Information System Security Mechanisms in Financial Management

Authors

  • Wilfred Kakucha Jomo Kenyatta University of Agriculture and Technology
  • Ishaq Buya Jomo Kenyatta University of Agriculture and Technology

Abstract

Organizations and people that use computers can describe their needs for information security and trust in systems in terms of three major requirements: confidentiality, integrity and availability. Payroll and general ledger were among the first business processes to be automated. However, organizations continue to experience targeted attacks, and on an increasingly frequent basis. Security risk is rising because of increased internal and external threats; consequently, security is becoming harder to manage. In this climate, organizations must employ strategies that direct their security efforts and optimize their limited resources. The study endeavored to analyze and evaluate the security strategies used in financial management systems, with the sole aim of driving innovation and generating competitive advantage. The researcher used a desktop literature review, a type of review that critiques and summarizes a body of literature and draws conclusions about the topic in question. The study found that many organizations operate in large-scale network environments with numerous servers, fixed terminals and portable wireless devices, including laptops and smartphones. In addition, employees hold complex access profiles to masses of information at varying levels of sensitivity. The strategies focused on security risk management include prevention, deterrence, surveillance, detection, response, deception, perimeter defense and layering. Of particular importance is loss prevention, which focuses on identifying the critical assets and how they can be protected. Attacks can be prevented by employing these strategies and by improving system efficiency. The study recommended that strategies be devised to contend with risk exposure in financial security environments, which requires a systematic and comprehensive approach, with a view to learning and developing situational awareness, especially from security incidents.

Keywords: Security, Strategy, Information system, Financial Management and Organization

Author Biographies

Wilfred Kakucha, Jomo Kenyatta University of Agriculture and Technology

PhD Candidate

Ishaq Buya, Jomo Kenyatta University of Agriculture and Technology

PhD Candidate

Published

2018-03-21

How to Cite

Kakucha, W., & Buya, I. (2018). Information System Security Mechanisms in Financial Management. Journal of Information and Technology, 2(1), 1–16. Retrieved from https://stratfordjournals.com/journals/index.php/Journal-of-Information-and-Techn/article/view/115
