Information systems in the corporate world


Introduction

The corporate world has wholly embraced information systems, but many businesses lack proper governance and therefore fail to use these systems effectively to realize significant benefits (problem).

This is important because information systems form a vital component of every business, so effective measures should be applied to integrate them solidly with the existing organizational structure. Garr (2004) argues that information systems tend to support almost all business operations, so an incident that disrupts the software's functionality can potentially bring a business to a halt (why select it).

Abramowicz and Flejter (2009) asserted that with effective information systems governance, businesses can adequately exploit the large pool of information system resources at their disposal to deliver improved services, profitability, and economic stability; operate more efficiently; reduce costs; enhance employee productivity; improve customer experience; and thus gain competitiveness over their rivals (why it is important to solve it).

Literature review

Owing to the challenges businesses face in exploiting information systems to derive substantial benefits, many studies have sought to determine why businesses fail to use information systems effectively. Different studies have shown that the use of information systems in businesses around the world is increasing, but that, for lack of effective governance, many businesses have failed to reap benefits from these systems (Brynjolfsson & Hitt, 2000; Curtis & Cobham, 2005). The most successful businesses have adopted effective information systems governance incorporating the managerial, organizational and social elements of a business (Brynjolfsson & Hitt, 2000). The variables here are the measured contribution of managerial, organizational and social factors to a business's exploitation of information systems. Brynjolfsson and Hitt (2000) go further to study how effective information systems governance creates sustainable development by researching the said variables:

  • Managerial: dedicated strategic management support for business change, incentives that result in innovation, improved flexibility, teamwork, collaboration, and a culture that emphasizes the value of knowledge.
  • Organizational: a supportive organizational culture that seeks effectiveness and efficiency, a proper business model, decentralization of power in order to distribute decision rights, overwhelming support by stakeholders, and a solid information systems development team.
  • Social: elements shaped by the surrounding society, such as governments, other businesses, and key market players, and including laws and regulations, computing standards, the internet, and technology. Effective governance must devise means of balancing information systems and social benefits to reap maximum benefits.

These findings are relevant for this study as they show that effective governance is a necessity for valuable information systems.

Taft (2013) conducted related research but sought to commoditize effective governance so that it appears as an asset needed to derive value from information systems, by aligning it to appropriate variables, namely communication networks, technology, organizational policies, and market demands. In addition, Taft (2013) showed that information systems investments tend to produce greater returns than other investments, but with significant variations across firms. The study claims that these variations can be attributed to different levels of dedication to information systems governance; this work is therefore vital in that it perceives governance as an asset that can be managed to derive competitiveness just like any other asset.

Another study by Rapp and Nilsson (2005) on 60 Fortune 500 corporations found that 25% of these firms acknowledged experiencing decreased performance immediately after their information systems went live. The research measured performance by variables such as user acceptance, error rate, rate of support requests, and rate of completion of tasks. The research also covers indirect variables, including the degree of systems integration with existing business models, the systems implementation plan, communication breakdown issues, user training, and change and technology management. These variables were found to have contributed to the challenges faced by the 60 companies. The study also explored the risk variable of information systems investments, discovering that such investments are risky efforts and that proper information systems governance should therefore be applied for businesses to fully exploit the systems and reap maximum benefits. It is only through effective governance that companies can achieve the real benefits of information systems (Rapp & Nilsson, 2005). Despite the invaluable information presented in these studies, there is no clear indication of the degree of governance that can be termed effective. However, they have shown that companies derive different benefits even though they use similar information systems. This work is therefore important as it campaigns for the adoption of effective information systems governance in an attempt to drive business performance.

Related research by Tallon, Ramirez and Short (2013) revealed a strong connection between effective information systems governance and improved benefits from information systems. Tallon et al. (2013) have shown that businesses that failed to employ effective information systems governance, by properly managing change and integrating the systems with business models among other actions, have faced considerable difficulties and costs in implementing information systems, leading to losses or insignificant benefits. These studies have been phenomenal in exemplifying the role of effective information systems governance in improved business performance.

Abramowicz and Flejter (2009) carried out related research that examined the challenges that arise from underestimating necessary variables, including proper planning, development, implementation, change and risk management, legal and ethical concerns, network and communications technology, user training, and business process reengineering to achieve a platform that adequately accommodates new information systems. Although the study shows that without effective governance information systems cannot deliver tangible benefits to a business, the findings are not enough to prove that they cover all elements of effective information systems governance, as they fail to show the need to integrate these functions together in order to enhance their interaction and derive the perceived benefits.

Other research sought to explore the role of organizational management in overseeing information systems governance by studying the following variables: the role in integrating information systems with the existing organizational structure, recommending priorities for initiatives, standards and policies, assessing the level of suitability of information systems, and assessing the benefits realized from information systems (Keller & Price, 2011; Olugbode, Elbeltagi, Simmons & Biss, 2008). Similar research by Bider and Jalali (2014) showed that sound decisions from senior management play an integral role in effective information systems governance. The studies show that management must be wholly involved in information systems governance for it to be effective and successful. However, the research does not detail the benefits of effective information systems governance.

Similarly, Garr (2004) cemented previous findings that effective information systems governance allows a business to leverage underlying benefits by showing that it leads to increased return on investment, improved responsiveness to stay at the forefront of the market, reduced operational costs, economies of scale, sustained competitiveness and increased profits. From this research, it is apparent that businesses have exploited information systems to gain competitive advantage over their market rivals. By showing that some businesses have derived more benefits than others while using similar information systems, the importance of effective governance is further cemented.

These studies have magnified the need for effective information systems governance to allow for proper integration with business processes and to realize superior returns.

Research question

From a business perspective, there is the question: Which major actions have successful businesses undertaken in order to reap maximum benefits from information systems and surpass their rivals who are using the same systems? This leads to the question: What would happen if effective governance is practiced in integration of information systems with the managerial, organizational and social elements of an organization? The ultimate question is: What is the role of effective information systems governance in increasing a firm’s performance and profitability?

Theoretical framework

Implementing an information system does not directly lead to improved business performance. 

Curtis and Cobham (2005) cement this statement by arguing that the introduction of an information system may lead to even more challenges and potentially damage a business further. How can a business gain maximum benefits from implementing an information system? According to Abramowicz and Flejter (2009), a company must first break the perceived benefits down into actionable activities in order to align each of them with existing business structures and achieve a position from which to build a business-wide platform that stays within the set objectives and vision.

Information systems governance is focused on creating a collection of continuous processes that outline the roles and responsibilities of various stakeholders and an actionable, practical approach to organizational decision making (Tallon et al., 2013). Taft (2013) claims that effective governance is governance that allows decisions supported by information systems to be aligned with the business's future vision, enables smooth coexistence between an information system and the existing organizational culture and mandates, and optimizes the exploitation of information systems assets. It goes beyond cost savings: it is an end-to-end process that seeks to develop an efficient, highly dynamic and effective business infrastructure to achieve optimal value.

According to Olugbode et al. (2008), business perspectives demand attention to both the managerial and the informational nature of business information systems. Therefore, despite the promising nature of information systems, derived benefits vary because businesses have different capacities to address the problems posed by social, management and organizational elements. However, with effective means of overcoming these challenges, every business that invests in an information system is capable of gaining significant benefits (Garr, 2004).

It is evident that organizations that employ a well-planned implementation of information systems, with close attention to the surrounding managerial, organizational and social factors, benefit most from their investment. Apparently, businesses that fail to align their information systems appropriately with the correct business model are destined to derive insignificant benefits (Curtis & Cobham, 2005). Therefore, it is important to ensure that the implementation of an information system is accompanied by tangible controls and procedures to eliminate instances of broken communication and uncoordinated operations that hinder managers from making better decisions.

Businesses are becoming more demanding, calling for more complex information systems to handle business processes, support decision making, drive innovation, coordinate the business with partners and other geographically dispersed actors, and meet industry laws, regulations and standards (Bider & Jalali, 2014). Therefore, without proper coordination, it is impossible for businesses to realize substantial benefits from merely implementing information systems.

With effective information systems governance, business management is helped to make better decisions aimed at improving the efficiency of business processes and boosting profitability (Abramowicz & Flejter, 2009). Effective governance enables an organization to regulate and control its processes in order to avoid conflicts between different business elements, including shareholders, employees, assets, operations and organizational structures (Keller & Price, 2011). Therefore, since information systems governance entails the management of proposed and implemented information systems to achieve set objectives, it forms an integral component of corporate governance.

An information system investment is a source of competitive advantage but also amounts to a challenge because it is a cost like any other. Rapp and Nilsson (2005) note that information systems investments amount to a risk that needs to be mitigated in order to achieve the desired results, and this is where governance comes in, to fundamentally shift information systems investments into the organizational infrastructure.

Hypotheses

Managers can adequately determine the elements needed to enable information systems to achieve the desired business objectives. Managers that employ effective information systems governance are more likely to reap greater benefits than those that simply implement information systems and wait for bolstered business performance. This implies that managers must devise effective governance mechanisms to ensure that their information systems incorporate all internal and external business factors in order to exploit the power of these systems.

References

Abramowicz, W., & Flejter, D. (2009). BIS 2009. Springer Science & Business Media.

Bider, I., & Jalali, A. (2014). Agile Business Process Development: Why, How and When. Applying Nonaka's theory of knowledge transformation to business process development. Information Systems and e-Business Management. DOI 10.1007/s10257-014-0256-1.

Brynjolfsson, E., & Hitt, L.M. (2000). Beyond Computation: Information Technology, Organizational Transformation and Business Performance. Journal of Economic Perspectives, 14(4): 1–4.

Curtis, G., & Cobham, D.P. (2005). Business Information Systems: Analysis, Design and Practice. Pearson.

Garr, N.G. (2004). Does IT Matter?: Information Technology and the Corrosion of Competitive Advantage. Harvard Business Press.

Keller, S., & Price, C. (2011). Beyond Performance: How Great Organizations Build Ultimate Competitive Advantage. John Wiley & Sons.

Olugbode, M., Elbeltagi, I., Simmons, M., & Biss, T. (2008). The Effect of Information Systems on Firm Performance and Profitability Using a Case-Study Approach. Electronic Journal of Information Systems Evaluation, 11(1): 12–16. Retrieved from http://www.ejise.com/issue/download.html?idArticle=574.

Rapp, B., & Nilsson, F. (2005). Understanding Competitive Advantage: The Importance of Strategic Congruence and Integrated Control. Springer.

Taft, D.K. (2013, September 9). Information Governance: Why It's Becoming a Boardroom Imperative. eWeek, 23, 6–6.

Tallon, P.P., Ramirez, R.V., & Short, J.E. (2013). The Information Artifact in IT Governance: Toward a Theory of Information Governance. Journal of Management Information Systems, 30(3): 152–176.

Information Security Assessments


Cyber-attacks pose real problems to organizations with an IT infrastructure—which translates to just about every corporation or agency around the world. Corporations invest a lot of resources (personnel and money) and time on maintaining the confidentiality, integrity, availability, and accountability and non-repudiation of data. One course of action for achieving those objectives is through effective and efficient information security assessments. An information security assessment is a strategy implemented to determine if a specific information asset meets documented security constraints. It is primarily used for gaining an overarching understanding and clarification of an IT environment by obtaining substantiating evidence from assessment results (Whitman & Mattord, 2011).

Today, information security and privacy requirements arise along three major dimensions: organizational, industry, and legal and regulatory. Therefore, today's organizations are forced to devise proactive information security risk management. The most effective and efficient way to determine the information security status of an organization and to prevent potential security concerns is to perform regular security and privacy risk assessments. A security assessment encompasses testing, examination and interviewing techniques to understand the security and privacy posture of a wide collection of information assets (Cholez & Girard, 2014). However, performing information security assessments is a challenging process because cyber security vulnerabilities and threats are numerous and evolve constantly in both complexity and frequency. Moreover, there are challenges associated with the intrinsically heavy workload that comes with using methodologies and frameworks to facilitate information security assessment. Nevertheless, information security assessments cannot be ignored because they help bolster the overall information security of an organization.

Benefits of information security assessments

Basically, an information security assessment involves the use of tools and techniques to determine whether an information asset meets the expected security level. As such, it entails comparing the actual outcome of an assessment process with the expected security requirements. This way, it is possible to ascertain missing or inefficient information security measures, which forms the foundation for implementing appropriate information security controls, standards, best practices, procedures and policies. These assessments are also critical to the creation of a corporate risk management and knowledge transfer culture, which can help provide business continuity and, if implemented and adhered to, can assist in maintaining solid information security (Schmittling & Munns, 2010). According to Tipton and Krause (2003), failure to have adequate and relevant knowledge about the overall information assets, existing and potential security risks, and existing security controls creates room for electronic crime or cybercrime such as Denial of Service (DoS), malware propagation, and information reconnaissance.

Performing information security assessments helps ensure that information systems and the IT infrastructure at large are sufficiently secure. They help to identify any security weaknesses that need to be addressed while evaluating organizational security requirements to ensure they are being met. IT is constantly evolving, and so are the associated cyber threats. This requires that assessments be done after the initial IT set-up and periodically thereafter (Peltier, 2005). Schmittling and Munns (2010) postulate that information security assessments help identify substantial and imminent internal and external security vulnerabilities and threats, evaluate the perceived likelihood and severity of impact of each threat, and ascertain the efficiency and effectiveness of the security measures implemented to prevent and/or mitigate risks. Therefore, information security assessments are valuable procedures for continuously maintaining the confidentiality, integrity, availability, accountability and non-repudiation of IT systems and data. They are also one of the fundamental legal and regulatory requirements mandated by the Health Insurance Portability and Accountability Act (HIPAA), the US Sarbanes-Oxley Act (SOX) and other data security and privacy laws (Tipton & Krause, 2003; Vacca, 2012).

A formal, methodical security assessment allows an organization to make sound decisions regarding the severity of diverse business risks based on the information asset at risk and its associated vulnerabilities, threats and existing controls. The severity of each risk is determined by the likelihood of occurrence and the degree or level of impact in the event that a threat becomes a reality. While such a comprehensive, objective and methodical approach is crucial to meeting legal and regulatory requirements, it also helps to manage information security investments better. It provides the information necessary to support a business impact and economic discussion justifying the human resources, processes, technology, money and time invested in security controls. Moreover, such information can be incorporated into cost-benefit analysis and reporting – crucial for top management buy-in, support, and commitment (Peltier, 2005; Whitman & Mattord, 2011).

Information security assessment frameworks

Several studies have delved into security risk assessment frameworks. For example, a risk management framework should be implemented to provide an overarching structure for effective IT management procedures (Layton, 2007). The risk management framework should represent the security life cycle of a corporation. The National Institute of Standards and Technology (NIST) published a management model in NIST SP 800-30 (Layton, 2007). The basic requirements or steps are categorizing, selecting, implementing, assessing, authorizing and monitoring. Categorizing the information system means defining the level of data sensitivity in terms of impact on business performance and objectives. After the criticality level of the information has been determined, security options can be selected. Selecting the baseline security controls is basically tailoring the security controls to match the level of sensitivity of the information (Blackley, J. Peltier, & T. Peltier, 2003). Implementing the control measures should encompass sound security configuration settings across all IT software and hardware. After the security controls and/or measures have been implemented, an assessment should be done to determine the effectiveness of the various security implementations. People require read and write rights and privileges to data in the course of their day-to-day jobs, so proper authorization, accountability and non-repudiation strategies need to be established. The final step in the life cycle, before starting over, is monitoring the security control measures to determine their effectiveness (Popov, Popova, & Melnikov, 2015).

Information security frameworks and regulatory requirements call for objective and substantial security risk assessment, because the effectiveness of security controls rests on how well they address the real risks facing an organization's information assets (Vacca, 2012). Basically, a framework plays an integral role in establishing the rules and guidelines that govern which information assets and risks need to be assessed, the roles and responsibilities of different stakeholders, the terminology or language used in the assessment process, the risk quantification and prioritization criteria, and the necessary documentation (Tipton & Krause, 2003). According to Whitman and Mattord (2011), a framework facilitates the creation of objective risk measurements that help organizations understand the degree of impact on different information assets from both quantitative and qualitative perspectives. Ultimately, organizations are empowered to make objective decisions about bringing risks down to acceptable levels. Major risk frameworks include Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), NIST Special Publication 800-30, COBIT, ISO 27005:2008, and Baseline, Audit and Assess, Secure, and Evaluate and Educate (BASE) (Vacca, 2012).

Information security assessment methodology

Research has shown that successful information security assessment initiatives and frameworks are founded on a well-documented, repeatable, objective and structured methodology. Such a methodology provides a strong foundation for determining vulnerabilities or exposures to information security threats. The adopted methodology should support the following major assessment phases: identification, analysis, and prioritization of information security risks. In addition, an effective methodology should facilitate the evaluation of existing security controls to ascertain their adequacy and potential inefficiencies (Vacca, 2012). An assessment methodology starts with the identification of organizational information assets, including telecommunications devices (switches, access points, wireless distribution systems (WDSs), and routers), PCs, personal devices within the Bring Your Own Device (BYOD) environment, software applications, MANs and WANs, the internet, virtualized and cloud computing infrastructures, operating systems, and LAN and wireless LAN (WLAN) infrastructures. This phase seeks to gain end-to-end visibility into information assets by gathering details such as asset name or ID, IP address, domain name, type or classification, responsible personnel and/or department, a brief description, and location (physical and/or logical) (Peltier, 2005; Whitman & Mattord, 2011).

The second phase encompasses vulnerability and threat analysis, leading to network enumeration, which lists all ports (open and closed), discovered protocols, system services, patch levels, configuration flaws, password reuse, technologies in use, data flows, authentication and authorization implementations, session management functionality, input validation (to assess potential SQL injection), business logic, encryption mechanisms, and WLAN security, among other elements of risk assessment (Peltier, 2005). The following are common security vulnerabilities and threats: deliberate attacks on IT systems (vandalism, theft, negligence, and sabotage) involving hardware and software, open ports and/or services, configuration errors, technical IT systems failures, human errors, inadequate or inefficient physical security measures, cyber espionage, software errors, information extortion, an inefficient Bring Your Own Device (BYOD) environment, former employees, technological obsolescence, intellectual property breaches, natural calamities, advanced persistent threats, gaps in information security training and awareness, an inefficient human resource recruitment process, DNS poisoning, password cracking, eavesdropping, cyber stalking, code injection, buffer overflows, network disruption, social engineering, malware, privilege escalation, hacking, and Quality of Service (QoS) breaches (Tipton & Krause, 2003). Each threat is then assigned a specific risk factor calculated from the likelihood of occurrence and the severity of impact in the event a disaster arises. Defining priorities (risk prioritization) is a crucial step towards the proper allocation of resources (personnel, equipment, processes, money and time) and effective risk management and/or mitigation programs, because security risks are addressed in "most-to-least-critical order". More precisely, risks with a high likelihood of occurrence and a critical or catastrophic impact receive high priority in terms of resource allocation and speed of action (preventive or mitigating) to prevent or eliminate severe impacts, for example the interruption of mission-critical operations. On the other hand, risks with a low likelihood of occurrence and insignificant impact receive low priority, in that they are allocated minimal resources geared towards monitoring them. This can be attributed to the fact that such risks constitute insignificant threats to information security (Vacca, 2012).

The final phase entails security control assessment to identify the measures implemented to protect specific information assets. In addition, this phase seeks to identify additional security controls that need to be implemented to address existing and potential vulnerabilities and threats (Whitman & Mattord, 2011). Tipton and Krause (2003) postulate that security controls should cover the following major dimensions: physical, logical, operational or administrative, and organizational. As good practice, there should be documentation showing how the defined and implemented controls eliminate or minimize the impact of individual threats. Typically, the following security prevention and/or mitigation controls should be implemented: an incident response plan (qualified personnel, disaster recovery procedures, and business continuity planning); physical security (strong doors and windows, electrical and computerized security systems (biometric and card-based building access controls, CCTV, smoke detectors, fencing, proper landscaping and lighting to boost facility visibility, signage, intrusion alarm systems, and raised floors in critical rooms such as the data center to address flooding)); security training and awareness programs; strong collaboration between the organization and law enforcement agencies; firewalls; encryption; proper management of BYOD; anti-virus software; device hardening or secure configurations; strong policies on passwords, encryption, BYOD, internet use and remote access, among others; software security (application software and operating systems); Intrusion Detection and Prevention Systems (IDPS); SLAs for vendor support; and VPN and IPsec protocols for remote access (Tipton & Krause, 2003; Whitman & Mattord, 2011).
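The three phases above (asset identification, threat analysis with a risk factor derived from likelihood and impact, and control assessment with documentation of how each control reduces a threat) can be captured in a small risk register. The following Python script is an added example written for this page, not code from any cited author or framework: the ordinal scales, the "steps down the scale" effect of each control, the risk tolerance threshold, and all assets and threats are constructed assumptions, and the accept-or-mitigate decision at the end is one simple way to act on residual risk.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Ordinal scales. The numeric values are an assumption of this example,
# not a scale prescribed by any framework named in the text.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"insignificant": 1, "moderate": 2, "critical": 3, "catastrophic": 4}


@dataclass
class Asset:
    """Phase 1: one inventory record with the fields listed in the text."""
    asset_id: str
    name: str
    ip: str
    classification: str
    owner: str
    location: str


@dataclass
class Control:
    """Phase 3: an implemented control and how many steps it moves a threat
    down the likelihood and/or impact scale (assumed effect ratings)."""
    name: str
    reduces_likelihood_by: int = 0
    reduces_impact_by: int = 0


@dataclass
class Threat:
    """Phase 2: a threat against one asset, rated on the two scales."""
    asset_id: str
    description: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        # Risk factor = likelihood x impact, before any control is credited.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_risk(self) -> int:
        # Same product after crediting each control; a scale never drops below 1.
        lik = LIKELIHOOD[self.likelihood]
        imp = IMPACT[self.impact]
        for c in self.controls:
            lik = max(1, lik - c.reduces_likelihood_by)
            imp = max(1, imp - c.reduces_impact_by)
        return lik * imp


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Most-to-least-critical order: inherent risk, then impact, then name."""
    return sorted(
        threats,
        key=lambda t: (-t.inherent_risk(), -IMPACT[t.impact], t.description),
    )


def risk_report(assets: List[Asset], threats: List[Threat], tolerance: int = 3) -> List[Dict]:
    """One row per threat in priority order, with the accept/mitigate decision
    made against a stated risk tolerance (assumed default of 3)."""
    by_id = {a.asset_id: a for a in assets}
    rows = []
    for t in prioritize(threats):
        residual = t.residual_risk()
        rows.append({
            "asset": by_id[t.asset_id].name,
            "threat": t.description,
            "inherent": t.inherent_risk(),
            "residual": residual,
            "controls": [c.name for c in t.controls],
            "decision": "accept" if residual <= tolerance else "mitigate further",
        })
    return rows


# Constructed sample data (not taken from any real assessment).
SAMPLE_ASSETS = [
    Asset("A001", "Customer database server", "10.0.5.12", "confidential", "DBA team", "data centre rack 3"),
    Asset("A002", "Public marketing web site", "203.0.113.10", "public", "Marketing", "cloud (IaaS)"),
    Asset("A003", "Sales staff laptop (BYOD)", "192.168.1.40", "internal", "Sales", "mobile"),
]

SAMPLE_THREATS = [
    Threat("A001", "SQL injection through customer portal", "high", "catastrophic",
           [Control("Input validation and parameterized queries", reduces_likelihood_by=1),
            Control("Encryption of stored card data", reduces_impact_by=2)]),
    Threat("A002", "Web site defacement via unpatched CMS", "medium", "moderate",
           [Control("Monthly patch cycle", reduces_likelihood_by=1)]),
    Threat("A003", "Lost laptop exposing cached customer data", "medium", "critical",
           [Control("Full-disk encryption enforced by MDM", reduces_impact_by=2)]),
    Threat("A001", "Flooding of data centre floor", "low", "catastrophic",
           [Control("Raised floor and water sensors", reduces_impact_by=1)]),
]

if __name__ == "__main__":
    for row in risk_report(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{row['inherent']:>2} -> {row['residual']:>2}  {row['decision']:<16} {row['asset']}: {row['threat']}")
```

Sorting on inherent rather than residual risk keeps the "most-to-least-critical" order the text describes, while the residual column and the decision column record what the control assessment and the follow-up review add; the two risks tied at an inherent score of 4 are separated by impact, so the catastrophic-but-unlikely flooding scenario is listed before the moderate defacement.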

Lee and Chang (2014) presented a different approach to information security assessment, holding that the methodology consists of planning, execution and post-execution phases. Planning involves gathering the information required to execute the assessment project. Execution is identifying vulnerabilities and validating them appropriately. Post-execution evaluation seeks to ensure that an organization achieves the complete value of a security assessment project, because it leads to the documentation of residual risks after security controls have been implemented. Therefore, post-execution evaluation provides the information necessary to support decisions on whether accepting, mitigating or correcting the security risks is justified (Lee & Chang, 2014; Vacca, 2012).

It is evident that critical elements of security assessment methodology, including proactive risk management and the need for regular or ongoing information security risk assessments to address constantly evolving risks, are not emphasized. Moreover, a lifecycle approach to security risk assessment may not be adequately effective in the current world of continually growing information security threats. Basically, security risk assessment and management should not be treated as a one-off process. Therefore, proper optimization and "fine tuning" are necessary steps towards proactive information security assessment. Focusing on the most critical information security risks has also been echoed by Vacca (2012). Allowing key technology and business personnel to gain a clear understanding of where resources should be focused is critical to combating risks in order of the severity of their impact, thus facilitating business continuity (Peltier, 2005). Moreover, there is a need for proper technical and organizational strategies to continuously monitor security risks and cater for evolving threats. These strategies may include: port scanning, intrusion detection technologies, anti-malware software to detect viruses, worms and Trojan horses, penetration testing tools such as Nessus, firewalls, proxy servers, deep packet inspection, network access control, audit logs, anti-phishing software, whistle-blowing tools aimed at detecting unauthorized IT systems, and user security training and awareness (Tipton & Krause, 2003).
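Audit log review is one of the continuous-monitoring strategies listed above, and password cracking is one of the threats listed in the analysis phase. The following Python script is an added example, not code from any cited author: it parses constructed sshd-style syslog lines (the host name, user names and addresses are made up, and the year is assumed because syslog timestamps carry none), counts failed password attempts per source address within a sliding time window, flags sources that exceed a threshold, and then reports any successful login from a flagged source, which is the event an analyst would escalate.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample audit-log lines in the usual sshd syslog format. The host,
# users and addresses (documentation/private ranges) are not real systems.
LOG_LINES = """\
Mar 12 08:01:10 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 12 08:01:12 web01 sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Mar 12 08:01:15 web01 sshd[2215]: Failed password for root from 198.51.100.7 port 51026 ssh2
Mar 12 08:01:17 web01 sshd[2217]: Failed password for root from 198.51.100.7 port 51028 ssh2
Mar 12 08:01:20 web01 sshd[2219]: Failed password for invalid user test from 198.51.100.7 port 51030 ssh2
Mar 12 08:01:24 web01 sshd[2221]: Failed password for invalid user oracle from 198.51.100.7 port 51032 ssh2
Mar 12 08:01:30 web01 sshd[2223]: Accepted password for root from 198.51.100.7 port 51034 ssh2
Mar 12 08:03:02 web01 sshd[2230]: Failed password for alice from 10.0.0.5 port 40110 ssh2
Mar 12 08:03:40 web01 sshd[2232]: Accepted password for alice from 10.0.0.5 port 40112 ssh2
Mar 12 08:09:55 web01 sshd[2240]: Failed password for alice from 10.0.0.5 port 40120 ssh2
""".splitlines()

LOG_YEAR = 2024  # assumed: syslog timestamps carry no year

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# An event is (timestamp, "Failed" | "Accepted", user, source address).
Event = Tuple[datetime, str, str, str]


def parse_events(lines: List[str]) -> List[Event]:
    """Keep only password-authentication outcomes; other sshd lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m.group("result"), m.group("user"), m.group("src")))
    return events


def failures_by_source(events: List[Event]) -> Dict[str, List[datetime]]:
    """Group the timestamps of failed attempts by source address."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "Failed":
            failures[src].append(ts)
    return failures


def flag_password_guessing(events: List[Event], threshold: int = 5,
                           window_seconds: int = 60) -> Dict[str, int]:
    """Return {source: peak failures inside any window} for sources whose peak
    reaches the threshold. Threshold and window are tuning assumptions."""
    flagged = {}
    for src, times in failures_by_source(events).items():
        times.sort()
        start = 0
        peak = 0
        for i, t in enumerate(times):
            # Slide the window start forward until it fits within window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def successes_from_flagged_sources(events: List[Event],
                                   flagged: Dict[str, int]) -> List[Tuple[str, str]]:
    """(user, source) pairs for successful logins from a flagged source: the
    case that needs incident response rather than just a firewall rule."""
    return [(user, src) for _ts, result, user, src in events
            if result == "Accepted" and src in flagged]


if __name__ == "__main__":
    events = parse_events(LOG_LINES)
    flagged = flag_password_guessing(events)
    print("flagged sources:", flagged)
    print("successful logins from flagged sources:", successes_from_flagged_sources(events, flagged))
```

In the sample, 198.51.100.7 makes six failed attempts within fourteen seconds and then logs in as root, so it is both flagged and reported as a likely compromise; 10.0.0.5 has two failures almost seven minutes apart, which a sixty-second window treats as ordinary user error. Widening the window or lowering the threshold trades fewer missed slow-rate guessing campaigns against more false positives, which is why both are parameters rather than constants.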

Vacca (2012) argues that information security assessments are largely quantitative in nature, thus they may fail to capture in-depth insight into the security controls needed to completely eliminate security risks. Moreover, the quantification process itself may suffer from systematic bias and/or subjective validation, leading to poor recommendations. As a countermeasure, organizations must always seek the services of qualified and certified information assessment professionals. The following are common certifications: CISSP, CISA, and QSA/ISA. These certifications act as proof of possessing extensive expertise and knowledge of the latest information security threats and the controls needed to sufficiently avert them (Peltier, 2005).

Conclusion

Today, cyber-attacks pose significant challenges to organizations relying on IT systems to run their everyday processes and operations. Corporations invest a lot of resources (personnel and money) and time in maintaining the confidentiality, integrity, availability, accountability and non-repudiation of data. Nevertheless, security investments would be fruitless if an organization does not adopt a proper security risk framework and methodology.

Basically, information security assessments provide the following benefits: improved productivity regarding IT security operations, business continuity, and knowledge transfer capacity; better existing security controls to prevent electronic crime; help in meeting fundamental legal and regulatory requirements such as HIPAA and SOX; and better cost-benefit analysis and reporting, which is crucial for top management buy-in, support, and commitment.

There are many published risk assessment frameworks such as OCTAVE, NIST SP 800-30, COBIT, ISO 27005:2008, and BASE that facilitate the creation of rules and guidelines governing what information assets and risks need to be assessed, the roles and responsibilities of different stakeholders, the terminology or language used in the assessment process, risk quantification and prioritization criteria, and necessary documentation. A risk assessment framework provides one or more methodologies for gathering information related to information security risks (vulnerabilities and threats) and risk levels as well as appropriate security controls – strategies, processes and procedures, policies, training and awareness, IT management personnel, and technologies. Methodical information security assessments are performed to help cross-sector organizations better determine and manage the ever-growing risks to information confidentiality, integrity and availability. Organizations should contract qualified and certified information assessment professionals to eliminate potential bias and inefficient, subjective decisions regarding information security threats and the controls needed to avert them.

References

Blackley, J. A., Peltier, J., & Peltier, T. (2003). Information security fundamentals (1st ed.). Boca Raton, FL: Auerbach Publications.

Cholez, H., & Girard, F. (2014). Maturity assessment and process improvement for information security management in small and medium enterprises. Journal of Software: Evolution and Process, 26(5), 496-503.

Layton, T. (2007). Information security: Design, implementation, measurement, and compliance. Auerbach Publications.

Lee, Z. J., & Chang, L. Y. (2014). Apply fuzzy decision tree to information security risk assessment. International Journal of Fuzzy Systems, 16(2), 265-269.

Peltier, T. R. (2005). Information security risk analysis. CRC Press.

Popov, G., Popova, E., & Melnikov, A. (2015). Analysis of the parameters of information security of the automated systems based on the specified expert assessments. Vestnik of Astrakhan State Technical University. Series: Management, Computer Science & Informatics, 1(2015), 33-39.

Schmittling, R., & Munns, A. (2010). Performing a security risk assessment. ISACA Journal, 1(2010), 1-7.

Tipton, H. F., & Krause, M. (2003). Information security management handbook. CRC Press.

Vacca, J. R. (2012). Computer and information security handbook. Newnes.

Whitman, M., & Mattord, H. (2011). Principles of information security. Cengage Learning.

Phishing

Abstract

Phishing is an attack that entails the acquisition of sensitive information such as personal data and, sometimes indirectly, money. The attacker either masquerades as a trustworthy person or uses entities that appear genuine in an attempt to lure an unsuspecting victim into a security breach trap. There are a number of mitigation approaches against phishing attacks, which include legislation, technical security implementations, and user training and awareness. Information security education and awareness programs play a critical role in helping secure an organization by instilling vigilance across users to curb the risk of social engineering exploits, in this case phishing. As such, it is important to educate and raise awareness across all faculty members, other staff and students at Drake University about phishing exploits and potential defense mechanisms. The creation and evaluation of an Information Security Education and Phishing Awareness program for the institution forms the bulk of this project.

1.0 Introduction

1.1 About Drake University

1.2 Background

1.3 Project Purpose

1.4 Significance of this research

2.0 The Importance of a Security Education & Awareness Training Program

3.0 Implementation of Drake University’s Security Education & Awareness Training Program

3.1 Overview

3.2 Project phases

3.3 Information security and phishing awareness training program topics

3.4 Target audiences at Drake University

3.5 Communication plan and delivery methodologies

4.0 A review of Drake University’s Security Education & Awareness Training Program using Kirkpatrick’s Four-Level Training Model

5.0 Conclusion and recommendations

6.0 References

1.0 Introduction

1.1 About Drake University

Drake University is a private institution located in Des Moines, Iowa. The university enrolls undergraduate and graduate students, community members, and working professionals from approximately 40 U.S. states and 40 countries. Educational programs are offered through 6 colleges and schools (Drake University, 2015a).

1.2 Background

Basically, an Information Security Education and Awareness program is a system that incorporates the following three key elements: security education, training and awareness. Phishing, one of the most commonly used attack approaches in online espionage according to a survey by Verizon Communications Inc., seeks to compromise users (KrebsonSecurity, 2013). Digital communications that appear to originate from popular and genuine social sites, banks, brokers, auctioneers, online payment gateways, internal IT administrators, or even top management are typically used because they appear trustworthy. Phishing emails may carry malware or lure users into clicking on links that redirect them to fraudulent sites that are identical to legitimate ones (Drake University, 2015c).

Greenberg (2015) argues that technological implementations may themselves be exploited. From the start, widespread phishing exploits are often conducted by botnets, which internet service providers (ISPs) can successfully thwart by detecting an unusual amount and/or type of traffic or activity originating from an average daily PC user. When a phishing email survives traffic filters and similar security technologies, the PC user truly becomes an important consideration. At that point, the user interacting with a malicious email ought to be given different warnings to prevent any serious phishing incident (Workman, 2008). As the attack incident approaches its final stages, the user may proceed to open a document, click on a presented link, or download a file, and technological measures can prevent suspicious and malicious files and sites from opening or loading. As such, technological measures should be implemented to prevent users from engaging in any malicious or insecure activity (D’Arcy, Hovav, & Galletta, 2009).

With regard to educating employees, training and awareness mean different activities. Training provides users with a rigid collection of knowledge and skills, and perhaps tests them to measure the level of understanding. Awareness, on the other hand, is less extensive than training. Awareness implies a sense of consciousness, where users can recognize a phishing threat without necessarily having a deep understanding of the issue. More broadly, phishing awareness is being aware of existing and potential threats (Rezgui & Marks, 2008). Nevertheless, both training and awareness are critical to successful mitigation of phishing and other security attacks, as they provide users with a solid understanding and recognition of information security threats.

There have been many phishing attacks to date; the most notable include:

  • Home Depot, a major U.S. retailer, was attacked through phishing, leading to the unauthorized release of credit card details and personal data of over 100 million customers across all 2200 stores (KrebsonSecurity, 2014).
  • Target Inc. was the victim of a huge data breach, an attack that started with a malware-laced email sent to staff at Fazio Mechanical Services Inc., an HVAC subcontractor. Attackers stole credentials from the subcontractor using email phishing to break into Target stores’ cash registers and steal credit card data from approximately 110 million shoppers (O’Connell, 2014).
  • The Washington Post website was hacked after a complex phishing attack was launched against its unsuspecting newsroom staff. The attackers planted code on the Washington Post’s site that successfully redirected users to the website of the Syrian Electronic Army (SEA), a hacker group. The hackers were able to acquire one reporter’s Twitter password, which allowed them to send SEA messages and malware to other reporters using that individual’s Twitter account (KrebsonSecurity, 2013).
  • A spear-phishing campaign using email messages was launched in November 2014 against the Internet Corporation for Assigned Names and Numbers (ICANN) systems. The messages were crafted to appear to originate from ICANN’s domain and were sent to staff members, leading to the compromise of many employees’ email account credentials as well as unauthorized access to other corporate systems, including the Centralized Zone Data System, ICANN GAC Wiki, ICANN Blog, and ICANN WHOIS (Internet Corporation For Assigned Names and Numbers [ICANN], 2014).

1.3 Project Purpose

This research aimed, first, to identify the characteristics of, and illustrate the differences in behavior between, organizations which have implemented a successful Security Education & Awareness Training Program and those which have not. Second, the project has determined the value of implementing an e-mail phishing awareness program within an information security policy and measured the effectiveness of such a campaign and its progress, specifically at Drake University, using Kirkpatrick’s Four-Level Training model in a formalized evaluation process, to illustrate the program’s benefits.

1.4 Significance of this research

Phishing attacks typically lure unsuspecting users, whereby cybercriminals masquerade as trustworthy entities on the digital platform to steal sensitive information, for example usernames and passwords, or even money (Kayworth & Whitten, 2010). Many phishing attacks have been reported across small and large organizations, including data breaches at Home Depot, Target Inc., the Washington Post, and ICANN. In addition, KrebsonSecurity (2013) cites a survey conducted by Verizon Communications Inc. that showed that almost all incidents related to online espionage involved some aspect of phishing. As these incidents and Verizon Communications Inc.’s survey findings show, phishing attacks are real and still growing in complexity, given that the newsroom reporters at the Washington Post and the employees at ICANN could not detect the impending attacks. In addition, Peltier (2013) argues that the most serious penetrations of security systems often exploit employees within an organization. As such, employees and/or users should be educated on the potential impacts of successful phishing attacks alongside the best defense mechanisms against the threat. Therefore, the Information Security Education and Phishing Awareness program is a practical tool towards effectively ensuring that employees can detect and manage existing and potential threats, and that organizational IT systems and information assets are protected against security and privacy breaches arising from phishing attacks.

Today, education and phishing awareness training programs are making a tangible impact in reducing successful IT security attacks. These strategies keep the negative elements of phishing schemes top-of-mind across IT system users, and the knowledge and skills are vital in helping bolster the other security implementations in place (Hansche, 2001). This work implements an information security education and phishing awareness project for Drake, and recommends continuous assessment to maximize retention and bolster security levels. Therefore, the program may help the organization teach its people ways to discover security risks and avoid being compromised.

2.0 The Importance of a Security Education & Awareness Training Program

The most successful security education and awareness programs reduce the rate of “click through” on phishing emails. This kind of decrease can result in significant cost and security risk reduction (Abraham & Chengalur-Smith, 2010). Applegate (2009) argues that when users no longer become victims of attacks that compromise IT systems, the incident response personnel have a lighter load and attackers have fewer chances of executing unauthorized access, modification, or loss. Security awareness creates the desired consciousness with regard to potential phishing exploits, thus it allows users to avoid common social engineering traps (Aloul, 2012).

Herold (2010) argues that information security education and awareness training are the most valuable strategies for enhancing IT security implementations. Developing an information security training and awareness program is often a daunting task (Herold, 2010). Unfortunately, it may be pursued yet deliver few benefits to an organization with regard to network, information systems and information security (Shaw, Chen, Harris, & Huang, 2009). Nevertheless, furnishing Drake University’s personnel with appropriate security and phishing awareness, and ensuring that they solidly understand and comply with security requirements, is an essential element of the organization’s day-to-day success.

To comply with regulatory requirements: an ever-increasing number of laws and regulations in different jurisdictions require organizations to conduct some form of information security training and awareness. Based on the U.S. Federal Sentencing Guidelines, there are a number of factors that affect the severity of judgments that can be imposed on an organization for non-compliance. These include:

  • The frequency and the degree of effectiveness with regard to communication of policies and/or procedures to concerned people.
  • The degree of effectiveness regarding personnel training and awareness.
  • The strategies the organization used for training and awareness communications.
  • Whether desired training results are verified.
  • Whether the training and awareness program is updated continuously to enhance communications and deliver the right message to people.
  • Whether the program covers ethical practices.
  • Whether there is continuous compliance across the organization’s people and management.
  • Whether management is receiving the same training and awareness messages as other people.

The Department of Justice reported 111 organizations as defendants charged under the rules, and 83 cases attracted related fines in 1995. By 2001, Herold (2010) notes, the number of organizations that were sentenced had increased to 238. Of these cases, 137 ended in fines while 49 resulted in both fines and restitution. Restitution and fines averaged approximately $3.3 million and $2.2 million respectively. Most strikingly, Herold (2010) points out that, of those cases, 90 organizations did not have a compliance program. Therefore, it is worth noting that an effective compliance strategy is required as stipulated by different guidelines. In addition, the effectiveness of such strategies dictates the weight of sentencing judgments. Whitman & Mattord (2011) claim that the growing scrutiny of compliance, along with the necessary training and awareness programs, will see the number of fines or penalties increase. Therefore, security education and awareness supports the measures taken by an organization to mitigate potential risks and uphold high levels of security based on the outcomes of a defined baseline evaluation, and ultimately supports company policies.

To bolster customer satisfaction and trust: security training and awareness helps an organization respect its customers’ information confidentiality and privacy through enhanced IT security (Shaw et al., 2009). Today, organizations face the challenge of securing their customer data against security and privacy breaches, thus all people involved in IT systems must be educated on the best ways to bolster information security (Whitman, 2003). We have come across many headlines about data privacy breaches, eliciting fear across the public. Therefore, customers want to be assured that an organization is doing everything at its disposal to responsibly protect personally identifiable information (PII). Herold (2010) argues that an organization should give practical consideration to all activities and processes that relate to PII. Organizations should offer their people training and awareness with respect to the protection of PII, and keep their customers informed regarding the measures put in place to safeguard the security, confidentiality and privacy of their personal information through appropriate training and awareness messages (Tsohou, Kokolakis, Karyda, & Kiountouzis, 2008).

There are a number of specific items that need to be included in training and awareness programs to improve the desired impact on how customers view an organization, along with their degree of satisfaction and trust. The objectives of an effective training and awareness program include (Rhee, Kim, & Ryu, 2009):

  • Adequately protecting every customer’s PII and associated data from unauthorized access, use or sharing.
  • Allowing customers to indicate their preferences with regard to the PII that is collected by an organization.
  • Building an understanding across employees that executive management is serious about securing PII associated with customers, and that anyone who fails to comply with organizational security policies will face severe consequences.
  • Ensuring that customers’ PII is only used for explicitly indicated purposes.
  • Allowing customers to opt out of organizational services, for example a newsletter membership, and guaranteeing that employees understand the appropriate procedures that must be set up to respect the decision.
  • Assuring customers that their PII will be sufficiently protected, and explaining how it will be protected and used.
  • Upholding opt-in for all organizational email correspondence, with few exceptions for strictly administrative communications. In addition, third-party information sharing and mobile phone advertising and marketing should be confined to opt-in.
  • Securing customer PII through a written agreement or contract, and subjecting such security to regular compliance reviews.

Training and awareness also help ensure that all organizational processes comply with security and privacy policies, and ultimately live up to customer expectations (Puhakainen & Siponen, 2010). To comply with best practices and published security and privacy policies, organizations need to train their IT users. Failure to enforce compliance results in damage to the value of such policies (Tsohou et al., 2008). Therefore, organizations must train their employees about their individual roles and responsibilities with respect to supporting compliance with information security and privacy policies.

Senior management serve as role models to personnel and as backers of training and awareness programs. As such, their support and commitment strongly affect the level of policy compliance and awareness. Senior management needs to visibly support and encourage activities related to information security and privacy. Consequently, this ensures that an organization follows a unified set of policies, and that industry best practices and standards are always incorporated into security and privacy strategies, because senior management support and commitment increase the chances of acceptance (Abraham & Chengalur-Smith, 2010).

Due diligence is another important factor with respect to information security education and awareness training. Generally, due diligence provides demonstrated assurance that organizational management has implemented satisfactory security of corporate resources, for example data, along with compliance with contractual and legal requirements. This is a great enabler of an information security education and awareness program. Due diligence helps detect and prevent criminal behaviors. Organizations are required by the Sarbanes-Oxley Act of 2002 to prevent any form of criminal conduct and to demonstrate effective, bolstered, and executive-supported information security training projects. The provisions of such an Act dictate sentencing guidelines, and they motivate an organization to devise strategies to ideally eliminate or reduce criminal conduct through the implementation of effective ethics and compliance programs. Other regulations include the Health Insurance Portability and Accountability Act (HIPAA), GLBS, and the HITECH Act. To create a program that conforms to the set rules, organizations should show due diligence in promoting an information security and ethics culture. Educating and training on awareness helps implement procedures for preventing and detecting criminal conduct as well as responding to security and privacy violations to prevent future occurrences (Herold, 2010).

Corporate reputation can be bolstered through high levels of customer data security and privacy. Reputation is a vital business success resource, as a good reputation helps improve customer retention and sales. Herold (2010) argues that a good reputation can be upheld by training employees on the best ways to adhere to the correct information security precautions. This way, it would be possible for personnel to avoid compromising the security and privacy of personal and sensitive information. Consequently, unfavorable news and damaging media attention due to security breaches become unlikely. Corporate reputation can be effectively managed through continuous information security education and awareness training.

Organizations understand that evaluating personnel performance on specific activities improves their efficiency. This entails upholding accountability, in that personnel strive to complete their roles and responsibilities regarding information security compliance. Victims of insufficient education and awareness on security practices may file suits against their organizations, citing failure to receive the solid skills that could have prevented an incident from occurring. Knowledge of security practices is a requirement for every member of personnel using any corporate network resource. Today, there has been a shift from corporate or management responsibility for security breaches toward individuals. Therefore, there is a need to enhance personnel accountability, and education and awareness training are vital for ensuring that people can be held responsible for security breaches as opposed to merely blaming technological implementations (Herold, 2010). After all, tools such as intrusion detection systems are implemented by individuals, thus everyone’s responsibility to follow best practices and standards regarding information security is best solidified through effective information security education and awareness training.

3.0 Implementation of Drake University’s Security Education & Awareness Training Program

3.1 Overview

The program pursued in this project has two major components: (1) education; and (2) awareness with respect to information security and phishing. Therefore, the program incorporates many policies to ensure that the above two major components are implemented. The security of private and confidential information is very important since it prevents unauthorized access and modification, thus safeguarding the confidentiality, integrity and availability of organizational network resources (Rhee et al., 2009). Therefore, Drake University needs to secure its network resources through technological tools with full support and commitment from senior management, system administrators, IT security personnel, and employees for effective information protection.

3.2 Project phases

The implementation of Drake’s information security education and phishing awareness program involved the following major phases:

  • Designing the project: Rhee et al. (2009) argue that the design of security training and awareness programs should consider organizational mission to support the actual business needs, IT architecture and culture. The users must also be considered to enhance relevance and ultimately acceptance. The key question answered by the design phase is: what is the plan for implementing training and awareness opportunities that comply with directives at hand? In this phase, the organization’s training and awareness requirements are identified, organizational buy-in pursued, and priorities established (Puhakainen & Siponen, 2010).
  • Developing the training and awareness materials. Supporting materials are then developed from the training and awareness design. The following are the fundamental considerations prior to development of these materials: the skills needed by users to understand and use (training); and the behaviors that need to be reinforced (awareness) (Peltier, 2013). Workman (2008) claims that there should be special focus on specific materials that trainers and employees need to integrate into their roles and responsibilities. Users tend to pay close attention to training and awareness materials if they are assured that such works were specifically developed for them. The materials should also uphold currency and attractiveness (Drake University, n.d.-c). The training and awareness target audience should include all IT users at Drake University. Users include regular organizational stakeholders – faculty, staff and students – as well as external contractors, guests, and other associates. The intended message should promote awareness with regard to personal and communal information security obligations (Whitman, 2003). Training materials should be in far deeper detail than those used for awareness sessions or campaigns (Rhee et al., 2009).
  • Implementing the project. Prior to the implementation of an information security training and awareness project, the following elements must be completed: an analysis of user and business needs, an implementation plan, and the development of appropriate training and awareness materials. For successful implementation, Aloul (2012) argues that it is necessary to explain the program to organizational management to gain support and commitment for its execution and resourcing. This clarification incorporates expectations of staff and management support, and additionally the expected outcomes, for example the benefits to Drake University. Senior management support should be sought to guarantee funding. Drake University should adopt the best-suited means of presenting and disseminating the training and awareness materials across its internal and external IT resource users.
  • Change management: it is important to ensure that the project, as planned, can be continuously updated as new innovations and related security issues emerge. There are also instances where organizational culture, objectives and/or missions may change, influencing ideas on how best to design training content and schedules. These shifts alter training needs, since new skills, knowledge and capacities are required to counter the changes. Emerging external issues, for example homeland defense and federal and state laws and regulations, also affect the nature and degree of information security awareness exercises necessary to enable users to remain informed on the most recent exploits and mitigation approaches. More precisely, with different internal and external changes likely to happen at any time, security training and awareness materials and schedules should be tailored accordingly to accommodate the shifts (Puhakainen & Siponen, 2010).

3.3 Information security and phishing awareness training program topics

The topics to be covered at Drake University’s training and awareness program are collected from several sources, which include:

  • Information security and privacy policies: All personnel involved in handling or accessing Drake’s information should be offered training and awareness regarding their roles as required by the organization’s policies, guidelines, standards and procedures (Drake University, n.d.-c).
  • Information disposal: means of secure disposal of sensitive, confidential and private print and digital information. In addition, the topic should cover secure disposal of computers and storage media (Herold, 2010). Drake University (n.d.-b) notes that the university has an open event for all faculty, staff and students, where personal documents are shredded.
  • Security and privacy related to third-party access and outsourced services: granting IT system access to third parties introduces security threats to an organization, since private and sensitive information can be easily stolen, accessed or modified by unauthorized people (Whitman & Mattord, 2011).
  • Information classification: Drake University protects confidential data, comprising personal/identity data, financial data and others. At Drake, examples of data stored in IT systems include bank account and credit card numbers, student loan information, academic records, employee medical data, parents’ names, payroll data and others. If improperly accessed, such data can be used to execute identity theft, compromise organizational systems or even to extort a person or the organization. A security or privacy breach would lead to unwanted corporate reputation damage. Remember, users must be notified in case of breaches related to confidential data such as credit card details, passwords, bank account numbers, and social security numbers (Drake University, 2012). On the other hand, breaches of data such as academic records do not require users to be notified, as they are less confidential (D’Arcy et al., 2009). Hence the need to understand the different data categorizations.
  • Security and privacy incident response: people need to know how to effectively respond to security and privacy breaches in a unified manner and ultimately achieve recovery on time and at minimal cost (Herold, 2010).
  • Personal equipment and remote computing security: people should be educated on how to use their personal devices on the organization’s network in a manner that shields the devices and enterprise resources from phishing schemes (Herold, 2010).
  • Security roles and responsibilities: all Drake stakeholders have a duty regarding information security and privacy concerns. Everyone is also required to comply with the set policies, guidelines, standards and procedures, thus there is a need to offer training and awareness on security roles and responsibilities (Puhakainen & Siponen, 2010).
  • Malware defenses: people should be trained on how to control the installation, execution and propagation of malicious code, because malware is a serious internet threat that can be crafted to attack corporate IT systems and data (Drake University, 2015c).
  • IT systems user access controls: user access controls help people stay in control of their computer or personal accounts with respect to system and application software. Individuals need to be informed of their privileges and how to prevent loss of access credentials, among other user-specific IT systems data (Tsohou et al., 2008).
  • Information security and privacy laws and regulations: Drake University is expected to uphold various information security and privacy laws and regulations to protect specific data. Examples include: eDiscovery, Social Security Numbers – RCW 28B.10.042, PCI, HIPAA, Red Flags Rule, American Recovery and Reinvestment Act (ARRA), Digital Millennium Copyright Act (DMCA), and Higher Education Opportunity Act, and Disclosure of Library User Identity – WAC 478-168-190. Compliance ensures strong corporate reputation and eliminates issues related to penalties and fines (Herold, 2010).
  • PII security and privacy: people should be trained on ways to protect information that can be used singly or in combination to identify a specific person. Agencies such as the U.S. General Services Administration provide information about safe handling of PII (Herold, 2010).
  • Social engineering, particularly phishing and email security: Spam is the act of sending unsolicited email messages, unwanted or junk mail. Spamming is one of the major means used to launch phishing attacks, thus there is need to devise its countermeasures. How will Drake University avoid or reduce spam? First, as a good practice, personal and institution email programs should have their filters enabled to block unwanted emails and out of context attachments (Drake University, 2015b). Second, users should report suspected spam as indicated by email clients which flag unsolicited messages. Lastly, managing own online presence is very important, thus one should hide personal email addresses from unnecessary online profiles, for example, social media sites.  If possible, one should only allow specific persons to access personal information as opposed to everyone (Tsohou et al., 2008).

Phishing awareness is one of the most effective security measures against cybercriminals. As email became a tool for maintaining relationships with employees, banks, suppliers and social networks, among others, it also attracted cybercriminals seeking to break into organizational information assets (Kayworth & Whitten, 2010). Today, many criminal email messages try to lure people into disclosing personal data such as passwords and credit card numbers. Users should observe the following practices to avoid becoming phishing victims:

  • Always check the sender address of every email. If an email purports to be from Drake University but does not originate from a drake.edu address, it is most likely illegitimate (Drake University, 2015i). Users must also be aware that phishers can forge the sender’s address so that it appears to originate from Drake, so a drake.edu address alone is not proof of legitimacy. The main rule: if an email asks you to disclose personal data or to click a link, and it is not from a drake.edu address, never respond (Drake University, 2015b).
  • Check where a link leads before following it. If an email contains links that redirect you to a site, examine the links carefully before clicking. Most email software shows the real URL when the mouse hovers over a link, so the target address can be checked first. A safer approach is to type the site’s known address into a new tab or browser window instead of following the link, which prevents login credentials from being handed to a cybercriminal. Checking the address bar once the page has loaded is another effective way of validating the authenticity of a site (Drake University, 2015c).
  • Never enter your username or password in response to an unsolicited request. Verify the legitimacy of the online system before entering such confidential data (Drake University, 2015i). Users should not provide login data when it is requested via email, and should change their password if they suspect any malicious activity (Drake University, 2015d).
  • Keep in mind that no Drake staff member, including IT department staff, should ever ask for your personal credentials. Such requests are malicious attempts to steal credentials and should be reported. If you suspect that your login credentials have been stolen, change them immediately (Drake University, 2015i).

Figure 1 is a screenshot of a phishing attempt. It purports to be a genuine email from DigitalFax, an e-document transfer company, and contains links that can redirect unsuspecting recipients to an adversary’s site. Clicking the “Click here to view your message” link may trigger a malware download, while the seven-day expiry notice is a pressure tactic intended to compel recipients to click on the URL.

Figure 1: Sample phishing attempt (Drake University, 2015e).
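The sender and link checks listed above, and the pressure tactic visible in Figure 1, can be automated as a first-pass screen before a message reaches a user. The Python script below is an added example written for this page; it is not Drake University’s code and does not come from any tool Drake uses. It parses a raw email, compares the From domain with the institution’s domain (assumed here to be drake.edu), reads the SPF, DKIM and DMARC verdicts from an Authentication-Results header if the receiving mail server added one, flags time-pressure wording in the subject, and compares each link’s visible text with its real target, which is the programmatic equivalent of hovering over the link. Both sample messages, including the DigitalFax-style lure modelled on Figure 1, are constructed for illustration; the sender names, addresses, domains, URLs and IP address in them are invented.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "drake.edu"  # assumption: the institution's own mail domain
URGENCY_WORDS = ("expire", "suspend", "immediately", "within 24 hours", "7 days")

# Constructed lure modelled on Figure 1; every name, domain, URL and address is invented.
SAMPLE_PHISH = b"""From: "Drake University IT Help Desk" <helpdesk@drake-edu-support.com>
To: jdoe@drake.edu
Subject: Your DigitalFax message will expire in 7 days
Authentication-Results: mx.example; spf=fail smtp.mailfrom=drake-edu-support.com; dkim=none; dmarc=fail header.from=drake-edu-support.com
Content-Type: text/html; charset=utf-8

<html><body><p>You have a new fax. <a href="http://198.51.100.23/view?id=4412">Click here to view your message</a></p>
<p>Or visit <a href="http://drake.edu.login-verify.example/">https://www.drake.edu/login</a> to verify your password.</p></body></html>
"""

# Constructed legitimate message for contrast (sender address and wording also invented).
SAMPLE_LEGIT = b"""From: Drake Technology Services <its@drake.edu>
To: jdoe@drake.edu
Subject: Cyber Security Awareness Kickoff
Authentication-Results: mx.example; spf=pass smtp.mailfrom=drake.edu; dkim=pass header.d=drake.edu; dmarc=pass header.from=drake.edu
Content-Type: text/html; charset=utf-8

<html><body><p>Read more at <a href="http://www.drake.edu/about">http://www.drake.edu/about</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def phishing_indicators(raw):
    """Return human-readable indicators found in a raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Sender: is the From domain the institution's, and does the display name or a
    #    lookalike domain trade on the institution's name?
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()
    if not is_trusted(from_dom):
        findings.append(f"sender domain {from_dom!r} is not {TRUSTED_DOMAIN}")
        if TRUSTED_DOMAIN.split(".")[0] in (name + from_dom).lower():
            findings.append("display name or domain imitates the institution")

    # 2. A forged From address normally fails SPF/DKIM/DMARC at the receiving server,
    #    which records the verdicts in an Authentication-Results header (RFC 8601).
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() in ("fail", "softfail", "permerror"):
            findings.append(f"{mech} result is {m.group(1)}")

    # 3. Time pressure in the subject, as in the seven-day expiry notice of Figure 1.
    if any(w in str(msg.get("Subject", "")).lower() for w in URGENCY_WORDS):
        findings.append("subject uses time pressure")

    # 4. Links: the visible text is what the user reads; href is where the click goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = host_of(href)
            if re.fullmatch(r"[\d.]+", target):
                findings.append(f"link points at a bare IP address {target}")
            elif not is_trusted(target) and TRUSTED_DOMAIN in target:
                findings.append(f"link host {target!r} embeds {TRUSTED_DOMAIN} but is not under it")
            if text.startswith(("http://", "https://")) and host_of(text) != target:
                findings.append(f"link text shows {host_of(text)!r} but goes to {target!r}")
    return findings
```

Calling phishing_indicators(SAMPLE_PHISH) returns eight indicators (lookalike sender domain and display name, SPF and DMARC failures, time pressure, a bare-IP link, a host that merely embeds drake.edu, and a visible URL that differs from the real target), while phishing_indicators(SAMPLE_LEGIT) returns an empty list. The Authentication-Results check only means something when the header was written by your own mail server, since a sender can add a forged one; production filters strip or ignore copies that arrive from outside.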

  • Due diligence and ethics: security and privacy controls are pervasive in today’s computing world, which is characterized by heavy reliance on the Internet. Technology has brought risks related to cybercrime, necessitating laws and regulations that deter and penalize violators. IT users should therefore be educated so that they achieve high levels of information security and can demonstrate compliance with legal and ethical frameworks (SANS, 2002).

The list is not exhaustive, but it covers the major security training and awareness topics. In addition, different user groups should be given training and awareness specific to their needs.

3.4 Target audiences at Drake University

The target audience determines the methodology that should be used to convey each message. Peltier (2013) argues that security training and awareness is a collection of ongoing activities that incorporate the following key principles: knowing the users’ skills gaps; selecting the knowledge to share with them; selecting the right methods for imparting skills and awareness; monitoring progress; and repackaging training and awareness materials to meet the changing demands of the organizational, external and technological environments. The following are the target groups for Drake’s information security education and awareness project:

  • Management/administration: the president, board of trustees, deans and departmental heads define strategies, set priorities, allocate resources and make a variety of far-reaching strategic decisions. An information security training and awareness project is therefore an essential tool that helps them understand the existing and potential security threats facing the organization, along with the associated risks and mitigation techniques. Training and awareness programs strip out technical jargon, enabling managers to incorporate security into business operations (Peltier, 2013).
  • Students: with the proliferation of portable computing devices, students bring a wide array of personal devices onto the university network, introducing different operating systems, software applications and, often, security holes (Drake University, n.d.-c). Because the university cannot realistically manage every device on its network, students need to be educated on securing their own devices.
  • Faculty and employees: this group needs to understand safe working practices that prevent security breaches and violations of the federal and state laws governing the protection and use of data, for example the Family Educational Rights & Privacy Act (Kayworth & Whitten, 2010). Healthcare personnel must handle sensitive health-related data with care to avoid the consequences of non-compliance, so training and awareness are necessary to ensure such staff comply with regulations such as HIPAA. Campus security personnel also need a basic understanding of cyber-security threats, risks and laws in order to handle information security incidents. All IT staff (help desk personnel, database administrators, network administrators and others) need to carry out their day-to-day activities and implementations with practical security considerations in mind. These are technical staff, and they need more specialized training than other users to ensure that security is fostered across the entire organization. Specialized training may be obtained from programs offered by different organizations, for example the SysAdmin, Audit, Network, Security (SANS) Institute and Carnegie Mellon University Software Engineering Institute’s CERT Coordination Center. SANS offers news digests, security alerts, security training, certification and research summaries, while the CERT Coordination Center offers training on developing incident response capabilities, enhancing network security and analyzing incidents (Whitman & Mattord, 2011).

3.5 Communication plan and delivery methodologies

Defining the target audience groups makes it easier to tailor security messages and deliver them effectively (Kayworth & Whitten, 2010). Drake University’s training and awareness program can adopt a number of delivery methods, including:

  • Meeting presentations: this is among the most effective means of information security training and awareness. It entails tailoring presentations to the needs of specific groups. It can also take the form of one-on-one discussions, and so can be labor intensive. Videos may be used as an entertaining yet educational tool to highlight security issues; for example, Drake’s Human Resources department offers online training and awareness to faculty and employees through a 12-minute video (Drake University, n.d.-b).
  • Handbooks: information security handbooks may be used as introductory material for faculty, staff and students, providing knowledge of security issues and of their roles and responsibilities. Handbooks may be in print or electronic format (Applegate, 2009).
  • Online quizzes: the organization may require students and staff to complete online quizzes before being assigned device or software accounts. Online quizzes motivate users to study the presentation materials and handbooks and so understand critical security issues such as phishing and other human-centered concerns (Applegate, 2009).
  • Handouts: brochures, posters or postcards may be used to convey security tips and warnings inexpensively in different settings, including back-to-school occasions and orientation events. Handouts need to be short and attractive. For example, Drake University (n.d.-b) notes that Drake used posters to conduct its “Stop. Think. Connect” campaign.
  • Security sites and online advertisements: the web provides an easy means of updating information on security and privacy threats and mitigation techniques so that it stays relevant and current (Shaw et al., 2009). Drake already publishes its security policies on its site. The university can also leverage the web to deliver online ads that provide tips for improving information security.
  • Security alerts: management, faculty, staff, students and authorized outsiders need to receive security alerts through email lists and in person, as noted by Drake University (n.d.-c) and seen in Drake University (2015b), or through corporate newsgroups and the website. One major concern is sustaining user interest, so alerts should be sent sparingly, in a timely manner and without excessive technical terminology.
  • Articles: popular organizational publications may carry information security articles. Editors at institutions such as the Department of Homeland Security publish security information because it is a timely and relevant topic (Aloul, 2012).
  • Security conferences, fairs and seminars: existing events, such as new staff or student orientations, can incorporate information security training and awareness (Peltier, 2013). Security conferences may feature high-profile experts who address management, faculty, staff and students on basic or technical information security concerns, depending on the user group.

4.0 A review of Drake University’s Security Education & Awareness Training Program using Kirkpatrick’s Four-Level Training Model

According to Whitman (2003), an organization’s information security education and awareness program risks becoming obsolete if it does not adequately consider technology advancements, organizational changes, external factors such as legislation, and changes to organizational priorities. Drake University’s IT security personnel must therefore recognize this challenge and devise measures to ensure that the project continuously remains relevant and aligned with overall organizational goals. Workman (2008) notes that formal evaluation is a critical component of any information security training and awareness program, because continuous improvement is impossible without a concrete understanding of how the implemented project is performing. A review of the security education and awareness training program is therefore an important exercise for assessing how successfully the project has been implemented. In other words, how does the program compare with a successful information security training and awareness program? The following are fundamental indicators for assessing the success of such a program:

  • Adequate resourcing: funding and staff to implement and maintain the program. Appropriate placement enables people with significant responsibilities, for example project managers and IT systems security personnel, to execute the project adequately (Wilson & Hash, 2003).
  • Support for wide distribution, for example a website and email for conveying security awareness (Wilson & Hash, 2003).
  • Senior management engagement in transmitting security messages to employees, for example, through staff meetings and official institutional broadcasts (Wilson & Hash, 2003).
  • Use of appropriate metrics to demonstrate a decrease in security incidents or violations, a shrinking gap between the existing training and awareness scope and the defined needs, an increasing proportion of users who are offered training and awareness, and an increasing percentage of people who are properly trained (Drake University, n.d.-c; Wilson & Hash, 2003).
  • All people in the organization adhere to provisions of security controls regardless of their rank or status (Wilson & Hash, 2003).
  • Recognition of information security and privacy contributions; for example, Drake University (n.d.-b) notes that participants in security awareness training earn one credit hour, and Drake employees also qualified for tokens of appreciation for contributing to its continued success (Human Resources, personal communication, April 1, 2015).
  • Personnel involved in key responsibilities in the information security training and awareness program demonstrate practical motivation to other staff (Drake University, n.d.-c).
  • The support, acceptance, and commitment of all organizational stakeholders to a program are also key success factors (Kayworth & Whitten, 2010). 

To measure the success of an email phishing training and awareness program within an information security program, a suitable evaluation model should be selected and applied. Kirkpatrick’s Four-Level Training Model was designed specifically to evaluate training programs and consists of four levels of evaluation: reaction, learning, behavior and results (Kirkpatrick, 2000). This project uses only two of the four levels, learning and behavior, to measure the success of the Information Security Education and Phishing Awareness training program.

Learning assesses the degree to which participants acquire the desired skills, attitudes, commitment and knowledge from training and awareness activities. Behavior assesses the degree to which participants apply what they learnt in the real-world job environment. Tests, interviews and expert observation may be used to evaluate both (D. Kirkpatrick & J. Kirkpatrick, 2007).

Typical questions for evaluating learning include:

  1. Did the users learn the intended security skills?
  2. Was the intended experience achieved across IT users?
  3. Is the change in skills in the intended direction?

Typical questions for evaluating behavior include:

  1. Did users apply what they learnt in training and awareness activities in the actual job environment?
  2. Were the relevant knowledge and skills applied?
  3. Would trained users pass their knowledge and skills on to other persons?
  4. Are users aware of the change in their level of knowledge, skills and behavior?

With regard to Drake University’s training and awareness program, it is evident that Kirkpatrick’s learning and behavior levels are considered. Drake University (2012) notes that the university conducts periodic reviews of its training and awareness programs; Drake University (n.d.-a) notes that the university checks that users’ behavior has changed before concluding that something has actually been learned; and Drake University (2015f) notes that the organization collects email metrics to monitor training and its effectiveness in reducing the number of phishing victims.

Figures 2-3 and 3-3 show that Drake University produces reports on the actual learning and behavior performance of its email users.

Figure 2-3: PhishMe Scenario February Report (Drake University, 2015g)

Figure 3-3: PhishMe Scenario May Report (Drake University, 2015h)

In the “click only” exercise run from February 12, 2015 to February 19, 2015, the percentages of people who clicked the test link, opened the email only, and did not respond were 27.03%, 29.67% and 43.29% respectively. Most strikingly, in the similar May exercise the percentages for clicked link and opened email dropped to 13.41% and 26.42% respectively, while no response increased to 60.16%. This suggests that users have benefited from Drake’s phishing training and awareness activities. A single pair of scenarios is indicative rather than conclusive, however, since lure difficulty and the recipient population can differ between campaigns, so the trend should be confirmed over subsequent scenarios.

5.0 Conclusion and recommendations

It is evident that phishing attacks can be prevented with proper user training and awareness. It remains important, however, to implement technical measures such as email and web traffic filters that block malicious messages and links before users can unknowingly act on them. Information security is increasingly recognized as a people-related issue as much as a technical one, and information security experts have realized the need to share the necessary knowledge with ordinary end users in order to bolster the security of enterprise networks and associated resources. Organizations have obtained various technical tools to maintain the required security controls, but those tools are implemented by people or are used to control some aspect of user actions.

Once proper information security controls have been created, an organization tries to make its employees understand the policies that have been set. The immediate problem is then sustaining compliance, so significant incentives are needed to give people the will to comply. Threats of punishment for failing to comply may not work on their own; it is therefore recommended that an organization incorporate security roles and responsibilities into every person’s job description and encourage compliance through performance appraisals.

Having set up the platform for education and phishing awareness training, getting started is a key challenge. The standard training and awareness tools and methodologies need to be laid down, and the organization must devise and adopt the methods best suited to its immediate and future requirements. Everyone requires some basic level of understanding, for example how to cope with instances of social engineering, while specialists need instruction on specific, detailed security issues, for example incident response and recovery procedures.

If Drake suffers a serious IT security attack, it may lose confidential documents relating to faculty members, employees or students. The actual impact of such an incident may be difficult to quantify accurately, which is why appropriate policies are needed to minimize security and privacy breaches. An IT security and awareness training program is an essential tool for overcoming security challenges and their associated impacts, for example penalties and other costs. Phishing awareness training builds a set of skills across organizational stakeholders for assessing the consequences of social engineering threats and the mitigation measures that can be implemented to safeguard information, the most valuable enterprise asset. An effective information security training and awareness program ought to address the following key elements:

  • Help users gain a solid understanding of existing and potential data security breaches and respond to them appropriately.
  • Make users aware of data assets residing in systems.
  • Offer guidance on detecting scams, fraud and data loss, whether through theft or phishing.
  • Decrease the number and/or the severity of data security breaches.
  • Enable cost savings through security education, awareness and coordination of the human element of IT security measures.
  • Create a culture of solid information security and privacy competence, and spur users to control their conduct and make sound decisions regarding information security.
  • Improve the general compliance with the organization’s security measures, policies, checklists, and procedures.

Information security education and awareness programs offer a myriad of advantages to an organization. They enable the user community to understand the importance of information security and privacy, alongside effective risk mitigation programs. Trained users also extend the organization’s visibility into suspicious activity on its network, which can reduce the number of security breaches. Through proper training, Drake University can also enjoy tangible cost savings through effective controls. Users also contribute to continuous improvement, enhancing customer trust and satisfaction and the overall reputation of the institution.

Executive support, commitment and sponsorship are also critical for an effective information security education and phishing awareness training program. Failure to work closely with senior management leads to serious difficulties, because training and awareness programs are expensive and ongoing in terms of organizational funding and people’s time. The best security education and awareness training programs combine strong human-centric controls with technical tools that indicate any instance of compromise. It is also recommended that an organization deploy comprehensive network and IT systems security monitoring software to gather and analyze signs of intrusion.

The program has been reviewed using Kirkpatrick’s learning and behavior levels and found to satisfy both components of the training model guidelines. If Drake’s personnel do not understand how to maintain the confidentiality and privacy of information assets, or how to protect its IT systems properly, the university not only risks its information being misused or acquired by unauthorized people, but also risks non-compliance with an increasing number of national and industry-specific laws and regulations, some of which require organizations to carry out data security training and awareness activities. It also risks damaging another key asset, its corporate image and reputation.

6.0 References

Abraham, S., & Chengalur-Smith, I. (2010). An overview of social engineering malware: Trends, tactics, and implications. Technology in Society, 32(3), 183-196.

Aloul, F. A. (2012). The need for effective information security awareness. Journal of Advances in Information Technology, 3(3), 176-183.

Applegate, S. D. (2009). Social engineering: Hacking the wetware! Information Security Journal: A Global Perspective, 18(1), 40-46.

D’Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79-98.

Drake University. (2012). Drake Technology Services: Information Security [IT Policy]. Drake University.

Drake University. (2015a). About Drake. Drake University. Retrieved from http://www.drake.edu/about

Drake University. (2015b). Attachments can be dangerous. Drake University.

Drake University. (2015c). Drake February Spear Phishing Education. Drake University.

Drake University. (2015d). Drake March Spear Phishing Education. Drake University.

Drake University. (2015e). Drake May Email Review. Drake University.

Drake University. (2015f). Email Security Education. Drake University.

Drake University. (2015g). PhishMe Scenario February Report. Drake University.

Drake University. (2015h). PhishMe Scenario May Report. Drake University.

Drake University. (2015i). Why Didn’t My Spam Filter Catch This Training Video. Drake University.

Drake University. (n.d.-a). Drake E-mail Phishing Education Key Points Used. Drake University.

Drake University. (n.d.-b). Cyber Security Awareness Kickoff Email. Drake University.

Drake University. (n.d.-c). Drake University Security Education & Awareness Training Program. Drake University.

Greenberg, A. (2015, April 23). RSA 2015: Successful phishing attacks compromise users and technology. SC Magazine. Retrieved from http://www.scmagazine.com/compromised-user-often-gets-blamed-in-successful-phishing-attack/article/410824/

Hansche, S. (2001). Designing a security awareness program: Part 1. Information Systems Security, 9(6), 1-9.

Herold, R. (2010). Managing an information security and privacy awareness and training program. CRC Press.

Internet Corporation for Assigned Names and Numbers. (2014). ICANN targeted in spear phishing attack: Enhanced security measures implemented. Internet Corporation for Assigned Names and Numbers. Retrieved from https://www.icann.org/news/announcement-2-2014-12-16-en

Kayworth, T., & Whitten, D. (2010). Effective information security requires a balance of social and technology factors. MIS Quarterly Executive, 9(3), 2012-52.

Kirkpatrick, D. L., & Kirkpatrick, J. D. (2007). Implementing the Four Levels. Berrett-Koehler Publishers.

KrebsonSecurity. (2013, August 15). Washington Post site hacked after successful phishing campaign. KrebsonSecurity. Retrieved from http://krebsonsecurity.com/2013/08/washington-post-site-hacked-after-successful-phishing-campaign

KrebsonSecurity. (2014, September 3). Data: Nearly all U.S. Home Depot stores hit. KrebsonSecurity. Retrieved from http://krebsonsecurity.com/2014/09/data-nearly-all-u-s-home-depot-stores-hit/

O’Connell, L. (2014, February 12). Report: Email phishing scam led to Target breach. BringMeTheNews.com. Retrieved from http://bringmethenews.com/2014/02/12/report-email-phishing-scam-led-to-target-breach

Peltier, T. R. (2013). Information security fundamentals. CRC Press.

Puhakainen, P., & Siponen, M. (2010). Improving employees’ compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 757-778.

Rezgui, Y., & Marks, A. (2008). Information security awareness in higher education: An exploratory study. Computers & Security, 27(7), 241-253.

Rhee, H. S., Kim, C., & Ryu, Y. U. (2009). Self-efficacy in information security: Its influence on end users’ information security practice behavior. Computers & Security, 28(8), 816-826.

SANS. (2002). The legal system and ethics in information security [Whitepaper]. SANS. Retrieved from http://www.sans.org/reading-room/whitepapers/legal/legal-system-ethics-information-security-54

Shaw, R. S., Chen, C. C., Harris, A. L., & Huang, H. J. (2009). The impact of information richness on information security awareness training effectiveness. Computers & Education, 52(1), 92-100.

Stephanou, A. (2009). The impact of information security awareness training on information security behaviour [Doctoral dissertation].

Tsohou, A., Kokolakis, S., Karyda, M., & Kiountouzis, E. (2008). Investigating information security awareness: Research and practice gaps. Information Security Journal: A Global Perspective, 17(5-6), 207-227.

Whitman, M. (2003). Enemy at the gate: Threats to information security. Communications of the ACM, 46(8), 91-95.

Whitman, M., & Mattord, H. (2011). Principles of information security. Cengage Learning.

Wilson, M., & Hash, J. (2003). Information technology security awareness, training, education, and certification. National Institute of Standards and Technology. Retrieved from http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm

Stock markets

1. Introduction

1.1 Nature of the case

Stock markets across the world remained relatively stable in 2017, but the year still saw a number of business scandals that can be attributed to ethical violations. This report focuses on the case of Kobe Steel, Ltd., a Japan-based company that manufactures and sells steel, aluminium, titanium and copper products and also offers industrial and construction machinery such as cranes and welding robots. In October 2017, the company disclosed that since 2007 it had been falsifying information about the quality (tensile strength and durability) of some products and materials sold in domestic and global markets. Toyota, Ford and Boeing are examples of the major customers that may be affected by this misconduct, and the crisis could affect more than 500 companies across the world (Inajima & Stapczynski 2017; Shane 2017b; Shen 2017). The issue is organizational, sector-wide, national and global in nature, because the company as well as its domestic and overseas stakeholders (customers, subsidiaries, the manufacturing sector, and Japan as a country) were or stand to be affected by the improper conduct.

1.2 Relationship of the case to business ethics and/or sustainability

Kobe Steel engaged in unfair business practices because it deliberately deceived unsuspecting customers through statements that were explicitly false. According to Johnson (2012), unfair business practices entail fraudulent acts, misrepresentation of information and unconscionable conduct by an organization, especially against customers. Securing an unfair or illegal gain through deliberate deception therefore means that the company’s leaders perpetrated corporate fraud. This is a corporate governance failure, because the act made Kobe’s products appear to meet customer specifications as well as legal, social and industry requirements. In today’s globalised economy, trust can be eroded very fast, since people have become more watchful of ethical issues. Conducting international business in a manner that is not open and honest is a common ethical issue in a globalised economy (Melville-Ross 2013). The illegal corporate act therefore violated international business ethics relating to unfair competition and dishonest operations.

Blowfield (2013) argues that sustainability is the capacity to thrive in an intensely competitive and dynamic global environment. It is achieved through superior predictability and management of existing and potential social, economic and environmental opportunities and risks. Ultimately, it makes it possible to create long-term competitive advantage and stakeholder value (Blowfield 2013). Therefore, the information misrepresentation scandal is a real threat to Kobe’s corporate sustainability. This is mainly because the company focused on financial prosperity at the expense of making positive contributions to all stakeholders, such as shareholders, partners, subsidiaries, suppliers and customers. Kobe also failed to prioritize innovation and quality despite the fact that the two factors play a critical role in enabling sustainability.

1.3 Main arguments

In this report, the following main arguments are made:

  • Today, the public is more alert to product quality than ever before, increasing the likelihood that businesses engaging in improper conduct will be detected and resisted.
  • There is a strong business case for accepting and advancing corporate business ethics and sustainability.
  • Kobe’s act of falsification of information implies poor corporate governance, and the longer term consequences might be catastrophic.

2. Case description

2.1 Background information

Japan’s economy has grown steadily over the past two decades. Manufacturing giants have played a major role in the economic transformation of Japan. While lower-cost substitutes from South Korea and China have penetrated the global market, Japanese manufacturers have managed to gain a competitive edge by emphasising the superior quality of their products. However, a number of Japan’s major manufacturers have admitted to a series of information-faking incidents in recent years. Some of the implicated companies include Mitsubishi, Takata, Toshiba, and Kobe Steel (Shane 2017a; Shane 2017b; Shen 2017). This report focuses on Kobe Steel as a case study. The company was founded on September 1, 1905, and is therefore more than a century old. Kobe operates in the following major business domains: iron and steel, welding, copper and aluminium, machinery, engineering, construction equipment, electronics, electric power, and eco-solutions (Kobe Steel 2018). Therefore, the company plays a major role in the Japanese economy.

2.2 What happened

Essentially, employees falsified reports with the intention of making it appear as though Kobe products met or exceeded the specifications set by customers. In reality, however, the products did not possess the claimed properties. On October 8, 2017, Kobe Steel confessed that it had misrepresented information related to the tensile strength and durability of thousands of tons of steel, copper and aluminium products it had been selling since 2007 (Shane 2017b; Shen 2017). The crisis became worse when the manufacturer admitted to finding falsified information on iron ore powder following internal inspections and audits. Over 500 companies from the automobile, railway, aviation, and power industries around the world have been supplied with these products. The company’s integrity has been badly damaged. Unsurprisingly, the then President and CEO (Hiroya Kawasaki) conceded that the company had eroded its credibility to ‘zero’. He promised to launch an internal investigation to unearth what actually happened (Shida 2017).

2.3 Key stakeholders involved

Kobe Steel employees were involved in the faking of reports. Preliminary investigations reveal that the cheating went on for close to a decade with the full knowledge of quality control and plant managers (Shida 2017). Three senior executives in the aluminium and copper businesses were said to have been aware of the orchestrated cheating (Tsukimori 2017). The then President and CEO was replaced on April 1, 2018 (Inoue 2018). This implies that he was held responsible for the scandal.

2.4 Effects of what happened

The mislabelling affected more than 500 companies, including Toyota, Central Japan Railway Company, Ford, Nissan, GM, Mazda, Honda, Tesla, Daimler, General Electric, Airbus, Hitachi, Subaru, Mitsubishi Heavy Industries, Boeing, and others. Most customers cited concerns about potential negative safety implications following the revelation. However, Mitsubishi and Boeing have insisted that they believe there are no safety concerns related to the parts. Airbus, Mazda and General Motors (GM) have confirmed that they are yet to find any suspect component, but they are still examining supplies from Kobe. Similarly, Toyota, Nissan and Honda have acknowledged that they are evaluating the potential consequences of Kobe’s parts for their vehicles (Inajima & Stapczynski 2017; Shane 2017a; Shane 2017b). However, the Central Japan Railway Company performed tests on some Kobe-supplied components of its bullet trains, and reported that 310 of them had parts of sub-standard quality (Shane 2017b). While it is already a considerable headache and worry for affected customers, the crisis could deepen if more sub-standard parts are discovered (Ostrower 2017).

After admitting to data falsification, Kobe’s shares instantly fell by 18%. By October 11, 2017, shares had dropped by 33-42%. Moreover, the market value of Kobe suffered a plunge of between $700 million and $1.9 billion, a loss in excess of 30% within one week (Inajima & Stapczynski 2017; Shane 2017a; Shida 2017). The creditworthiness of the company could be quite negatively affected, shaking its foundation (Inajima & Stapczynski 2017). Other than customers, the inappropriate act could affect consumers, investors, suppliers, lenders, and regulators. For example, investors could not realize their expected benefits if the value of the company continues to decline. Hiroya Kawasaki was replaced by Mitsugu Yamaguchi on April 1, 2018 (Inoue 2018). Senior officials involved in the copper and aluminium businesses, where cheating was prevalent, were reassigned (Tsukimori 2017).

The cost of handling the scandal did not significantly affect the profit margin of the company for the year March 2017 to March 2018 (Shida 2017). The overall financial hit has not been estimated. Nonetheless, it is likely that affected and suspect products will be recalled. Considering the need to repair affected aircraft, cars and trains as well as legal liabilities (such as compensation to customers and penalties for breaching unfair competition regulations), the overall cost might soar to unprecedented levels (Shane 2017a; Shane 2017b). This could have a substantial impact on Kobe’s financial position. Even worse, its investments and running costs have been greater than its sales revenue over the past two years. In addition, the company’s profits had been declining over the same period. Foreign customers might ditch the company for its rivals, leading to a further decline in sales. This could turn out to be catastrophic (Shane 2017a). Furthermore, the iron and steel business, which accounts for approximately 33% of revenue, is among the most implicated (Inajima & Stapczynski 2017). Some business analysts have openly claimed that Kobe may go bust or fail. Others have hinted that it could be split and sold (Shane 2017b). Combining these woes makes the future of the company very unclear. Therefore, the company’s survivability may eventually be significantly challenged.

3. Analysis of ethical and/or sustainability issues

3.1 Ethical and sustainability issues related to the case

The 2017 Kobe scandal raises a number of ethical and sustainability questions. To start with, are Kobe workers ethical? How could data fabrication pertaining to several thousand tons of products go on for over a decade without the knowledge of the President and CEO? Is cheating at Kobe a corporate culture? How can Kobe assure customers that only the parts shipped over the 2007-2017 period have falsified quality information? In other words, are reports made before 2007 accurate and credible? Was Kobe unable to deliver the right specifications, or was it out to unethically pursue self-interests like cost savings and competitive advantage? And can the company manage to restore its reputation? Lastly, does Kobe have the capacity to sustain the brand as a global manufacturing powerhouse that assures high-quality products?

Corporations are expected to organize and control their codes of ethics internally. In this way, a corporation is supposedly a moral agent that organizes and manages its own ethical practices as if it were an ethically self-sufficient and/or sovereign individual. However, in the democratic space where today’s corporations operate, this assumed ethical independence can be resisted by society when well-established or expected ethics are violated (Sher 2012). Therefore, companies are subject to radical democratic resistance despite the fact that they are assumed to be ethically self-sufficient. Today, companies are priding themselves on values of ethical responsibility on a level that has never been seen before (Wray-Bliss 2007). Again, Kobe is a perfect case. Until October 2017, Kobe was globally proclaimed to be a leader in quality assurance with exceptional ethical credentials. It had glossy quality reports, attractive strategies, diverse corporate initiatives, and public praise. All these were organized and controlled internally. Arguably, they were voluntary and ethical acts intended to drive value to all stakeholders. Nevertheless, Kobe engaged in an undeniably unethical practice by cheating about the quality of its products. Kobe legitimized its business by mounting a fake image of an undisputable and ethically self-sufficient corporate self. Therefore, the ‘moral righteousness’ of the company is questionable.

From the 1980s, increased liberalisation and globalisation of markets have influenced the expansion of corporate citizenship and CSR programs among other organizational practices. Such practices enable companies to directly or indirectly communicate their ethical values or virtues to stakeholders. Nonetheless, over the years, some corporations have reduced the matter of business ethics to a tool for enhancing their competitiveness. The widespread strategy has been: if it does not make tangible business sense, then it is not important (Wray-Bliss 2007). Harvey (2005) asserts that unregulated corporate activities have opened room for self-centred companies to misuse the autonomy they possess to the detriment of different stakeholder groups. In turn, stakeholders’ value is damaged (Harvey 2005). Kobe clearly took advantage of the neo-liberalised manufacturing market to organise a highly conspiratorial scheme to appeal to domestic and global customers. The company praised its ethical values to unfairly increase its competitiveness. According to Buckland and Suga (2017), the harsh reality behind the data-falsification scandal that hit Kobe was the need to assure higher-quality products in order to compete.

According to Ostrower (2017), the scandal has significantly harmed the integrity of corporate Japan as a whole throughout the global supply chain within the aerospace, defence, rail, nuclear power, and automotive engineering industries. In turn, Kobe’s long-term sustainability could be significantly challenged if it fails to effectively manage the scandal. Its licence to continue operating could also be lost. A business should embrace a long-term perspective, manage the needs and expectations of every stakeholder, promote quality and innovation, and act for long-term value creation to gain sustained leadership in a globalized economy (Haines 2016). Therefore, Kobe ought to have focused on innovation to increase the cost-efficiency and competitiveness of its metal products, as opposed to falsifying product quality reports, which badly threatens its integrity, sustainability, and stakeholders’ value.

3.2 Who was affected and how key stakeholders did or did not account for business ethics and/or sustainability

The 2017 Kobe corporate scandal negatively affected the company. Its shares and market value declined sharply. The reputation and creditworthiness of the company were also badly damaged (Inajima & Stapczynski 2017; Shane 2017a; Shida 2017). Therefore, the economic future of Kobe is very unclear. Moreover, its global market share stands to fall. The key stakeholders, namely domestic, regional and global customers, investors, suppliers, lenders, and regulators, were also directly or indirectly affected. The CEO and President as well as senior copper and aluminium business executives were replaced and reassigned respectively (Inoue 2018; Tsukimori 2017). Alongside other scandals that have hit contemporary corporate Japan, Kobe’s case could weaken the entire Japanese manufacturing industry and economy.

Management coordination and ethical responsibility at Kobe were evidently poor. For example, some senior executives attached to the copper and aluminium businesses were implicated in the scandal because they were aware of the information-falsification scam. Therefore, executives attached to these segments acted unethically. Moreover, the relationship among Kobe executives was evidently poor, leading to inconsistent conduct at different businesses of the group. According to Crane and Matten (2016), business ethics constitutes a powerful resource through which companies and executives mobilise relevant agents to sustain their ideological authority. Therefore, Kawasaki and other senior executives failed to constantly mobilise Kobe officials and employees (as agents of ethical behaviour) to act ethically at all times.

The then President and CEO failed to conduct and promote the affairs of Kobe with the essential standards of corporate governance and integrity. In addition, it appears that the board was not adequately committed to and supportive of the highest standards of good corporate governance. This failure meant that the company could not deliver its strategic goals without endangering stakeholders’ long-term value and interests. Lastly, the company’s chain of command in the governance/management structure is also to blame, since the fraudulent act went undetected for close to a decade.

4. Recommendations

With growing dominance of companies under neoliberalism, business ethics and sustainability constitute precise organizational practices that are strictly observed. The following are some of these practices: formulation of codes of ethics, corporate social responsibility (CSR) initiatives, ethical audits, and good corporate governance. Basically, business ethics entails a company internally organizing itself through corporate governance and compliance as well as management coordination to improve its ethical practices and integrity or public trust (Crane & Matten 2016).

The practice of business ethics is voluntary, but it is institutionalised as a fundamental expectation of every company. While ethics are largely voluntary, they play an integral role in helping companies achieve long-term success irrespective of how challenging economic conditions are. There is a strong business case for ethics because positively regulating a company’s ethical behaviour helps enact social and environmental sustainability, bolster stakeholder satisfaction, strengthen market relations and value, and maximize profits (Johnson 2012; Sher 2012). Therefore, business ethics is a strategy that boards and executives pursue for its role in driving value. However, Kobe Steel is a telling case of a poor relationship between a company and the ethical and sustainability practices it champions and organizes. And society, or the people, have a democratic power to resist Kobe and its deceitful pursuit of self-interest.

Automakers are looking for steels that are sufficiently strong to assure safety, yet light enough to bolster fuel-efficiency. This has influenced steel makers to start creating a range of alloys and new forms of steel among other metals to meet the safety and fuel-efficiency demands of car and aircraft manufacturers among other customers. However, steel delivers superior versatility and cost performance compared to materials such as aluminium and copper (Buckland & Suga 2017). Therefore, Kobe could have been pushed to the limit in reducing the weight of steel without compromising its rigidity. This could have forced it to fake reports in order to compete. After all, it explicitly understood what customers required. Opting to cheat demonstrates that Kobe Steel lacked a number of fundamental ethical and sustainability values it ought to pride itself on. It was an unfair business practice because some customers could have been influenced to settle on its products because they were perceived to be of higher quality. Following the incident, people have resisted Kobe, as manifested by a number of factors. To start with, its shares have fallen. A massive percentage of its market value has been lost. Its economic future is evidently uncertain. At best, the company’s reputation has been tarnished but may recover. At worst, Kobe may lose a large proportion of its market share to the extent that it goes out of business.

Basically, good corporate governance plays a vital role in helping organizations to effectively define, pursue and meet business goals without breaching existing and future social, industry, legal and/or regulatory, and contractual requirements. It is applied in the day-to-day monitoring and control of business activities, including the impact on the society and environment (Benn & Dunphy 2007). Therefore, shared value creation founded on a strong code of ethics and corporate governance could have inspired Kobe to implement a longer term strategy that observed social, economic and environmental aspects of sustainability. This way, the company could have avoided the corporate misconduct. The interests of stakeholders could also have been met.

5. Conclusion

Growing fuel-efficiency and safety pressures have forced steel makers to pursue further steel improvements or material substitutes in order to compete. However, some metal manufacturers have turned to unethical acts of deception, and Kobe Steel is a perfect case study. Kobe’s once outstanding product quality record was badly ruined in October 2017 when the company admitted to faking information about the strength and durability of some supplies since 2007 in an orchestrated manner. The scandal caused the following major effects: damaged corporate reputation, a decline in shares, loss of market value, potential customer apathy and reduced market share, and decreased competitiveness of the Japanese manufacturing sector.

The corporate misconduct violates the very ethical and sustainability considerations the company ought to take pride in. Kobe was explicitly self-centred because it prioritised its gains while disregarding the interests of its diverse stakeholders. Implicating only a few people attached to some business segments, when approximately 500 globally dispersed customers were supplied with affected products, shows that the management and governance structures were inefficient. The board and executives were aware of the growing pressures to deliver metal products that assured optimal fuel-efficiency and safety performance; therefore, they could have masterminded the cheating.

Poor corporate governance saw Kobe adopt unethical practices, focus on short-term goals, lack accountability and transparency, and disregard stakeholders’ long-term value and interests. The President and CEO, in addition to senior executives, lacked integrity because they were not committed to ethics and sustainability issues. What went wrong aside, the longer-term consequences of the misconduct might be catastrophic as more tests of Kobe’s products are carried out.

References

Benn, S & Dunphy, D (eds) 2007, Corporate Governance and Sustainability, London: Routledge.

Blowfield, M 2013, Business and Sustainability, Oxford: Oxford University Press.

Buckland, K & Suga, M 2017, ‘Kobe Steel cheating scandal driven by competition to improve metals, especially for automakers’, The Japan Times, 13 October, Available from: <https://www.japantimes.co.jp/news/2017/10/13/business/corporate-business/kobe-steel-woes-laid-part-race-continuously-improve-metals-especially-carmakers/#.WxAEe58zat->, [Accessed 29 May 2018].

Crane, A & Matten, D 2016, Business ethics: Managing corporate citizenship and sustainability in the age of globalization, 4th edn, Oxford University Press.

Haines, S 2016, The New Manager’s Survival Guide: Everything You Need to Know to Succeed in the Corporate World, McGraw Hill Professional.

Harvey, D 2005, A Brief History of Neoliberalism, New York: Oxford University Press.

Inajima, T & Stapczynski, S 2017, ‘Kobe Steel Scandal Expands Into Core Business Overseas’, Bloomberg, 13 October, Available from: <https://www.bloomberg.com/news/articles/2017-10-13/kobe-steel-scandal-expands-into-core-steel-business-overseas>, [Accessed 30 May 2018].

Inoue, M 2018, ‘Kobe Steel Faces Japan Government Inquiry Over Data Scandal’, The New York Times, April 25, Available from: <https://www.nytimes.com/2018/04/25/business/kobe-steel-investigation-japan.html>, [Accessed 28 May 2018].

Johnson, C 2012, Organizational Ethics: A Practical Approach, Thousand Oaks, CA: SAGE.

Kobe Steel 2018, KOBELCO’s Business Activities, Available from: <http://www.kobelco.co.jp/english/about_kobelco/outline/business/index.html>.

Melville-Ross, T 2013, ‘Ethical business: companies need to earn our trust’, The Guardian, 11 July, Available from: <https://www.theguardian.com/sustainable-business/ethical-business-trust-values>, [Accessed 27 May 2018].

Ostrower, J 2017, ‘Kobe Steel scandal ensnares plane makers Boeing and Mitsubishi’, CNN Money, 13 October, Available from: <http://money.cnn.com/2017/10/13/news/companies/kobe-steel-boeing-mitsubishi/index.html?iid=EL>, [Accessed 29 May 2018].

Shane, D 2017a, ‘Kobe Steel shares crash again. Can it survive fake data scandal?’, CNN Money, 11 October, Available from: <http://money.cnn.com/2017/10/11/investing/kobe-steel-scandal-stock-crash/index.html?iid=EL>, [Accessed 31 May 2018].

Shane, D 2017b, ‘The Kobe Steel scandal: What we know so far’, CNN Money, 16 October, Available from: <http://money.cnn.com/2017/10/16/news/companies/kobe-steel-scandal-what-we-know/index.html>, [Accessed 28 May 2018].

Shen, L 2017, ‘Corporate Misdeeds: The 10 Biggest Business Scandals of 2017’, Fortune, 31 December, Available from: <http://fortune.com/2017/12/31/biggest-corporate-scandals-misconduct-2017-pr>, [Accessed 29 May 2018].

Sher, G 2012, Ethics: essential readings in moral theory, New York: Routledge.

Shida, Y 2017, ‘Habitual cheat: Kobe Steel faked product data for more than 10 years’, Reuters, 17 October, Available from: <https://www.reuters.com/article/us-kobe-steel-scandal/habitual-cheat-kobe-steel-faked-product-data-for-more-than-10-years-source-idUSKBN1CL31N>, [Accessed 26 May 2018].

Tsukimori, O 2017, ‘Kobe Steel says senior executives knew about data tampering’, Reuters, 21 December, Available from: <https://www.reuters.com/article/us-kobe-steel-scandal-moves/kobe-steel-says-senior-executives-knew-about-data-tampering-idUSKBN1EF0LJ>, [Accessed 29 May 2018].

Wray-Bliss, E 2007, ‘Ethics at Work’, in D Knights & H Willmott (eds), Organizational Behaviour and Management, London: Cengage.