Michael E. Whitman

Enemy at the gate: threats to information security

A firm can build more effective security strategies by identifying and ranking the severity of potential threats to its IS efforts.

In defense of the realm: understanding the threats to information security

The popular press is replete with information about attacks on information systems. Viruses, worms, hackers, and employee abuse and misuse have created a dramatic need for understanding and implementing quality information security. In order to accomplish this, an organization must begin with the identification and prioritization of the threats it faces, as well as the vulnerabilities inherent in the systems and methods within the organization. This study seeks to identify and rank current threats to information security, and to present current perceptions of the level of severity these threats present. It also seeks to provide information on the frequency of attacks from these threats and the prioritization for expenditures organizations are placing in order to protect against them. The study then will compare these findings with those of previous surveys.

Research Commentary. Academic Rewards for Teaching, Research, and Service: Data and Discourse

In most institutions faculty members are expected to teach, research, and perform community service. The emphasis placed on each activity is expected to vary considerably between institutions and departments. To examine this expectation, a nationwide survey was made of both American Assembly of Collegiate Schools of Business (AACSB) institutions and nonAACSB institutions. participants rated 80 publications for their value in reviews of research performance, and responded to a series of questions pertaining to the importance of publication types on the merit compensation, promotion, and tenure processes. These results were made available to the IS community, and approximately 150 comments were obtained. The survey results and the comments suggest that there might be some convergence in expectations of academic performance a cross institutions, as research-oriented institutions require better performance on teaching, teaching-oriented institutions require better performance in research, and all institutions impose greater service demands on IS faculty.

Designing and teaching information security curriculum

With increasing interest by students and faculty in Information Security Curriculum, and increasing demand for information security professionals from industry, many institutions are beginning the task of creating a meaningful information security program. Whether the institution desires a single course, or an entire set of coursework, it is important that the faculty and administrators designing the curriculum follow an establish methodology and research the unique demands of this new and exciting field. This paper provides an overview of such a methodology.

IT divergence in reengineering support: performance expectations vs. perceptions

Abstract Current literature is replete with reports highlighting the successes and failures of business process reengineering (BPR) efforts. Organizations have begun to realize the key enabling role of information technology (IT) in support of these efforts. However, expectations of the influence of IT in BPR as well as aspects of the organization which influence IT, may far outweigh the actual results. A panel of experts was questioned and 43 businesses currently undergoing reengineering were examined in order to determine a ‘divergence’ between expectations and observations on the role of IT in BPR. The organizational groups within the businesses consisted of business managers, executives, administrative/staff personnel, IT personnel, and consultants actually involved in reengineering projects. The study sought answers to three research questions: Are there significant differences in IT in BPR expectations and observations?, Do they vary by constituency group?, and Do they vary according to the level of organizational IT effectiveness? The study identified three factors that represent significant differences in these shortfalls. These are labeled as Strategic Planning Empowerment, IT Support for Process Improvement, and IT/Business Politics. The study also determined differences between groups, as well as between varying levels of IT effectiveness.

The threat of long-arm jurisdiction to electronic commerce

Unfortunately for those whose businesses rely on the Internet, an increasing amount of legal conflict is also arising in reaction to this new business medium. As attorneys and the courts attempt to sort out the Internet’s legal status quo, both are considering such pressing substantive issues as electronic contracts, privacy, trademark, copyright, defamation, computer crimes, censorship, and taxation. It is imperative that information system professionals become aware of how evolving Internet law will affect the medium they are charged with administrating. An informed IS community is also much more capable of mounting legal and political challenges to law that might thwart continued development of e-commerce. One of the critical legal issues seriously threatening the continued growth of the Internet as a commerce medium concerns the exposure of Internet businesses to the long-arm jurisdiction of courts in 50 different states [7]. Under the U.S. legal system, any federal or state court can impose its authority upon parties (either people or corporations) in any other state if it can demonstrate jurisdiction [9, 11]. It is often legally or strategically advanta-

Planning, building and operating the information security and assurance laboratory

With increasing interest by students and faculty in Information Security (InfoSec) Curriculum, and increasing demand for information security professionals from industry, many institutions are beginning the task of creating an information security program. Within these programs of study, it is important that the faculty and administrators planning the facilities and curriculum for InfoSec labs understand the unique demands of this endeavor. This paper provides an overview of some current practices.

Considerations for an effective telecommunications-use policy

information privacy issues, has created a large gray area in organizational policy-making. What exactly should an organization formalize as a standing operational policy for day-to-day use of its telecommunications systems? As is evident, without a specific policy that addresses systems use, there can be no expectation of ethical and responsible use on the part of either an organization or an individual employee. A sound telecommunications policy serves a variety of purposes within an organization. First, it codifies system controls and reporting authorities. Second, it reinforces the organization’s expectations about how telecommunications systems should be used. Third, it serves to indemnify the organization against liability for an employee’s inappropriate or illegal system use. A published telecommunications policy serves as a legally binding agreement between parties (the organization and its employees) and shows that the organization has made a good R ecent changes in federal telecommunica-

The enemy is still at the gates: threats to information security revisited

In this paper the authors examine modern threats to information security and compare their findings to a 2003 study. The study also examines current risk management methods, metrics and preferred security standards that influence organizational information security efforts.

A Look at the Telecommunications ACT of 1996

The Telecommunications Competition and Deregulation Act of 1996 has significantly changed the market in which telecommunications providers compete. This column clarifies some of the important sections of the act and the implications of the changes for those involved in the provision and use of telecommunications services.