Computers & Security, Vol. 7, No. 2 (1988) 185-195
Refereed Article
Organizational Structuring of the Computer Security Function
Detmar W. Straub, Jr.
MIS Area Group, Management Sciences Dept., Curtis L. Carlson School of Management, University of Minnesota, 271 19th Avenue South, Minneapolis, MN 55455, U.S.A.
The effectiveness of an organizational unit can be dramatically affected in a positive or negative way by its placement within the organization. Because protection of the information resource is becoming more and more critical for organizational survival, the organizational positioning of computer security is being investigated in this study. According to data gathered from 39 U.S. organizations with data or computer security administrators, the function is currently being relegated to lower levels in the organizational hierarchy. Security officers are most frequently being supervised by line managers in the IS (Information Systems) area. There are exceptions to this pattern, notably in financial institutions and government, but overall evolutionary trends of security unit initiation do not typically include high level reporting relationships. From the standpoint of the need for independent watchguards, this policy is unwise. A normative model for organizational placement of the security function is offered as a solution to the present state of affairs. Use of this prescriptive model should greatly assist IS and top corporate managers in administering the information security area.
Keywords: Organizational structuring of security, Hierarchical placement of computer security, Principle of control independence, Organizational structuring of EDP audit.
1. Introduction
This study investigates the ways in which the computer security function is being structured administratively in U.S. organizations. Based on an evaluation of empirical study data and a normative model of organizational control derived from the principle of control independence, prescriptive recommendations are made for initially structuring or restructuring the security function.
1.1 Placement of Administrative Units and Management Responses to the Placement of Computer Security
0167-4048/88/$3.50 © 1988, Elsevier Science Publishers Ltd.

Placement of an administrative unit within the organizational hierarchy is often a choice exercised by management [10]. A variety of contextual considerations may also help to explain the positioning of particular functions within organizational charts [37], but it is clear that organizational structuring is extremely important to overall corporate health. It can, for instance, greatly influence the internal posture of a function [26] and the effectiveness of its control [37, 34]. To ensure that critical functions are capable of meeting their objectives, top management is charged with developing effective and efficient organizational structures. Bringing order to the complex reporting relationships and intricate processes that characterize modern organizations is both the prerogative and duty of top management, who need to consider overall placement issues and resolve them in the light of organizational priorities. Considerations about the placement of critical organizational functions such as computer security [36] are integral, therefore, to sound management practices [31]. Unfortunately, it appears that many top U.S. executives do not believe that computer security is a critical functional area [14]. They have been slow to understand the enormous risks involved [23] in spite of the fact that such fears are frequently stressed by both Internal Audit and EDP managers [29].¹ This reluctance to deal with the issue by granting status and committing resources to the computer security function [24] flies in the face of a new set of legal proscriptions specifically designated for corporate managers who are negligent in protecting information assets [30]. Although ultimate responsibility for reasonable internal control systems rests with the Board of Directors [32], all management levels can now be held liable for sloppy, misleading and inaccurate records, according to the Foreign Corrupt Practices Act [12, 9]. It behoves executive and lower level managers alike, therefore, to have an active role in protecting information assets [21], and to recognize the key liaison role that can be played by security personnel.

¹ Shoor [39] feels that executives are aware of the security problem and are willing to help prevent it. The evidence would tend to refute this view, though.

Unlike top executives, IS (Information Systems) managers in the U.S. are generally aware of the crucial role of computer security specialists in underwriting organizational survival. In fact, security and control has been cited as a key management issue in every opinion survey of IS managers since the early 1980s [5, 27, 20, 41, 16, 22, 11]. Security and integrity have also been cited as the primary management concern in end user computing [8]. Corroboration of this heightened concern is found in the overt ways IS managers value the security administrative function. Salary is a good surrogate measure of imputed worth [26], and can be used to compare security specialists with other DP professionals. Such comparisons indicate that computer security has consistently ranked in the upper third decile of DP professionals, i.e. they are highly valued by IS managers. According to the annual Datamation DP salary surveys, security specialists ranked 11th of 32 DP positions in the 1981 survey [18] and 10th of 32 in the 1985 survey [19].²

² There were 32 positions common to both surveys.

1.2 Establishment of the Computer Security Function
As a response to the perception of latent vulnerability in computer systems, IS managers have initiated specialized computer security units over the last decade [44]. Somewhere between 50% and 60% of U.S. organizations assign personnel to the administration of computer security on a full or part-time basis [42, 43]. In terms of organizational structure, most of these administrators are situated in the IS area [42]. Some common titles include "Director of Data Security," "Manager of Computer Security," and "Computer Security Administrator" [42]. Computer security can be positioned at several levels in the organization, both from a vertical and a horizontal perspective. The vertical perspective has to do with management reporting level. Security administrators, for example, can report to top management such as Vice President of Information Services, to middle-level managers such as EDP manager/director, and finally to line managers such as manager/director of EDP operations. The horizontal perspective, on the other hand, has to do with the functional area of primary reporting responsibility. Computer security, for example, may report to accounting managers, such as the Controller, to Plant Security managers, to the Audit Committee of the Board of Directors, or to IS management, which, as noted above, is the most common arrangement. Clearly, IS managers need to build senior management commitment to computer security [15, 40], especially if concerns about misplacement of the function prove to be accurate. This study will provide empirical data on the actual placement of security officers in the organizational hierarchy and present arguments for how it should be structurally placed.³

³ The current study, which has been underway for several years, was preceded by a pilot study of 1000 randomly-selected DPMA managers in January of 1985 [42]. Both the pilot and the current study were underwritten by grants from IRMIS (Institute for Research on the Management of Information Systems, Indiana University Graduate School of Business) and the Ball Corporation Foundation. Fellowship support was generously provided by the IBM Corporation. Continuing research support is being provided by the MISRC (Management Information Systems Research Center, University of Minnesota).

2. Research Questions for this Study
Exactly what is currently known about the placement of security within the organization? Descriptive statistics presented in prior computer security studies address important questions about the phenomenon of computer abuse, but do not address computer security structuring issues. These studies include: (1) victimization surveys [1, 2, 25] and (2) archival data gathered from media and police reports of abuse [35, 36]. Aside from the observation in ref. 42 that security typically reports to the IS department, no prior empirical study to my knowledge has addressed this general question. To investigate these salient issues, two primary research questions have been devised, as shown in Fig. 1, "Research Questions."

Q(1): Where is the computer security function currently being placed in the organizational hierarchy?
Q(2): What is the most effective organizational positioning for computer security units?
Figure 1. Research Questions

3. The Study
To address these research questions and to determine correspondences between variables of interest, a questionnaire instrument was chosen (see Appendix for the study instrument). This study is part of a larger project which investigates the abuse of computer systems, but items addressing organizational placement, namely items 1 and 2, were added to this victimization questionnaire to assess reporting relationships. Measures in the study instrument were devised and validated over the two year period, 1984-1985. The instrument was validated via extensive field interviews with 35 system professionals, interviews and questionnaire responses from a group of 88, and finally questionnaire responses from 170. This validated survey was mailed out to a group of 5489 randomly-selected DPMA (Data Processing Management Association) members in the U.S. The sample base that resulted from a final administration of the survey was 1211 with reports on 259 separate abusive incidents. A more detailed description of the overall validation process is found in ref. 43.⁴ Besides the variables measuring abusive incidence, variables of greatest relevance to the present study are items 1 and 2, which ask for the respondent's position and that of his/her immediate superior. Altogether 39 of these randomly-selected respondents indicated in item 1 that they served in this capacity of data/computer security director. This sub-group of respondents, therefore, served as a primary sample base for this study. An initial set of tests for non-response bias in the sample data was performed to ensure that respondents did not differ systematically from non-respondents. Systematic differences reduce confidence in our ability to generalize findings to the entire population. Results from these tests indicate that non-response bias was not present [43].

⁴ There is an obvious bias present in the data from the fact that DPMA has a heavily IS and DP orientation and security officers in other functional areas would more likely join other professional societies, e.g. ASIS (American Society for Industrial Security). To ensure the meaningfulness of results here, the distribution of computer security among functional areas was checked against the pre-study data, three-fourths of which was gathered directly from organizations, i.e. organizations which did not necessarily have DPMA members. Distributions splitting IS and other areas were nearly identical in both samples.
4. Analysis of Research Question 1
4.1 Current Placement of the Security Function
In answer to research question 1 (the current placement of the security function), analysis of pretest and pilot study data originally reported in ref. 42 reveals that most security administrators report to line managers, and specifically to line managers in Information Systems. Findings in the current study confirm these results. Slightly less than 56% of computer security specialists report to line managers in the IS area, according to the data. This is shown in Fig. 2, "Distribution of Computer Security Reporting Relationships." The data shows quite clearly, though, that significant proportions (19% + 25% = 44%) of security officers report to top or middle level managers, a statistic which indicates that security is not being placed low in the hierarchy by default. The option for a different horizontal placement was exercised in two cases; in these organizations a Controller and a Corporate Security manager direct computer security. Reasons for placement of computer security under the IS umbrella are fairly obvious. Security officers need to work closely with IS to implement procedures for use of systems and security software [43]. Because of similarities of computer security officers and line security officers in the Corporate or Facilities Security [7], there is also an argument for incorporating computer security into this group. Both are entrusted with physical security measures and with establishing procedures for protecting assets. By this time, moreover, there has been a cumulative tradition of security in Corporate Security. The one offsetting caveat is that technical, computer sophistication must be advanced in the Corporate Security department before the match would make sense. Unfortunately, this is often not the case.

It should be noted that management reporting levels of various industrial types were overviewed to determine if particular industries led the way in assigning computer security to higher organizational levels. According to the data, financial institutions and government accounted for 56% of top and middle level reporting structures in the seven respondent industries. This concentration is not surprising in these two groups given the past attention paid to security issues in the government PCIE study [25].⁵

⁵ There were, however, no statistically significant differences between the groups according to a Chi-Square Contingency table test (Chi Square = 0.163, p-value = 0.66). This lack of significance should not be taken as the final word since the statistical power was so low, however (cf. [6]).

[Figure 2 is an organization chart that did not survive scanning. Recoverable labels: Chief Executive Officer, Chief Production Officer, Chief Financial Officer, Director/Head, Manager of Operations, and an axis labelled Reporting Level.]
Figure 2. Distribution of Computer Security Reporting Relationships
5. The Principle of Control Independence and Computer Security Structuring
Before exploring research question 2 (how should computer security be positioned?), it is important to review the conceptual precepts of control independence. The principle of control independence advocates that control functions should be as objective as possible, i.e. "independent," in order to monitor fairly and accurately organizational outcomes, including deviation of performance from standards and goals. Part of this objectivity arises from and is inherent in proper organizational placement. To ensure, for instance, that internal auditors are not unduly influenced by superior-subordinate relationships, they should not report to business line functions outside of accounting, i.e. functional areas they are charged with overseeing [4]. In the most desirable control situation, they will, in fact, report directly to the Auditing Committee of the Board of Directors [13]. This ensures that they are able to serve as watchdogs for the Accounting function itself.⁶ As an elaboration on this line of reasoning, U.S. Auditing Standard 322.07 [3] is telling. This standard cautions outside auditors to look at the organizational position of the internal audit function before evaluating its capability to "act independently."

"When considering the objectivity of internal auditors, the independent [outside] auditor should consider the organizational level to which internal auditors report the results of their work and the organizational level to which they report administratively. This frequently is an indication of the extent of their ability to act independently of the individuals responsible for the functions being audited."

⁶ For all practical purposes, organizational structuring for control purposes need not be taken beyond the first level, the level of who controls the controllers, or who watches over the watchers. In the final analysis it is the independent outside auditor who has the ultimate monitoring responsibility.

5.1 Normative Placement of the Computer Security Function
The implications of this passage are clear. Positioning internal audit at lower levels in the organizational hierarchy compromises independence of judgment by auditors in placing them in subordinate roles to individuals in the organization they are charged with monitoring. In the Auditing standards, this is otherwise known as employer-employee bias. It is also the underlying logic behind having internal audit report to the Audit Committee of the Board of Directors or a senior officer in many organizations [13]. The attention paid in the auditing standards to these matters reinforces the importance that needs to be attached to this control principle.
5.2 Addressing Research Question 2
There are sound reasons for believing that what has been cited as an important operating principle in internal audit applies equally well to computer security, and these reasons address research question 2, which concerns normative rules for organization positioning of computer security. In the first place, internal audit and computer security are frequently linked in terms of their essential functional roles [24, 33]. Secondly, computer security is very likely to have liaisons with virtually every operating unit in the organization [21], and be responsible for monitoring security breaches in these diverse groups, including its own departmental unit. Without control independence, they will be intrinsically and extrinsically pressured not to report many supervisory violations. Without high organizational positioning, they cannot be acceptably objective. In sum, admonitions that security, like auditing, is a watchdog function that should be independent of managerial pressure ("Who controls the controllers?") stand out in the literature. These concerns, moreover, can be addressed by a strategic positioning of computer security in the organization.
6. Summary of Central Findings and Implications for Practice
The thrust of the study conclusions is summarized in Fig. 3, "Central Findings and Key Points of the Study." There may be viable explanations for why security is being placed at particular levels within organizations that are at the moment undetermined. The goal of further studies should be triangulation on the actual facts and reasoning behind structuring of the security unit. Numerous authors have suggested that security responsibilities be decentralized to functional areas that create and maintain information [38, 24]. The viability of this alignment needs empirical validation or, at least, careful study. Some organizations may be more logical choices for such an arrangement, and these choices need delineation.

The majority of computer security units are now supervised by line managers in the IS department. The principle of control independence argues that for maximum effectiveness the security group should be positioned as high in the organization as possible.
Figure 3. Central Findings and Key Points of the Study

The study findings suggest several major implications for Board Directors, top management VPs and Directors of Information Systems, and practitioners who administer computer security. Based on the evidence in this study and the principle of control independence, numerous implications can be cited for the organizational positioning of computer security, as shown in Fig. 4, "Major Implications of the Study." As we have seen, most organizations have found it conducive to place computer security in the EDP department. For technological and other reasons, this horizontal placement makes good sense [36, 28]. Another viable possibility is a forward-thinking and technologically-advanced Corporate Security department [36]. In terms of vertical placement, the best control will be produced with the highest possible placement. Parker [36] has even suggested a VP of Information Protection be established to encourage managers of all functional areas to take computer security more seriously. Given the Realpolitik of modern organizations, this best-of-all-possible-worlds scenario is not likely to take place. Computer security, therefore, will very likely continue to be placed within an already existing department, or report as a staff function to the VP level. These heuristics attempt to maximize the potential of security administration. As the administrative activity is gradually incorporated into the lifestream of American business, it is undergoing numerous, inevitable changes. This evolution needs to be carefully managed lest security problems degrade from their current state into an unacceptable out-of-control state.

Vertical placement of the computer security function should be as high as possible in the organization. Horizontal placement of the computer security function should be in the Information Systems department, or a technologically-advanced Corporate Security department, or in an autonomous entity.
Figure 4. Major Implications of the Study
References
[1] ABA: "Report on Computer Crime," pamphlet, prepared by the Task Force on Computer Crime, American Bar Association, Section on Criminal Justice, 1800 M Street, Washington, D.C. 20036, 1984.
[2] AICPA: "Report on the Study of EDP-related Fraud in the Banking and Insurance Industries," pamphlet, American Institute of Certified Public Accountants, Inc., 1211 Ave. of the Americas, NY, NY, 1984.
[3] AICPA Professional Standards. Chicago: Commerce Clearing House, 1983.
[4] Arens, Alvin A. and James K. Loebbecke: Auditing: An Integrated Approach. Englewood Cliffs, NJ: Prentice-Hall, 1984.
[5] Ball, L. and R. Harris: "SMIS Member: A Membership Analysis," Management Information Systems Quarterly, Vol. 6, No. 1 (March, 1982), 19-38.
[6] Baroudi, Jack J. and Wanda J. Orlikowski: "Misinformation in MIS Research," Center for Research on Information Systems Working Paper, CRIS 125, GBA 86-62 (Graduate School of Business Administration, New York University), 1986.
[7] Beane, W.F.: "Computer Security: Who's in Charge?" Inside Security World, Vol. 20, No. 10 (October, 1984), 42-46.
[8] Benson, David H.: "A Field Study of End User Computing: Findings and Issues," Management Information Systems Quarterly, Vol. 7, No. 4 (December, 1983), 35-45.
[9] Bezdek, Jiri: "Across-the-Board Training Protects Data: Crime Requires Preventive Action of Execs," Computerworld, 29 October, 1984, 10-11.
[10] Bobbitt, H. Randolph, Jr. and Jeffrey D. Ford: "Decision-Maker Choice as a Determinant of Organizational Structure," Academy of Management Review, Vol. 5, No. 1 (Winter, 1980), 13-23.
[11] Brancheau, James and James C. Wetherbe: "Key Issues in Information Systems: 1986," Management Information Systems Quarterly, Vol. 11, No. 1 (March, 1987), 23-45.
[12] Brickman, Bruce K.: "The Corporate Computer: A Potential Timebomb," Financial Executive, Vol. 51, No. 4 (April, 1983), pp. 20, 22, 24.
[13] Brill, Alan E.: Building Controls into Structured Systems. NY: Yourdon, 1983.
[14] Buss, Martin D.J. and Lynn M. Salerno: "Common Sense and Computer Security," Harvard Business Review, Vol. 62, No. 2 (March-April, 1984), 112-121.
[15] Campitelli, Vincent A.: "Is Your Computer a Soft Touch?" Financial Executive, Vol. 52, No. 2 (February, 1984), 10-14.
[16] Canning, Richard: "Information Security and Privacy," EDP Analyzer, Vol. 24, No. 2 (February, 1986), 1-6.
[17] Cassell, Dana: "Crime Climbing Up the Organization," Dun's Business Month, Vol. 128, No. 3 (September, 1986), 70.
[18] Datamation Staff: "1981 DP Salary Survey," Datamation, Vol. 27, No. 5 (May, 1981), 98-115.
[19] Datamation Staff: "1985 DP Salary Survey," Datamation, Vol. 31, No. 18 (September, 1985), 88-104.
[20] Dickson, G.W., R.L. Leitheiser, J.C. Wetherbe, and M. Nechis: "Key Information Systems Issues for the 80's," Management Information Systems Quarterly, Vol. 8, No. 3 (September, 1984), 135-159.
[21] Fisher, Royal P.: Information Systems Security. Englewood Cliffs, NJ: Prentice-Hall, 1984.
[22] Hartog, Curt and Martin Herbert: "1985 Opinion Survey of MIS Managers: Key Issues," Management Information Systems Quarterly, Vol. 10, No. 4 (December, 1986), 351-361.
[23] Katz, David M.: "Keeping Up with Computer Capers," National Underwriter, 24 February, 1984, pp. 2, 18-19.
[24] Keefe, Patricia: "Computer Crime Insurance Available: For a Price," Computerworld, 31 October, 1983, 20-21; Kraus, Leonard I. and Aileen MacGahan: Computer Fraud and Countermeasures. Englewood Cliffs, NJ: Prentice-Hall, 1979.
[25] Kusserow, Richard P.: "Computer-Related Fraud and Abuse in Government Agencies," unpublished paper, U.S. Dept. of Health and Human Services, Washington, D.C., 1983.
[26] Mahoney, Thomas A.: "Organizational Hierarchy and Position Worth," Academy of Management Journal, Vol. 22, No. 4 (Fall, 1980), 726-737.
[27] Martin, E.W.: "Information Needs of Top MIS Managers," Management Information Systems Quarterly, Vol. 7, No. 1 (September, 1983), 1-11.
[28] Martin, James: Security, Accuracy, and Privacy in Computer Systems. Englewood Cliffs, NJ: Prentice-Hall, 1973.
[29] Mautz, Robert K., Alan G. Merten, and Dennis G. Severance: "Corporate Computer Control Guide," Financial Executive, Vol. 52, No. 6 (June, 1984), 25-36.
[30] McKibbin, Wendy: "Who Gets the Blame for Computer Crime," Infosystems, Vol. 5 (July, 1983), 34-36.
[31] Moulton, Rolf: "Data Security is a Management Responsibility," Computers and Security, Vol. 3, No. 1 (February, 1984), 3-7.
[32] Nasuti, Frank W.: "Investigating Computer Crime," Journal of Accounting, Vol. 2, No. 3 (Fall, 1986), 13-19.
[33] Nevell, Paul: "The Internal EDP Audit Function: An Investigation of Current Organizational Practices and Issues," MISRC Working Paper (MISRC-WP-82-13), University of Minnesota, 1982.
[34] Ouchi, W.G.: "The Relationship between Organization Structure and Organizational Control," Administrative Science Quarterly, Vol. 22 (1977), 95-113.
[35] Parker, Donn B.: Crime by Computer. New York: Scribner's, 1976.
[36] Parker, Donn B.: Computer Security Management. Reston, VA: Reston, 1981.
[37] Ranson, Stewart, Bob Hinings, and Royston Greenwood: "The Structuring of Organizational Structures," Administrative Science Quarterly, Vol. 25 (March, 1980), 1-17.
[38] Reid, Gordon L.: "Decentralizing Data Security," Datamation, Vol. 30, No. 20 (December, 1984), 147-48.
[39] Shoor, Rita: "Microcomputer Security: Back to Basics," Infosystems, Vol. 33, No. 9 (September, 1986), 44-46.
[40] Silverman, M.E.: "Selling Security to Senior Management, DP Personnel and Users," Computer Security Journal, Vol. 2, No. 2 (Fall/Winter, 1983), 7-17.
[41] Sprague, Ralph H., Jr. and Barbara C. McNurlin, eds.: Information Systems Management in Practice. Englewood Cliffs, NJ: Prentice-Hall, 1986.
[42] Straub, Detmar W.: "Computer Abuse and Computer Security: Update on an Empirical Study," Security, Audit, and Control Review, ACM Special Interest Group Journal, Vol. 4, No. 2 (Spring, 1986), 21-31.
[43] Straub, Detmar W.: "Deterring Computer Abuse: the Effectiveness of Deterrent Countermeasures in the Computer Security Environment," unpublished dissertation, Indiana University School of Business, Bloomington, IN, 1986.
[44] Straub, Detmar W., Jr. and Jeffrey A. Hoffer: "Computer Abuse and Computer Security: An Empirical Study of Contemporary Information Security Systems," IRMIS (Institute for Research on the Management of Information Systems, Indiana University School of Business, Bloomington, IN 47405) Discussion Paper, 1987.
[45] Straub, Detmar W. and Cathy Spatz Widom: "Deviancy by Bits and Bytes: Computer Abusers and Control Measures," in Computer Security: A Global Challenge, eds. James H. Finch and E.G. Dougall. Amsterdam: Elsevier Science Publishers B.V. (North-Holland) and IFIP, 1984, pp. 91-102.
Detmar W. Straub, Jr. is currently Assistant Professor of Management Information Systems at the University of Minnesota's Curtis L. Carlson School of Management. He joined the faculty there in September, 1986 after completing a dissertation at Indiana University entitled "Deterring Computer Abuse: the Effectiveness of Deterrent Countermeasures in the Computer Security Environment." Dr. Straub has published a number of studies in the computer security arena, but his research interests extend as well into EDP auditing and error analysis. Besides his academic experience, he has served as Director of MIS for administrative computing at the university level and in the Accounting Department of International General Electric Co. He has also consulted widely with corporate and government clientele on computer security matters.
L
J S e c t i o n I.
Computer
Abuse Questionnaire
Personal Information 1. Y O U R
POSITION:
[ ] President~Owner/Director/Chairman/Partner [ ] Vice President/General Manager [ ] Vice President of EDP [ ] Director/Manager~Head~Chief of EDP/MIS [ ] Director/Manager of Programming [ ] Director~Manager of Systems & Procedures [ ] Director/Ma nager of Communications [ ] Director/Manager of EDP Operations [ ] Director/Manager of Data Administration [ ] Director/Manager of Personal Computers [ ] Director/Manager of Information Center [ ] Data Administrator or Data Base Administrator [ ] Data/Computer Security Officer [ ] Senior Systems Analyst [ ] Systems/Information Analyst [ ] Chief/Lead/Senior Applications Programmer F1 Applications Programmer [ ] Chief/Lead/Senior Systems Programmer 1"3 Systems Programmer
[ ] Chief/Lead/Senior Operator [ ] Machine or Computer Operator [ ] Vice President of Finance 13 Controller [ ] Director/Manager Internal Auditingor EDPAuditing [ ] Oirector/Managerof Plant/BuildingSecurity [ ] EDP Auditor [ ] Internal Auditor [ ] Consultant [ ] Educator [ ] Userof EDP [ ] Other (please specify):
2. YOUR IMMEDIATE SUPERVISOR'S POSITION: 13 [] 17 [] O [] [] [] [] [] [] [] [] [] rl
President/Owner/Director/Chairman/Partner Vice President~General Manager Vice President of EDP Director/Manager/Head/Chief of EDP/MIS Director/Managerof Programming Director/Manager of Systems & Procedure~ Director/Ma nager of Communications Director/Manager of EDP Operations Director/Manager of Data Administration Director/Manager of Personal Computers Director/Manager of Information Center Data/Computer Security Officer Senior Systems Analyst Chief/Lead/Senior A l ~ i c a t i o n s Procrammer Chief/Lead/Senior Systems Procrammer Chief/Lead/Senior Machine or C,omputer Ope~tor
O [] [] []
Vice President of Finance Controller Director/Manager Internal Auditing or EDP Auditing Director/Manager of Plant/Buildir~ Security
[]
[ ] Other (please specify):
3. NUMBER OF TOTAL YEARS EXPERIENCE IN/WITH INFORMATION SYSTEMS?
[ ] More than 14 years
[ ] 11 to 14 years
[ ] 7 to 10 years
[ ] 3 to 6 years
[ ] Less than 3 years
[ ] Not sure

Organizational Information

4. Approximate ASSETS and annual REVENUES of your organization:

                                       ASSETS                  REVENUES
                               At all      At this      At all      At this
                               Locations   Location     Locations   Location
Over 5 Billion ..............    [ ]         [ ]          [ ]         [ ]
1 Billion-5 Billion .........    [ ]         [ ]          [ ]         [ ]
250 Million-1 Billion .......    [ ]         [ ]          [ ]         [ ]
100 Million-250 Million .....    [ ]         [ ]          [ ]         [ ]
50 Million-100 Million ......    [ ]         [ ]          [ ]         [ ]
10 Million-50 Million .......    [ ]         [ ]          [ ]         [ ]
5 Million-10 Million ........    [ ]         [ ]          [ ]         [ ]
2 Million-5 Million .........    [ ]         [ ]          [ ]         [ ]
1 Million-2 Million .........    [ ]         [ ]          [ ]         [ ]
Under 1 Million .............    [ ]         [ ]          [ ]         [ ]
Not sure ....................    [ ]         [ ]          [ ]         [ ]
5. NUMBER OF EMPLOYEES of your organization:

                               At all      At this
                               Locations   Location
10,000 or more ..............    [ ]         [ ]
5,000-9,999 .................    [ ]         [ ]
2,500-4,999 .................    [ ]         [ ]
1,000-2,499 .................    [ ]         [ ]
750-999 .....................    [ ]         [ ]
500-749 .....................    [ ]         [ ]
250-499 .....................    [ ]         [ ]
100-249 .....................    [ ]         [ ]
6-99 ........................    [ ]         [ ]
Fewer than 6 ................    [ ]         [ ]
Not sure ....................    [ ]         [ ]

6. PRIMARY END PRODUCT OR SERVICE of your organization at this location:
[ ] Manufacturing and Processing
[ ] Chemical or Pharmaceutical
[ ] Government: Federal, State, Municipal including Military
[ ] Educational: Colleges, Universities, and other Educational Institutions
[ ] Computer and Data Processing Services including Software Services, Service Bureaus, Time-Sharing and Consultants
[ ] Finance: Banking, Insurance, Real Estate, Securities, and Credit
[ ] Trade: Wholesale and Retail
[ ] Medical and Legal
[ ] Petroleum
[ ] Transportation Services: Land, Sea, and Air
[ ] Utilities: Communications, Electric, Gas, and Sanitary Services
[ ] Construction, Mining, and Agriculture
[ ] Other (please specify): ______________________

Are you located at Corporate Headquarters:  Yes [ ]  No [ ]
7. CITY (at this location)?
STATE?
8. TOTAL NUMBER OF EDP (Electronic Data Processing) EMPLOYEES at this location (excluding data input personnel):
[ ] More than 300
[ ] 250-300
[ ] 200-249
[ ] 150-199
[ ] 100-149
[ ] 50-99
[ ] 10-49
[ ] Fewer than 10
[ ] Not sure

9. Approximate EDP BUDGET per year of your organization at this location:
[ ] Over $20 Million
[ ] $10-$20 Million
[ ] $8-$10 Million
[ ] $6-$8 Million
[ ] $4-$6 Million
[ ] $2-$4 Million
[ ] $1-$2 Million
[ ] Under $1 Million
[ ] Not sure

Computer Security, Internal Audit, and Abuse Incident Information

A Computer Security function in an organization is any purposeful activity that has the objective of protecting assets such as hardware, programs, data, and computer service from loss or misuse. Examples of personnel engaged in computer security functions include: data security and systems assurance officers. For this questionnaire, computer security and EDP audit functions will be considered separately.

                                                              Computer Security        EDP Audit
10. How many staff members are working 20 hours per week
    or more in these functions at this location?             ____ (number of persons)  ____ (number of persons)

11. How many staff members are working 19 hours per week
    or less in these functions at this location?             ____ (number of persons)  ____ (number of persons)

12. What are the total personnel hours per week dedicated
    to these functions?                                      ____ (total hours/wk)     ____ (total hours/wk)

13. When were these functions initiated?                     ___/___ (month/yr)        ___/___ (month/yr)
If your answer to the Computer Security part of question 12 was zero, please go directly to question 25. Otherwise, continue.

14. Of these total computer security personnel hours per week (question 12), how many are dedicated to each of the following?
A. Physical security administration, disaster recovery, and contingency planning ..... ____ (hours/week)
B. Data security administration ..................................................... ____ (hours/week)
C. User and coordinator training .................................................... ____ (hours/week)
D. Other (please specify): ______________________ ................................... ____ (hours/week)
15. EXPENDITURES per year for computer security at this location:
Annual computer security personnel salaries ..... $________

Do you have insurance (separate policy or rider) specifically for computer security losses?
[ ] Yes  [ ] No  [ ] Not sure
If yes, what is the annual cost of such insurance ... $________

16. SECURITY SOFTWARE SYSTEMS available and actively in use on the mainframe(s) [or minicomputer(s)] at this location:

                                                          Number of            Number of
                                                          available systems?   systems in use?
Operating system access control facilities ............   ______               ______
DBMS security access control facilities ...............   ______               ______
Fourth Generation software access control facilities ..   ______               ______
17. Other than those security software systems you listed in question 16, how many SPECIALIZED SECURITY SOFTWARE SYSTEMS are actively in use? (Examples: ACF2, RACF)
____ (number of specialized security software systems actively in use)
Of these, how many were purchased from a vendor? ____ (number purchased from a vendor)
... and how many were developed in-house? ____ (number developed in-house)

18. Through what INFORMATIONAL SOURCES are computer system users made aware OF THE APPROPRIATE AND INAPPROPRIATE USES OF THE COMPUTER SYSTEM?
(Choose as many as applicable)
[ ] Distributed EDP Guidelines
[ ] Administrative program to classify information by sensitivity
[ ] Periodic departmental memos and notes
[ ] Distributed statements of professional ethics
[ ] Computer Security Violations Reports
[ ] Organizational meetings
[ ] Computer Security Awareness Training sessions
[ ] Informal discussions
[ ] Other (please specify): ______________________
19. Which types of DISCIPLINARY ACTION do these informational sources (question 18) mention as consequences of purposeful computer abuse?
(Choose as many as applicable)
[ ] Reprimand
[ ] Probation or suspension
[ ] Firing
[ ] Criminal prosecution
[ ] Civil prosecution
[ ] Other (please specify): ______________________

In questions 20-24, please indicate your reactions to the following statements:

                                                                     Strongly            Not              Strongly
                                                                     Agree     Agree     Sure   Disagree  Disagree
20. The current computer security effort was in reaction in large
    part to actual or suspected past incidents of computer abuse
    at this location.                                                  [ ]       [ ]      [ ]     [ ]       [ ]
21. The activities of computer security administrators are well
    known to users at this location.                                   [ ]       [ ]      [ ]     [ ]       [ ]
22. The presence and activities of computer security administrators
    deter anyone who might abuse the computer system at this
    location.                                                          [ ]       [ ]      [ ]     [ ]       [ ]
23. Relative to our type of industry, computer security is very
    effective at this location.                                        [ ]       [ ]      [ ]     [ ]       [ ]
24. The overall security philosophy at this location is to provide
    very tight security without hindering productivity.                [ ]       [ ]      [ ]     [ ]       [ ]
25. How many SEPARATE UNAUTHORIZED AND DELIBERATE INCIDENTS OF COMPUTER ABUSE has your organization at this location experienced in the 3 year period, Jan. 1, 1983-Jan. 1, 1986?
____ (number of incidents)
(Please fill out a separate "Computer Abuse Incident Report" [Blue-colored Section II] for each incident.)

26. How many incidents do you have reason to suspect other than those numbered above in this same 3 year period, Jan. 1, 1983-Jan. 1, 1986?
____ (number of suspected incidents)

27. Please briefly describe the basis (bases) for these suspicions.
Section II. Computer Abuse Incident Report (covering the 3 year period, Jan. 1, 1983-Jan. 1, 1986)

Instructions: Please fill out a separate report for each incident of computer abuse that has occurred in the 3 year period, Jan. 1, 1983-Jan. 1, 1986.

28. WHEN WAS THIS INCIDENT DISCOVERED? Month/year ___/___

29. HOW MANY PEOPLE WERE INVOLVED in committing the computer abuse in this incident? ____ (number of perpetrators)

30. POSITION(S) OF OFFENDER(S):
                                          Main Offender   Second Offender
Top executive ........................        [ ]              [ ]
Security officer .....................        [ ]              [ ]
Auditor ..............................        [ ]              [ ]
Controller ...........................        [ ]              [ ]
Manager, supervisor ..................        [ ]              [ ]
Systems Programmer ...................        [ ]              [ ]
Data entry staff .....................        [ ]              [ ]
Applications Programmer ..............        [ ]              [ ]
Systems analyst ......................        [ ]              [ ]
Machine or computer operator .........        [ ]              [ ]
Other EDP staff ......................        [ ]              [ ]
Accountant ...........................        [ ]              [ ]
Clerical personnel ...................        [ ]              [ ]
Student ..............................        [ ]              [ ]
Consultant ...........................        [ ]              [ ]
Not sure .............................        [ ]              [ ]
Other ................................        [ ]              [ ]
(please specify): (Main) ______________ (Second) ______________

31. STATUS(ES) OF OFFENDER(S) when incident occurred:
                                          Main Offender   Second Offender
Employee .............................        [ ]              [ ]
Ex-employee ..........................        [ ]              [ ]
Non-employee .........................        [ ]              [ ]
Not sure .............................        [ ]              [ ]
Other ................................        [ ]              [ ]
(please specify): (Main) ______________ (Second) ______________

32. MOTIVATION(S) OF OFFENDER(S):
                                          Main Offender   Second Offender
Ignorance of proper professional conduct ..   [ ]              [ ]
Personal gain ........................        [ ]              [ ]
Misguided playfulness ................        [ ]              [ ]
Maliciousness or revenge .............        [ ]              [ ]
Not sure .............................        [ ]              [ ]
Other ................................        [ ]              [ ]
(please specify): (Main) ______________ (Second) ______________

33. MAJOR ASSET AFFECTED or involved: (Choose as many as applicable)
[ ] Unauthorized use of computer service
[ ] Disruption of computer service
[ ] Data
[ ] Hardware
[ ] Programs

34. Was this a one-time incident or had it been going on for a period of time? (Choose one only)
[ ] one-time event
[ ] going on for a period of time
[ ] not sure

35. If a one-time incident, WHEN DID IT OCCUR? Month ____ Year ____

36. If the incident had been going on for a period of time, how long was that? ____ years ____ months

37. In your judgment, how serious a breach of security was this incident? (Choose one only)
[ ] Extremely serious
[ ] Serious
[ ] Of minimal importance
[ ] Of negligible importance
[ ] Not sure

38. Estimated $ LOSS through LOST OPPORTUNITIES (if measurable): (Example: $3,000 in lost business because of data corruption)
$________ (estimated $ loss through lost opportunities)

39. Estimated $ LOSS through THEFT and/or RECOVERY COSTS from abuse: (Example: $12,000 electronically embezzled plus $1,000 in salary to recover from data corruption + $2,000 in legal fees = $15,000)
$________ (estimated $ loss through theft and/or recovery costs)

40. This incident was discovered ... (Choose as many as applicable)
[ ] by accident by a system user
[ ] by accident by a systems staff member or an internal/EDP auditor
[ ] through a computer security investigation other than an audit
[ ] by an internal/EDP audit
[ ] through normal systems controls, like software or procedural controls
[ ] by an external audit
[ ] not sure
[ ] other (please specify): ______________________

41. This incident was reported to ... (Choose as many as applicable)
[ ] someone inside the local organization
[ ] someone outside the local organization
[ ] not sure

42. If this incident was reported to someone outside the local organization, who was that? (Choose as many as applicable)
[ ] someone at divisional or corporate headquarters
[ ] the media
[ ] the police
[ ] other authorities
[ ] not sure

43. Please briefly describe the incident and what finally happened to the perpetrator(s).