An-Najah National University
Faculty of Graduate Studies

Information Security Management in Palestinian Banking

By Abdellateef Lutfi Muhsen
Supervisor: Dr. Fady Draidi

This Thesis is submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science in Engineering Management, Faculty of Graduate Studies, An-Najah National University, Nablus, Palestine.
2014

Dedication
In this wonderful opportunity, I would like to sincerely express my deepest thanks and gratitude to all my beloved family members and those around me, and to dedicate this work especially to:
- My dear parents, who have given me the drive and discipline to tackle any task with enthusiasm and determination.
- My dear father-in-law and mother-in-law, who have been my constant source of inspiration.
- My dear wife, for her understanding, patience and continuous support. Without her love and support this research would not have been possible.
- My precious kids, Lamar, Lutfi and Yazan, whose presence in my life always motivates me to strive for the best.
- My treasured brothers and sisters, Hanan, Ahmad, Eman and Mohammed, for their encouragement.
- The team of Al-Quds Open University for their encouragement.

Acknowledgement
I would like to thank Dr. Fady for his endless support and kind encouragement throughout the period of his supervision of my thesis. Appreciation and thanks are also extended to the committee members for their time and effort in reviewing this work. Special thanks are expressed to my friends for their help and encouragement. Special and sincere respect, gratitude and appreciation are expressed to my colleagues at work for their support in completing my thesis and making this study possible. I wish to express my sincere gratitude and warmest love to my family, who were extremely supportive and encouraging at times when I felt like giving up. I am grateful to the engineering management staff and to all my master's colleagues, who provided all possible support with this thesis.
I am also grateful to all the people who in one way or another contributed and assisted in achieving my work successfully.

Declaration
I, the undersigned, submitter of the thesis entitled:
Information Security Management in Palestinian Banking
declare that the work provided in this thesis, unless otherwise referenced, is the researcher's own work, and has not been submitted elsewhere for any other degree or qualification.
Student's Name:
Signature:
Date:

Table of Contents
No. Title Page
Dedication  iii
Acknowledgement  iv
List of Tables  ix
List of Figures  xi
Abbreviations  xii
Abstract  xiii
1 Introduction  1
1.1 Overview  2
1.2 Background  4
1.3 Problem Statement  5
1.4 Significance of the Research  5
1.5 Research Aims and Objectives  6
1.6 Research Questions  7
1.7 Research Domains and Research Variables  7
1.8 Research Hypotheses  9
1.9 Research Methodology  11
1.10 Research Contributions  12
1.11 Research Limitations and Challenges  13
1.12 Research Organization  14
2 Literature Review  16
2.1 Overview  17
2.2 Information Security  18
2.2.1 Information  18
2.2.2 Concepts of Information Security  20
2.2.3 Objective of Information Security  21
2.2.4 Principles of Information Security  22
2.2.5 Importance of Information Security  27
2.3 Corporate Governance  29
2.3.1 Information Security Obedience  30
2.3.2 Information Security Compliance  30
2.3.3 Information Security Governance  33
2.3.4 Information Security Governance Best Practices  34
2.3.5 Challenges Facing Corporate Governance  35
2.4 Information Security Management  36
2.4.1 Information Security Management Components  36
2.4.2 Information Security Program Development and Management  37
2.4.3 Information Security Management Approaches  38
2.4.4 Unrealistic Optimism on Information Security Management  39
2.5 Information Security Management in the Banking Sector  40
2.5.1 Related Studies about Information Security in the Banking Sector  40
2.5.2 Palestinian Banking Sector  42
2.5.3 Information Risk in the Banking Sector  43
2.5.4 Information Security Management in the Palestinian Banking Sector  43
2.6 Information Security Standards  44
2.6.1 Global Information Security Standards and Best Practices  44
2.6.2 Importance of Information Security Standards  46
2.6.3 Standards and Best Practices Used in the Research  47
2.7 Effective Information Security Management  48
2.7.1 People  48
2.7.2 Process  54
2.7.3 Products/Technology  58
2.7.4 Partners/Suppliers  61
2.7.5 Data  65
2.8 The Economic Approach to Information Security  67
3 Research Methodology  70
3.1 Research Design  71
3.2 Research Data  73
3.3 Data Collection  73
3.4 Research Population  74
3.5 Research Sample  75
3.6 Research Tool  75
3.7 Questionnaire Sections  76
3.8 Pilot Study  77
3.9 Reliability  78
3.10 Validity  80
3.11 Statistical Analysis  82
3.12 Ethics  82
3.13 Research Limitation  83
3.14 Research Procedures  84
4 Data Analysis and Discussion  86
4.1 Data Analysis  86
4.2 Statistical Methods  88
4.3 Sample Characteristics  88
4.3.1 Qualifications  88
4.3.2 Specialty  89
4.3.3 Experience  89
4.3.4 Information Security Certifications  90
4.3.5 Work Field  91
4.3.6 Number of the Bank Branches/Offices  91
4.3.7 Information Security Management Standard  92
4.4 Research Questions and Hypotheses  92
4.4.1 Current State of ISM in the Palestinian Banking Sector  93
4.4.2 Influence of Research Domains on the Effectiveness of ISM  100
4.5 Discussion  123
5 Conclusions and Recommendations  131
5.1 Overview  132
5.2 Research Contribution  133
5.3 Recommendations  136
5.4 Future Studies  139
References  140
Appendices  163
Appendix A  163
Appendix B  165
Appendix C  172
Appendix D  173

List of Tables
No. Title Page
3-1 Cronbach's Alpha Internal Consistency  79
3-2 Cronbach's Alpha Coefficients of the Questionnaire  79
3-3 Correlation Coefficients for Internal Harmony of the Questionnaire  80
4-1 Likert Scale  87
4-2 Scaling Degrees  87
4-3 Respondents’ Qualifications Representation  89
4-4 Respondents’ Specialty Representation  89
4-5 Respondents’ Experience Representation  90
4-6 Respondents’ Information-Security-Related Certifications Representation  90
4-7 Respondents’ Work Field Representation  91
4-8 Respondents’ Number of Bank Branches/Offices Representation  92
4-9 Respondents’ Banks Holding an International ISM Standard Representation  92
4-10 Application Degree for Section Two Controls  94
4-11 Number of the Bank’s Branches/Offices  97
4-12 ANOVA Test for Number of the Bank’s Branches/Offices  97
4-13 LSD Post Hoc Tests for Number of Branches/Offices  98
4-14 Banks Holding an ISM Standard  99
4-15 People Effectiveness Degree  101
4-16 Process Effectiveness Degree  102
4-17 Product/Technology Effectiveness Degree  103
4-18 Partners/Suppliers Effectiveness Degree  104
4-19 Data Effectiveness Degree  104
4-20 Section Three Effectiveness Degree  105
4-21 Section Three & Qualification Statistics  107
4-22 ANOVA Test for Qualification  109
4-23 Section Three & Specialty Statistics  110
4-24 ANOVA Test for Specialty  112
4-25 LSD Post Hoc Tests for Specialty  114
4-26 Section Three & Experience Statistics  116
4-27 ANOVA Test for Experience  118
4-28 T-Test for Experience  119
4-29 Section Three & Work Field Statistics  121
4-30 ANOVA Test for Work Field  123
4-31 Research Domains Effectiveness Degree  125

List of Figures
No. Title Page
2-1 The CIA Triad  22
2-2 Framework for an Information Security Management System  46
2-3 Achieving Effective ISM Through the Four Ps  48
4-1 Rank of the Five Domains Depending on the Means  126
5-1 Research Domains  136

Abbreviations
Abbreviation Definition
ANOVA Analysis of Variance
BCM Business Continuity Management
BS British Standard
CIA Confidentiality, Integrity, Availability
COBIT Control Objectives for Information and Related Technologies
DLP Data Leak (Loss) Protection or Prevention
DSS Data Security Standard
HR Human Resources
ICT Information and Communication Technology
IEC International Electrotechnical Commission
ISF Information Security Forum
ISM Information Security Management
ISO International Organization for Standardization
IT Information Technology
KGI Key Goal Indicator
KPI Key Performance Indicator
KRI Key Risk Indicator
NDA Non-Disclosure Agreement
OECD Organisation for Economic Co-operation and Development
PCI Payment Card Industry
PDA Personal Digital Assistant
PDCA Plan-Do-Check-Act
PMA Palestine Monetary Authority
SPSS Statistical Package for the Social Sciences

Abstract
Recently, organizations’ reliance on technology, communications and information has increased, accompanied by an increase in cyber threats and social engineering. Information security issues therefore occupy a high place not only in organizations’ management plans but also in their strategic planning. Banks are among the sectors most dependent on information, and one of the most significant sectors in Palestine; therefore, information security management in Palestinian banking was selected for this study.
The aim of this study is to examine and review the current state of information security management in Palestinian banks, to measure the application degree of information security management controls in this sector, and to highlight issues related to information security management such as governance, compliance and risk. In addition, it aims to identify respondents’ views on the degree of influence of the research domains (People, Process, Product/Technology, Partners/Suppliers and Data) on the effectiveness of information security management. The researcher used the descriptive analysis methodology and designed a questionnaire that was distributed to the staff of the information technology and internal audit departments working in the headquarters of Palestinian banks licensed to operate by the Palestine Monetary Authority (PMA). 94 questionnaires were distributed, of which 82 were valid for analysis, a response rate of 87%. The results showed that Palestinian banks apply information security management controls to a High degree, while the “training and awareness of employees” and “Data integrity checking” controls are applied to a Moderate degree. The study also indicated that banks with 10-19 branches have the highest application degree of information security management controls among Palestinian banks, and that banks holding an international information security management standard apply the controls to a higher degree than others. The research also found that the People domain (employees) is the most influential domain on the effectiveness of information security management; together with the finding that the “training and awareness of employees” control is applied only moderately, this points to a need for further training courses and information security awareness for employees in Palestinian banks.
Moreover, the study recommends that Palestinian banks give more importance to the “Data integrity checking” control, and that they follow international information security management standards because of their impact on the application of information security management controls.

Chapter One: Introduction

1. Introduction
This chapter introduces the research title, research approach and background. It then states the problem statement, research aims and objectives, research questions, research hypotheses, research variables and research methodology. In addition, the research contribution, research limitations, research challenges and research organization are explored in this chapter.

1.1. Overview
In the last decade, Information Security Management (ISM) depended mainly on technical control measures. However, researchers have shown that the majority of information security failures occur because trusted personnel violate controls. Therefore, Information Security Management can only be adequately assured if the emphasis goes beyond technical controls and incorporates business process and organizational issues. Many different frameworks, guidelines and standards have been proposed by researchers, practitioners, consultants and professional organizations to protect information assets (Choobineh et al., 2007). Since Palestine is at a developing stage and has embraced development rapidly, the implementation of those standards in its organizations is still immature. Thus, more investigation of this issue is needed to study, measure and evaluate the current state. Based on these results, and by surveying the current state of Palestinian organizations, this research attempts to study and analyze the situation; in addition, the researcher attempts to identify the issues with the most influence on Information Security Management in Palestinian banking.
Every organization has different assets, and one of the main assets is information. This information should therefore be secured to protect the organization and ensure the success and progress of its business. Moreover, securing information is required to build bridges of trust between the client of a service and its provider (Rezakhani et al., 2011). A bank is an establishment that holds the client’s bank account in order to enable him to pay and to be paid by third parties. Banking business relies more on information technology every day. Accordingly, information security has become an essential part of banks’ business success and improvement (2013). Therefore, this study focuses on Information Security Management in Palestinian banking. This research aims to form a starting point for conducting more advanced Information Security Management studies and frameworks that could be applicable to and compatible with the Palestinian banking sector as well as other organizations.

1.2. Background
Information Security Management is primarily concerned with strategic, tactical and operational issues surrounding the planning, analysis, design, implementation and maintenance of an organization’s information security program. The most salient issues include asset valuation, auditing, business continuity planning, disaster recovery planning, ethics, organizational communication, policy development, project planning, risk management, security awareness education/training, and various legal issues such as liability and regulatory compliance (Muller et al., 2011). Information Security Management is a relatively immature discipline; therefore additional academic study and research are required.
In addition, there is a growing need for research to verify the management challenges, discover current management deficiencies, identify best practices, devise methodologies, and specify requirements for the management of information security (Yeniman Yildirim et al., 2011). The authors of a 2008 case study on banks in the Gaza Strip, titled “Threats that affect computerized accounting information systems: a case study of the banks in Gaza Strip – Palestine”, claim that threats occur but at low frequency. The main reason behind the threats was the lack of expert employees responsible for technology management in the Gaza Strip. They therefore recommended enhancing employees’ abilities in IT and information security in order to control the security tools and assure work continuity and information availability (Bahaisi & Shaaban, 2008).

1.3. Problem Statement
There is almost a complete absence of relevant Palestinian standards for Information Security Management in banks. Moreover, the importance and sensitivity of information security, especially in the banking sector, and its relation to national security have become crucial to the development sector worldwide. Therefore, collecting and analyzing the current state of information security management practices can help identify major gaps in information security in the banks targeted by this study. The research problem can be summarized as follows: “To what extent is Information Security Management in Palestinian banking effective?” By posing this question, this research aims to identify the problems, implications, benefits, gaps and possible improvements in Information Security Management implementation.

1.4. Significance of the Research
This research work is of significant importance to the Palestinian banking sector. It represents the first study of information security management in that sector.
The research provides an insightful examination of the current state of Information Security Management application, highlights issues and deficiencies, and identifies the issues with the most influence on Information Security Management effectiveness. Therefore, this research could help improve Information Security Management in the Palestinian banking sector, and consequently improve its performance and customer satisfaction.

1.5. Research Aims and Objectives
First, the research aims to explore the current state of Information Security Management in the Palestinian banking sector, and to highlight the major obstacles and deficiencies in Information Security Management implementation and its effectiveness. Second, the researcher aims to survey the opinion of information technology specialists in Palestinian banks about the five research domains (People, Process, Product/Technology, Partner/Supplier, and Data), so as to find the domain that influences Information Security Management effectiveness the most. Finally, the researcher combines the findings on the current state of Information Security Management with the findings on the most important issues influencing its effectiveness in order to make a contribution to this field.

1.6. Research Questions
Through this research project, the researcher aims to answer the following research questions, which were designed to achieve the research objectives:
- To what extent are the research controls applied in Palestinian banks to achieve Information Security Management?
- What are the most influential domains and controls on the effectiveness of Information Security Management from the respondents’ point of view?

1.7. Research Domains and Research Variables
The research is planned to measure the current application degree of Information Security Management controls in Palestinian banks.
In addition, it aims to measure the influence of the research domains (People, Process, Product/Technology, Partner/Supplier, Data) on the effectiveness of Information Security Management. Brief definitions of the research controls and research domains follow:
- Controls: A group of Information Security Management factors adapted from the Payment Card Industry (PCI, 2013) and used in the questionnaire.
- People: Employees who work across the organization and deal with information.
- Process: Procedures used to implement and achieve Information Security Management.
- Product/Technology: Software or hardware used to achieve Information Security Management.
- Partner/Supplier: Third parties that deal with the organization and affect its information.
- Data: Information converted into binary digital form.
The researcher also examines whether there are differences in the application degree of Information Security Management controls among banks that can be attributed to:
- Number of the bank’s branches.
- Holding an international Information Security Management standard.
In addition, the researcher examines whether there are differences in the perceived degree of influence of the research domains on Information Security Management effectiveness that can be attributed to the respondents’:
- Qualification.
- Specialty.
- Years of experience.
- Information security certifications.
- Work field.

1.8. Research Hypotheses
The current state of Information Security Management in Palestinian banks and the influence of the research domains on the effectiveness of Information Security Management are measured in this study through different analytical and descriptive techniques. The researcher further investigates the relationship between the application degree of Information Security Management controls in Palestinian banks and the degree of effectiveness attributed to the different research domains.
The following null hypotheses are tested to address the objectives of the study:
H1₀: There are no statistically significant differences (α ≤ 0.05) between Palestinian banks in applying the Information Security Management controls attributed to the number of the bank’s branches/offices.
H2₀: There are no statistically significant differences (α ≤ 0.05) between Palestinian banks in applying the Information Security Management controls attributed to holding an international Information Security Management standard.
H3₀: There are no statistically significant differences (α ≤ 0.05) in the research domains that influence the effectiveness of Information Security Management in Palestinian banks, from the respondents’ point of view, attributed to the respondent’s qualification.
H4₀: There are no statistically significant differences (α ≤ 0.05) in the research domains that influence the effectiveness of Information Security Management in Palestinian banks, from the respondents’ point of view, attributed to the respondent’s specialty.
H5₀: There are no statistically significant differences (α ≤ 0.05) in the research domains that influence the effectiveness of Information Security Management in Palestinian banks, from the respondents’ point of view, attributed to the respondent’s experience.
H6₀: There are no statistically significant differences (α ≤ 0.05) in the research domains that influence the effectiveness of Information Security Management in Palestinian banks, from the respondents’ point of view, attributed to the respondent’s information security certifications.
H7₀: There are no statistically significant differences (α ≤ 0.05) in the research domains that influence the effectiveness of Information Security Management in Palestinian banks, from the respondents’ point of view, attributed to the respondent’s work field.

1.9. Research Methodology
The researcher used the descriptive analytical approach, which describes and evaluates the extent to which Palestinian banks apply Information Security Management controls, and measures the dominant factors affecting the effectiveness of Information Security Management. This approach satisfies the research goals of comparing and evaluating the results, so that the research can contribute meaningful content to the available knowledge on the research theme. To achieve that, the researcher utilized both primary and secondary data sources:
- Primary data: data collected first-hand for the specific research problem, namely the questionnaire distributed to the banks.
- Secondary data: data collected by other researchers or for other research purposes, including English and Arabic books and references, journals, articles and reports, together with analysis of the Palestine Monetary Authority (PMA) and Palestinian banks’ websites and previous research studies on the subject.

1.10. Research Contributions
The findings of this research project constitute a basis for Palestinian banks to perform their Information Security Management, since the whole Information Security Management process and the factors influencing its effectiveness are identified. Palestinian banks can use this study to structure their Information Security Management assessment and identify major gaps in their current performance that can be mitigated. Moreover, researchers can use this research as a starting point for further research projects that approach different aspects of the subject, since the subject has not been targeted by other researchers before. The results of this research are of great importance to researchers, Palestinian banks and the PMA. Therefore, this research is considered a significant contribution to Information Security Management.
There is a high application degree of Information Security Management controls in Palestinian banks; this is satisfactory but still needs more attention and improvement. Respondents consider “People” the dominant domain influencing the effectiveness of Information Security Management, with a very high degree (85.8%). Research results show a moderate application degree for the “Training and awareness” and “Data integrity checking” controls. Therefore, as “People” is considered the dominant domain influencing the effectiveness of Information Security Management, training employees and improving the awareness culture is a very important and sensitive issue for Palestinian banks. There are statistically significant differences between Palestinian banks in applying Information Security Management controls due to the number of the bank’s branches and whether the bank holds an international Information Security Management standard. The researcher supplemented the 4Ps framework developed in the Information Technology Infrastructure Library (ITIL) (Clinch, 2009) with an additional domain, “Data”; this could be a starting point for developing a new Information Security Management framework in future studies.

1.11. Research Limitations and Challenges
One of the main limitations of this research was the lack of prior research studies on the subject, which is relatively new to Information Security Management in Palestine and to the banking sector worldwide. This presents an important opportunity for other researchers interested in the subject to explore Information Security Management from other perspectives. Since the banking sector is very sensitive and information security is highly confidential, there was great difficulty in acquiring information.
According to PMA (2013), there are seventeen banks working in Palestine, and all IT-related functions and specialists are located at the headquarters, so the targeted population was small and limited to headquarters in Ramallah. Information security policy has become a key instrument for managing security in organizations; however, its impact on improving security has not been evaluated empirically.

1.12. Research Organization
The rest of this thesis is organized as follows. Chapter two provides a literature review of the state of the art in Information Security Management: first information security is defined, then corporate governance is explored, and after that Information Security Management, Information Security Management in the banking sector, information security standards, effective Information Security Management, and the economic approach to information security are discussed. Chapter three clarifies the research methodology, research design, research data, data collection, research population and research sample. In addition, chapter three discusses the research tool, pilot study, reliability and validity, and addresses ethics, research limitations and the research procedure. Chapter four discusses data analysis and statistical methods, answers the research questions, tests the research hypotheses, and discusses the research findings in light of previous related research. The last chapter presents the conclusions and recommendations; it explores the research contributions, recommendations and future studies.

Chapter Two: Literature Review

2. Literature Review
This chapter consists of eight sections: overview, information security, corporate governance, information security management (ISM), ISM in the banking sector, information security standards, effective ISM, and, last, the economic approach to information security.

2.1. Overview
Information security is not a new field; it has a very long history, even before computers existed, and has been practised since human beings learned how to write. In a global and competitive business environment such as today’s, firms depend more and more on their information, because it has been proved that information has a huge influence on improving the competitiveness of firms (Teece, 2010). For that reason, firms are aware of the huge importance of having adequate information security programs as well as correct management of information. Although many firms still assume the risk of lacking adequate protection measures, many others have understood the importance of information security management (Sánchez et al., 2009).

2.2. Information Security
The history of information security reaches back to ancient times and starts with the emergence of bureaucracy in administration and warfare. Some aspects, such as the interception of encrypted messages during World War II, have attracted huge attention, whereas others have remained largely uncovered (de Leeuw & Bergstra, 2007). In this section, information, the concepts of information security, the objective of information security, the principles of information security and the importance of information security are discussed.

2.2.1. Information
Information is the most valuable asset in an organization’s care and is considered a critical resource, enabling the organization to achieve its goals. “Information is the oxygen of the modern age” (Ronald Reagan, 40th U.S. President) (Guardian, 1989). It has grown to become the lifeblood of most firms today. The world has therefore moved into the information economy, an economy based on the exchange of knowledge and services rather than physical goods (Flowerday & von Solms, 2005).
According to Dey (2007), information includes all forms of data, knowledge, messages, recordings, conversations, communications, documents and images. Therefore, every business depends heavily on information. In most cases, information has become the vital ‘asset’, called the ‘information asset’ or ‘intellectual asset’, for any business. Information is used to drive most business processes, involving employees from the highest to the lowest levels, and is not merely an enabler in modern firms. Thus, information is indeed critically important and one of the most fundamental assets of a firm. However, information is an abstract asset; it can exist in many forms: electronic, hard copy, verbal, etc. (Ozkan & Karabacak, 2010). Confidential and critical assets need to be protected satisfactorily. If the information asset is critically important to the future existence of the organization, then its protection should become a main issue for the Board of Directors, and top-level management should handle the task of protecting such assets (R. von Solms & von Solms, 2006). Information can be seen as a basic commodity, similar to electricity; without it many businesses simply cannot operate, and many organizations are unable to do business without access to their information resources. That being said, protecting information resources often has no direct return on investment (J. F. Van Niekerk & Von Solms, 2010). According to Furnell (2008), Information Technology (IT) products or systems ought to perform their functions while exercising appropriate control of information, and ensure it is protected against accidental or deliberate dissemination, modification or loss. There has been a significant shift in the valuation of firms as the world has advanced into the information economy. One of the driving forces behind this shift in market valuations could be the need for increased investment performance.
However, regardless of what the driving forces may be, to ensure that information retains its worth it needs to be secured, and users need to have confidence when basing their decisions on that information (Davenport, 2013). The banking sector, which is the focus of this research, can be considered a developed and vital sector in Palestine. This sector relies on information as its core asset, since information technology is used for transactions and other banking processes. Therefore, securing information is extremely important in order to achieve the objectives of the banks and guarantee their survival.

2.2.2. Concepts of Information Security
Information security is such a broad discipline that it is easy to get lost in a single area and lose perspective and focus. The main concept behind information security is that security is only as strong as the weakest link (Sasse et al., 2001). Sasse et al. (2001) pointed out that “users are the weakest link”. As such, information security is not only a technical issue but also a behavioral issue involving users. Therefore, an abundance of research has been conducted to understand users’ security-related behaviors, such as information systems misuse or security-enhancing actions, mostly in work environment settings (Bang et al., 2012). According to Ren and Du (2013), information security consists of many components, and the core component depends on human cooperative behavior. Employees, whether intentionally or through negligence, often due to a lack of knowledge, are the greatest threat to information security. Johannes Frederick Van Niekerk (2011) points out that without an adequate level of user cooperation and knowledge, many security techniques are liable to be misused or misinterpreted by users.

2.2.3. Objective of Information Security
The objective of information security is to protect the interests of those depending on information technology and the communication systems that deliver the information from harm resulting from failures of the security principles of availability, confidentiality and integrity (Abu-Musa, 2010). According to COBIT (2007), information security relates to the protection of valuable assets against loss, misuse, disclosure or damage. In this context, “valuable assets” are the information recorded on, processed by, stored in, shared by, transmitted or retrieved from an electronic medium. Securing information resources does not as a rule generate income for an organization. Business people are therefore rarely interested in how their information resources are protected. From a business perspective, any solution would be adequate as long as it is cost-effective and takes into account issues such as productivity and ease of use (J. F. Van Niekerk & Von Solms, 2010). J. F. Van Niekerk and Von Solms (2010) argued that the goal of securing information is in conflict with the normal business goals of maximizing productivity and minimizing cost. Thus security is often seen as detrimental to business goals because it makes systems less usable; the only absolutely secure system is an unusable one.

2.2.4. Principles of Information Security
Information security can be defined in a variety of ways; however, every definition, even if different, may still be correct. Information security consists of 1) Confidentiality, 2) Integrity and 3) Availability of information, also referred to as the C-I-A triad (Stewart et al., 2012).
Figure (2-1): Information Security concepts (YOYO, 2010).
The next sections discuss each of the main information security concepts.
Confidentiality

In the context of information security, confidentiality means that information should remain guarded and confidential, and only those persons authorized to access it may obtain access (Fourie, 2003). Unauthorized access to confidential information may have devastating consequences, not only for national security applications but also for commerce and industry in general. The main mechanisms for protecting confidentiality in information systems are cryptography and access controls. Examples of threats to confidentiality are malware, intruders, social engineering, insecure networks, and poorly administered systems (dos Santos Moreira et al., 2008). Confidentiality is the privacy of an asset. Specifically, confidentiality can be defined as which people, and under what conditions, are authorized to access an asset. Since the exposure of confidential information could bring embarrassment and heavy penalties to a company or business, such information should be assigned a “High” rating, to indicate that the confidentiality of this information is extremely important (Yazdanifard et al., 2011). Directory information may draw a “Low” confidentiality rating; this information is, for the most part, freely available to the public, unless otherwise requested by the user (Shirtz & Elovici, 2011).

Integrity

According to Birgisson et al. (2011), integrity is concerned with the trustworthiness, origin, completeness, and correctness of information, in addition to the prevention of improper or unauthorized modification of information. Integrity in the information security context refers not only to the integrity of the information itself, but also to origin integrity, that is, the integrity of the source of the information. Integrity protection mechanisms may be grouped into two broad types (Stewart et al., 2012):

• Preventive mechanisms, such as access controls that prevent unauthorized modification of information.
• Detective mechanisms, which are intended to detect unauthorized modifications when preventive mechanisms have failed.

Fourie (2003) points out that integrity is more difficult to define than confidentiality, as there are two primary properties to consider when evaluating it:

• First, there is the notion that an asset should be trusted; that is, there is an expectation that an asset will only be modified in appropriate ways by appropriate people.

• The second part of integrity is that, in the event that data is damaged or incorrectly altered by authorized or unauthorized personnel, you must consider how important it is that the data be restored to a trustworthy state with minimum loss.

Information security is responsible for the information’s integrity. Consequently, information integrity requires both system integrity and data integrity (Mishra & Dhillon, 2006). For management to rely on the information within the information systems, assurances need to be provided that the information’s integrity has not been compromised, intentionally or unintentionally (Poolsappasit et al., 2012). Nevertheless, it is not enough to provide assurances months later; they need to be provided in real time. Thus, information has integrity only when its accuracy, completeness, timeliness, validity and processing methods are safeguarded (Fisher et al., 2012). Stamp (2011) argued that information integrity is dependent on system integrity. In other words, information integrity can be no better than the integrity of the system processing the data or information, although it can be worse. A system demonstrates processing integrity if “its outputs fully and fairly reflect its inputs, and its processes are complete, timely, authorized and accurate” (Khan, 2012).
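As an added example (it is not part of the thesis or of any source it cites), the following Python sketch puts the two kinds of integrity mechanism side by side: a preventive control, in the form of an authorization check that must pass before an account record may be modified, and a detective control, in the form of an HMAC tag over the record that exposes a modification made outside the controlled path (for instance, a direct edit of the stored data). The account record, the set of authorized editors and the key are constructed for the example; in a real system the key would come from a key management service.

```python
import hashlib
import hmac
import json

# Constructed key for the example only; a real deployment would fetch it
# from a key management service, never hard-code it.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

# Constructed example: the only principal allowed to change account records.
AUTHORIZED_EDITORS = {"alice"}


def compute_tag(record: dict) -> str:
    """Detective control: a keyed MAC over a canonical serialization of the
    record, so that any change to any field (or field order games) alters
    the tag, and nobody without the key can recompute a matching tag."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def protect(record: dict) -> dict:
    """Wrap a record together with its integrity tag."""
    return {"record": dict(record), "tag": compute_tag(record)}


def verify(protected: dict) -> bool:
    """Return True only if the stored tag matches the record as it is now.
    compare_digest avoids timing differences that leak how many bytes matched."""
    return hmac.compare_digest(compute_tag(protected["record"]), protected["tag"])


def update_balance(protected: dict, user: str, new_balance: int) -> dict:
    """Preventive control: refuse the modification unless the caller is an
    authorized editor. A legitimate change goes through here and gets a
    fresh tag, so the detective control stays consistent with it."""
    if user not in AUTHORIZED_EDITORS:
        raise PermissionError(f"{user} is not authorized to modify account records")
    record = dict(protected["record"])
    record["balance"] = new_balance
    return protect(record)


def demo() -> dict:
    """Walk through the normal path, a blocked change, and a bypassed change."""
    # Constructed sample record.
    account = protect({"account_id": "ACC-0001", "owner": "customer-1", "balance": 1000})
    results = {"initial_ok": verify(account)}

    # Legitimate modification through the preventive control.
    updated = update_balance(account, "alice", 900)
    results["updated_ok"] = verify(updated)

    # Unauthorized attempt: stopped by the preventive mechanism.
    try:
        update_balance(account, "bob", 0)
        results["unauthorized_blocked"] = False
    except PermissionError:
        results["unauthorized_blocked"] = True

    # Change that bypassed the preventive control (e.g. the storage was edited
    # directly): the record no longer matches its tag, so verify() fails and
    # the detective mechanism catches what prevention missed.
    tampered = {"record": dict(updated["record"]), "tag": updated["tag"]}
    tampered["record"]["balance"] = 1_000_000
    results["tamper_detected"] = not verify(tampered)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the pairing is the one Stewart et al. make above: the tag does not stop anyone from editing the stored record, it only makes the edit visible afterwards, so it is worthless without the key being kept away from whoever can write the store, and the authorization check is worthless against anyone who can write the store without calling it. Real-time assurance, as the text asks for, means running the verification on every read, not in a periodic audit months later.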
To emphasize the two aspects: a system may have integrity, but if the data it processes lacks integrity at the time the system receives it, then the data will continue to lack integrity when it is transferred to its destination or transformed into information. Thus, to be confident that the information on which important business decisions are based is trustworthy, both the input data and the processes used to produce the information must be properly protected (Zissis & Lekkas, 2012). Protection normally comes in the form of internal controls that result from a thorough risk management process. Risk management therefore plays an important function in ensuring information integrity.

Availability

Availability represents the requirement that an asset be accessible to an authorized person, entity, or device. Therefore, despite being mentioned last in the C-I-A triad, availability is just as important and as necessary a component of information security as confidentiality and integrity (Mirkovic et al., 2004). Natural and man-made disasters may obviously affect availability as well as the confidentiality and integrity of information, though their frequency and severity differ greatly: natural disasters are infrequent but severe, whereas human errors are frequent but usually not as severe as natural disasters. In both cases, business continuity and disaster recovery planning (which at the very least includes regular and reliable backups) is intended to minimize losses (Stewart et al., 2012).

2.2.5. Importance of Information Security

Computers and networks, particularly the Internet, have become an integral part of everyday life, used for a variety of reasons at home, in the workplace, and at schools. Moreover, most enterprises have become totally reliant on IT, extending outside trusted environments and increasing the range of services.
Globalization and the technology revolution have led to dependence on computers and networks that are used for communication and for a variety of online interactions and transactions. Therefore, information security is required at all levels (the personal, corporate, state and country levels), and it has become the key issue in today’s information technology world (Castells, 2011). New vulnerabilities are found each day, and the evidence of the information threat is growing. Furthermore, those interested in exploiting these vulnerabilities are becoming a well-organized underground (Pfleeger & Pfleeger, 2012). With an increasingly demanding framework of regulation and law, and increasing concern for the safety and integrity of information against attacks, it has become mandatory that organizations follow strict guidelines and security frameworks to assure the safety and protection of data and systems (Bruce et al., 2005). To address these needs, many universities have incorporated information security courses at the undergraduate and graduate levels as part of information systems or computer science majors (Bishop & Taylor, 2009). An organization’s good name is paramount, and its reputation is priceless; therefore, top-level management has to protect these from harm. Information security is a board of directors’ issue, which is becoming increasingly important as computer networks become more widespread. It encompasses computer- and network-related crime, privacy issues, trust and confidence, and the dependability of critical infrastructures (Sharma & Sefchek, 2007). Organizations have a responsibility to protect consumer and organizational proprietary information while ensuring compliance with laws and regulations (IISIT, 2008). Information security, or offering adequate information about security, training and education, requires financial resources. Firms do not want to pay for security, and they prefer to maintain the physical security they are familiar with.
In fact, recent research puts forward the need to link information security to strategic information systems planning and therefore to the enterprise objectives (Sánchez et al., 2009). Information security is an all-or-nothing issue. For example, are the horses in a field 75% secured if a fence exists on only three of the four sides? Obviously, the horses are not secured. Securing information assets and conducting business electronically raises information security from a technical issue to a business issue. This highlights the need to embed risk and control within the culture of the company (Flowerday & von Solms, 2005). In accordance with the above statement, information security has in fact become a governance challenge and therefore requires all levels within the company to be conscious of the vulnerabilities and risks facing the company (Conner & Coviello, 2004). This has been accentuated by many governments around the world passing new legislation concerning the safety of information.

2.3. Corporate Governance

Corporate governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed (R. von Solms & von Solms, 2006). In this section, information security obedience, information security compliance, information security governance, information security governance best practices and the challenges facing corporate governance will be discussed.

2.3.1. Information Security Obedience

Information is a fundamental asset within any organization, and the protection of this asset, through a process of information security, is of equal importance. Information security obedience therefore explores the relationships between the three fields of corporate governance, corporate culture and information security, and highlights the importance of binding these fields together (Thomson & Von Solms, 2003).
Kotter (2008) defines corporate culture as the values that are shared by everyone in an organization, including fundamental beliefs, principles and practices. These fundamental beliefs, principles and practices have a direct influence on the behavior patterns of employees as far as information security is concerned (Kotter, 2008). Information is an organizational asset, and consequently information security needs to be integrated into the organization’s overall management plan.

2.3.2. Information Security Compliance

Practitioners and academics have started to realize that information security cannot be achieved simply through technological tools. Effective organizational information security depends on all three components, namely people, processes and technology (Li et al., 2010). With the advances in security technologies, many computing behaviors such as patch management and antivirus updates are now being automated to reduce the task knowledge and time load on end users. However, behaviors such as the appropriate use of computer and network resources, appropriate password habits, etc., that cannot be addressed by security technologies are often dealt with through organizational computer security policies (Li et al., 2010). Security breach incidents show that employee negligence and non-compliance often cost organizations millions of dollars in losses, although appropriate computer use policies in organizations have been recognized as important for a long time (Herath & Rao, 2009). The objective of any organizational policy is to influence and determine employees’ course of action. While the defined policies may be crystal clear and detailed, the result may not turn out as desired, especially with regard to information security (D’Arcy & Herath, 2011). The aim of the behavioral aspects of security governance is to ensure that employees conform to the rules and policies, since employees rarely comply with information security procedures.
Policies, especially those involving information security, are viewed as mere guidelines or general directions to follow rather than “hard and fast rules” that are specified as standards (Herath & Rao, 2009). According to Ifinedo (2012), due to the relatively discretionary nature of adherence to policies, organizations find the enforcement of security a critical challenge. Thus, more recently, research in behavioral information security has started focusing attention on employee intentions to follow security policies. In organizational information security, the responsibility for whether to adhere to organizational security policies or ignore them is delegated to employees. Employees may choose to break security policies for malicious purposes or choose to avoid security policies for mere convenience (Herath et al., 2010). A study in the context of access controls found that employees believe that a higher level of information security restricts their ability to follow flexible operating routines, and perceive it as counterproductive. In addition, employee actions related to security policy compliance may also be difficult to monitor (Herath & Raghav Rao, 2010). Compliance regimes have positioned themselves as vital requirements for ensuring information security. The rapidly growing use of information technology in various businesses and the transition of sensitive information into digital records have led to the formation of various compliance regimes, guidelines, regulations and regulating bodies (Eastman et al., 2011).

2.3.3. Information Security Governance

Information security governance has become an important business responsibility, and accountability has escalated up to the board of directors’ level. Therefore, executive management and boards have started realizing that information security governance is becoming their direct responsibility, and that serious personal consequences, specifically legal ones, could flow from ignoring information security (Spremić, 2009).
According to B. Von Solms & von Solms (2005a), boards of directors will increasingly be expected to make information security an essential part of governance, preferably integrated with the processes they have in place to govern IT; in addition, for information security to be properly addressed, greater involvement of boards of directors, executive management and business process owners is required (B. Von Solms & von Solms, 2005). One of the risks board members are exposed to is ‘Failure to understand the impact of security failures on the business, and potential effect on shareholders, share price and competition’ (B. von Solms & von Solms, 2005). Information security governance has become integral to good corporate governance, so company directors should keep in mind that failure and/or refusal to identify and address corporate IT risk may result in personal liability if damages or losses follow (Pfleeger & Pfleeger, 2006). According to Rastogi and Von Solms (2012), a director and even an IT manager may be personally liable for unlimited damages if the failure to identify and manage risks is classified by the courts as reckless management of the company.

2.3.4. Information Security Governance Best Practices

According to Johnston and Hale (2009), it is important to integrate information security governance into corporate governance, in order to ensure that organizational goals and objectives are supported by the information security program. One of the best practices related to information security governance is to establish and maintain an information security strategy. This strategy should be aligned with organizational goals and objectives to guide the establishment and ongoing management of the information security program. Another is to create an information security governance framework to guide the activities that support the information security strategy (Ericsson, 2007).
Developing an information security strategy requires identifying the internal and external influences on the organization (for example, technology, business environment, risk tolerance, geographic location, legal and regulatory requirements) to ensure that these factors are addressed by the information security strategy (Epstein, 2008). Finally, the roles and responsibilities of information security should be defined and communicated throughout the organization to establish clear accountabilities and lines of authority, and metrics (key goal indicators [KGIs], key performance indicators [KPIs], and key risk indicators [KRIs]) should be monitored, evaluated and reported to provide management with accurate information regarding the effectiveness of the information security strategy (Parmenter, 2010).

2.3.5. Challenges Facing Corporate Governance

There are many challenges facing the convergence of corporate governance and information security; the most important point is to convince the senior management of an organization that they should be ultimately accountable and responsible for the protection of their organization’s information (Thomson & von Solms, 2005). According to ERIC and Goetz (2007), the Board of Directors should be involved in the protection of information, an important organizational asset. The level of information security that the Board of an organization is prepared to propose and put into operation, and the level of information security that is acceptable to the shareholders, should be consolidated and result in the corporate information security policy. The information security policy should be based on the approved corporate security objectives and strategy, and is there to provide management direction and support for information security (Radovanovic et al., 2010).

2.4. Information Security Management

Information security management argues that the focus of information security within organizations should be on business and management rather than technical issues.
Within the technical computer security literature, security policy is used as a synonym for the overall security architecture of operating systems, while the non-technical security management literature addresses the access control rules for a computer system. Furthermore, information security management should be governed in a comprehensive rather than a project-based manner (Sipior & Ward, 2008). In this section, information security management components, information security program development and management, information security management approaches and unrealistic optimism on information security management will be discussed.

2.4.1. Information Security Management Components

Information security management can be defined as “a systematic approach consisting of people, processes, and Information Technology systems, that protects critical systems and information, safeguarding them from internal and external threats” (Topi et al., 2010). Information security management consists of various aspects, such as information security policy, risk analysis, risk management, contingency planning and disaster recovery, which are all interrelated in some way (Feng et al., 2014). According to Dey (2007), information security management can no longer be done merely by a set of hardware and software. Rather, it requires a complete end-to-end system, arranged in such a way that only authorized and valid users are allowed to access protected resources. Thus, a strategic approach to information security management will promote a focus on the proper management of information as a key resource in global competition (Buchanan & Gibb, 1998).

2.4.2. Information Security Program Development and Management

Developing the world’s best information security program is great, but it needs to be effectively managed just like any other operational business unit or department. Information security objectives are a critical part of business, but unfortunately objectives and intentions are redundant without an action plan.
An information security program ties the objectives to specific actions to ensure that the required outcomes are reached (Mayer et al., 2007). Information security programs are logical and well thought out. They provide organizations with a structured way of meeting their information security objectives, such as establishing a ‘top down’ rather than ‘bottom up’ approach to information security management (Peltier, 2013). Thus, an effective information security program must take these points into account:

• It must be aligned with business needs and protect assets in accordance with business priorities.

• It must be risk-based and cost-effective.

• It must be flexible to meet changing business needs and changing threats.

According to Bishop (2012), by utilizing information security programs, firms will be organized by enabling risk-based decision making for information security, articulating the links with other functional departments such as HR, IT, etc., and also identifying metrics to measure the effectiveness of information security management. There are a number of challenges to successfully managing an information security program, such as skill set limitations, limited budget, lack of management support, and a general lack of awareness (Randone, 2011). Formal and professional management of an information security program has many benefits; the most important is to ensure that there is a strong alignment with the primary objectives of the business, and to confirm that the right amount of protection is applied, and in the right areas (M. E. Whitman & Mattord, 2010).

2.4.3. Information Security Management Approaches

Modern security management approaches can be divided into three groups. The first group includes the approaches that are based on security management standards. The second group is based on best practices, and the third is based on more formal approaches (Rezakhani et al., 2011).
A commonly mentioned problem with most of the above-mentioned standards is that they do not provide a process for how to conduct security management; they are merely checklists. A second problem is the threshold implied by the great number of pages to read before one can start (Fourie, 2003). Therefore, a more holistic approach is needed. Research claims and practice have shown that many dimensions have to be considered in security management. To take these dimensions into account, a holistic approach that considers them simultaneously is therefore necessary. However, most state-of-the-art security management approaches are not holistic, as most of them only cover parts of the system lifecycle (B. von Solms & von Solms, 2005).

2.4.4. Unrealistic Optimism on Information Security Management

Business environments continue to change with increasing dependence on information technology and the widespread use of the Internet. This greater connectivity has increased the vulnerability of information systems to various information security threats. In addition, the challenges associated with information security are far from resolved, with the lack of manager and user awareness being the major obstacle to achieving a good information security posture (Gupta & Hammond, 2005). Awareness of information security is the attention paid to understanding various information security threats and to perceiving the vulnerability related to these threats. However, an understanding of threats alone seems insufficient to motivate one to take actual action (Castells, 2011; Rhee et al., 2012). According to Rhee et al. (2012), in order for managers to understand the need for information systems safeguards and to exercise the necessary security practices, they must perceive their own vulnerability associated with the information system. The problem, therefore, is that in many negative situations people demonstrate a tendency to believe that they are less at risk than others.
This underestimation of the likelihood (or probability) of experiencing negative events is called optimistic bias. Optimistic bias relates to a perception of personal invulnerability. It represents a defensive distortion that could undermine preventive action, interfere with precautionary behavior, and aggravate users’ risk-seeking tendency (Rhee et al., 2012).

2.5. Information Security Management in Banking Sector

In this section, related studies about information security in the banking sector, the Palestinian banking sector, information risk in the banking sector and information security management in the Palestinian banking sector will be discussed.

2.5.1. Related Studies about Information Security in Banking Sector

• Sinclair et al. (2008), in their field study “Information Risk in Financial Institutions”, discussed “the challenges facing developers and managers in enabling appropriate information access in these data-driven firms”, as they argued that “the changing organization environment, information accessibility, and regulatory environment all contribute to these challenges”.

• In Bauer (2012), “A Literature Review on Operational IT Risks and Regulations of Institutions in the Financial Service Sector”, the term “operational risk” is defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk”.
 ( 3102, مصلح ) in his field study “Security of Accounting Data and information and its automated storage Means at Jordan Banks”, found that, “the compliance rate with hardware and place security of storage means was very high, 94.4%, the compliance rate with individuals security was 95.7%, the compliance rate with system and software and hardware and applications security was 95.1%, the compliance rate with computers and machines and communications was 93.2%, and the compliance rate with intact keeping methods of data in the storage process was 93.8%. The results indicate that the present protection procedures of accounting data and information are adequate and comprehensive”.  Roos (2013), in his PhD. Thesis titled “Governance responses to hacking in the banking sector of South Africa”, pointed out that 42 “the board of directors is not fully embracing its IT governance responsibilities and that IT matters are mostly dealt with by risk management committees at board level or IT steering committees at executive management level. The effect of IT risks on business risks such as human resource risk and physical risk is underestimated”. 2.5.2. Palestinian Banking Sector Banking sector in Palestine is managed by Palestinian Monetary Authority (PMA) which is "The emerging Central Bank of Palestine”, due to the special situation of occupied Palestine. Its main purpose is to ensure the effectiveness of the Palestinian financial system (PMA, 2013), and that via sustaining the economic and financial growth of the Palestinian economy through the following:  Effective regulation and transparent supervision of Banks operating in Palestinian territory.  Development of Monetary Policies designed to achieve price stability.  Focusing on the implementation and operation, into modern and efficient payment systems. Currently, there are seventeen banks operating in Palestine through a network of more than two hundred branches and representative offices. 
Appendix A shows all details about the Palestinian banks. The banking sector is an important and vital sector in all societies, and it is often a target for theft and fraud; for this reason, the researcher decided to investigate this topic of utmost importance.

2.5.3. Information Risk in Banking Sector

Financial institutions in recent years have introduced many new services to make their customers’ lives easier. Innovations such as making payments online and communicating through mobiles and tablets bring real value to their customers, with great efficiencies and cost savings. On the other hand, those same advances also put institutions at a higher information risk (Ensor et al., 2012). According to Bit9 (2014), 47 percent of surveyed organizations know they have suffered a cyber-attack in the past year; 70 percent say they are most vulnerable through their endpoint devices; and yet 52 percent rate their ability to detect suspicious activity on these devices as “average-to-non-existent”.

2.5.4. Information Security Management in Palestinian Banking Sector

There are no previous studies about information security management in the Palestinian banking sector, and most of the published studies have addressed related topics such as e-services or topics related to banking operations. Thus, this research could be considered the first research in this field to study the status of information security management in Palestinian banks, as well as the factors influencing the effectiveness of the information security management process.

2.6. Information Security Standards

Standards often define the characteristics of products and services. They are developed in an open process, reflecting the views of many stakeholders, including technical experts, government representatives and consumers. The more active consumers are in developing standards, the more likely it is that products and services meet their needs (M. Siponen & Willison, 2009).
In this section, global information security standards and best practices, the importance of information security standards, and finally the standards and best practices used in this research will be discussed.

2.6.1. Global Information Security Standards and Best Practices

Information security is a concern for all organizations across the world, necessitating the sharing of global intelligence. A balance between security and privacy that is acceptable to the majority of the community worldwide must be found (Sipior & Ward, 2008). According to Dey (2007), the rapidly growing use of information technology in various businesses and the transition of sensitive information into digital records have led to the formation of guidelines, standards, and best practices. The new version of the International Standards Organization / International Electro-technical Commission standard (ISO/IEC 27001:2013) specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature (ISO®, 2013). ISO 27001 is not a technical standard but rather a business standard that helps establish an infrastructure for continuously improving information security in an organization (Ozkan & Karabacak, 2010). According to Dey (2007), most standards adopt the Plan-Do-Check-Act (PDCA) model, an iterative four-step management method used in business for the control and continuous improvement of processes and products, reflecting the principles set out by the Organization for Economic Co-operation and Development (OECD) in 2002.
The Information Technology Infrastructure Library (ITIL) describes a cycle, shown in Figure (2-2), with the following steps: Control, Plan, Implement, Evaluate and Maintain.

Figure (2-2): Framework for an Information Security Management System (Clinch, 2009).

Information security standards address people, processes and IT systems to assist in identifying, quantifying and managing threats to information. Appendix (D) contains the main international standards and best practices.

2.6.2. Importance of Information Security Standards

Organizations need to establish the compliance, regulatory and audit standards appropriate to the nature of their business, in addition to demonstrating alignment with security policies and procedures. Violation of these regulations may result in unacceptable audits, penalties, liabilities, punishment of C-level executives, and even complete closure of the business (Dey, 2007). The ISO/IEC 27001 standard provides a robust model for implementing the principles in earlier guidelines. It governs risk assessment, security design, implementation, security management and reassessment (Boehmer, 2008). Standards provide a systematic management approach to adopting best-practice controls, quantifying the level of acceptable risk and implementing the appropriate measures that protect the confidentiality, integrity and availability (CIA) of information (Jones & Learning, 2011).

2.6.3. Standards and Best Practices Used in Research

There is an ever-growing list of global standards in information security management. Therefore, the standards mainly adopted in forming the questionnaire for this research were:

• ISO/IEC 27002, which is a renumbering of ISO/IEC 17799, itself based on BS 7799. ISO/IEC 27002:2005 provides a commonly accepted security architecture framework of guidelines and general principles for developing organizational security standards and effective security management practices (ISO®, 2013b).
• Information Technology Infrastructure Library (ITIL), a framework of best-practice guidance in Information Technology Service Management (ITSM). It describes processes, functions and structures that support most areas of IT service management, mostly from the viewpoint of the service provider.
• Payment Card Industry (PCI) Data Security Standard (DSS), which governs the security standards for most payment industries (Visa, MasterCard, etc.).

2.7. Effective Information Security Management

Information security management has been developed to ensure that information is protected at all stages of all business processes. A useful perspective that divides up the scope is the ITIL 'Four Ps of Service Design', shown in Figure (2-3).

Figure (2-3): Achieving effective ISM through the four Ps (Clinch, 2009).

Our contribution in this research is the addition of a fifth domain, "Data", so the research domains are People, Process, Product/Technology, Partners/Suppliers and Data, and the researcher aims to study the influence of each domain on the effectiveness of information security management.

2.7.1. People

There are very different ideas and interpretations of the role of the human in security; there are also widely different views of what information needs to be secured and how this could be achieved. People is the first research domain, and the researcher wants to find the influence of this domain on the effectiveness of information security management. Thus, in this subsection the human factor, the role of users in information security, information security awareness, and security behaviors will be discussed.

Human Factor

Information security basically focuses on protecting resources from external threats and takes insider attacks lightly. However, research has shown that a large number of information privacy threats are posed by insiders, including organizations themselves (MacKinnon et al., 2013).
Many international studies have shown that technical solutions are not sufficient to control insider threats. Therefore, changing the security culture and increasing awareness is very necessary (Flynn et al., 2014). Da Veiga and Eloff (2010) argued that a number of papers conclude that insiders (people inside the organization) pose a threat to the protection of information. Therefore, organizations need to pay serious attention to reducing the risk that employees pose. A reliable technical infrastructure, trusted internal processes, good corporate governance and other security measures are among the cornerstone aspects to be considered when aiming to reduce the intentional and unintentional damage caused by employees (McIlwraith, 2006). The policies and procedures of information security management are carried out by employees, and most security failures are related to errors caused by employees (M. Siponen et al., 2014). According to Corpuz and Barnes (2010), the biggest security threat results from malicious or negligent employees or from faulty controls and oversight. Thus, organizations are interested in hiring employees whose individual actions, concerns, and perceptions are congruent with professional values. According to Schumacher et al. (2013), recognizing the consequences of information security management for employees and the organization is critical. The security practices of employees should be placed within the more holistic security management decision-making context.

Role of Employees in Information Security

A user can be characterized as a person with legitimate access to the organization's information systems. Organizations recognize that their employees and users must protect information, as privacy breaches by employees can be an unwitting avenue to noncompliance (Harkins, 2012). The information security function of each user is an important part of information security.
Users are often the weakest link in the information security chain, as users might be the least reliable barrier to preventing unwanted incidents (Sasse et al., 2001). Dhillon and Backhouse (2001) have argued that the role, responsibility and integrity of users are important principles of information security management in new forms of organizations. Users should play an active part in information security work by preventing unwanted incidents, protecting an organization's material and immaterial assets, and reacting to incidents (Lean-Ping & Chien-Fatt, 2014). Users can contribute several security actions in their daily work, e.g. locking the computer when absent from it; password etiquette; cautious use of e-mail and the Internet; avoiding unlicensed software; cautious use of organizational assets when working outside the organization; and reporting information security breaches (Line et al., 2011). Loss-prevention behavior is created by a combination of several factors: personal characteristics; administrative structures; technological and physical inscriptions; and social norms (Line et al., 2011). Albrechtsen (2007) argues that possible information security weaknesses related to user behavior should not only be explained by individual failures and violations but rather by mechanisms in the individual's context that generate the behavior. The field of information security has traditionally been directed mainly towards technological problems and solutions, and has lacked attention to socio-organizational and human aspects (Albrechtsen, 2004). Consequently, an important part of information security management is to understand and deal with users' function within their work context (Besnard & Arief, 2004).
Information Security Awareness

The Information Security Forum (ISF) defines information security awareness as the extent to which every member of staff understands the importance of information security, the levels of information security appropriate to the organization, and their individual security responsibilities (A. Jones, 2006). The security risks associated with information technology have become a topic of increasing concern. A security-aware culture, referred to as an information security culture, develops as a result of employees' interaction with information security controls such as passwords, access cards or anti-virus software. Information security culture can thus be defined as the way things are done in the organization to protect information assets (Da Veiga & Eloff, 2010). According to Kruger and Kearney (2006), the goal of security awareness is to highlight the importance of information systems security and the possible negative effects of a security breach or failure. The effective management of information security requires a combination of technical and procedural controls to manage information risk. The value of controls usually depends on the people implementing and using them (Breier & Hudec, 2013). The implementation of effective security controls is thus dependent upon the creation of a security-positive environment, where everyone is engaged in the behaviors expected of them (Al-Awadi, 2009). M. Whitman and Mattord (2013) classify information security awareness as a dynamic process, so any awareness program needs to be continually measured and managed to keep abreast of changes in risk profiles.

Security Behaviors

The behavior of employees should be followed so as to protect information assets; it is important to remember that a variety of controls must be considered, not only technical measures (Risvold, 2010).
One of the security behaviors that we focus on is the creation and use of passwords on an everyday basis. Although alternative techniques such as graphical passwords and the use of passphrases potentially offer more secure methods of authentication, passwords are still the most popular measure for protecting information (Sui et al., 2012). Despite this, many problems with password usage and examples of bad security practice have been observed. Choosing long passwords that are not in the dictionary puts an additional memory load on the user but yields little benefit if accounts are locked out after a fixed number of failed logins (Duggan et al., 2013). Further, even in instances (e.g. phishing) where users' bank details could be compromised, the proportion of users actually affected is very small, and banks typically reimburse customers who are victims of fraud (Duggan et al., 2012). Understanding the constraints that users operate under can help explain and/or reduce this bad practice. For example, limitations in memory capacity can constrain the length and number of passwords that users can remember (Dunphy, 2013).

2.7.2. Process

According to Yeniman Yildirim et al. (2011), a security process is the set of rules which help to define acceptable security levels in enterprises or associations. In this subsection, the information security process, information security policy, business continuity management and information risk management will be discussed.

Information Security Process

The information security process is different for every institution. It usually includes general statements of rules and applications regulating the liability of employees, security control tools, aims and goals, and management (Yeniman Yildirim et al., 2011).
According to Peltier (2013), it is essential for an enterprise to define information security requirements, so as to determine appropriate management actions and privileges, provide guidance for implementing appropriate controls to manage information security risks, and provide the necessary protection against these risks. The most important aspect of the information security process is its documentation and the establishment of the rules of technology use, as well as the codification of the enterprise's information values to all employees, from ordinary users to managers, throughout the whole enterprise (Commission, 2013).

Information Security Policy

According to Schumacher et al. (2013), it is better if network security policies are formed before establishing the process that will resolve a possible security problem; this is also easier than forming the security policy of an established system. In order to manage security effectively, both social and technical factors need to be considered concurrently. Security policies integrate these elements into a cohesive plan that organizations use for enforcing security (Goel & Chengalur-Smith, 2010). Creating a security policy involves gaining an understanding of the organization's mission and assessing its needs for information security, for the deployment of appropriate security controls (Peltier, 2013). Ratner et al. (2013) define security policies as social, political, legal, economic, and technological stipulations about security enforcement in an organization. Security policy development should be an iterative process where the policy is incrementally refined and its impact on the organization measured. There are guidelines for the creation of good policies; however, metrics to characterize or measure the resultant policies are unavailable. It is thus difficult to find out whether a policy is effective in managing security or what impact it has had in improving security (Goel & Chengalur-Smith, 2010).
Business Continuity Management (BCM)

Business continuity management is the identification of potential business risks while trying to avoid, minimize or prepare for these risks, so as to continue business processes and services without interruption. It is a socio-technical approach, in which the emphasis is on preparation for possible continuity problems. Therefore, it has strategic implications for preserving the value of the organization. Service disruptions have been found to have significant negative effects on customer loyalty (Sawalha, 2011). BCM also includes social aspects, not just technical backups; thus, an awareness of the importance of business continuity is essential for ensuring disruption-free operations (Järveläinen, 2013). Although the BCM literature has focused on the development and planning of business continuity in a single organization, its diffusion and standardization within organizations, as well as their internal IT relationships, should also be studied, especially within networked corporations.

Information Risk Management

The organization's information risk management approach must be aligned with organizational goals. In addition, it must be understood and supported across the senior management of the organization, as regular reporting to management is essential to demonstrate the value provided by effective information risk management practices, and effective information risk management programs contribute directly to successful organizational outcomes and sustainability (Hoo, 2000). Risk management programs must be provided with sufficient top management support and resources to ensure they are effective in achieving the desired goals. Information risk management programs are then seen by executive and operational management as positive contributors to the success of the organization and not just as another cost of doing business (Peltier, 2013).
It is necessary for management to take decisions on applying resources to manage the company's risk, and the auditors should be in agreement. The risk management process attempts to balance risk against the needs of the company. The goal should be to mitigate the risk to an adequate level, as no company can afford the resources to control risk to a zero level (Roos, 2013).

2.7.3. Products/Technology

Computer security is a balance between protecting information and enabling authorized access. Tightening security by making systems more inaccessible can hinder employees and make them less productive. It can also result in lower security as workers struggle to find ways around the security conditions to enable them to do their jobs (Post & Kagan, 2007). In this subsection some issues related to technology, such as secure remote management, cloud computing, physical and environmental security management, communication and operation management and access control management, will be discussed.

Secure Remote Management

Analyzing the requirements, trends and implementation of information sharing needs has dramatically increased the demand for secure remote access to multiple IT operations within the enterprise or large government entities. Additionally, when working with virtualized services, organizations tend to create a need for more remote infrastructure (Oberheide et al., 2008). The increasingly mobile work and warfighter force has led system administrators to increase the role of remotely managed service as a service provider, instead of local management of assets. In addition to the increase in configuration control, consistent patching, and reduced administrative costs, this comes with a price of perceived lower security because of the increased access to the systems' control mechanisms (Farroha & Farroha, 2010). According to Stouffer et al.
(2011), this situation needs to be mitigated by stronger access control mechanisms, increased monitoring, increased auditing and more passive and positive control over the assets. Many organizations and research facilities are developing highly secure remote management methods and products to allow system administrators control over local, virtualized and shared assets in serving the organization's mission.

Cloud Computing

Enterprise strategists have shown strong interest in cloud computing, even though initially there was a lot of confusion about the definition of a cloud. More recently there has been general agreement that cloud computing represents a shift towards delivering dynamically scalable IT resources as services over the Internet (Weinman, 2012). The main types of architecture are represented by the public and the private cloud. If an enterprise decides to host cloud services in its own data center, that is considered a private cloud, but if it uses cloud services hosted by service providers, it is probably a public cloud (Farroha & Farroha, 2010). According to Jansen and Grance (2011), security is the biggest enterprise concern about cloud computing. Thus information security, isolation, and multi-tenancy are key requirements of any cloud. Applications and users are therefore more comfortable using a private cloud, especially when dealing with secret or sensitive data, or data that is protected by privacy laws, such as healthcare and financial data. The enterprise can combine private, public and hybrid cloud structures to process and store varying levels of sensitive information. Since private clouds are placed behind the company firewall, the risk here is more internal to the company (Mather et al., 2009).

Physical and Environmental Security Management

Physical security is concerned with hardware.
Environmental security, on the other hand, is concerned with the computer center, delivery area, collection area, disposal/removal points, fire protection, air conditioning, cables, power supply, locks and alarms, in addition to establishing a log registry system for users, visitors and equipment coming into or going out of information facility areas (Dey, 2007).

Communication and Operation Management

In order to ensure the security and correctness of information processing, procedures and responsibilities should be written down for all related operations, including housekeeping, change/update management, segregation of duties, software or service acceptance and deployment criteria (in-house, outsourced), network protection (wired, wireless, mobile), e-commerce, clock synchronization, backup, recovery, exchange or transfer of data media, exchange of communication, use of e-mail and fax, and handling of public information. Monitoring mechanisms, including the maintenance of audits and logs, should be stated (Al-Mayahi & Sa'ad, 2014).

Access Controls Management

Procedures and responsibilities should be defined for all access-related tasks. This includes user creation/registration for the network (wired, wireless, mobile, and dial-up), operating system, applications and databases, and the allocation of rights and privileges, in addition to the use of system utilities, port open/close criteria, monitoring of passwords, access to critical systems, etc. Access to information should be monitored by maintaining audits and logs (Singh, 2012).

2.7.4. Partners/Suppliers

Organizations can outsource their IT infrastructure and have interorganizational information systems, but they cannot ignore the possible risk to their reputation if their external partners fail to provide the service required of them (Järveläinen, 2013). In this subsection, issues related to third parties like partners and suppliers, such as contracts, audits, technical methods, training and new technology adoption, will be discussed.
Contracts

Business Dictionary defines a contract as a voluntary, deliberate, and legally binding agreement between two or more competent parties. Contracts are usually written but may be spoken or implied, and generally have to do with employment, sale or lease, or tenancy (Järveläinen, 2013). In the contracts, clients require disaster recovery plans from the vendor, which are tested regularly and audited by the client or a third party. Managers understood that information security management can preserve the value of the company, and that reliable service increases the trust of customers (Kiefer, 2004).

Audits

Audits are used inside organizations to get feedback and update information security measures, whereas external audits are used to control vendors and increase the power of the client (Senft & Gallegos, 2010). According to Järveläinen (2012), auditing was used frequently when selecting a vendor, in the contract phase or before new system adoption. Some companies were audited dozens of times a year, although information security was not always part of the audit. Thus, audits were used as control mechanisms to ensure that the vendor was actually trustworthy.

Technical Methods

Technical methods were also used to enhance information security in organizations, on both the system and the individual level. The purpose of technical methods is mainly to control and limit damage, but also to transfer responsibility (M. T. Siponen, 2005). According to Järveläinen (2012), employees of the supplier have to sign a non-disclosure agreement (NDA) and the information security policy. If they access a company's network, a virtual private network and an individual account, restricted to a certain system, are used. In heavily regulated sectors, a security clearance was made for all employees, including the suppliers' employees accessing the firm's network. The technical methods were thus used for controlling the users and limiting possible damage.
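To make the technical control just described concrete (an individual supplier account restricted to a certain system, with access monitored through audits and logs, as the Access Controls Management paragraph in 2.7.3 also recommends), here is an added example in Python; it is not code from the thesis. The supplier account names, system names, log format and thresholds are assumptions constructed for the illustration.

```python
"""Scoped third-party accounts plus an audit-log review.
Added example, not from the thesis; supplier names, systems and log lines are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy: each supplier account is restricted to the systems it was granted.
# Accounts absent from this table have no scope at all (deny by default).
SUPPLIER_SCOPE = {
    "vendor-acme-ops": {"core-banking-test"},
    "vendor-helpdesk-01": {"ticketing", "jump-host"},
}

# Constructed audit log in a simple key=value format (one access event per line).
SAMPLE_LOG = """\
2014-03-03T09:00:00 account=vendor-acme-ops system=core-banking-test action=login result=ok
2014-03-03T09:05:00 account=vendor-acme-ops system=core-banking-prod action=read result=ok
2014-03-03T09:06:00 account=vendor-helpdesk-01 system=ticketing action=write result=ok
2014-03-03T09:07:00 account=vendor-helpdesk-01 system=hr-db action=read result=denied
2014-03-03T09:08:00 account=vendor-helpdesk-01 system=hr-db action=read result=denied
2014-03-03T09:09:00 account=vendor-helpdesk-01 system=hr-db action=read result=denied
2014-03-03T09:30:00 account=unknown-user system=jump-host action=login result=ok
this line is deliberately malformed
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<acct>\S+) system=(?P<sys>\S+) "
    r"action=(?P<act>\S+) result=(?P<res>\S+)$"
)


@dataclass
class AccessEvent:
    ts: datetime
    account: str
    system: str
    action: str  # login, read, write
    result: str  # ok or denied


def parse_log(lines):
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        events.append(AccessEvent(datetime.fromisoformat(m["ts"]),
                                  m["acct"], m["sys"], m["act"], m["res"]))
    return events


def is_in_scope(account, system):
    """Authorization check: may this supplier account touch this system?"""
    return system in SUPPLIER_SCOPE.get(account, set())


def review_access_log(lines, window=timedelta(minutes=10), max_denied=3):
    """Return findings as (kind, account, system, timestamp) tuples.

    SCOPE_VIOLATION_ALLOWED: an out-of-scope access that the enforcement point
        let through, i.e. the technical control itself failed.
    REPEATED_DENIALS: max_denied denials for one account inside the window,
        which an auditor would follow up with the supplier.
    """
    findings = []
    denied_at = {}  # account -> timestamps of recent denials
    for ev in parse_log(lines):
        if ev.result == "ok" and not is_in_scope(ev.account, ev.system):
            findings.append(("SCOPE_VIOLATION_ALLOWED", ev.account, ev.system,
                             ev.ts.isoformat()))
        if ev.result == "denied":
            recent = [t for t in denied_at.get(ev.account, []) if ev.ts - t <= window]
            recent.append(ev.ts)
            denied_at[ev.account] = recent
            if len(recent) == max_denied:
                findings.append(("REPEATED_DENIALS", ev.account, ev.system,
                                 ev.ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG.splitlines()):
        print(*finding)
```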
Training

On the individual level, training was used for improving information security management in interorganizational IT relationships. In addition, training created awareness of, and embedded practices for, external users working for outsourcing vendors (Leimeister, 2010). According to Fenton and Wolfe (2007), in some cases when the help desk was outsourced, help desk employees were treated in the same manner as the client's own employees: they went to the same IT training and signed information policies and NDAs.

New Technology Adoption

For today's organizations, connecting to a complex environment is not a choice but a necessity in order to survive and thrive. Intense competition requires organizations to be more effective, often by adopting new or advanced information and communication technologies (ICTs) (Baker & Wallace, 2007). The cost to organizations is that more complex technology requires specialized support and resources, and creates a rich environment for breeding vulnerabilities and risks. The contribution of advanced ICTs is therefore often compromised because of the unacceptably high levels of security breaches experienced (Qian et al., 2012). However, most organizations view information security control as an overhead and adopt a reactive management approach. Indeed, "actions taken to secure an organization's assets and processes are typically viewed as disaster preventing rather than payoff-producing" (Brown, 2011). Caralli et al. (2004) pointed out that "organizations do not routinely require return on investment calculations on information security investments, nor do they attempt to measure or gather metrics on the performance of such investments."

2.7.5. Data

Protecting information can have profound business and legal implications. Basically, data has become the 'life blood' of business, and compromising this life blood could kill the business (Gillies, 2011).
In this subsection, data usage, asset management and data leakage will be discussed.

Data Usage

Information security focuses on providing confidentiality, availability, and integrity to the informational assets of organizations. In contrast, the principle of security safeguards in information privacy focuses on achieving a "reasonable" or an "adequate" level of protection of information (Dayarathna, 2009). A clear understanding of the required level of protection is necessary for choosing appropriate organizational and technological measures for protecting information (Breier & Hudec, 2013).

Asset Management

Asset management is concerned with identifying information assets with responsible owners and defining rules for the acceptable use of these assets from a security point of view, in addition to classifying assets using a standard classification mechanism such as 'Sensitive', 'Confidential', 'Private', and 'Public', along with handling, labeling and disposal procedures (Schumacher et al., 2013). K.-c. Chang and Wang (2011) argued that management, as part of the organization's risk assessment process, is required to consider the risks to the company's information assets. Once the threats have been identified, risk mitigation needs to take place so that the risks are contained and are at an appropriate level.

Data Leakage

For years, the security industry has focused on outside threats and thus has released products such as those for intrusion prevention and malware scanning, focusing on keeping attackers from breaking into government or corporate networks and systems and stealing information, planting malware, or creating back doors for future access (Rodriguez & Martinez, 2013). According to Lawton (2008), while outside threats remain a concern, a more recent trend is working on threats emanating from the inside, looking at information leaving an organization without authorization.
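As an added illustration of the data leakage prevention (DLP) content monitoring this subsection discusses, and not part of the thesis, the following Python scans constructed outbound messages for card numbers, account numbers and handling labels, and decides whether to block, hold for review, or only log the message. The internal domain, the account-number format, the label keywords and the sample messages are all assumptions made for the example.

```python
"""Minimal DLP content check over outbound messages.
Added example, not from the thesis; the internal domain, account-number format,
keywords and messages are all constructed for illustration."""
import re

INTERNAL_DOMAIN = "bank.example"            # constructed organization domain
LABELS = ("confidential", "internal only")  # handling labels worth a human look
# 13-19 digits, optionally separated by single spaces or dashes (card-number shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed account-number shape for this example: two letters then ten digits.
ACCOUNT_RE = re.compile(r"\b[A-Z]{2}\d{10}\b")

# Constructed outbound messages.
SAMPLE_MESSAGES = [
    {"id": 1, "to": "ops@bank.example",
     "body": "Ticket 4451: card 4111 1111 1111 1111 blocked, please review."},
    {"id": 2, "to": "someone@webmail.example",
     "body": "Customer card 4111-1111-1111-1111 and account PS1234567890 as requested."},
    {"id": 3, "to": "supplier@vendor.example",
     "body": "Order 12345678901234 shipped, invoice attached."},
    {"id": 4, "to": "supplier@vendor.example",
     "body": "CONFIDENTIAL: draft memo attached."},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return normalized digit strings that look like cards and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(value):
    """Keep only the last four characters so findings can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_outbound(message):
    """Return (verdict, findings) for one message.

    allow:  nothing sensitive found
    log:    sensitive content to an internal recipient -> record it for the
            communications overview, do not block
    block:  card or account numbers to an external recipient
    review: only a handling label to an external recipient -> hold for a human
    """
    body = message["body"]
    findings = [("PAN", mask(d)) for d in find_card_numbers(body)]
    findings += [("ACCOUNT", mask(m.group())) for m in ACCOUNT_RE.finditer(body)]
    findings += [("LABEL", kw) for kw in LABELS if kw in body.lower()]
    external = not message["to"].lower().endswith("@" + INTERNAL_DOMAIN)
    if not findings:
        verdict = "allow"
    elif not external:
        verdict = "log"
    elif any(kind in ("PAN", "ACCOUNT") for kind, _ in findings):
        verdict = "block"
    else:
        verdict = "review"
    return verdict, findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, findings = scan_outbound(msg)
        print(msg["id"], msg["to"], verdict, findings)
```

The Luhn check is what keeps message 3's order number from being treated as a card number; a real product adds context rules and document fingerprinting on top of such patterns.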
Data leakage prevention aims to keep employees and others with access to a system from intentionally or unintentionally sending out sensitive material, such as government or business secrets; intellectual property; research results; confidential e-mails; financial data; and Social Security, credit-card, and bank-account numbers, from desktop or mobile systems without authorization (Greitzer & Hohimer, 2011). The approach that vendors have developed to address these problems is known by many names, including data-leak protection or prevention (DLP), extrusion prevention, anti-data leakage, insider-threat protection, and outbound-content management (Shabtai et al., 2012). In addition to helping stop data leakage, DLP's content monitoring gives organizations a good look at their daily business communications. This helps them identify patterns and improve their communication processes (Blasco et al., 2012). Moreover, DLP helps organizations comply with government regulations regarding privacy, the protection of sensitive data, and the maintenance of records. If a data leak receives a lot of public attention, it could damage an organization's reputation, causing current and potential customers to lose trust (Tipwong, 2011).

2.8. The Economic Approach of Information Security

Business has become increasingly dependent on information and its underlying communication technologies. While several efforts have been undertaken to set up concepts to secure the information infrastructure, security economic plans still lack metrics for decision support (Castells, 2011). According to Maizlish and Handler (2010), evaluating IT investments should consist of accessible data, reliable information, accurate content, flexibility of system usage, scalability of the system in adjusting to and following business needs, and finally the cooperation of the team and managers in doing their job well.
A key factor in getting value from security is to ensure that the financial returns from a successful implementation of a security-enabled business process justify the cost of security in terms of enabling business. It is generally impractical or difficult to dissociate the returns from the business processes (Kleidermacher & Kleidermacher, 2012). Seker (2012) states that "the costs of implementing security measures must be weighed against the value of information being protected and the price of having a security incident caused by non-implementation of security measures". Information security infrastructure is the foundation of a secure environment. In addition, it provides a comprehensive plan that protects the confidentiality, integrity, and availability of information resources. An information security plan is composed of risk assessment, technology architecture, policies and procedures (M. Whitman & Mattord, 2013). Enterprises around the globe are increasingly concerned about the risk of cyber threats, and the rising number of incidents shared publicly justifies their worries. Yet budgets are being reduced and technology departments are being asked to cut resources: risk up, budgets down. In addition, the risk realities are exploited by anyone who uses the downturn in security enf