Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland




Information is a basic building block of our modern society and needs to be protected. This paper approaches the question of information security from the viewpoint of business management. Information security is not a separate entity, isolated from other business practices; rather, it constitutes an integral part of the modern business management system, and assists the organization to achieve and maintain a competitive edge over its business rivals. The aim for business performance, including information security, is superiority over competitors. Fulfilling only the minimum requirements or achieving mediocrity is not enough. Since modern businesses are based on a process approach, also information security should be integrated into the management of business processes.

Information and security

Information forms the basis of all intelligent activities. Thus, the performance of individuals and organizations depends on acquiring useful knowledge at the right time and using it to manage and improve their operational business and prepare their strategic plans for the future. This observation is relevant for all kinds of organizations, including private companies, public civil service organizations as well as third sector voluntary and non-profit organizations. Many organizations collaborate with their stakeholders or interested parties on a global scale, and they are strongly dependent on electronic information and communication technology as well as network solutions and services [5].

Business knowledge is a valuable asset and is consequently highly interesting also for others, such as business competitors and hostile groups. Sometimes this situation is described as information war [10, 11, 19, 23]. The incidence of data abuse is on the rise, producing considerable damage. As a result, information security and security management have become central components in the social and business activities of organizations [9, 12, 13, 16, 17, 18, 23].

Organizational information security

In 1995, W. H. Murray stated that "Security should pay: it should not cost". The prevalent notion at the time was that information security was unproductive and only incurred extra costs [15]. It goes without saying that information security must also be cost-effective, but everyone needs to understand that neglecting it may have dire economic consequences.[20]. Effective and efficient information security relies on the adoption of professional principles, methodology, and organizational infrastructure [21].

Research carried out in Finland indicates that many organizations are already aware of the risks involved and are motivated to improve their information security. Although this suggests that information security awareness is fairly good, it is a surprising finding that representatives of the senior management often understand security issues only at the end-user level. It appears that they fail to grasp the fact that management is a critical factor also for information security.
Investing only in the information security unit and its resources is an inadequate and misemphasized measure. Information security literature often describes information security as consisting of functional layers. However, descriptions of this kind fall short of fulfilling practical needs, which rarely involve phenomena that straddle separate functional layers. Each practical case and the risks involved in it are situationally unique.

Integration of information security management into business management system

The implementation of information security forms an integral part of all business activities, management activities in particular, both on the strategic and operational management level. Thus, we may speak of integrated information security management [6]. To achieve its aims, information security requires a professional approach and close cooperation between security experts and business executives. A company with superior information security knowledge has a great advantage over the competition, a lead that is difficult to close.
Neither technological solutions nor software-based security measures are sufficient as such. Even in principle, it is hardly likely that information security could be accomplished by means of separate information security systems. These might in fact cause more harm than benefit. Business management systems (see Figure 1) have no room for such systems; all business activities must be flavoured by professional information security measures.

Figure 1. Elements of the business management system form the basis for integrating information security management. Each company must develop its own management practices incorporating the necessary

According to the recognized international references [7, 8], information security comprises a variety of management-related issues, including:
- Security policy
- Security organization
- Asset classification and controls
- Personal security
- Physical and environmental security
- Computer and network management
- System access control
- System development and maintenance
- Business continuity planning
- Compliance management
- Data and information security
- Privacy protection

Operationally, information security originates from process-related activities and information flows between these activities. Thus, information security is affected directly in real time through process arrangements, tools and people which, in turn, are influenced by appropriate and systematic process management practices.
In today's world, e-business is an existing reality and offers increasing opportunities to organizations in all sectors. It is important to realize that Internet-based e-business is not merely a technological issue. The Internet provides a rapidly expanding worldwide communication infrastructure that covers all aspects of life. The net includes all people, organizations, cultures and communities, and it has already changed conditions for interaction as well as behaviours. E-business is no longer concerned only with explicit data and information possessed by organizations, but it extends to tacit knowledge which people rely on in communication. It then follows that information security should also be adapted to these new business realities. And that is not the end of it, e-business also creates new opportunities both for business management and operations and - consequently - for information security [5].

All these issues relate very strongly to the decisions and actions of the top management (the strategic viewpoint) and to the practices used in the management of business process (the operational viewpoint).
Integrating information security practices and management, it is extremely important to understand information security issues in the context of business processes. This is because, in practice, information security is a crossfunctional discipline, which requires close cooperation and multifarious expertise. Quality management has an established position in many organizations, along with an internationally recognized standardization basis. It has given rise to numerous practical principles and methodologies that are useful also in the field of information security [1, 2, 3, 14]. Information security management is fully analogous to the management of many other expertise areas important to a company. These include, for example,
- finances
- quality
- business risks
- human resource development
- information management and communications
- occupational health and safety factors
- environmental protection

Purposeful management of information security

Typically, corporate information security is the result of an evolutionary process. This indicates that the adopted approach has not necessarily been systematically considered, although a number of security solutions may be in place, often as a response to some mishap. In contrast, the purposeful development of information security is founded on three pillars (see figure 2), which form the basis for balanced and innovative practical solutions, custom-tailored for each individual company [21]. Should any of the three pillars be weak, the adopted solution is built on sand.

Figure 2. The three pillars of purposeful information security management, resulting in deeper understanding and efficiency and aiming at superior business performance

Guiding principles, based on a profound understanding of the various aspects of information security, including the various influences and dependencies therein, enable organizations to utilize information security as a foundation for its professional management. Such guiding principles should be employed effectively and efficiently using appropriate tools based on a range of methodologies, which are extensively considered in information security standards [7, 8] and literature. To ensure that the proposed measures and actions are also undertaken at the different management levels of an organization - especially in strategic and operational management - requires a clearly defined and consistently functioning management infrastructure that includes a definition of authorities, responsibilities, organizational structure and practices for internal and external communication.
If the organization has no clear guiding principles or ideas for information security, the required measures are very likely followed mechanically, or they are perceived by the end-users only as organizational solutions, which individual employees need not worry about. In the absence of professional tools, security-related activities are amateurish or ineffective even if the ideas themselves are good.

If the organization lacks a suitable management infrastructure, the principles, methods, recommended practices, etc. cannot be spead properly over the organization. Intended organizational results originate from the organization's business processes. Therefore, also from the viewpoint of information security, process management is a crucial issue [4,7] .

Information security must be seamlessly related to the organization's overall business performance, including its financial performance, its interactions and transactions with all stakeholders and deliveries to them as well as the organization's internal development. In competitive business environments, the organization should aim at excellence or superiority in terms of business performance. The same requirement should be applied to the implementation of information security.

Organizational information security management is an internal activity, where the final responsibility lies squarely with the top management. However, organizations must also be able to demonstrate to the various interest groups that they have information security issues under control [1]. As no organization can exist without collaboration with its interested parties, creating and maintaining an atmosphere of trust based on factual information to enable best practice decisions is a prerequisite of successful long-term collaboration.


In the next few years, business organizations must enhance the effectiveness and efficiency of their information security management. Solutions should be based on embedding professional information security measures into all business activities. Information security cannot be created through separate "information security modules"; the only tenable approach is its natural implementation into all business processes.

Today, business is oriented toward international cooperation, and strategic guidance is provided by the partners' common strive to develop their collaboration. In practical terms, the effects of these activities manifest themselves in the form of improved efficiency and better economic and other results. A high degree of security endows a measure of stability and reliability and leads to superior performance.

Business activities tend to focus on maximizing profits. A balanced integration of information security into all business activities provides stability, which in the long run will bring in more profits. After years of trying to wrestle security issues into submission, it has become clear that any single perfect solution does not exist. Consequently, we should aim at balancing both business and security aspects and embedding a professional risk management practice into the system.
Improving information security constitutes part of continual organizational learning. The crux of the matter is, how do organizations learn? In our experience, it all comes down to people and their shared learning experiences. Thus, integrating information security into the improved activities of their organization leads to a better balance between humans and technology.


[1] Anttila, J. "Managing and assuring information security in integration with business management of a company" in Information security. Small systems security & information security management. Vol. 2 (Vienna, Budapest: IFIP WG11.2 September 1998).
[2] J. Anttila, and J. Vakkuri, "Good Better Best" (Helsinki: Sonera Corporation, 2000).
[3] J. Anttila and J Vakkuri, "ISO 9000 for the Creative Leader" (Helsinki: Sonera Corporation 2001).
[4] Anttila J. "Business process management, a core issue of implementation of information security" in Information security and law. Current issues of information security (Rovaniemi, Finland: Laplands University 2002) (In Finnish).
[5] Anttila, J,. "Business Integrated e-Quality - Innovative opportunity for modern advanced organizations", EOQ Conference proceedings (Harrogate UK: EOQ and IQA 2002).
[6] Anttila, J., "Business management and quality aspects for information security management" in European intensive programme on information and communication technologies security IPICS'2004 (Oulu Finland: The University of Oulu 2004).
[7] BS 7799-2: "Information security management systems. Specification with guidance for use. Part 2" (London: British standards institution 2002).
[8] A code of practice for information security management, (London: Department of trade and industry, DISC PD003, British standards institution 1993).
[9] Computer Security Handbook, The Practitioners Bible. Computer Security Institute. Mac/Donnel Printers, USA.(1984).
[10] Denning, D. Information Warfare and Security. Addison-Wesley. ACM Press Books. Reading, Massachusetts. USA. (1999).
[11] B. Hutchinson, and Warren, M.: Information Warfare - Corporate Attach and Defence in a Digital World. Butterworth-Heinemann / Computer Weekly Professional Series. Oxford, UK. (2001)
[12] ISO-IEC-27, Guidelines for the Management of IT Security (GMITS): Part 1 - Concepts and models for IT Security. (1994).
[13] ISO/IEC JTC1/SC27, Guidelines for the Management of IT Security (GMITS). (1995).
[14] ISO 9000, Quality management standards, (Geneve: International Standardization Organization ISO 2000).
[15] Murray, W.H., "Security should pay: it should not cost". IFIP TC-11 Eleventh International Conference on Information Security (Sec'95), Information Security Management - The Next Decade. 8-12th May. Cape Town, South Africa. Chapman & Hall, London. (1995).
[16] The NIST handbook, An Introduction to Computer Security. NIST Special publications. October. USA. (1995).
[17] Parker, Donn B., Computer Security Management. Prentice Hall, Reston, USA. (1981).
[18] Royal Canadian Mounted Police, Security in the EDP Environment. Security Information Publication, Second Edition. Gendarmere Royale du Canada. Canada. (1981).
[19] Schwartau, W., Information Warfare. Second Edition. Thunder's Mounth Press. New York. USA. (1996). [20] Schweitzer, J. A., Managing Information Security: Administrative, Electronic, and Leagal Measures to Protect Business Information. Second Edition. Butterworths. Boston. (1990).
[21] Senge, P., C. Roberts, B. Ross and A. Kleiner: The Fifth Discipline Fieldbook (London: Nicholas Brealey Publishing Limited, 1995).
[22] D. Straub, Carson, P. and Jones, E., "Deterring Highly Motivated Computer Abuses: A Field Experiment in Computer Security". In Gable, G., Caelli, W., Ng, F., Ranai, K. and Soh, C. (eds.): Security and Control: From Small Systems to Large. Proceedigs of the IFIP TC11/Sec'92. Singapore. 27-29 May. (1992).
[23] Yourdon, E. : Byte Wars - Impact of September 11 on Information Technology. Prentice Hall PTR. Upper Saddle River, New Jersey. USA. (2002).

[This text was made together with Jorma Kajava and Rauno Varonen of the University of Oulu, Finland and presented as a conference paper at the Euromicro Conference in Rennes, France in September, 2004]