In recent years, the number of information security cases has kept increasing. As shown in the survey report by the US Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI), most information security cases are caused by internal employees of the organization, and these cannot be prevented by any advanced information technology. The 2005 Australian ‘Computer Crime and Security Survey Report’ also shows that the ratio of organizations that have introduced security standards increased from 37% in 2003 to 65% in 2005. The two reports indicate that information security has evolved from the technological level (for example, firewalls) to the level of management mechanisms.
Because military organizations have a more urgent demand for information security management systems, this paper discusses the response of military staff members to the introduction of the information security management standard (BS7799) and its ten control sections. Questionnaires were sent to military staff members, and the collected data were analyzed and discussed in the hope of providing a reference for military organizations.
The main research findings are:
Staff members of M organization hold differing overall views about BS7799. There is a large gap between ‘importance level’ and ‘implementation level’: most respondents answered that the implementation level of each control section does not reach the level of importance they assign to it.
Among the sections of the information security standard, ‘System Development and Maintenance’, ‘Compliance’ and ‘Security Policy’ score in the top three, while ‘Business Continuity Management’, ‘Physical and Environmental Security’ and ‘Communication and Operations Management’ rank in the lowest three.
The IPA analysis shows that the sections most in need of improvement are ‘Security Policy’ and ‘Personnel Security’.
Respondents from different units assess the factors in introducing BS7799 differently. In particular, they differ significantly on ‘internal organization inducement’, and members of information units have a stronger self-identity than members of non-information units.
In the section ‘Security Policy’, high-level members have greater cognizance than operators.
In the sections ‘Security Policy’, ‘Personnel Security’, ‘Physical and Environmental Security’, ‘Access Control’, and ‘System Development and Maintenance’, voluntary servicemen have significantly higher cognizance than compulsory servicemen. In the section ‘Compliance’, voluntary servicemen and hired men have significantly higher cognizance than compulsory servicemen.