Thursday, January 30, 2020
The Role Of Security Management Essay Example for Free
The Role Of Security Management Essay

ABSTRACT

Personal information security is usually considered a technical discipline with much attention being focused on topics such as encryption, hacking, break-ins, and credit card theft. Security products such as anti-virus programs and personal firewall software are now available for end-users to install on their computers to protect against threats endemic to networked computers. The behavioral aspects related to maintaining enterprise security have received little attention from researchers and practitioners. Using Q-sort analysis, this thesis used students as end-users in a graduate business management security course to investigate issues affecting selection of personal firewall software in organizations. Based on the Q-sort analysis of end-users in relation to seven variables identified from review of the information security literature, three distinct group characteristics emerged. Similarities and differences between groups are investigated, and implications of these results for IT managers, vendors of security software and researchers in the information security area are discussed.

ACKNOWLEDGEMENTS

I would like to thank my supervisor Professor ____________ for his great supervision and guidance throughout the duration of my thesis project. I would also like to thank all colleagues for their help and support. Finally, I wish to thank my family for their continued support throughout the thesis.
TABLE OF CONTENTS

ABSTRACT
ACKNOWLEDGEMENTS
TABLE OF CONTENTS
LIST OF ACRONYMS
CHAPTER 1 - INTRODUCTION
• Statement of the Problem
• Research Question
• Significance of the Research
• Design and Methodology
Q-Sort Analysis
• Organization of the Study
CHAPTER 2 - LITERATURE REVIEW
CHAPTER 3 - RESEARCH QUESTION FINDINGS
Data Analysis
- Analysis of Results
- Limitations of the Study
CHAPTER 4 - SUMMARY AND CONCLUSIONS
Summary
Conclusion
Recommendation
REFERENCES

LIST OF ACRONYMS

Operational definitions of these variables as they relate to the study are provided:

Performance [PERF]: Refers to how well the software operates under various conditions (such as high traffic, types of data, port scans, etc.)
Ease-of-use [EOU]: Refers to usability of the product (such as screen design and layout, access to features using tabs, buttons, etc.)
Updates [UPDTS]: Refers to product updates at regular intervals after product has been installed and used
Features [FEATR]: Refers to the number of program options and features available in software
Reports [RPORT]: Refers to Intrusion Reports and log files generated by the firewall software
Cost [COST]: Refers to price paid for the product (either as shrink wrapped package or as a download)
Configuration [CONFIG]: Refers to setup and configuration after product has been installed
Support [SUPPRT]: Refers to availability of online help and technical support either by phone or e-mail
Installation [INSTLL]: Refers to initial installation of the product.

Chapter 1 - INTRODUCTION

Security describes a process of protection from any harm. It also describes the countermeasures put in place by that process. Harm may indicate a loss of confidentiality, integrity, and availability. Security management focuses on preventing harm resulting from both random acts of nature and intentional strategic actions (Schechter, 2004). Security is considered to be a very important issue while developing complex personal information systems (Mouratidis et al., 2002).

Security is a major concern in today's digital era. The Internet offers a low cost, but insecure means of reaching people. Owing to the ubiquity of the Internet, it is difficult to control and trace intrusions or attacks by unauthorized people, hackers, etc. Electronic commerce applications need secure mechanisms for accurate user identification, accessing sensitive databases, storing and transmitting sensitive information, etc. Personal identification numbers (PINs), passwords, smart cards and digital certificates are some of the means normally used for this purpose. However, these means do not really identify a person, but only knowledge of some data or possession of some determined object (Sanchez-Reillo et al., 1999), e.g. public key infrastructure (PKI) cannot assure identity of the maker of a transaction, it can only identify the maker's computer. An imposter can easily masquerade as a legitimate user and defraud the system.

Information must be readily available in organizations for making decisions to support the organizational mission. Murphy, Boren, and Schlarman (2000) state that due to increased connectivity and the urgency to exchange information and data among partners, suppliers, and customers on a real time basis, the need to protect and secure computer resources is greater than ever. As a result, this has created the possibility of exposing sensitive corporate information to competitors as well as hackers who can now access organizational computer resources from remote sites.

Statement of the Problem

The potential loss of such information to an organization goes beyond financial losses and includes the possibility of corrupted data, denial of services to suppliers, business partners and customers, loss of customer confidence, and lost sales. Security in business processes (i.e., maintaining proper authentication, authorization, non-repudiation, and privacy) is critical to successful e-business operations. Enabling business functions over the Internet has been recognized as a major component for the success of businesses and, by mitigating risks in a cost-effective manner, security is now being viewed as a component of business operations (Deise, Nowikow, King, & Wright, 2000). Decisions about information systems made by managers are vital to the success, and even survival, of a firm (Enns, Huff, & Golden, 2003).

Despite increased security threats, organizations have traditionally allocated very little of the total IT budget to information security. Forrester Research estimates that in Fortune 500 companies, the average amount of money as a percent of revenue that is spent on IT security is 0.0025 percent or slightly less than what they spend on coffee (Clarke, 2002).
Organizations must evaluate and prioritize the optimum mix of products and services to be deployed for protecting confidentiality (maintaining privacy of information), integrity (maintaining information is not altered in transit), and availability (maintaining access to information and resources) of corporate assets. The decision to deploy certain technology is based on variables such as the organizational business model, level of risk, vulnerability, cost, and return on investment (Highland, 1993).

There are several ways in which information can be protected. One method to safeguard information is by using controls. The concept of controls can be applied to financial auditing as well as technical computer security. General controls include personnel, physical and organizational controls as well as technical security services and mechanisms (Summers, 1997). Computer security controls can be hardware or software-based and may include biometric devices, anti-virus software, smart cards, firewalls, and intrusion detection systems that can be used to build the enterprise security infrastructure. Additionally, these controls may be preventive, detective, or corrective.

Research Question

This paper will focus on one such computer security control: personal firewalls. Firewalls intercept traffic and make routing and redirection decisions based on policies. Some firewalls can also inspect packets and make transformation and security decisions; therefore, they are critical components in maintaining security in organizations. There are different types of firewalls, such as hardware, software, enterprise, and personal firewalls. Personal firewalls are client-based solutions that are installed on desktop/laptop computers and may be administered individually from a central location. Successful selection and adoption of firewalls (enterprise as well as personal) is based on various factors, some of which are technical while others may be behavioral.
This exploratory study looks at the new genre of personal firewalls and, based on the review of the literature, attempts to answer the following research questions:

1) What are the factors that could result in successful selection of personal firewalls in organizations?
2) What is the empirical evidence to support deployment of firewall software?

Significance of the Research

The study hopes to shed light on behavioral aspects of information security, which may be tied to perceptions of end-users who may influence technology selection in their organization. This will provide empirical evidence to an area that has been identified as lacking in research (Dhillon & Blackhouse, 2001; Troutt, 2002) and provide directions and guidance for future studies. Another reason this study looks at end-user perception is that it may affect how well the user does his or her part in staying vigilant to combat threats posed by hackers to organizational assets. The end-user may be a conduit to organizational data being compromised. Proper software selection as well as positive user attitude and motivation for using the software are therefore important to ensure ongoing use of personal firewall software.

Kettinger and Lee (2002) address the fact that the proliferation of personal computing and individualized software, and popularity of the Internet in organizations have resulted in users playing an important role in driving IT implementation. Their study found that for users selecting their own IT applications (such as desktop software programs), there is greater user satisfaction after implementation. Grantham and Vaske (1985) also state that positive user attitudes are important predictors in continued system use. This is especially important for personal firewall use because computers are at risk at all times when connected to the Internet.
In reference to software selection, Chiasson and Lovato (2001) emphasize:

"Understanding of how users form perceptions of software innovation would help software designers, implementers and users in their evaluation, selection, implementation and ongoing use of software. However, with the exception of some recent work, there is little research examining how a user forms his or her perceptions of innovation over time" (p. 16).

The area of information security as it relates to maintaining confidentiality and integrity of data stored on personal computers can benefit from identification of factors that would make it possible to safeguard corporate assets that are at risk as a result of remote data access by employees. Software selection for deployment on company computers cuts across different user levels in terms of knowledge and level of expertise of the user. Selection of software therefore must be done to accommodate all types of users ranging from novices to experts. The latter category of users may have higher tacit knowledge of tasks to be able to compensate for the interface without realizing it (Gery, 1997).

Organization of Study

The purpose of this paper is to investigate self-referent perceptions of end-users, and use Q-Sort analysis to investigate factors affecting deployment of security firewall software in organizations. The paper is organized as follows: a review of research on information security is presented to the reader along with extraction of variables from the literature that may determine firewall deployment in organizations; the Q-Sort Factor Analysis method used for the study is explained and the research design is provided; along with data analysis, results of the study are then explained, followed by discussion and applications to practice. Due to the nature of the research design used in this study, limitations are also explained.
Research Design and Methodology

Subjects in this exploratory research study were 31 MBA students enrolled in a Security and Control of Information Systems course. The students came from different backgrounds, such as finance, liberal arts, nursing, and computer science. From a business perspective, the course examined implications of information security risks faced by organizations. Although technical issues of security, such as authentication, authorization, and encryption that make electronic commerce sites successful in processing business transactions securely were also explored in the course, the primary focus in the course was from a business perspective. There was no structured lab work during class, but to gain a better understanding of security issues, students were expected to complete hands-on exercises outside class.

During initial weeks, topics covered included the PWC model, TCP/IP vs. OSI models, network, e-mail, database security, digital certificates and signatures, risk assessment, and privacy issues. Also, during Week 5, students had been previously tested on the topics using short-answer type questions to determine learning competency of factual information and applications related to information security in organizations. The test score counted towards 15% of overall course grade. With coverage of the aforementioned topics, it was safe to assume that students had knowledge of current security issues facing organizations in today's economy.

Because there is no consensus on the common body of knowledge acceptable for all security professionals, and since this was an exploratory study, the study was conducted in a controlled environment with a homogeneous population of students to minimize confounding by extraneous variables. Using MBA students as surrogates for professionals or executives in reference to use and evaluation of technology has also been found to be acceptable (Briggs, Balthazard, & Dennis, 1996).
The hands-on firewall assignment in this course covered installation, configuration, and use of one standard personal firewall software (ZoneAlarm). After students had a chance to use the software, they were asked to participate in the study. No class discussion was conducted on results of the firewall tests in case it affected students' perceptions about the software, which could have influenced their response. Therefore, the data reflected individual student perception without class discussions.

Students were given instructions to visit a Web site that explained the nature of the study and provided information on how the Q-sort statements should be sorted. This was important since students are more used to completing questionnaires in a survey format that use Likert scale, open-ended, or closed-ended questions (such as those used during end of term class evaluation of instruction), but may not be familiar with the peculiarities of the Q-sort procedure. To reduce data errors and extract usable data, instructions were presented in detail before the respondents were shown the statements for the study.

Q-Sort Analysis

Q-sort analysis uses a technique for studying human subjectivity (Stephenson, 1953; Brown, 1980; McKeown & Thomas, 1988). It is useful in exploratory research and a well-developed theoretical literature guides and supports its users (Thomas & Watson, 2002). Q-sort methodology is suited for small samples and relies on theories in the domain area being researched to develop items for analysis. A disadvantage of the Q-sort methodology is that it is not suitable for large samples, and it forces subjects to conform to certain expectations (such as fitting responses within a normal distribution). Brown (1986) suggests that 30 to 50 subjects are sufficient for studies investigating public opinion.

Q-sort uses an ipsative (self-referenced) technique of sorting participants' statements about subjective conditions. It is a variation of the factor analysis technique that uses Q-methodology theory to analyze correlation measures (Brown, 1980). Respondents to Q-sort studies are required to sort statements into a predefined, normal-distribution-type scale in which a fixed number of items fall under each category. The rankings provide clusters of perceptions of individuals' consensus and conflict, which can be used to place individuals with similar characteristics into groups for further study.

In the past, the Q-sort technique used index cards for sorting, but now Web-based data collection programs (such as WebQ) are common. Initially the statements are presented to respondents in random order, and each respondent organizes statements into predefined categories. To view entered data, the respondent also can update statement rankings to see where the statements fall under each category. One advantage of using the WebQ method is that data submission errors are reduced since the program verifies that the statements are sorted according to predefined requirements.

Figure 1. WebQ questionnaire. Adapted from: Brown, 1980.

In this personal firewall study, the statements were to be classified by respondents as Most Important (+2), Important (+1), Neutral (0), Less Important (-1), and Least Important (-2). To provide a forced distribution that is expected in the Q-Sort methodology, respondents were given instructions to identify one statement as Most Important, two statements each as Important and Less Important, and three statements as Neutral. The instrument used is shown in Figure 1.

Chapter 2 - LITERATURE REVIEW

In the area of information security, research has often lagged practice. Dhillon & Blackhouse (2001) have stressed the need for more empirical research to develop key principles for the prevention of negative events and therefore to help in the management of security.
Despite known vulnerabilities in applications and operating systems, companies continue to deploy software to stay competitive, and steps taken to secure products and services are knee-jerk reactions to media stories that are more reactive than proactive in nature. Most IT managers lack a coherent framework and concrete methodology for achieving enterprise security. A security plan that includes technology, personnel, and policies would be a much better approach to developing an enterprise security strategy.

One such model is the Enterprise Security Framework Price Waterhouse Coopers (PWC) model. The PWC model is comprehensive because it addresses the entire enterprise of security architecture. The model emphasizes information security strategies within the organization using a holistic rather than a piecemeal approach. The framework is based on four pillars: security vision and strategy, senior management commitment, information security management structure, and training and awareness. Within the pillars are decision drivers, development, and implementation phases. Firewalls are placed in the development phase since they are used to provide interpretation of corporate standards at the technical level. For a detailed discussion of the PWC model, the reader is referred to Murphy, Boren, and Schlarman (2000).

Firewalls can be considered a last line of defense in protecting and securing information systems. Wood (1988) provided a context for information security systems planning and proposed that reactive and incremental improvement approaches to address security are harbingers of a more serious problem. Other factors identified in Wood's model are the lack of top management support, information overload, insufficient staffing, and limited resources. Straub and Welke (1998) advocate using a deterrence, prevention, detection, and recovery security action cycle to mitigate systems risk and use prioritized security controls.
Data on computer crimes is often under-reported because companies are not willing to risk public embarrassment and bad publicity. Most companies choose to handle these incidents internally without keeping documentation or reporting to local, state or federal authorities (Saita, 2001). There is a need for unbiased empirical studies in the information security area that will provide insight into problems affecting today's technology-dependent corporations and industries.

With a strong need to collect and analyze computer security data, the CSI/FBI Computer Crime and Security Survey is published yearly (see http://www.gocsi.com). This study provides descriptive statistics but does not attempt to identify relationships between variables, as is expected in analytical surveys. Also, results reported in this annual survey have been identified by the publishers themselves to be potentially misleading due to the limited number of respondents and their accuracy as a result of the anonymous nature of the surveys. These results have also been called into question because of lack of statistical or scholarly rigor and self-serving interest (Heiser, 2002). Despite these limitations, the CSI/FBI survey provides a useful role in comparison of yearly data for similar parameters.

The area of human computer interface provides a link between the user and software applications. User satisfaction is a function of features, user interface, response time, reliability, installability, information, maintainability, and other factors. If a product's user interface catches a user's attention and is simple to learn and use, and has the right price and features, then the product may gain competitive advantage (Torres, 2002, p. 15).
The theory of user interface design and user involvement in completing task-based actions related to Internet and security software has been substantiated by two studies in which user interaction with peer-to-peer software (Good & Krekelberg, 2002) and PGP software (Whitten & Tygar, 1999) were examined. Good and Krekelberg (peer-to-peer study) found that applications connecting to the Internet need better usability and software design to maintain integrity of information stored on a user's computer. In this study, individuals assumed responsibility of keeping firewalls operational at all times. This contributed in large part to maintaining effective enterprise security. Whitten and Tygar (PGP study) found that user errors are a significant portion of computer security failures, and further concluded that user interfaces for security programs require a usability standard much different from other consumer software. (Although this study is not directly concerned with user satisfaction and is more focused on factors that affect deployment rather than development of end-user software in a specific area, some factors may be directly tied to user satisfaction, as will be shown by correlational analysis.)

Due to increasing mobile and off-site access by employees using cable modems, DSL connections, and wireless devices to access corporate resources, personal firewalls are a necessary component to maintain overall enterprise security in an organization. Because of the nature and availability of personal firewall software, most companies choose to acquire it rather than develop it in-house. Software acquisition that results in productivity gains and strategic advantage is of critical concern to organizations, and factors that relate to these benefits must be correctly identified and understood for software acquisition decisions (Nelson, Richmond, & Seidmann, 1996).
Purchase of commercial software includes identifying requirements, evaluating packages from different vendors, configuring, installing, and evaluating it either as a server or client-based solution. This may further involve requirements acquisition that leads to product selection (Maiden, Ncube, & Moore, 1997). As a method of selection, professionals in charge of evaluating personal firewall software could draft a feature requirements document, and evaluate vendor products by comparing available features as well as using demonstration versions of software. This would be followed by user experience with the software.

As mentioned earlier, the need for user involvement in information systems has been considered an important mechanism for improving system quality and ensuring successful system implementation. It is further believed that the user's satisfaction with a system leads to greater system usage (Baroudi, Olson, & Ives, 1986). The requirements for software, though, must be as measurable as possible to enable product selection and may also use repertory grids in which stakeholders are asked for attributes applicable to a set of entities and values for cells in an entity-attribute matrix. This would produce a representation of requirements in a standardized, quantifiable format amenable even to statistical analyses (Maiden, Ncube, & Moore, 1997). In relation to the security area, Goodhue and Straub (1991) found company actions and individual awareness to be statistically significant in a study of perceptions of managers regarding controls installed in organizations.

Chapter 3 - RESEARCH QUESTION FINDINGS

Data Analysis

Q-Sort analysis is a type of inverse factor analysis in which the cases (subjects) rather than statement variables (features) are clustered. As recommended by Brown (1980), a procedure that arranged statements based on responses of a single individual was used for data analysis.
The responses involved statements of opinion (also called Q-sample) that individuals rank-ordered based on the feature requirements in personal firewall software. The arrayed items (Q-sort) from the respondents were correlated and factor-analyzed. The factors indicated clusters of subjects who had ranked the statement in the same fashion. Explanation of factors was then advanced in terms of commonly shared attitudes or perspectives. A review of security literature (Hazari, 2000; Northcutt, McLachlan, Novak, 2000; Scambray, McClure, Kurtz, 2001; Strassberg, Rollie, Gondek, 2002; Zwicky, Cooper, Chapman, Russell, 2000) was used to extract the following statement variables relating to requirements in persona l firewall software: performance, ease-of-use, updates, features, reports, cost, configuration, and support. Table 1. Participant ranked scores Variable Mean SD PERF 4.45 0.77 EOU 3.39 1.08 UPDTS 3.23 0.88 FEATR 3.03 0.93 RPORT 3.00 1.03 COST 2.97 1.20 CONFIG 2.55 0.85 SUPPRT 2.35 0.98 INSTLL 2.00 0.89 Prior to conducting the Q-sort analysis, ranked scores of all participants (before identifying factor groups) on each statement variable were calculated for preliminary descriptive statistics. These are shown in Table 1, where a mean score of 5 = Most Important and 0 = Least Important). Correlation between the nine feature variables shows a low level of correlation between statements. This indicates there is a high degree of independence between the statement categories as used in the analysis. This finding is important since it supports the assertion that the statements represent relatively independent factors obtained from the review of the literature. In the correlation matrix shown, Table 2 shows significant correlation (p 0.05) between cost and updates, cost and reports, ease-of-use and performance, ease-of-use and updates, and installation and support. Table 2. 
Correlation matrix between variables COST FEATR EOU PERF INSTLL UPDTS RPORT CONFIG SUPPRT COST 1.00 -0.21 0.27 0.18 -0.13 -0.43 -0.49 -0.08 -0.10 FEATR 1.00 -.29 0.35 -0.16 0.06 -0.17 -0.13 -0.25 EOU 1.00 0.44 0.00 -0.37 -0.27 -0.20 -0.04 PERF 1.00 -0.10 -0.11 -0.13 0.13 -0.14 INSTLL 1.00 -0.13 -0.04 0.18 -0.53 UPDTS 1.00 0.26 -0.15 0.17 RPORT 1.00 1.00 0.03 CONFIG -0.24 SUPPRT 1.00 As mentioned earlier, in Q-factor analysis, the correlation between subjects rather than variables are factored. The factors represent grouping of people with similar patterns of response during sorting (Brown, 1980; Thomas Watson, 2002). Following guidelines for Q-factor analysis, eight factors were initially identified with eigenvalues 1 (an eigenvalue is the amount of variance in the original variable associated with the factor). These factors and their percentage of variance are shown in Table 3. Table 3. Eigenvalues of unrelated factors Eigenvalues % Cumul.% 1 11.56 37.28 37.28 2 6.03 19.45 56.73 3 3.91 12.61 69.34 4 2.98 9.61 78.95 5 2.14 6.92 85.87 6 1.93 6.23 92.10 7 1.43 4.61 96.71 8 1.02 3.29 100.00 Factors selected were rotated to maximize the loading of each variable on one of the extracted factors while minimizing loading on all other factors. Factors selected for rotation are usually identified by taking those with eigenvalue greater than one (Kline, 1994). However, in this study, the more rigorous Kaiser rule of selecting factors whose eigenvalue is at or above the mean eigenvalue (in this case 3.85) was used. Factors 1,2, and 3, which represented almost 70% of total variance in data, were then subjected to principal component analysis with varimax rotation. Following rotation, a Factor Matrix indicating defining sort (i.e., respondents in agreement) identified three factor groups with similar pattern of responses. The correlation of individual respondents with factors is shown in Table 4 below. Table 4. 
Factor matrix of respondents (* indicates defining sort) Q-Sort 1 2 3 1 02386 -0.0398 0.8988 2 0.0227 0.1971 0.8158* 3 0.4975 -0.3790 0.5458 4 0.8575* -0.2912 0.0811 5 -0.2639 0.0196 0.7993* 6 -0.0614 0.7524* -0.2289 7 0.4014 -0.1587 0.4678* 8 0.1367 0.0728 0.9054* 9 0.5351 0.1183 0.6886* 10 0.5065 0.3263 01754 11 0.5351 0.3357 0.6886 12 0.8192* 0.7321* 0.1035 13 -0.6495* 0.3450 -0.0844 14 -0.0464 0.8598* 0.5845 15 0.6535 0.0127 0.3053 16 0.2052 0.2324 0.2452 17 -0.1340 0.4049 0.9512 18 0.7553* 0.5865 0.2987 19 0.2431 0.4049 0.6946 20 0.5983* 0.5865 -0.0334 21 0.4660 0.6533* 0.4573 22 0.5672* 0.1057 -0.3342 23 0.3501 -0.1001 0.8195 24 0.1008 0.9240* 0.0038 25 0.3329 0.0999 0.7194 26 0.2254 0.6545* 0.1329 27 0.7660* 0.1246 0.5677 28 -0.1210 -0.3611* 0.2308 29 0.3850 0.7032* 0.0144 30 0.4656 0.5605 -0.3196 31 -0.1987 0.8988* 0.2470 % explained variance 21 22 26 From Table 4 it can be observed that for Factor 1, respondents 4, 12, 13, 15, 18,20,22, and 27 were in agreement and are highly loaded on this factor. Similarly, respondents 6, 10, 14, 16, 21, 24, 26, 29, and 30 were in agreement in Factor 2, and respondents 5,7,8,9,11,17,19, and 23 were in agreement in Factor 3. The statements in which these three factor groups were ranked are shown in Table 5. Table 5. Ranked statement totals with each factor No. Statement Factor 1 Factor 2 Factor 3 1 COST 0.31 5 0.91 2 -1.45 9 2 FEATR -0.45 7 0.10 5 0.70 2 3 EOU 0.91 2 0.63 3 -0.55 6 4 PERF 1.26 1 1.72 1 1.80 1 5 INSTLL -1.92 9 -0.31 6 -0.63 7 6 UPDTS 0.52 3 -0.54 7 0.61 3 7 RPORTS 0.03 6 -1.28 8 0.55 4 8 CONFIG -1.07 8 0.12 4 -0.17 5 9 SUPPRT 0.41 4 -1.34 9 -0.87 8 Table 6 shows correlation between the factors. Similar to the findings earlier about variable independence, the factor groups also show a high degree of independence. Table 6. Correlation between factors Factor 1 2 3 1 1.0000 0.3218 0.2970 2 0.3218 1.0000 0.2298 3 0.2970 0.2298 1.0000 The normalized factor scores for each factor were examined next. 
This provided a measure of relative strength of importance attached by a factor to each statement on the scale used during sorting. Tables 7(a), 7(b), and 7(c) show these scores.
Table 7(a). Normalized Factor 1 score
No. Statement z-score
4 PERF 1.258
3 EOU 0.910
6 UPDTS 0.542
9 SUPPRT 0.409
1 COST 0.314
7 RPORT 0.032
2 FEATR -0.454
8 CONFIG -1.071
5 INSTLL -1.922
Table 7(b). Normalized Factor 2 score
No. Statement z-score
4 PERF 1.717
1 COST 0.905
3 EOU 0.626
8 CONFIG 0.116
2 FEATR 0.102
5 INSTLL -0.313
6 UPDTS -0.535
7 RPORT -1.276
9 SUPPRT -1.343
Table 7(c). Normalized Factor 3 score
No. Statement z-score
4 PERF 1.805
2 FEATR 0.702
6 UPDTS 0.606
7 RPORT 0.553
8 CONFIG -0.170
3 EOU -0.547
5 INSTLL -0.632
9 SUPPRT -0.872
1 COST -1.446
From Table 7(a) it can be seen that adherents of Factor 1 feel strongly in favor of statement 4 (Performance) and oppose statements 8 and 5. This indicates that, for the Factor 1 group, performance is preferred over initial installation, setup and configuration of the product. The results of the Factor 2 group are consistent with Factor 1; that is, performance of the product is the highest rated criterion. Ease-of-use also rated highly in Factors 1 and 2. Perceived ease-of-use in an information systems product has been shown to play a critical role in predicting and determining a user's decision to use the product (Hackbarth, Grover, & Yi, 2003). The largest dissension between the Factor 1 and 2 groups involved statements 9 (Availability of Online Help), 7 (Intrusion Reports generated), and 6 (Regular Product Updates). The results of Factor 3 are consistent with Factors 1 and 2, with Performance criteria once again being highly rated. The most dissension between Factors 2 and 3 involved statements 1 (Cost) and 3 (Ease-of-use). The most dissension between Factors 1 and 3 involved statements 1 (Cost), 3 (Ease-of-use), and 9 (Availability of Online Help).
Analysis of Results
The Q-sort analysis classified subjects into three groups.
Eight subjects were classified under Factor 1, and 10 subjects each were included in Factors 2 and 3. There were three subjects in the study that were not distinguished in any group. These subjects were excluded from further analysis. The classification into factors gave a better idea of group characteristics. Since Factors 1 and 2 were similar and shown to include subjects who considered Performance, Ease-of-use, and Availability of Online Help as the most important characteristics, this group can be considered to be comprised of non-technical users who place more emphasis on the product performing as expected in achieving goals for security. Factor 3 subjects emphasized technical characteristics and were more interested in number of features in the product, updates to the product on a regular basis, intrusion reports generated by personal firewalls, and setup/configuration of the product after installation. This group had characteristics of technical users. The normalized factor scores provided a measure of relative strength of importance attached by factors to each statement on the scale used during sorting. As mentioned earlier, adherents in Factor 1 felt strongly in favor of statement 4 (Performance) and opposed statements 8 (Setup/configuration) and 5 (Installation). The results of Factor 2 are consistent with Factor 1; that is, Performance of the product is the highest rated criterion. Ease-of-use also rated highly in Factors 1 and 2. The largest dissension between the Factor 1 and 2 groups involved statements 9 (Availability of Online Help), 7 (Intrusion Reports generated), and 6 (Regular Product Updates). The most dissension between Factors 2 and 3 involved statements 1 (Cost) and 3 (Ease-of-use). Results of Factor 3 were consistent with Factors 1 and 2, with Performance criteria once again being highly rated. The largest dissension between Factors 1 and 3 involved statements 1 (Cost), 3 (Ease-of-use), and 9 (Availability of Online Help).
Extreme differences between all factors appeared in Cost, Intrusion Reports generated, and Availability of Online Help. There was only one statement, Performance of the product, that showed consensus among all factors; that is, it did not distinguish between any pair of factors, which indicates Performance of the desktop firewall software is an agreed-upon criterion irrespective of group characteristics. The managerial implications of this study can be assessed at the level of selecting appropriate software for use on computers in organizations to maintain security. There is evidence of user satisfaction being a useful measure of system success (Mahmood et al., 2000). While the end-user may not purchase individually preferred software for installation on company-owned computers, the user can influence decisions for selection by making known to IS managers the features that would contribute to regular use of security software such as personal firewalls. Given the access these machines have to corporate resources, appropriate and regular use of software would contribute to maintaining enterprise security. For technical professionals (e.g., programmers) who install firewalls on their desktop, programs could emphasize the statements that are defining characteristics shown in Factor 3. For an industry that has non-technical professionals (such as Factors 1 and 2), other non-technical characteristics of the product could be emphasized, thus achieving maximum effectiveness in program deployment. Increased awareness should minimize user-related faults, nullify these in theory, and maximize the efficiency of security techniques and procedures from the user's point of view (Siponen, 2000). The results of this study could also benefit vendors who develop software for end-users. In this study it was found that performance of the software is the most important factor that affects selection of software, irrespective of group characteristics.
Due to project deadlines and market competition, software is often shipped without being fully tested as secure, and standard industry practice is to release incremental service packs that address security issues in the product. In the case of security software, this may adversely affect the reputation of a vendor once its products have been shown to have high vulnerability to being compromised. The findings of this study could provide a better understanding of the importance of personal firewall security software on organizational client computers. The decision to install an information system necessitates a choice of mechanisms to determine whether it is needed, and once implemented, whether it is functioning properly (Ives, Olson, & Baroudi, 1983). More research needs to be done in the area of selection of software for implementation on users' computers that are owned by corporations and given to employees for off-site work. This can include regular employees vs. contractors who may connect to employer and client networks from the same computer. If the findings are to have wider applicability, qualified industry professionals and security officers responsible for maintaining secure infrastructure in corporations should be included in the analysis. The study provides management and security professionals a basis for making decisions related to enterprise security. It provides personal firewall vendors an insight into feature requirements of the personal firewall market, and provides academic researchers interested in security a more focused approach on various dimensions of security software from the behavioral perspective. Future studies could be industry and product specific in order to assess differences in selecting general-purpose software versus security-specific products.
In many cases, management has looked at the need for implementing information security programs and products as a necessary encumbrance, something akin to paying taxes or insurance premiums (Highland, 1993). But organizations are increasingly becoming aware of the potential for legal exposure via lawsuits, and are deploying countermeasures (such as personal firewalls) to reduce vulnerability and mitigate risk. The chief information security officer in today's organizations should have the responsibility of managing organizational risks by using empirical models and analysis to determine strategies for protecting corporate assets. Firewalls are the last line of defense in the corporate network and therefore play a critical role in information security. With personal firewalls being a new product genre, this study was conducted since there is no research available that specifically looks at determinants for selection of security software in a corporate environment to protect organizational assets. As the information security field evolves further, decisions for security software acquisitions need to be researched further. Selection and deployment of appropriate firewalls can make a significant difference in an organization's enterprise security strategy. It is therefore also important to understand the variables (as shown in this study) that may affect decisions to select and deploy personal firewall software in a corporate environment.
Limitations of the Study
Due to the exploratory nature of this study, there are several limitations. The sample used in the study consisted entirely of students enrolled in a security course at the same university, and was further limited to the firewall topic among a wide range of technical and behavioral information security topics. Students worked with only one type of firewall software, and characteristics of this particular program may have heightened their awareness of certain strengths and weaknesses in the software.
Since the purpose of information security implementation in an organization is to support business objectives of the organization, information security departments are sometimes placed under the chief financial officer, recognizing the direct relationship between information assets and monetary assets. Software acquisition decisions may therefore be made by the finance department with limited input from the IT department. The purpose of this study was to explore an important topic for research on information security and determine operant subjectivity in a field where empirical research is severely lacking. The Q-sort technique itself is suitable for small sample populations (Thomas & Watson, 2002), but the correlations obtained in smaller samples tend to have considerable standard errors (Kline, 1994). The exploratory nature of this study was not intended to prove some general proposition but to seek a better understanding of group characteristics that directly relate to maintaining a secure network environment (in this case by deploying personal firewalls to plug possible vulnerabilities that might exist in a network through use of computers by employees either on-site or at remote locations). The perceptions of end-users will therefore guide the selection and deployment of security technologies in an organization to provide a secure corporate environment.
Chapter 4- SUMMARY and CONCLUSIONS
Summary
In the area of information security, research has often lagged practice. Dhillon & Blackhouse (2001) have stressed the need for more empirical research to develop key principles for the prevention of negative events and therefore to help in the management of security. Despite known vulnerabilities in applications and operating systems, companies continue to deploy software to stay competitive, and steps taken to secure products and services are knee-jerk reactions to media stories that are more reactive than proactive in nature.
Most IT managers lack a coherent framework and concrete methodology for achieving enterprise security. A security plan that includes technology, personnel, and policies would be a much better approach to developing an enterprise security strategy. One such model is the Enterprise Security Framework, the Price Waterhouse Coopers (PWC) model. The PWC model is comprehensive because it addresses the entire enterprise security architecture. The model emphasizes information security strategies within the organization using a holistic rather than a piecemeal approach. The framework is based on four pillars: security vision and strategy, senior management commitment, information security management structure, and training and awareness. Within the pillars are decision drivers, development, and implementation phases. Firewalls are placed in the development phase since they are used to provide interpretation of corporate standards at the technical level. For a detailed discussion of the PWC model, the reader is referred to Murphy, Boren, and Schlarman (2000). It is therefore important to look at end-user perception, as it may affect how well the user does his or her part in staying vigilant to combat threats posed by hackers to organizational assets. The end-user may be a conduit to organizational data being compromised. Proper software selection as well as positive user attitude and motivation for using the software are therefore important to ensure ongoing use of personal firewall software. Kettinger and Lee (2002) address the fact that the proliferation of personal computing and individualized software, and the popularity of the Internet in organizations, have resulted in users playing an important role in driving IT implementation. Their study found that for users selecting their own IT applications (such as desktop software programs), there is greater user satisfaction after implementation.
Grantham and Vaske (1985) also state that positive user attitudes are important predictors in continued system use. This is especially important for personal firewall use because computers are at risk at all times when connected to the Internet. In reference to software selection, Chiasson and Lovato (2001) emphasize: "Understanding of how users form perceptions of software innovation would help software designers, implementers and users in their evaluation, selection, implementation and ongoing use of software. However, with the exception of some recent work, there is little research examining how a user forms his or her perceptions of innovation over time" (p. 16). The area of information security as it relates to maintaining confidentiality and integrity of data stored on personal computers can benefit from identification of factors that would make it possible to safeguard corporate assets that are at risk as a result of remote data access by employees. Software selection for deployment on company computers cuts across different user levels in terms of knowledge and level of expertise of the user. Selection of software therefore must be done to accommodate all types of users ranging from novices to experts. The latter category of users may have higher tacit knowledge of tasks to be able to compensate for the interface without realizing it (Gery, 1997).
Conclusions
In this study, Q-methodology was used to define participant viewpoints and perceptions, empirically place participants in groups, provide sharper insight into participant preferred directions, identify criteria that are important to participants, explicitly outline areas of consensus and conflicts, and investigate a contemporary problem relating to desktop firewalls by quantifying subjectivity.
Similar to other IT areas, security software selection and deployment in today's environment faces many challenges, such as staying current with new threats, project deadlines, implementation issues, and support costs. Quality drives customer satisfaction and adoption of software. Human factors are important in contributing to successful software deployment in organizations, especially when it relates to desktop software applications. Organizations are now viewing security and controls as business enablers, and desktop firewall technology plays a critical role in safeguarding corporate assets. In a fast-paced area where the new generation of applications and services are growing more complex each day, it is critical to understand characteristics that affect selection of end-user security products in enterprises. This study addresses a small but important area of safeguarding enterprise information security by using personal firewalls. As has been previously noted, limited research exists beyond the current study that explores behavioral aspects of information security. This study holds importance for professionals tasked with evaluating and selecting security products for company-wide deployment. As the area of information security gains increased importance due to the strategic role of technology in organizations, and current events impact areas such as disaster recovery and enterprise continuity planning, a study of end-users to determine their perceptions about selection of technology controls in organizations is critical for protecting organizational assets. More research needs to be done in the area of perception of users towards other security software (such as anti-virus, intrusion detection, virtual private network software, and encryption products), and, due to varying security needs in different industries, studies could also be industry and product specific.
While the findings should be considered preliminary, the results raise interesting observations about issues uncovered regarding security perceptions of feature requirements in personal firewalls. Information security is a dynamic area and, in this environment, this exploratory study contributes to evolving research by identifying variables from theoretical literature and using an empirical technique to study issues that affect safeguarding vital assets of an organization from internal and external threats.
Recommendation
It is recommended that, in order to provide better evidence of factors that affect deployment of technology tools that create awareness of security issues and produce better informed employees, research into behavioral factors also be conducted to gain insight into programs and processes that will lead to the development of a robust enterprise security strategy. Information security awareness research has been mostly descriptive and has not explored the possibilities offered by motivation/behavioral theories, or the related theory of planned behavior and the technology acceptance model, specifically in the information security domain (Mathieson, 1991; Siponen, 2000; Legris, Ingham, & Collerette, 2003). Since security has been deployed at the perimeter of the electronic network and on servers by system administrators, the area of information security has ignored users of information systems, since software developers are far removed from how the user will interact with security software. Human compliance with information security rules requires an understanding of how people work and think (Highland, 1993). Lane (1985) considers the human factor to be the first and most important component of security and a critical part of the risk analysis process. This is especially true in personal firewall software since the burden of maintaining a secure environment is being shared by the user and the system administrator.
REFERENCES
Baroudi, J., Olson, M., & Ives, B. (1986). An empirical study of the impact of user involvement on system usage and information satisfaction. Communications of the ACM, 29(3), 785-793.
Briggs, R.O., Balthazard, P.A., & Dennis, A.R. (1996). Graduate business students as surrogates for executives in the evaluation of technology. Journal of End-user Computing, 8(4), 11-17.
Brown, S.R. (1980). Political subjectivity: Applications of Q methodology in political science. New Haven, Connecticut: Yale University Press.
Brown, S.R. (1986). Q-technique and method: Principles and procedures. In W.D. Berry & M.S. Lewis-Beck (eds.), New Tools for Social Scientists: Advances and Applications in Research Methods. Beverly Hills, CA: Sage Publications.
Chiasson, M., & Lovato, C. (2001). Factors influencing the formation of a user's perceptions and use of a DSS software innovation. ACM SIGMIS Database, 32(3), 16-35.
Clarke, R. (2002, February). Forum on technology and innovation: Sponsored by Sen. Bill Frist (R-TN), Sen. Jay Rockefeller (D-WV), and the Council on Competitiveness. Retrieved October 28, 2003, from http://www.techlawjournal.com/security/20020214.asp
Deise, M., Nowikow, C., King, P., & Wright, A. (2000). Executive's guide to e-business: From tactics to strategy. New York: John Wiley & Sons.
Dhillon, G., & Blackhouse, J. (2001). Current directions in IS security research: Toward socio-organizational perspectives. Information Systems Journal, 11(2), 127-153.
Enns, H., Huff, S., & Golden, B. (2003). CIO influence behaviors: The impact of technical background. Information and Management, 40(5), 467-485.
Gery, G. (1997). Granting three wishes through performance-centered design. Communications of the ACM, 40(7), 54-59.
Good, N., & Krekelberg, A. (2002). Usability and privacy: A study of Kazaa P2P file-sharing. Retrieved November 12, 2003, from http://www.hpl.hp.com/shl/papers/kazaa/
Goodhue, D.L., & Straub, D.W. (1991). Security concerns of system users: A study of perceptions of the adequacy of security measures. Information & Management, 20(1), 13-27.
Grantham, C., & Vaske, J. (1985). Predicting the usage of an advanced communication technology. Behavior and Information Technology, 4(4), 327-335.
Hackbarth, G., Grover, V., & Yi, M. (2003). Computer playfulness and anxiety: Positive and negative mediators of the system experience effect on perceived ease-of-use. Information and Management, 40(3), 221-232.
Hazari, S. (2000). Firewalls for beginners. Retrieved December 17, 2003, from http://online.securityfocus.com/infocus/1182
Heiser, J. (2002, April). Go figure: Can you trust infosecurity surveys? Information Security, 27-28.
Highland, H.J. (1993). A view of information security tomorrow. In E.G. Dougall (ed.), Computer security. Holland: Elsevier.
Ives, B., Olson, M., & Baroudi, J. (1983). The measurement of user information satisfaction. Communications of the ACM, 25(10), 785-793.
Kettinger, W., & Lee, C. (2002). Understanding the IS-User divide in IT innovation. Communications of the ACM, 45(2), 79-84.
Kline, P. (1994). An easy guide to factor analysis. London: Routledge.
Lane, V.P. (1985). Security of computer based information systems. London: Macmillan.
Legris, P., Ingham, J., & Collerette, P. (2003). Why do people use information technology? A critical review of the technology acceptance model. Information and Management, 40(3), 191-204.
Mahmood, M.A., Burn, J.M., Gemoets, L.A., & Jacquez, C. (2000). Variables affecting information technology end-user satisfaction: A meta-analysis of the empirical literature. International Journal of Human-Computer Studies, 52, 751-771.
Maiden, N., Ncube, C., & Moore, A. (1997). Lessons learned during requirements acquisition for COTS systems. Communications of the ACM, 40(12), 21-25.
Mathieson, K. (1991). Predicting user intentions: Comparing the technology acceptance model with the theory of planned behavior. Information Systems Research, 3(2), 173-191.
Murphy, B., Boren, R., & Schlarman, S. (2000). Enterprise security architecture. CRC Press. Retrieved November 2, 2003, from http://www.pwcglobal.com
Nelson, P., Richmond, W., & Seidmann, A. (1996). Two dimensions of software acquisition. Communications of the ACM, 39(1), 29-35.
Northcutt, S., McLachlan, D., & Novak, J. (2000). Network intrusion detection: An analyst's handbook (2nd ed.). IN: New Riders Publishing.
Saita, A. (2001, June). Understanding peopleware. Information Security, 72-80.
Siponen, M.T. (2000). A conceptual foundation for organizational information security awareness. Information Management Security, 5(1), 31-41.
Strassberg, K., Rollie, G., & Gondek, R. (2002). Firewalls: The complete reference. NY: Osborne McGraw-Hill.
Straub, D.W., & Welke, R.J. (1988). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22(4), 441-469.
Zwicky, E., Cooper, S., Chapman, D., & Russell, D. (2000). Building Internet firewalls (2nd ed.). CA: O'Reilly.
Wednesday, January 22, 2020
Abortion - Denying the Undeniable Essay -- Argumentative Persuasive To
Denying the Undeniable
Grief after induced abortion is often more profound and delayed than grief after other perinatal losses. Grief after elective abortion is uniquely poignant because it is largely hidden. The post-abortion woman's grief is not acknowledged by society because the reality of her child's death is not acknowledged. In order to gain her consent for the abortion she has been told that the procedure will remove a "blob of tissue", a "product of conception", or a "pre-embryo." She has been assured that her "problem will be solved" and that she will be able to "get on with her life" as though nothing significant had happened. Yet the pregnant woman knows by the changes in her body that something very significant is happening to her: her menses have stopped, her breasts are enlarging, she is sick in the morning (or all day long), and she knows that the process which has begun in her will most likely result in the birth of a baby in nine months' time if allowed to run its course. She is aware of the expected date of delivery and she has often thought of a name for her baby as she has begun to picture the child as he or she would be at birth (bonding begins very early in pregnancy). All of these feelings and fantasies about her pregnancy must be denied in order to undergo an elective abortion. The pregnant woman is asked to deny the fact that she is carrying a child at all!
Theresa Bonopartis relates her true story in her book, Divine Mercy In My Soul:
I could feel the baby thrashing around as his skin and lungs were burned by the saline. He was dying. Labor began. After twelve hours of labor, alone in the room, I gave birth to a dead baby boy. I looked at his tiny feet and hands. All... ...hat they have committed 'the unforgivable sin' and fear God's anger.
Women who have had an abortion often have many questions, the answers to which are indispensable to beginning the healing journey. Can God ever forgive me? Can my child?
Can I ever forgive myself? Will the Church let me stay when I confess this sin? Will this horrible pain ever go away? Is healing possible? The answer to all these questions is, of course, YES!
WORKS CITED
"Aftermath." http://www.hopeafterabortion.com/hope.cfm?sel=A31Q
Bishops, US Catholic. "Bishops' Official Notes Coverage of Post-Abortion Program." http://www.nccbuscc.org/comm/archives/00-084.htm
Bonopartis, Theresa. Divine Mercy In My Soul. http://www.hopeafterabortion.org/hope.cfm?sel=C18L
"Stories of Healing." http://www.hopeafterabortion.com/hope.cfm?sel=JHY7
Monday, January 13, 2020
Safety, Health and Environmental Risk
For most people, the words safety, health and environment risk would automatically be synonymous with occupations involved in industrial and mechanical factories, chemical labs, or construction sites. Although these factors may be more common in such work settings, the truth is that safety risks and hazards also exist in a regular office or workplace. The risks, however, manifest in the form of biomechanical-related stress and injuries. This includes lower back injury, carpal tunnel syndrome, and repetitive strain injury among many others. Such types of physical stress can result in fatigue and pain, which may then cause the worker to perform poorly and even be unproductive. This paper will discuss various types of biomechanical and ergonomics-related injuries in the workplace. It will also tackle the causes as well as their negative effects on the workers. Consequently, this paper also aims to give recommendations on how to effectively and efficiently address this problem. A regular work desk at a typical office may seem like a hazard-free and safe work environment. However, several studies showed that prolonged and sustained work posture may result in various musculoskeletal disorders. Injuries include repetitive strain injury, carpal tunnel syndrome, and cumulative trauma disorder among many others. In fact, the Bureau of Labor Statistics reports that cases of ergonomic disorders are now rapidly growing in number. According to researchers, occupational illnesses as well as musculoskeletal disorders increased from 18 percent in 1985 to a staggering 56 percent in 1991 (University of Maryland 2008). Today, these numbers continue to rise as more and more workers experience physical strain in the workplace. According to the Occupational Health and Safety Administration there are over 647,000 cases of work-related injuries to date.
Apart from this, occupational injuries account for more than $20 billion of the workers' compensation costs (USA Bureau of Labor Statistics, 1996). There are several types of biomechanical or ergonomic disorders. One of these is carpal tunnel syndrome. Carpal tunnel syndrome, or median neuropathy, is a type of physical strain generally associated with computer workers. It is one of the most common types of work-related injuries, primarily because of the widespread use of computers. Reports show that about 50 percent of computer workers experience this disorder's symptoms frequently. This condition stems from overuse and repetitive manual activities such as typing, which cause the median nerves to be compressed in the wrists. Individuals with this condition usually feel numbness, muscle weakness, and sometimes even pain in the hands, arms, and fingers. Some patients even feel pronounced pain or sensations at night. As this injury progresses, the person may feel cramping and weakness in the hand. It can also lead to a decrease in grip strength. Sharp pains will also be frequent, causing the patient to suffer (Medicine.net, 2009). Lower back injury is another common type of musculoskeletal disorder in the workplace. According to the Bureau of Labor Statistics, about 20 percent of occupational injuries are back injuries. Further, about a quarter of the employment compensation claims are for back injury (USA Bureau of Labor Statistics, 1996). This condition is often attributed to incorrect sitting postures. Office workers are especially vulnerable to this injury, primarily because they retain their sitting posture for hours. Apart from posture, office equipment also contributes to this condition. Poorly designed chairs or computer tables can strongly affect the posture of the user. Sitting in such a chair for long hours can easily result in lower back pain.
Cumulative trauma disorder of the upper extremity is another type of ergonomics-related disorder. Similar to carpal tunnel syndrome, this condition is a result of repetitive manual work. This causes parts of the body, such as the fingers, shoulders, and neck, to feel pain. Recent research shows that cases of cumulative trauma disorder of the upper extremities have increased over the years. The National Institute for Occupational Safety and Health even categorizes this condition as "one of most significant occupational health problems today". This is due to the fact that cumulative trauma disorder of the upper extremities accounts for about 56 percent of work-related injuries (Melhorn 1996, p. 1264). Cumulative trauma disorder of the upper extremities, carpal tunnel syndrome, and lower back injuries are all caused by excessive physical load. In the research work entitled "Biomechanical Aspects of Work Related Musculoskeletal Disorder", Robert Radwin et al. (2002) explained that the terms "physical load" or "load" refer to the physical stress acting on an individual's body (Radwin et al., 2002, p. 153). Similarly, physical stress is the physical quality that makes up both the internal and external factors. This includes kinetic force, kinematics, oscillatory, and thermal. Kinetic force refers to the voluntary motions exerted against an external object, such as pounding or striking an object. This type of pressure then creates a strain on the tendons and ligaments in the body. An increase in pressure or force results in a greater level of stress (Radwin et al., 2002, p. 156). Kinematics refers to the motions or movements that position the body. An uneven or unbalanced motion could cause angular displacement. This in turn could create stress and load on the nerves as well as in the blood vessels. Consequently, oscillatory force creates pressure and load on the body.
Oscillatory or external vibrations affect not only the musculoskeletal system but also the body's vascular and nervous system. Temperature or thermal measurement also plays an essential role in the performance and dexterity of an individual. Long exposure to a cold environment, for instance, can decrease the strength as well as the sensibility of the muscle. Most of these loads are affected by external factors such as the workplace, office furniture, and energy sources, among many others. Biomechanical factors like motions, exertions, body position, and forces also contribute to the physical load endured by the body (Radwin et al., 2002, p. 154). Musculoskeletal disorders also come from various activities, repeated and accumulated over time. Thus, individuals such as employees or workers who are exposed for as much as eight hours daily experience work-related disorders such as carpal tunnel syndrome and back injuries. This is largely because of the long and repetitive activities that are transferred through the different parts of the body, which then create an internal load and stress on the tissues, nerves and ligaments. The combination of external and internal stress can add much stress on the ligaments and connective tissues of the body. Studies reveal that constant exposure to loads and stress can cause damage to the muscles and nerves. One way of reducing this external stress is through ergonomics. Ergonomics is the science that deals with engineering machines and equipment in order to reduce stress on the human body. At the same time, it is also intended to increase human productivity by eliminating discomfort and fatigue (Answers.com, 2009). Ergonomically designed office and workplace furniture such as work desks, tables, chairs, and computers can effectively reduce the load on the human body.
According to studies, ergonomic furnishings in the workplace not only reduce the level of stress among workers but also optimize and increase productivity. Studies also reveal that there is a significant increase in efficiency levels as well as the quality of service in ergonomic-friendly companies. Employees also feel more motivated as they experience less stress and suffer fewer pains. A recent study conducted by Michael Smith and Antoinette Bayehi (2003) showed that an ergonomic controlled office increased the performance of call center workers by 50 percent. Overall, a total of 4.87 percent of output increase was recorded among the control group (Smith and Bayehi, 2003, p. 16). A similar increase in productivity was also recorded in research conducted in a silicon chip plant, which showed a 400 percent growth in productivity. This increase involves an increase in man hours as well as a decrease in work errors (Relating Productivity to Ergonomics, 2009, p. 3). Apart from productivity, studies and research also reveal that companies that have decided to switch to ergonomically designed furnishings saved thousands of dollars in terms of compensation and insurance cost. A recent study showed that a steel company that redesigned its observation pit was able to save as much as $150,000 (Ergoweb, 2009). With such benefits, it is only fitting that companies should address their work-related problems through ergonomics. This means considering essential office equipment such as tables, chairs, and computers. An office chair, for instance, plays an important part in any office environment. This is because almost all employees spend their working hours sitting at their work desks. As such, a chair's height, width, depth, and back rest should carefully be considered. The chair's height should be adjustable or it should measure from 16 to 20 inches. This will allow the user to comfortably place his feet flat on the ground.
When it comes to seat width, it is essential that the chair provides enough space so that the user will be able to sit comfortably. The standard width for most office chairs is 17 to 20 inches. This leaves the user with enough space or room so that he or she can sit at ease (Ergonomics Safety Program, 2009). The back rest is also an important part of an ergonomic chair. Thus, the back rest should be at least 19 inches wide. Also, the chair should have a lumbar support that adapts to the curvature of the user's back. An armrest should also be present, as this will allow the user's shoulders and arms to relax. Other factors such as the swivel function and the seat material must also be considered. The swivel function will allow the user to move around in his or her work desk with ease and comfort. Likewise, the chair's material should be soft enough so that the worker will be able to sit and work comfortably. The office desk or table is another piece of office furniture that needs to be ergonomically designed. Along with the chair, the work desk is used by most office employees for long hours. Therefore, it is important that the work desk allows the users to frequently stretch in order to prevent muscle cramps and pain. The table's height should be at least 23 to 33 inches. An adjustable table is also recommended so that the user's forearms are parallel to the floor. Similarly, the work space should provide enough leg space in order for the user to come as close to the desk as possible (Ergonomics Safety Program, 2009). The work desk should also have enough room for the user to work properly. A writing surface of about 16 to 20 inches should be provided. Document holders and drawers are also necessary. Material-wise, it is important for the work desk to have a matte finish. This will eliminate the glare from the computer.
Desks with rounded corners are also recommended in order to prevent the arms or wrists from coming in contact with square or sharp edges. The positioning of the computer on the work desk is equally significant. The computer monitor should be placed directly in front of the user. This means that the top of the screen must be parallel to the user's eyes. Apart from this, the monitor should be positioned in such a way that there is very minimal reflection and glare (Ergonomics Safety Program, 2009). The computer keyboard, on the other hand, should be placed in such a way that the user will be able to reach it without extending his upper arm. The forearms should also be aligned with the floor so that the wrists will not bend while typing. This can be addressed by selecting a keyboard that can be adjusted and tilted. When typing, the arms should hang loose or rest comfortably on the desk to prevent the muscles in the shoulders from cramping (Daniels, 1996). Likewise, the computer mouse must be placed in the same area as the keyboard. This means that the click button of the mouse is aligned properly with the keyboard. Utilizing a mouse tray with trackballs can permit the user to use the mouse with ease and comfort. This will also allow the wrist to relax while staying in a neutral position (Daniel, 1996). Although ergonomically designed work equipment can reduce the risks of occupational injuries and disorders, it is still important to remember that this alone cannot make up for bad practice. Employees and workers must also be aware of the proper measures in order to reduce stress and injury. One way of doing this is to educate the employees about the seriousness and risks of office-related injuries. This can be done through seminars and workshops about office and workplace safety. Memos and reminders about workplace safety should also be frequently posted in the workplace.
Distributing fliers and brochures about ergonomics-related injuries can also help spread awareness. At the same time, the management should also set an example to the employees by following all the safety measures. Informing the employees about the different consequences as well as the benefits of this issue will allow them to be aware about this looming workplace problem. More importantly, this will encourage the employees to take the proper measures to prevent work-related injuries from happening.
Sunday, January 5, 2020
The Four Major Categories Of Computer Crimes Essay
Within this writing assignment, I will discuss the four major categories of computer crimes. I will explain the most common forms of digital crime and why cyber terrorism is the greatest threat. I will also discuss the roles of the U.S. government, court systems, and law enforcement agencies in combating computer crime. First, we will define the four major categories of computer crimes.

The technical definition of computer crimes is an act performed by a knowledgeable computer user, sometimes referred to as a hacker, who illegally browses or steals a company's or individual's private information, but in general terms, it is the unauthorized use of a computer for personal gain, as in the illegal transfer of funds or to alter the data or property of others (Computer Crime, 2016). There are four major categories of computer crimes; first we will discuss using the computer as a target. When using the computer as a target, they must do two things: intrusion, meaning to gain access to the computer, and deny the owner of the computer access to the service and data. Intrusion is when the individual alters the data. To use the computer as a target, the hacker must alter the password and/or login, and by doing this he is denying the owner access to the data. If a hacker makes a copy of data, they are denying the owner rights to privacy of his or her data. The hacker will use that information to intrude upon another computer. One popular method that can be used to deny service is to