7 Application of Collaborative Management in Information Theft Prevention

7.1. Introduction

This chapter presents the results of a cross-case analysis of selected UK retail companies, adapted from Okeke (2015), to show the benefits of collaborative management when conducting an information security audit (ISA) aimed at preventing internal information theft. The collaborative audit approach has not only enhanced the audit plan, criteria, scope and duration; it has also improved the audit report and the efficiency and effectiveness of audit operations in compliance with regulations. The case results in this chapter indicate that the collaborative ISA approach strengthens the management effort to build a strong work ethic in the prevention of internal information theft, as evidenced by security management performance in meeting the information security requirements for preventing information theft. In addition, the collaborative ISA approach can enable retail security audit teams to detect loopholes in their IT security systems and tackle them effectively and collaboratively.

A collaborative management effort can provide effective internal security control and improved risk assessment against internal threats. If management collectively takes control of internal IS security issues, the ISA procedures become easier, audit time is reduced and logistics are cut down. The collaborative ISA approach can also promote the sharing of security expertise and IT skills that contribute to an effective ISA for the prevention of information theft. It is vital to note that collaborative ISA improves the chance of identifying internal security risks, which can be achieved through effective collaboration between audit and IT security management.

In contrast, where audit practices and management roles were not collaborative, as in the case of an independent audit, the impact of ISA on information theft prevention may not be realised. Collaboration makes it possible for management to share their roles and responsibilities, thereby improving the likelihood that security and crime prevention management achieve effective security implementations. An effective information security audit in relation to the prevention of information theft may therefore depend on the collaboration of management effort and roles. Thus, management efforts and roles should be shared between IT security and crime prevention management to achieve effective security against information theft in retail companies.

7.2 Benefits of Collaborative Information Security Audit

The benefits of Information Security Audit (ISA) can be measured based on three key criteria: time, logistics and effectiveness. Cost reduction and internal security control have been identified as the major impacts of using collaborative ISA approaches in the prevention of information theft.

Cost reduction benefits: The use of an independent first-party audit or an independent second-party audit could be perceived by retail management as a cost saving, since the company pays for fewer audit teams. However, such companies may incur the indirect costs of a protracted audit and of unaddressed security risks, compared with an approach in which the first-party and second-party audits work together. In such a collaborative audit, both audit teams would draw on the combined support of IT security, a security auditor and an external auditor to ease the burden of audit roles and responsibilities.

The approach of combined support would enable the team to prepare the audit plan in advance to meet the audit criteria and expected targets. The collaborative atmosphere would facilitate the audit performance and provide room for suggestions and new requirements.

Benefits of internal security control assurance: Sound internal security control is one of the benefits of collaborative security management. Independent audits, whether first-party or second-party, can create bias between the retail company and the visiting auditor. This might extend the audit duration and add cost to the business, not only the cost of the security audit itself but also the cost of disrupting business operations during the audit. A collaborative audit approach pays off in reducing the risk of internal information theft, as it gives the audit team the opportunity to leverage their combined skills. Where a software engineer is part of the collaborative management team, the team is better placed to review and meet the requirements for installing the latest updates needed to mitigate internal security threats.

Information systems security knowledge: The sharing of expertise between IT security support and the internal auditor can create a strong internal IS control system. This facilitates comprehensive scrutiny of security risks and flaws and gives an opportunity to collaboratively design strategies for resolving the risks. This practice enables the external and internal auditors to work cooperatively and in a timely fashion to resolve potential internal information theft issues. It can help the audit team avoid poor security audit planning, inconsistencies and shifting of responsibilities, all of which have a great impact on meeting the aims and objectives of the ISA.

7.3. Management Collaboration Benefits Effective ISA Implementation

Retail companies with greater collaboration of management roles are more likely to implement effectively the IS security strategies required for the prevention of internal information theft. Management teams with a shared understanding of data security operations are more likely to achieve a better security strategy for preventing internal information theft, and collaborative role sharing among management is likely to affect the level of management performance in preventing it.

Some retail companies neglect collaborative approaches when implementing security audit practices across their operations, processes and technologies. Some managers take the sharing of prevention practices for granted and manage information theft prevention in relatively independent and predictable ways across their operations. In particular, the case analysis by Okeke (2015) suggests that it is vital for security management to share their data security roles and practices within the operational environment. The empirical evidence from Okeke (2015) shows that companies that neglect to use the collaborative capabilities of IS management often encounter the challenges identified in Chapter 5.

7.3.1 Implications of Collaboration in Internal Information Theft Prevention

One consequence of a lack of collaboration in implementing internal information theft prevention practices is a misunderstanding of IT security terms. This misunderstanding can lead to breakdowns and management override. There may be situations in which the internal auditor is protective of their own position and shifts responsibility to the company's top management.

For instance, the internal auditor may not resolve issues related to security risks; instead, the risks are left as the responsibility of the head of security management. In some cases there is a complete breakdown in communication within the audit team because of their independent work. This analysis agrees with Potter and Waterfall's (2012) PWC ISBS report, which found that more than 56 per cent of business managers do not work together with their information security auditors. Instead, they leave the responsibility to the information security auditors or rely on contingency plans, with the sole intention of cutting costs or investing less in IT maintenance. Potter and Waterfall (2012) also reported that fewer than half of large companies, and only a quarter of small ones, collaboratively measure the coordination of their regulatory data compliance and security management.

Moreover, this perception of ISA costs corresponds to the suggestion of Chris Potter (PWC ISBS, 2012) that most managers fail to evaluate their ISA investment. In line with the benefits of the collaborative ISA approach discussed above, a first-party audit may appear to pay off when an external auditor is hired, but the cost of the time expended on the audit and of poor audit execution can outweigh the benefits of that approach. The operations manager may fail to weigh the pros and cons of paying for an external IS security auditor. This observation confirms Cilli's (2003) suggestion that IS retail management fail to answer ISA effectiveness and efficiency questions relating to IS security awareness, control, profiling and performance measurement. According to Nieminski (2008), effective internal control management equips the ISA team to detect, correct and prevent related information theft threats. She further suggested that any crack in the internal control management of the ISA team often leads to limited judgement, breakdowns and management override.

Another notable implication of a lack of management collaboration in implementing effective prevention practices is that companies are likely to develop data security practices shaped only by the internal information theft prevention challenges they happen to face. Because such practices create a perception of improved IS security, management may begin to take the challenges for granted. This perception leads to the development of culturally unethical security practices among management and, consequently, to internalised prevention practices that are difficult to change. The external auditor may then work with whatever IS resources and information are at their disposal to justify the cost of the services being paid for. This observation agrees with the suggestions of ACFE (2012) and ISBS (2012) that the perceived high cost of data compliance management, and the assumption that adequate security checks are already in place, often contribute to defects in the internal data security of most retail companies.

For crime prevention managers to counter this challenge of culturally oriented unethical security practices, Innes (2003) suggests that they must be integrated into an ethical occupational and organisational culture. This suggestion reaffirms the proposal of the role-based framework that effective integration of a cross-functional management team can enhance management performance in preventing internal information theft. To support this integration and carry out their roles efficiently, management must endorse the ethical cultural attitudes, beliefs and values to which they are exposed; in other words, management must construct ethical cultural meanings that reflect their occupational responsibilities and are consistent with information theft prevention practices. However, this commitment to internal information theft prevention might not work in all cases. Strict compliance with security rules may discourage managers from trusting their own judgement or following their instincts when managing information theft incidents they deem suspicious.

Attempting to abide by strict compliance rules may lead managers to a shared understanding that they should comply with security rules in order to avoid scrutiny from top management. This shared understanding among security managers would be focused on the occupational goal of 'getting the job done' and avoiding criticism from top managers by sticking to the clear security rules of the shared culture. This is what Van Maanen (1974) calls 'cover your ass', a characteristic of the security culture: security managers construct a plausible story to cover everything they do while on duty, in the name of abiding by culturally oriented security practices and security compliance rules.

7.3.2 Recommendations for Effective Collaboration

The discussion of the implications of collaborative management indicates a strong need for retail companies to change their security strategy from an independent approach to a collaborative one. Importantly, the major change should be a review of the existing security culture, policies, procedures, structures and systems. Previous studies (e.g., McDonald and Nijhof, 1999; Roukis, 2006; Sekerka and Bagozzi, 2007) argue that implementing an effective ethics programme in an organisation makes management and employees aware of formal organisational goals (information theft prevention, in this case) and of their informal norms. Pelletier and Bligh (2006) recommend that business organisations should have suitable procedures and systems for ethical decision-making about the sharing of employee roles and responsibilities. This corresponds with the recommendation of this guide that establishing a collaborative management system would build the skills necessary for ethical practice in retail companies.

Moreover, retail companies need to invest in a collaborative management approach to the prevention of internal information theft. This can improve overall effectiveness and reduce the impact of the challenges that online retail companies face in implementing effective security systems. Additional benefits may accrue when these practices are supplemented with collaborative ISA by management. However, the benefits might depend on the IT skills of management, the perception of management roles, top management support and the organisation's operations. The analysis of the implications above has shown that collaborative management increases the likelihood of effective and strategic prevention of information theft. It suggests that a collaborative approach in which internal and external auditors work together can be a more robust audit practice than a first-party or second-party audit involving only an internal or only an external auditor.

The collaborative approach is more effective in checking the internal control of IS in a retail company. It would enable the data security audit team to stay abreast of evolving information theft-related risks, and would improve sustainable internal control management through effective collaboration of essential IS/IT skills within the ISA team. The collaborative functions between the IS auditor and IS/IT staff encourage two-way communication, which is vital in keeping a spotlight on potential security risks. It would encourage retail managers to hire and incorporate skilled IS/IT professionals into the ISA team, and would enhance management's capacity to counter the growing number of data leakages and thefts resulting from the increasing migration of businesses into the digital realm.

7.4. Interdependence of Management Improves Internal Information Theft Prevention

The interdependence of management in carrying out information security roles improves efficiency in internal information theft prevention. A collaborative relationship between management and employees is likely to improve employee compliance with IS security policies. A collaborative relationship between cross-functional management (HR, data compliance, IT security, crime investigation, etc.) is likely to improve the effectiveness of internal data security by directing attention to internal information theft risks and minimising the challenges encountered by management.

7.4.1 Implication of Interdependence of Management

The internal information theft prevention challenges discussed in Chapter 5 can be minimised by effective management interaction. This key attribute of collaborative security suggests that management interaction can positively affect management performance by minimising the impact of the challenges (e.g., lack of clarity of roles, lack of management support, segregated authority and operational changes). These challenges can themselves be a consequence of a lack of interaction between managers, who often stick to their own roles and practices as they work in their operational environments. Without management interaction, conflicts arise over which internal information theft prevention practice to follow. Reconciling these differences, and resolving how to act when dealing with unfamiliar management, often leads to extra work and misunderstanding and, as a consequence, extra cost to data security implementation in terms of money, quality and time.

The collaborative sharing of expertise between skilled and experienced managers could clarify roles, resolve support issues and improve performance when it comes to implementing data security tools. The complexity of roles in resolving information theft issues in retail operations can be resolved through collaborative role sharing.

The efficiency of effort directed towards prevention of information theft depends on how the roles (security support, information theft incident investigation, data compliance management, security operation, technical security, software engineering, and human resources) interact with each other. The effectiveness of their interaction can be measured by the extent to which they reduce the impact of challenges such as lack of resources, disjointed prevention and data protection policy, IS/T security complexity, lack of clarity of roles, segregated authority, and operational changes.

A lack of effective interaction between managers in tackling these challenges can result in lopsided investigations and poor remediation measures. This could have huge implications for the internal security controls and processes employed by retail security management; for instance, weak internal data control systems and outdated intrusion prevention controls may be attributable to lax attitudes of management. Steinnon (2006) suggests that some companies fail to identify security risks because their security controls are not working together to keep pace with the evolving technology used by the perpetrators of information theft-related crimes.

7.4.2 Recommendations for Effective Interdependence of Management

Effective collaboration within the audit team would provide better returns in terms of outputs, cost, quality, resources and time than either an independent external audit or an independent internal audit.

A lack of resources affects all other roles and responsibilities. The ripples of this challenge affect how management learns about and reacts to information theft incidents, and how IS security management implements controls and processes in anticipation of security risks. A lack of resources has a far greater impact on management when it lacks the support of internal and external cross-functional teams: IT security, crime prevention and law enforcement agencies. The IS security and crime prevention management roles therefore need to be mastered through the cooperative effort of a management team. Mastering these roles requires effective assurance of the security of the company's PII/D assets and thus helps in implementing up-to-date security tools and meeting data compliance regulations to remediate evolving security risks.

For instance, the collaborative ISA approach can help build a strong workforce across management. The audit team can take control of internal IS security issues, which eases audit activities, reduces the time expended on the audit and cuts down logistics related to audit protocols. Hooks et al. (1994) suggest that internal information theft risks could be detected and brought under control if the organisation and the external auditor work together. If the audit team focused more on internal control, they could more easily control the organisation's data environment, improve risk assessment and ISA monitoring, and enhance the team's communication. Johnson and Rudesill (2001) agree that business owners, management and data security auditors should share responsibility for internal information theft prevention. Every unit of IS management needs to liaise with the others, prioritise internal data security and control strategies, and act as a watchdog for the business. There should be a coordinated approach to assigning responsibility for IS security. The crack that is often created by a split in data security roles can be corrected by effective interrelationship, coordination and communication among management, external auditing, IT experts and internal auditing.

Engaging in either an independent external audit or an independent internal audit would require more work on the security auditor's part in carrying out internal control management and audit plans. ISO 19011:2011 and ACFE (2012) suggest that external ISA auditors have a better chance of detecting internal information theft risks, but that chance still depends on the cooperation of the auditee's management. Similarly, an independent internal audit would do little to meet the expectations of the IS security audit regulatory bodies. An effective exchange of data security strategies between external and internal auditing should be paramount in companies that are working together to improve their internal data security.

7.5. Summary of Chapter 7

This chapter has provided knowledge, based on case results, of the importance of collaborative management in preventing internal information theft. Adopting collaborative management in internal information theft prevention has redefined the capability of IS security management by examining the workings of collaborative management roles. Although collaborative security management might not be universally applicable, as it may have drawbacks in some retail companies, IS security managers can benefit greatly from these insights. For example, as a first step, IS security managers can classify each management role and match it with responsibilities and skills. This is likely to produce better role alignment within the IS security management team handling information theft prevention. The majority of challenges in the prevention of information theft can be addressed through collaborative clarification of the different responsibilities of IS security managers. Thus, a collaborative management approach provides knowledge that can guide information security practitioners to understand and tackle some of the root causes of other issues in the prevention of internal information theft.

However, it may be difficult to assign managers suitable internal information theft prevention roles when forming the management team. These issues may have varying effects across online retail companies, suggesting that some may have used collaborative role sharing in their ISA while others did not. It follows that it is the role of security and crime prevention management to work with employees, outsourcing firms and law enforcement agencies. It behoves management to train cross-functional managers and shop-floor employees in how to work collaboratively among themselves while enforcing data security regulations. However, it may not be practicable for retail companies to implement the best data security practices only through training, software security and regulatory strategies.

Proactive strategies such as vulnerability testing of network and web platforms, staff vetting and profiling, and customer awareness campaigns might serve as better strategies. Ekblom and Pease (1995) suggest that the applicability of any crime prevention approach, such as the collaborative security described in this guide, would be limited if it were designed without the comprehensive contribution of every employee in the organisation. In addition, Ha et al. (2007) argue that software technologies and other technology-based security strategies can foil data breaches but cannot match the analytic capability and creativity of human behaviour, which is paramount in internal information theft prevention. Hence, the next section discusses theories in the literature that provide an understanding of human behaviour and their application in the context of this guide.

References

Association of Certified Fraud Examiners (ACFE) (2012). 'Report to the Nations on Occupational Fraud and Abuse: Global Fraud Study'. Available: http://www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf, Accessed 12 June 2014.

Cilli, C. (2003). ‘IT governance: Why a guideline?’. Available: http://m.isaca.org/Journal/Past-Issues/2003/Volume-3/Documents/jpdf033-ITGovernance-WhyaGuideline.pdf, Accessed 23 April 2012.

Ekblom, P. and Pease, K. (1995). ‘Evaluating crime prevention’. In: M. Tonry and D.P. Farrington (Eds.), Building a Safer Society: Strategic Approaches to Crime and Justice. Crime and Justice: A Review of Research, 19. Chicago: University of Chicago Press, pp. 585–662.

Ha, D., Upadhyaya, S., Ngo, H., Pramanik, S., Chinchani, R. and Mathew, S. (2007). 'Insider threat analysis using information-centric modelling'. International Federation for Information Processing, 242, pp. 55–73.

Hooks, K.L., Kaplan, S.E. and Schultz, J.J. (1994). 'Enhancing Communication to Assist in Fraud Prevention and Detection'. Auditing: A Journal of Practice and Theory, 13 (2), pp. 86–113.

Innes, M. (2003). Understanding Social Control: Deviance, Crime and Social Order. Buckingham: Open University Press.

Johnson, G.G. and Rudesill, C.L. (2001). 'An investigation into fraud prevention and detection of small businesses in the United States: Responsibilities of auditors, managers, and business owners'. Accounting Forum, 25 (1), p. 56.

McDonald, G. and Nijhof, A. (1999). ‘Beyond codes of ethics: An integrated framework for stimulating morally responsible behaviour in organisations’. Leadership and Organization Development Journal, 20 (3), pp. 133–146.

Nieminski, J. (2008). ‘Access and security internal control review’. Internal control review report, 08–3. Audit of HTE and Lenel system access and security, Gresham City.

Okeke, R.I. (2015). ‘The prevention of internal identity theft-related crimes: A case study research of the UK online retail companies’. Available: http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.656978, Accessed 1 August 2015.

Pelletier, K.L. and Bligh, M.C. (2006). ‘Rebounding from corruption: Perceptions of ethics programme effectiveness in a public sector organization’. Journal of Business Ethics, 67 (4), pp. 359–374.

Potter, C. and Waterfall, G. (2012). 'PricewaterhouseCoopers' information security breaches survey: Technical report'. Available: www.infosec.co.uk, Accessed 15 October 2012.

Roukis, G.S. (2006). ‘Globalisation, organizational opaqueness, and conspiracy’. Journal of Management Development, 25 (10), pp. 970–980.

Sekerka, L.E. and Bagozzi, R.P. (2007), ‘Moral courage in the workplace: Moving to and from the desire and decision to act’. Business Ethics: A European Review, 16 (2), pp. 132–149.

Steinnon, R. (2006). ‘Ignoring the insider threat’. Trade Publication: Network World, 23 (33), p. 58.

Van Maanen, J. (1974). ‘Working the street: “A developmental view of police behaviour”’. In H. Jacob (Ed.), The Potential for Reform of Criminal Justice. Sage Criminal Justice System Annual Review, 3. Thousand Oaks, CA: Sage.
