To address aspects of security that information systems have traditionally neglected, several information systems
security methods have been proposed. The most widely used of these are:
- Security checklists
- Management Standards
These methods have not gone unchallenged, however. Baskerville criticized checklists for paying too little
attention to the fact that organizations' security requirements differ, while Dhillon and Backhouse regard
checklists as mechanistic and therefore blind to the social nature of organizations. This article explores these
criticisms by focusing on specific problems of selected management-oriented information security standards and
on the basis of
- Scholars should know these methods in detail, including their weaknesses.
- Differences in common knowledge among people, which reflect their differing beliefs and kind of
Many management standards exist, such as TCSEC/Orange Book, GMITS, CobiT, IT Protection Manual, BS7799,
GASSP, SSE-CMM, ITSEC (1990), CTCPEC, FC, CC, TNI, NCSC, EPL and TDI. Organizationally oriented standards
differ in their level of abstraction: they range from loose frameworks for security management to lists of
security imperatives. Maturity standards also have a social role, since they present the security "maturity"
level of the organization to others. The three standards selected for analysis are:
- BS7799
- GASSP
- SSE-CMM
Because these standards are relatively new, they have so far attracted little criticism. They are used
internationally by both practitioners and academic scholars, and their advocates are geographically dispersed.
The three levels of principles used by the Generally Accepted System Security Principles (GASSP) are as follows:
- detailed principles
BS7799 (1993) has received the most attention and has been highly praised in various academic forums, which is
why it was chosen for the present analysis. It has advocates in Australia, South Africa and the UK. It suggests
abstract controls, practices or procedures that should be implemented. It can also be used to analyse the
maturity level of a system; in that case, a mature security system is one that meets
SSE-CMM (1998) is mostly used in North America, where its roots lie. It was started in 1993 as an NSA-sponsored
effort to extend the Capability Maturity Model to security engineering. SSE-CMM is a well-organized effort: it can
be used both to evaluate a system's security and to improve it. It is one of the best known approaches, and it
has been developed more systematically than its competitors. BS7799 is called a management standard because it
helps managers ensure that certain issues are properly taken into account. Such standards guide development
according to what the standard prescribes, and are therefore known as normative standards. Maturity and management
standards thus also play a role similar to that of traditional development standards.
The term "management standard" is in fact misleading, since these security standards present a list of
"Management", however, encompasses activities far more complex than the mere insertion of a list of
The standards sometimes suggest that the actions an organization should take to secure its information system
can be derived from prevailing industry practice. "Best known practices" usually means that security experts
have reached a consensus on what the standards should include.
Normative standards are usually, at best, based on naive inductionism: solutions are found and then validated by
singular observations made in a certain environment at a certain time, and those observations are then
universalized. The weakness of this reasoning is that even if the singular observations are reliable, it does not
follow that they can be generalized or universalized; drawing a universal rule from such observations is what is
meant by naive inductionism.
SSE-CMM recognizes that every organization's security needs differ. Following SSE-CMM can nevertheless be
costly, since an organization may end up building more security than it needs. The existing standards may not
even be based on naive
inductionism, since the observations and the underlying research processes behind them cannot be examined and
the results are not reproducible.
Normative standards may also suffer from an inference problem, which has been argued to be a "fundamental
problem in computer security". The baseline approach compares the safeguards of a target organization with
those of its peers in the same industry; if the target organization does not meet the "due care" standard for
the industry, the missing baseline controls should be implemented. The inference problem follows directly: an
adversary who knows which areas a standard does not cover adequately also knows the weak points of every
organization that follows that standard.
The analysis of the paper found that all three standards (BS7799, GASSP and SSE-CMM) commit the "is-ought"
fallacy: they infer what an organization ought to do from what other organizations currently do. Leading
companies that want to use security as a competitive edge, or that seek innovation in security, therefore find
normative standards of little use. The normative standards appear to rest on naive inductionism, generalizing or
universalizing singular, subjective observations. They are not adequately validated; rather, they reflect their
developers' own preferences and personal experiences. Such a research process can be labelled irrationalist in
terms of the philosophy of science, since it implies that academically accepted research methods count for
nothing and that one may instead rely on intuition. Normative standards can also face an inference problem: a
malicious person who knows that a certain organization abides by a given standard may be able to infer which
areas the standard, and hence the organizations following it, do not render sufficiently secure. Further
research is required to overcome these problems, and it should focus in particular on the generalizability of
the findings.
The management standards (BS7799, GASSP), the maturity standard (SSE-CMM) and checklists can all be regarded as
development-guiding, i.e. normative, standards. The maturity and management standards closely resemble
checklists, which are traditional development standards. The analysis revealed three weaknesses:
- They are based on exploring the "is" matter (available protection, what is done by other organizations),
- They rest on unjustified personal observations and speculation rather than validated research.
- They may introduce an inference problem, since an adversary who knows the standard knows what it leaves
  uncovered.
The major finding of this research is that normative standards, in their current form, are questionable.