Information security management

Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. ^[1] This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. ^[2] As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security. ^{[3] [4]}

Information security management has become an increasingly important part of modern organizations as it helps secure large databases often found within large organizations. ^[5] These databases often store sensitive information, such as personal identifiers and financial records. ^[5] A breach in these databases can ruin a company's reputation or put millions of people's information at risk. ^[6] For this reason, information security management is often discussed alongside cybersecurity practices, many of which are directly correlated or directly used in Information Security Management Systems (ISMS). ^[7]

Risk management and mitigation

Managing information security in essence means managing and mitigating the various threats and vulnerabilities to assets, while at the same time balancing the management effort expended on potential threats and vulnerabilities by gauging the probability of them actually occurring. ^{[1] [8] [9]} These ideas can be summarized into the Protection Motivation Theory, or PMT. The PMT "seeks to explain why individuals adopt or engage in protective behavior." ^[10] There are two main mechanisms of the PMT: threat appraisals and coping appraisals. ^[10] Threat appraisals refer to how people perceive the severity of a threat and their vulnerability to a threat. ^[10] A meteorite crashing into a server room is certainly a threat, for example, but an information security officer will likely put little effort into preparing for such a threat. Just as people don't have to start preparing for the end of the world just because of the existence of a global seed bank. ^[11]

The second half of the PMT is coping appraisals. This refers to self-efficacy and response efficacy. Self-efficacy is someone's perceived confidence in their ability to complete a task. ^[10] Response efficacy refers to someone's belief in a protective action's effectiveness. ^[10] Coping appraisals also include response costs, or any possible expenditures potentially required of someone to follow through with a protective action, such as money, time, or effort. ^[10] In order for the PMT to be successful, a person must have a strong sense of self-efficacy and response efficacy with the task at hand, along with a low perception of reward costs (which can also be influenced by self-efficacy). ^[10]

After appropriate asset identification and valuation have occurred, ^[2] risk management and mitigation of risks to those assets involves the analysis of the following issues: ^{[8] [9] [10] [12]}

• Threats: Unwanted events that could cause the deliberate or accidental loss, damage, or misuse of information assets.
• Vulnerabilities: How susceptible information assets and associated controls are to exploitation by one or more threats. This can also be referred to as threat appraisals in the PMT.
• Impact and likelihood: The magnitude of potential damage to information assets from threats and vulnerabilities and how serious of a risk they pose to the assets; cost–benefit analysis may also be part of the impact assessment or separate from it.
• Mitigation: The proposed method(s) for minimizing the impact and likelihood of potential threats and vulnerabilities. This is directly linked to coping appraisal strength when it comes to implementing each method.

Once a threat and/or vulnerability has been identified and assessed as having a high threat appraisal on information assets, a mitigation plan can be enacted. The mitigation method is chosen largely depends on which of the seven information technology (IT) domains the threat and/or vulnerability resides in. The threat of user apathy toward security policies (the user domain) will require a much different mitigation plan than the one used to limit the threat of unauthorized probing and scanning of a network (the LAN-to-WAN domain). ^[12]

Some of the most common reasons organizations may struggle implementing risk management protocol are: ^{[6] [7] [13]}

• Social engineering tactics tricking workers into giving out personal information, especially if they lack important online safety tools
• A lack of understanding in personal role or responsibility in information security management, or a complete disregard for it
• A lack of education in information security management

In order for a mitigation strategy to be effective, both the technological and user side of the strategy must be functioning with minimal errors. ^[13]

Information security management system

An information security management system (ISMS) represents the collation of all the interrelated/interacting information security elements of an organization so as to ensure policies, procedures, and objectives can be created, implemented, communicated, and evaluated to better guarantee the organization's overall information security. This combines technological and human collaboration to be successful. ^[13] This system is typically influenced by an organization's needs, objectives, security requirements, size, and processes. ^[14] An ISMS includes and lends to risk management and mitigation strategies, and often addresses many if not all of the factors discussed in the PMT. ^[10] Additionally, an organization's adoption of an ISMS indicates that it is systematically identifying, assessing, and managing information security risks and "will be capable of successfully addressing information confidentiality, integrity, and availability requirements." ^[15] However, the human factors associated with ISMS development, implementation, and practice (the user domain ^[12] ) must also be considered to best ensure the ISMS' ultimate success. ^[16]

Failures is ISMS can often be traced back to poor risk management or evaluation, a lack of depth in understanding, or misaligned goals with leadership. ^[17] This is why some companies choose to hire and/or implement a Chief Information Security Officer (CISO). ^[17] The CISO is often responsible for guiding policy, aligning security with business goals, handling risk and compliance, and communicating between management and technical terms. ^[17] The main purpose of implementing a CISO is to streamline security integration and provide a source of leadership to help guide the organization's information security management. ^[17]

Common Aspects of Cybersecurity Applied in ISMS

As society transitions to becoming more digitally interconnected, cybersecurity practices have become a focus of scholars and business leaders alike. ^[5] Although technology can be attacked, cybercrime has been shown to be more effective when it targets humans, with a strong focus on social engineering. ^[10] These tactics can include: ^{[5] [10]}

• Phishing - deceiving someone into providing personal information through email, text, or phone call to a fraudulent source
• Brand Theft - used to make employees of a certain company believe they are on a trusted company website or email by creating similar URLs with minor typos, most of which go unnoticed
• Impersonation - adopting someone else's identity to deceive another person into giving them sensitive information. In some cases, this can also be classified as identity theft depending on the depth of the impersonation.
• Scareware - urgent and often frightening pop-ups that appear on a user's computer, typically asking for immediate action. Used to make the user believe there will be negative consequences if they do not act immediately.

It is important for all aspects of cybersecurity to be addressed when implementing an ISMS. ^[18] The main reason these tactics are successful on humans is due to people's lack of awareness. ^[5] This is where employee training and education become major factors in successfully implementing an ISMS. ^[19]

Implementation and education strategy components

While IT departments or CISOs in many businesses are typically the ones handling Information Security Management, everyone in a business or organization must practice awareness and vigilance for information security management systems to be successful. ^{[17] [18]} Success rates for scams such as phishing and other social engineering tactics are shown to be directly correlated to someone's lack of internet safety awareness. ^[5] Because of this, many organizations are requiring some form of information security or cybersecurity onboarding. ^[5] These forms of training include: ^{[5] [6]}

• Reading or videos reviewing information security topics
• Modules that may contain quizzes alongside informative material
• Faculty meetings or emails that work as reminders for information security protocols
• Role-based training where employees act out different scenarios that could impact information security

These training typically don't end after onboarding, and are often required to be completed anywhere from every year to every month. ^[5]

Implementing an effective information security management (including risk management and mitigation) requires a management strategy that takes note of the following: ^[20]

• Upper-level management must strongly support information security initiatives, allowing information security officers the opportunity "to obtain the resources necessary to have a fully functional and effective education program" and, by extension, information security management system.
• Information security strategy and training must be integrated into and communicated through departmental strategies to ensure all personnel is positively affected by the organization's information security plan.
• A privacy training and awareness "risk assessment" can help an organization identify critical gaps in stakeholder knowledge and attitude towards security.
• Proper evaluation methods for "measuring the overall effectiveness of the training and awareness program" ensure policies, procedures, and training materials remain relevant.
• Policies and procedures that are appropriately developed, implemented, communicated, and enforced "mitigate risk and ensure not only risk reduction, but also ongoing compliance with applicable laws, regulations, standards, and policies."
• Milestones and timelines for all aspects of information security management help ensure future success.

Oftentimes, technology is not enough to keep organizations and businesses safe from information security threats. ^[13] Without sufficient budgetary considerations for all the above—in addition to the money allotted to standard regulatory, IT, privacy, and security issues—an information security management plan/system can not fully succeed.

Relevant standards

Standards that are available to assist organizations with implementing the appropriate programs and controls to mitigate threats and vulnerabilities include the ISO/IEC 27000 family of standards, the ITIL framework, the COBIT framework, and O-ISM3 2.0. The ISO/IEC 27000 family represents some of the most well-known standards governing information security management and their ISMS is based on global expert opinion. Over the past two decades, it has become globally used across multiple industries. ^[7] They lay out the requirements for best "establishing, implementing, deploying, monitoring, reviewing, maintaining, updating, and improving information security management systems." ^{[3] [4]} Gaining an ISO 27000 certification indicates an organization is dedicated to a strong ISMS, as gaining this certificate requires frequent security checks, updates, and a strong leadership at the forefront of implementation. ^[18] ITIL acts as a collection of concepts, policies, and best practices for the effective management of information technology infrastructure, service, and security, differing from ISO/IEC 27001 in only a few ways. ^{[21] [22]} COBIT, developed by ISACA, is a framework for helping information security personnel develop and implement strategies for information management and governance while minimizing negative impacts and controlling information security and risk management, ^{[4] [21] [23]} and O-ISM3 2.0 is The Open Group's technology-neutral information security model for enterprise. ^[24] Some other notable mentions, although less prevalent, as t6he GDPR, EU NIS directive, and NIST Cybersecurity Framework. ^[19]

See also

• Certified Information Systems Security Professional
• Chief information security officer
• Security information management
• Security management
• Risk management

References

1. Campbell, T. (2016). "Chapter 1: Evolution of a Profession". Practical Information Security Management: A Complete Guide to Planning and Implementation. APress. pp. 1–14. ISBN   9781484216859.
2. Tipton, H.F.; Krause, M. (2003). Information Security Management Handbook (5th ed.). CRC Press. pp. 810–11. ISBN   9780203325438.
3. Humphreys, E. (2016). "Chapter 2: ISO/IEC 27001 ISMS Family". Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House. pp. 11–26. ISBN   9781608079315.
4. Campbell, T. (2016). "Chapter 6: Standards, Frameworks, Guidelines, and Legislation". Practical Information Security Management: A Complete Guide to Planning and Implementation. APress. pp. 71–94. ISBN   9781484216859.
5. Aldawood, Hussain; Skinner, Geoffrey (2019-03-18). "Reviewing Cyber Security Social Engineering Training and Awareness Programs—Pitfalls and Ongoing Issues". Future Internet. 11 (3): 73. doi: 10.3390/fi11030073 . ISSN   1999-5903.
6. AkyeşİLmen, Nezir; Alhosban, Amal (2024-01-25). "Non-Technical Cyber-Attacks and International Cybersecurity: The Case of Social Engineering". Gaziantep University Journal of Social Sciences. 23 (1): 342–360. doi:10.21547/jss.1346291. ISSN   1303-0094.
7. Mirtsch, Mona; Kinne, Jan; Blind, Knut (February 2021). "Exploring the Adoption of the International Information Security Management System Standard ISO/IEC 27001: A Web Mining-Based Analysis". IEEE Transactions on Engineering Management. 68 (1): 87–100. Bibcode:2021ITEM...68...87M. doi:10.1109/TEM.2020.2977815. ISSN   0018-9391.
8. Watts, S. (21 June 2017). "IT Security Vulnerability vs Threat vs Risk: What's the Difference?". BMC Blogs. BMC Software, Inc. Retrieved 16 June 2018.
9. Campbell, T. (2016). "Chapter 4: Organizational Security". Practical Information Security Management: A Complete Guide to Planning and Implementation. APress. pp. 43–61. ISBN   9781484216859.
10. Dodge, Cassandra E.; Fisk, Nathan; Burruss, George W.; Moule, Richard K.; Jaynes, Chae M. (November 2023). "What motivates users to adopt cybersecurity practices? A survey experiment assessing protection motivation theory". Criminology & Public Policy. 22 (4): 849–868. doi:10.1111/1745-9133.12641. ISSN   1538-6473.
11. Lundgren, Björn; Möller, Niklas (2019). "Defining Information Security". Science and Engineering Ethics. 25 (2): 419–441. doi:10.1007/s11948-017-9992-1. ISSN   1353-3452. PMC   6450831 . PMID   29143269.
12. Kim, D.; Solomon, M.G. (2016). "Chapter 1: Information Systems Security". Fundamentals of Information Systems Security. Jones & Bartlett Learning. pp. 2–46. ISBN   9781284128239.
13. Almuqrin, Abdullah (2024-10-31). "How About Enhancing Organizational Security: Critical Success Factors in Information Security Management Performance". Journal of Global Information Management (in Ndonga). 32 (1): 1–18. doi:10.4018/JGIM.358745. ISSN   1062-7375.
14. Terroza, A.K.S. (12 May 2015). "Information Security Management System (ISMS) Overview" (PDF). The Institute of Internal Auditors. Archived from the original (PDF) on 7 August 2016. Retrieved 16 June 2018.
15. "Need: The Need for ISMS". Threat and Risk Management. European Union Agency for Network and Information Security. Retrieved 16 June 2018.
16. Alavi, R.; Islam, S.; Mouratidis, H. (2014). "A Conceptual Framework to Analyze Human Factors of Information Security Management System (ISMS) in Organizations". Human Aspects of Information Security, Privacy, and Trust. Lecture Notes in Computer Science. Vol. 8533. pp. 297–305. doi: 10.1007/978-3-319-07620-1_26 . ISBN   978-3-319-07619-5.{{cite book}}: |journal= ignored (help)
17. Ciekanowski, Marek; Zurawski, Slawomir; Ciekanowski, Zbigniew; Pauliuchuk, Yury; Czech, Artur (2024-04-01). "Chief Information Security Officer: A Vital Component of Organizational Information Security Management". EUROPEAN RESEARCH STUDIES JOURNAL. XXVII (2): 35–46. doi:10.35808/ersj/3370. ISSN   1108-2976.
18. Kajava, Jorma; Anttila, Juhani; Varonen, Rauno; Savola, Reijo; Roning, Juha (2006). "Information Security Standards and Global Business". 2006 IEEE International Conference on Industrial Technology: 2091–2095. doi:10.1109/ICIT.2006.372505.
19. Magnusson, Lars; Iqbal, Sarfraz; Elm, Patrik; Dalipi, Fisnik (2025). "Information security governance in the public sector: investigations, approaches, measures, and trends". International Journal of Information Security. 24 (4). doi:10.1007/s10207-025-01097-x. ISSN   1615-5262.
20. Tipton, H.F.; Krause, M. (2010). Information Security Management Handbook. Vol. 3 (6th ed.). CRC Press. pp. 100–02. ISBN   9781420090956.
21. Kim, D.; Solomon, M.G. (2016). Fundamentals of Information Systems Security. Jones & Bartlett Learning. p. 225. ISBN   9781284128239.
22. Leal, R. (7 March 2016). "ISO 27001 vs. ITIL: Similarities and differences". The ISO 27001 & ISO 22301 Blog. Advisera Expert Solutions Ltd. Retrieved 16 June 2018.
23. White, S.K. (22 December 2017). "What is COBIT? A framework for alignment and governance". CIO. IDG Communications, Inc. Retrieved 16 June 2018.
24. "Open Information Security Management Maturity Model (O-ISM3), Version 2.0". The Open Group. 21 September 2017. Retrieved 16 June 2018.

External links

• ISACA
• The Open Group