
Information Systems 1

Information system: Normative Standards

To address the neglected aspects of information systems security, several information system security methods have been proposed. The most widely used are:

- Security checklists
- Management standards

These methods have not gone unchallenged. Baskerville criticized checklists for paying too little attention to the fact that organizations' security requirements differ, while other researchers, such as Dhillon and Backhouse, regard checklists as mechanistic and therefore blind to the social nature of organizations. This article explores these criticisms by focusing on specific problems of selected management-oriented information security standards and, on the basis of that analysis, offers several suggestions.

The research offers a few worthwhile reasons for undertaking this analysis:

- Scholars should know the methods in detail, including their weaknesses.
- Common-sense knowledge differs among people, reflecting the different beliefs and kinds of knowledge imparted to them through upbringing, education or personal experience.

Various types of management standards exist, such as TCSEC/Orange Book, GMITS, CobiT, the IT Protection Manual, BS7799, GASSP, SSE-CMM, ITSEC (1990), CTCPEC, FC, CC, TNI, NCSC, EPL and TDI. Organization-oriented standards differ in their level of abstraction: they range from loose frameworks for security management to lists of security imperatives. Maturity standards also have a social role, as they present the security “maturity” level of the organization. The three standards analysed in this research are:

- BS7799
- GASSP
- SSE-CMM

Being new, these standards have not yet attracted criticism. They are used internationally by practitioners and academic scholars, and their advocates are geographically dispersed. The Generally Accepted Information Security Principles (GASSP) use three levels of principles:

- pervasive principles, such as ethics and awareness
- broad functional principles
- detailed principles

BS7799, published in 1993, received the greatest attention and was praised to the skies in various academic forums, which is why it was chosen for the present analysis. It has advocates in Australia, South Africa and the UK. It suggests abstract controls, practices or procedures that should be implemented. It can also be used to analyse the maturity level of a system; in that case, a mature security system is one that meets a certain proportion of the principles described by the standard.

SSE-CMM, published in 1998, is mostly used in North America, where its roots lie. It was started in 1993 as an NSA-sponsored endeavour to extend the Capability Maturity Model. SSE-CMM is a well-organized effort: it can be used both for evaluating a system's security and for improving it, it is one of the best-known approaches, and it is more systematically developed than its competitors. BS7799 is called a management standard because it gives managers an aid for ensuring that certain issues are properly taken into account. Because these standards guide development, they are known as normative standards. Maturity and management standards therefore also play a role similar to that of traditional development standards.

The term “management standard” is in fact misleading, since security standards present a list of controls or procedures at different levels of abstraction which should then be implemented. “Management”, however, encompasses activities that are much more complex than merely inserting a list of controls suggested by a standard.

Sometimes the standards suggest that the actions organizations should take to secure their information systems can be derived from prevailing industry practice. Usually, “best-known practice” means that security experts have reached a consensus on what the standards should include.

Normative standards are usually, at best, based on naïve inductionism. Solutions are found and then validated by singular observations made in a certain environment at a certain time, and the observation is then universalized. The weakness is that even if singular observations are reliable, it does not follow that they can be generalized or universalized; this is what is meant by naïve inductionism.

SSE-CMM recognizes that each organization's security differs. Following SSE-CMM can become costly, as an organization may end up building more security than it needs. The existing standards may not even reach the level of naïve inductionism, as the observations and underlying research processes are not described and the results are not reproducible.

Normative standards may also suffer from an inference problem, which has been argued to be a “fundamental problem in computer security”. The baseline approach compares the safeguards of a target organization with those of its peers in the same industry, and if the target organization does not meet the “due care” standards for the industry, the baseline controls should be implemented. An example is the areas that a standard does not cover adequately: anyone who knows the standard would then know the weak points of the organizations that use it.

After analysing the paper, it was found that all three standards (BS7799, GASSP and SSE-CMM) succumb to the “is-ought” fallacy. Top companies that want to use security as a competitive edge, or that seek security innovations, do not find normative standards very useful. The normative standards appear to be based on naïve inductionism, generalizing or universalizing a singular subjective observation. They are not validated well enough; rather, they reflect their developers' own preferences and personal experiences. Such a research process can be labelled irrationalist in terms of the philosophy of science, as it implies that academically accepted research methods count for nothing and that one may instead rely on intuition.

Normative standards can also be confronted with an inference problem: a malicious person who knows that a certain organization abides by a given standard might be able to infer the areas that the standard, and the organizations following it, will not render sufficiently secure. Further research would be required to overcome these problems; it should focus in particular on the generalizability of the findings.

The management standards (BS7799, GASSP) and the maturity standard (SSE-CMM), as well as checklists, can be regarded as development-guiding, that is, normative standards. The maturity and management standards are very similar to checklists, which are traditional development standards. The analysis revealed three weaknesses:

- Normative standards are claimed to be generally valid.
- They are based on exploring the “is” (available protection, what other organizations do), which is then universalized into norms.
- They are based on unjustified personal observations and speculation, and may involve an inference problem.
The major finding of this research is that normative standards in their current form are questionable. A more reliable approach would be one based on research programmes.
