Haris Hamidovic, CIA, ISMS IA, ITIL, IT Project+
Most enterprises today categorize information security as a technical or operational issue to be handled by the IT department. This misunderstanding is fed by outdated corporate structures, wherein the various silos within organizations do not feel responsible to secure their own data. Instead, this critical responsibility is handed over to IT—a department that, in most organizations, is strapped for resources and budget authority. Furthermore, the deferring of cyber-responsibility inhibits critical analysis and communication about security issues, which, in turn, hampers the implementation of effective security strategies.[1]
The often dramatic failures of enterprises to adequately address security issues in recent years are, to a significant extent, due to the inability to define security and present it in a way that is comprehensible and relevant to all stakeholders.[2] In reality, information security is an enterprisewide risk management issue that needs to be addressed from a strategic, cross-departmental and economic perspective.[3]
Until recently, developing an information security program and integrating it into business goals, objectives, strategies and activities were complicated by the lack of a model describing what an effective information security program encompasses, how it functions, and how it relates to the enterprise and the enterprise’s priorities.[4]
The Business Model for Information Security (BMIS) began as a model for systemic security management and was created at the University of Southern California (USC) Marshall School of Business Institute for Critical Information Infrastructure Protection (USA). In 2008, ISACA entered into a formal agreement with the university to continue the development of the university’s Systemic Security Management Model.[5]
BMIS takes a business-oriented approach to managing information security. It utilizes systems thinking to clarify complex relationships within the enterprise and, thus, to manage security more effectively.[6]
Although systems thinking can contribute to these beneficial outcomes, it is important to note that BMIS, which is based on systems theory, should be treated as part of the strategic plan for the information security program, not as a quick-fix solution for a broken program. Systems thinking should be seen as a long-term exercise that will ultimately aid the enterprise in achieving business goals. In fact, it may help to think of it as a key to organizational maturity. The maturity of the information security program is often related to the maturity of the enterprise, which is linked to the degree to which systemic thinking is used in the organization.[7]
A system’s functions can be properly recognized and accurately determined only if the system is considered together with its environment. This article introduces the basic features of the environment in which the enterprise’s information security system operates.
A system is an organized collection of parts (or subsystems) that are highly integrated to accomplish an overall goal.[8] The system has various inputs that go through certain processes to produce certain outputs, which, together, accomplish the overall desired goal for the system.
Systems theory is not a new concept. It dates back to 1937 when Ludwig von Bertalanffy gave his first lecture about the General System Theory as a valid methodology for all sciences. According to systems theory, a system essentially consists of objects (physical or logical), attributes that describe the objects, relationships among the objects and the environment in which the system is contained.[9]
The essence of systems theory is that a system needs to be viewed holistically—not merely as a sum of its parts—to be accurately understood. A holistic approach examines the system as a complete functioning unit. Another tenet of systems theory is that one part of the system enables understanding of other parts of the system.
The goal of systems theory is to explain the nature of a concept and phenomenon and to define the concepts in such a manner as to facilitate understanding and problem solving.
The term “system” in systems theory is a synonym for “functional unit.” The term functional unit assumes that the system is something specific—something that, in a certain way, is different from its surroundings and that has a role or purpose in the environment.
Almost any phenomenon can represent one or more systems and, simultaneously, can be an element of a large number of very different systems.
Something is defined as a system only if doing so serves a purpose, e.g., wanting to study the functioning of a system, to disclose any specific system properties, or to design a new system or improve an existing system.
It should also be noted that the functionality of most systems is influenced by many factors, either within the system or from its environment. Therefore, enterprises are forced to reduce the practically infinite number of components and connections of the absolute system and to study a reduced system that contains only a certain number of elements and only part of the inputs and outputs of the absolute system.
The system environment, in general, can be considered as the set of all objects outside the system, for which these two assumptions are valid:[10]
These influences, as a rule, cause a reaction of the system. Their intensity depends on the type and severity of each impact. Negative impacts from the environment, when of high intensity, can even interrupt the functioning of the system.
During the systematic analysis of a phenomenon, it is important to set, at the beginning, a point of view and a goal of observation because, without them, the basic features of the system cannot be identified and, therefore, the system and its environment cannot be properly defined.
The information security system can be seen as a subsystem of the enterprise’s business systems. An enterprise’s business system represents an active environment for the information security system, or that part of the environment that significantly affects the information security system and vice versa (figure 1).
Looking at the enterprise as an economic system shows that it is a component of the larger system of a certain industry, which in turn is a component of the economic system of the country. Further, the economic system of a country is only one component of the economic system of a larger area. If, however, the information security system is viewed as a relatively isolated system, it consists of certain elements, e.g., people, processes, technology.
Many organizational activities relate in some manner to security, assurance or safety. Typical departments include risk management, legal, audit, compliance, privacy, business continuity, quality control, facilities, human resources, IT security, information security and physical security. Their activities tend to be viewed as silos, and they are typically not connected, have different reporting structures, speak different languages and may collectively consume more than a quarter of organizational resources. Nevertheless, they are all engaged in activities that have a bearing on, or are related to, security. Integration of these activities into a model that makes explicit the interrelationships and impacts among related tasks will begin to address the issues of overall assurance process integration and more cost-effective security.[11]
Information security is too often thought of as an IT issue rather than the enterprisewide risk management issue that it really is. Although information security obviously has a critical IT component, it is not a simple problem that can be solved with a technological fix.
Utilizing a systems thinking approach in information security management can help information security managers address complex and dynamic environments and can generate a beneficial effect on collaboration within the enterprise, adaptation to operational change, navigation of strategic uncertainty and tolerance of the impact of external factors.[12]
In many enterprises, technology strategies, policies, processes and standards are developed without an understanding of how organizational culture impacts program effectiveness. Security efforts that fail to consider how humans react to and use technology do not often deliver the intended benefits. Information security programs need to take into account how the organization and its people, processes and technologies interact and how organizational governance, culture, human factors and architectures support or hinder the ability of the enterprise to protect information and manage risk.[13]
BMIS tries to avoid these pitfalls by employing systems-thinking principles.
Systematic analysis of the enterprise’s business system is necessary for the creation of an optimal information security system. The system must be defined on the basis of the objectives and targets of the research. The purpose and objective of the research determine what is considered a feature of the system and what is considered the system environment.
From the techno-economic viewpoint of BMIS, an enterprise’s business system represents an active environment for the information security system. With the aim of producing an optimal model of information security for a business entity, it is necessary to consider both positive and negative environmental impacts on the information security system.
Endnotes
[1] Internet Security Alliance (ISA); American National Standards Institute (ANSI), The Financial Management of Cyber Risk—An Implementation Framework for CFOs, USA, 2010
[2] ISACA, An Introduction to the Business Model for Information Security, USA, 2009
[3] Op cit, ISA
[4] Op cit, ISACA, 2009
[5] Ibid.
[6] Ibid.
[7] Ibid.
[8] Ibid.
[9] Von Bertalanffy, Ludwig; General System Theory: Foundations, Development, Applications, Revised Edition, George Braziller Inc., USA, 1969
[10] Žaja, Marko; Business System (in Croatian), Školska Knjiga, Croatia, 1993
[11] Op cit, ISACA, 2009
[12] Ibid.
[13] Ibid.
Haris Hamidovic, CIA, ISMS IA, ITIL, IT Project+, is chief information security officer at Microcredit Foundation EKI Sarajevo, Bosnia and Herzegovina. Prior to his current assignment, Hamidovic served as an IT specialist in the North Atlantic Treaty Organization (NATO)-led Stabilization Force (SFOR) in Bosnia and Herzegovina. He is the author of five books and more than 70 articles for business and IT-related publications. Hamidovic is a certified IT expert appointed by the Federal Ministry of Justice of Bosnia and Herzegovina and the Federal Ministry of Physical Planning of Bosnia and Herzegovina and is a doctoral candidate in critical information infrastructure protection at the Dzemal Bijedic University in Mostar, Bosnia and Herzegovina.
© 2011 ISACA. All rights reserved.