INFO5301 Information Security Management
Exercise 2:
Do we really need to understand and place high importance on the informal controls prior
to establishing security rules?
Yes, Why? / No, Why not?
Answer:
Statement: Yes
Explain:
Establishing security rules requires costly effort and resources. Informal controls deal with the non-technical aspects of the information system, including the norms and culture of the organization, human behavior, employees' and leaders' mindsets, and awareness. These vary greatly from organization to organization. More importantly, informal controls affect the effectiveness of both formal controls and technical controls. Therefore, in order to build security rules and successfully implement them to protect the information system, we need to fully understand the risks from all aspects of the informal system and place high importance on the informal controls. Additionally, organizations also need to conduct ongoing education and training programs to educate employees and build their awareness and knowledge of the security rules and policies.
Statement: No
Explain:
Organizations might follow best security practices and standards to build their security rules and policies and implement them. They can then update or modify these rules regularly in response to new incidents and attacks. Organizations can also conduct training programs to keep their employees up to date on the rules. Therefore, even though informal controls are important, companies and businesses can establish security rules first and then update or change them to fit their own conditions (i.e., culture, principles).
Duration: This question is for group discussion. Each group has 25 minutes to discuss and 5 minutes to present its answer to the class.
Exercise 3:
Even though information system security goes way beyond the security of the technical edifice, applications and organization resources can only be protected by using the latest security gadgets.
Isn't this a contradiction in itself?
Discuss.
Answer:
The points below are samples of what you should address in your answer. Follow the format of the answers to questions 1 and 2 when presenting your answer.
Statement: It is a contradiction in itself
Information Security Management Page 2 of 3