Venture Knowledgist Quality Integration
OF INFORMATION SECURITY INTO BUSINESS MANAGEMENT
Information is a basic building block of our modern society and
needs to be protected. This paper approaches the question of information
security from the viewpoint of business management. Information
security is not a separate entity, isolated from other business
practices; rather, it constitutes an integral part of the modern
business management system, and assists the organization to achieve
and maintain a competitive edge over its business rivals. The aim
for business performance, including information security, is superiority
over competitors. Fulfilling only the minimum requirements or achieving
mediocrity is not enough. Since modern businesses are based on a
process approach, also information security should be integrated
into the management of business processes.
Information and security
Information forms the basis of all intelligent activities. Thus,
the performance of individuals and organizations depends on acquiring
useful knowledge at the right time and using it to manage and improve
their operational business and prepare their strategic plans for
the future. This observation is relevant for all kinds of organizations,
including private companies, public civil service organizations
as well as third sector voluntary and non-profit organizations.
Many organizations collaborate with their stakeholders or interested
parties on a global scale, and they are strongly dependent on electronic
information and communication technology as well as network solutions
and services .
Business knowledge is a valuable asset and is consequently highly
interesting also for others, such as business competitors and hostile
groups. Sometimes this situation is described as information war
[10, 11, 19, 23]. The incidence of data abuse is on the rise, producing
considerable damage. As a result, information security and security
management have become central components in the social and business
activities of organizations [9, 12, 13, 16, 17, 18, 23].
Organizational information security
In 1995, W. H. Murray stated that "Security should pay: it
should not cost". The prevalent notion at the time was that
information security was unproductive and only incurred extra costs
. It goes without saying that information security must also
be cost-effective, but everyone needs to understand that neglecting
it may have dire economic consequences.. Effective and efficient
information security relies on the adoption of professional principles,
methodology, and organizational infrastructure .
Research carried out in Finland indicates that many organizations
are already aware of the risks involved and are motivated to improve
their information security. Although this suggests that information
security awareness is fairly good, it is a surprising finding that
representatives of the senior management often understand security
issues only at the end-user level. It appears that they fail to
grasp the fact that management is a critical factor also for information
Investing only in the information security unit and its resources
is an inadequate and misemphasized measure. Information security
literature often describes information security as consisting of
functional layers. However, descriptions of this kind fall short
of fulfilling practical needs, which rarely involve phenomena that
straddle separate functional layers. Each practical case and the
risks involved in it are situationally unique.
Integration of information security
management into business management system
The implementation of information security forms an integral part
of all business activities, management activities in particular,
both on the strategic and operational management level. Thus, we
may speak of integrated information security management . To
achieve its aims, information security requires a professional approach
and close cooperation between security experts and business executives.
A company with superior information security knowledge has a great
advantage over the competition, a lead that is difficult to close.
Neither technological solutions nor software-based security measures
are sufficient as such. Even in principle, it is hardly likely that
information security could be accomplished by means of separate
information security systems. These might in fact cause more harm
than benefit. Business management systems (see Figure 1) have no
room for such systems; all business activities must be flavoured
by professional information security measures.
Figure 1. Elements of the business management system form the basis
for integrating information security management. Each company must
develop its own management practices incorporating the necessary
According to the recognized international references [7, 8], information
security comprises a variety of management-related issues, including:
- Security policy
- Security organization
- Asset classification and controls
- Personal security
- Physical and environmental security
- Computer and network management
- System access control
- System development and maintenance
- Business continuity planning
- Compliance management
- Data and information security
- Privacy protection
Operationally, information security originates from process-related
activities and information flows between these activities. Thus,
information security is affected directly in real time through process
arrangements, tools and people which, in turn, are influenced by
appropriate and systematic process management practices.
In today's world, e-business is an existing reality and offers increasing
opportunities to organizations in all sectors. It is important to
realize that Internet-based e-business is not merely a technological
issue. The Internet provides a rapidly expanding worldwide communication
infrastructure that covers all aspects of life. The net includes
all people, organizations, cultures and communities, and it has
already changed conditions for interaction as well as behaviours.
E-business is no longer concerned only with explicit data and information
possessed by organizations, but it extends to tacit knowledge which
people rely on in communication. It then follows that information
security should also be adapted to these new business realities.
And that is not the end of it, e-business also creates new opportunities
both for business management and operations and - consequently -
for information security .
All these issues relate very strongly to the decisions and actions
of the top management (the strategic viewpoint) and to the practices
used in the management of business process (the operational viewpoint).
Integrating information security practices and management, it is
extremely important to understand information security issues in
the context of business processes. This is because, in practice,
information security is a crossfunctional discipline, which requires
close cooperation and multifarious expertise. Quality management
has an established position in many organizations, along with an
internationally recognized standardization basis. It has given rise
to numerous practical principles and methodologies that are useful
also in the field of information security [1, 2, 3, 14]. Information
security management is fully analogous to the management of many
other expertise areas important to a company. These include, for
- business risks
- human resource development
- information management and communications
- occupational health and safety factors
- environmental protection
Purposeful management of information
Typically, corporate information security is the result of an evolutionary
process. This indicates that the adopted approach has not necessarily
been systematically considered, although a number of security solutions
may be in place, often as a response to some mishap. In contrast,
the purposeful development of information security is founded on
three pillars (see figure 2), which form the basis for balanced
and innovative practical solutions, custom-tailored for each individual
company . Should any of the three pillars be weak, the adopted
solution is built on sand.
Figure 2. The three pillars of purposeful information security management,
resulting in deeper understanding and efficiency and aiming at superior
Guiding principles, based on a profound understanding of the various
aspects of information security, including the various influences
and dependencies therein, enable organizations to utilize information
security as a foundation for its professional management. Such guiding
principles should be employed effectively and efficiently using
appropriate tools based on a range of methodologies, which are extensively
considered in information security standards [7, 8] and literature.
To ensure that the proposed measures and actions are also undertaken
at the different management levels of an organization - especially
in strategic and operational management - requires a clearly defined
and consistently functioning management infrastructure that includes
a definition of authorities, responsibilities, organizational structure
and practices for internal and external communication.
If the organization has no clear guiding principles or ideas for
information security, the required measures are very likely followed
mechanically, or they are perceived by the end-users only as organizational
solutions, which individual employees need not worry about. In the
absence of professional tools, security-related activities are amateurish
or ineffective even if the ideas themselves are good.
If the organization lacks a suitable management infrastructure,
the principles, methods, recommended practices, etc. cannot be spead
properly over the organization. Intended organizational results
originate from the organization's business processes. Therefore,
also from the viewpoint of information security, process management
is a crucial issue [4,7] .
Information security must be seamlessly related to the organization's
overall business performance, including its financial performance,
its interactions and transactions with all stakeholders and deliveries
to them as well as the organization's internal development. In competitive
business environments, the organization should aim at excellence
or superiority in terms of business performance. The same requirement
should be applied to the implementation of information security.
Organizational information security management is an internal activity,
where the final responsibility lies squarely with the top management.
However, organizations must also be able to demonstrate to the various
interest groups that they have information security issues under
control . As no organization can exist without collaboration
with its interested parties, creating and maintaining an atmosphere
of trust based on factual information to enable best practice decisions
is a prerequisite of successful long-term collaboration.
In the next few years, business organizations must enhance the
effectiveness and efficiency of their information security management.
Solutions should be based on embedding professional information
security measures into all business activities. Information security
cannot be created through separate "information security modules";
the only tenable approach is its natural implementation into all
Today, business is oriented toward international cooperation, and
strategic guidance is provided by the partners' common strive to
develop their collaboration. In practical terms, the effects of
these activities manifest themselves in the form of improved efficiency
and better economic and other results. A high degree of security
endows a measure of stability and reliability and leads to superior
Business activities tend to focus on maximizing profits. A balanced
integration of information security into all business activities
provides stability, which in the long run will bring in more profits.
After years of trying to wrestle security issues into submission,
it has become clear that any single perfect solution does not exist.
Consequently, we should aim at balancing both business and security
aspects and embedding a professional risk management practice into
Improving information security constitutes part of continual organizational
learning. The crux of the matter is, how do organizations learn?
In our experience, it all comes down to people and their shared
learning experiences. Thus, integrating information security into
the improved activities of their organization leads to a better
balance between humans and technology.
 Anttila, J. "Managing and assuring information security
in integration with business management of a company" in Information
security. Small systems security & information security management.
Vol. 2 (Vienna, Budapest: IFIP WG11.2 September 1998).
 J. Anttila, and J. Vakkuri, "Good Better Best" (Helsinki:
Sonera Corporation, 2000).
 J. Anttila and J Vakkuri, "ISO 9000 for the Creative Leader"
(Helsinki: Sonera Corporation 2001).
 Anttila J. "Business process management, a core issue of
implementation of information security" in Information security
and law. Current issues of information security (Rovaniemi, Finland:
Laplands University 2002) (In Finnish).
 Anttila, J,. "Business Integrated e-Quality - Innovative
opportunity for modern advanced organizations", EOQ Conference
proceedings (Harrogate UK: EOQ and IQA 2002).
 Anttila, J., "Business management and quality aspects for
information security management" in European intensive programme
on information and communication technologies security IPICS'2004
(Oulu Finland: The University of Oulu 2004).
 BS 7799-2: "Information security management systems. Specification
with guidance for use. Part 2" (London: British standards institution
 A code of practice for information security management, (London:
Department of trade and industry, DISC PD003, British standards
 Computer Security Handbook, The Practitioners Bible. Computer
Security Institute. Mac/Donnel Printers, USA.(1984).
 Denning, D. Information Warfare and Security. Addison-Wesley.
ACM Press Books. Reading, Massachusetts. USA. (1999).
 B. Hutchinson, and Warren, M.: Information Warfare - Corporate
Attach and Defence in a Digital World. Butterworth-Heinemann / Computer
Weekly Professional Series. Oxford, UK. (2001)
 ISO-IEC-27, Guidelines for the Management of IT Security (GMITS):
Part 1 - Concepts and models for IT Security. (1994).
 ISO/IEC JTC1/SC27, Guidelines for the Management of IT Security
 ISO 9000, Quality management standards, (Geneve: International
Standardization Organization ISO 2000).
 Murray, W.H., "Security should pay: it should not cost".
IFIP TC-11 Eleventh International Conference on Information Security
(Sec'95), Information Security Management - The Next Decade. 8-12th
May. Cape Town, South Africa. Chapman & Hall, London. (1995).
 The NIST handbook, An Introduction to Computer Security. NIST
Special publications. October. USA. (1995).
 Parker, Donn B., Computer Security Management. Prentice Hall,
Reston, USA. (1981).
 Royal Canadian Mounted Police, Security in the EDP Environment.
Security Information Publication, Second Edition. Gendarmere Royale
du Canada. Canada. (1981).
 Schwartau, W., Information Warfare. Second Edition. Thunder's
Mounth Press. New York. USA. (1996).  Schweitzer, J. A., Managing
Information Security: Administrative, Electronic, and Leagal Measures
to Protect Business Information. Second Edition. Butterworths. Boston.
 Senge, P., C. Roberts, B. Ross and A. Kleiner: The Fifth Discipline
Fieldbook (London: Nicholas Brealey Publishing Limited, 1995).
 D. Straub, Carson, P. and Jones, E., "Deterring Highly
Motivated Computer Abuses: A Field Experiment in Computer Security".
In Gable, G., Caelli, W., Ng, F., Ranai, K. and Soh, C. (eds.):
Security and Control: From Small Systems to Large. Proceedigs of
the IFIP TC11/Sec'92. Singapore. 27-29 May. (1992).
 Yourdon, E. : Byte Wars - Impact of September 11 on Information
Technology. Prentice Hall PTR. Upper Saddle River, New Jersey. USA.
[This text was made together with Jorma Kajava and Rauno Varonen
of the University of Oulu, Finland and presented as a conference
paper at the Euromicro Conference in Rennes, France in September,