An analysis of information security in selected Australian organisations

An analysis of information security in selected Australian organisations

Previous, mainly quantitative, research has indicated that information security threats and incidents are having a significant impact on the conduct of electronic business - and office automation in general - both nationally and internationally. However, as revealed by this study's extensive review of the relevant literature, our understanding of the information security situation in Australian organisations has been quite limited. There has been very little detailed research into security threats and incidents and, equally importantly, the strategies the Australian IT industry is using to deal with them.

In addressing that deficiency, this study used a qualitative, case-based research methodology involving a variety of Australian organisations. The case based approach, using in-depth interviews, facilitated a thorough examination of the information security risks (threats and incidents) and enabled assessment and analysis of management actions (countermeasures) to mitigate the identified risks.

The major findings with regard to this study's research issues are:

 The case-study organisations are generally highly reliant on IT for the conduct of their business and therefore would be heavily impacted if it was unavailable
 They face a variety of information security threats with viruses being the most prevalent threat. The hacking threat was not as evident as reported in the literature
 There are some differences between the Australian information security experience and that reported in the literature for international organisations in particular many of the very large business overseas operate on a much larger scale than those in Australia
 The organisations do not believe that they are specific targets for security attacks; rather they believe that are 'targets of opportunity'
 A wide range of countermeasures are employed; generally, the larger the organisation the greater the diversity and complexity of countermeasures. However, the majority do not have a clear link between risks and countermeasures
 The majority of the organisations do not have a specific security budget.

Whilst Australian organisations were generally well prepared and versed on security issues, the findings indicate the need for the application of best practice across the industry as a whole. A degree of cynicism regarding the nature of the hacking threat was evident – with many participants believing that the threat is overstated. Indeed this study uncovered little direct evidence of the organisations involved being subjected to actual hacker attacks.

The framework developed for this study and its findings are readily adaptable for use by industry. By following the process specified in the framework, organisations will be better able to identify both likely and unlikely threats and incidents and deploy appropriate countermeasures.