework is essential for effective organizational information security management.
Although ISM is a critical issue in today’s business environment and has drawn considerable attention from researchers and practitioners, there is no universally accepted definition. Security has been defined as the state of being free from danger and not exposed to damage from accidents or attack, or as the process for achieving that state (Bosworth and Kabay, 2002, p. 2). Computer security has been defined as the necessary controls to ensure the continuity of adequate information and the protection of computing assets from loss or damage (GFOA, 1997, p. 44). In general, ISM is concerned with protecting the confidentiality, integrity, and availability of information and information systems (Blackwell, 1998, p. 26; Fried, 1994, p. 57).
Total quality management (TQM) may provide a good foundation for ISM. TQM recognizes the importance of the customer, of participation and teamwork, and of continuous improvement and learning. In the security context, these TQM principles should be supported and implemented by an integrated organizational infrastructure, a set of management practices and an appropriate set of tools and techniques. As such, the goals of TQM could benefit the security community.
Experience indicates that technology cannot provide all the answers to the security problems posed by people in the context of ISM. The CSI/FBI report, which was based on feedback from 697 computer security practitioners and represents a diverse slice of corporate America, found that 56 percent of the respondents reported some form of malicious attack within the past year (Gordon and Loeb, 2006, p. 12). This statistic is up from 54 percent the previous year. Given the organizations’ propensity to under-report, it is important not to underestimate the seriousness of the threat in today’s security milieu. Yet another attempt to estimate the number of attacks comes from iDefense. They report monitoring approximately 27,000 attacks in 2004, half of which were designed to covertly steal information or take over computers.