Academic journal article Communications of the IIMA

Beyond Awareness: Using Business Intelligence to Create a Culture of Information Security

Academic journal article Communications of the IIMA

Beyond Awareness: Using Business Intelligence to Create a Culture of Information Security

Article excerpt


Organizational information systems are increasingly coming under attack from viruses, hackers, denial of service attacks, and other threats (Bodin, Gordon, & Loeb, 2005; Jourdan, 2010; Mitnick & Simon, 2002). According to the Ponemon Institute, in 2010, the average cost for a data breach in the US was $6.75 million. The security breach in Sony's online PlayStation Network and Qriocity music service is expected to cost Sony $10 million in lost revenue per week, and at least $70 million in lawsuits (Pham, 2011). The leading cause for data breaches is negligence (41%) with malicious or criminal attacks second (31%) (Ponemon Institute, 2010).

While traditionally, information security has been the domain of the IT department, more and more researchers are discovering that, for an organization to be secure, all employees must be fully engaged. Business intelligence (BI) systems have been used to promote other changes in organizations, capitalizing on BI systems' ability to monitor activity, set goals for users, and provide accountability. Because of this, BI systems should also be able to help organizations create a culture of information security. However, for such an approach could be effective, an understanding of both the organizational psychology surrounding information security and how business intelligence tools are used is needed.


Information security traditionally means protecting the integrity, availability, and confidentiality of data and systems, which may be vital to maintaining an organization's operations (da Veiga, Martins, & Eloff, 2007; Tipton & Krause, 2009). Because of the focus on information systems, information security has traditionally been treated as a technology issue and the domain of the IT department (Anderson & Moore, 2009; Salazar, 2006). According to Professor Basie von Solms, before the 1980s, information security was viewed as something that could be addressed through technology alone (von Solms, 2000).

Then, increased media attention and regulations made the information security field more visible. In the last several years, several regulations, standards and frameworks have developed. Multiple documents, ISO/IEC 27002:2005, NIST Special Publication 800-53, and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, for example, define controls that are needed to protect certain information systems (United States Department of Commerce, 2010). Respondents to a 2010 survey indicated that regulatory compliance has had a "positive effect on their organization's security programs" (Computer Security Institute, 2011, p. 7), and as of 2010, executives reportedly are increasingly more interested in the state of their organizations' information security (Hoehl, 2010).

However, even in 2006, many organizations in developed countries still had not taken this first step towards a more secure organization and lacked basic, foundational information security policies or programs (Dimopoulos, Furnell, Jennex, & Kritharas, 2004; Gupta & Hammond, 2005; ISBS, 2006). In 2008, Martin wrote that many organizations are "willing to commit resources to technology purchases, but ... much less willing to dedicate any resources at all to the less technical aspects of information security" (p. 6). In fact, many organizations would likely prefer to have no dealings with information security. West argued that "the vast majority [of users] would be content to use computers to enrich their lives while taking for granted a perfectly secure and reliable infrastructure that makes it all possible" (West, 2008, p. 40).

This concept can be seen in software and hardware systems designed to improve information security. In 2008, some of the most common technologies used were anti-virus software, antispyware, and firewalls (Richardson, 2008). These tools often rely heavily on alerts, meaning that, when a measurement goes out of a designated range, or when a specific event happens, an alarm is triggered and the user notified. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.