security position

Analysis of the security position of the bank

Part (a)

Introduction

The process of network security management is necessary to the appropriate functioning of an organization's computer infrastructure. Network security is implemented specifically to protect this infrastructure from known and unknown risks. Yet no single component of an organization is allowed to function without limitations, such as financial resources and the oversight of management and shareholders. Therefore, network security is usually associated to risk assessment, where network security specialists identify specific risks, the potential impact of these risks, and whether the type and potential impact of a given risk qualifies it as a threat to the network. Nevertheless, security network risk assessment is a subjective process that is affected by multiple distinctive variables (Schneier, 2006). These variables include the priorities set by the network security supervisors; the capabilities of the security systems that have been implemented to target threats; the culture that arises within the organization itself (Haimes, 2005); and managerial attention (Parker, 1981). Therefore, to implement an effective network security system, it is necessary to approach these distinctive elements and identify how sensible, appropriate risk assessment can be conducted. This indicates that all network security specialists must take into account the costs and the benefits of preventing one specific type of risk; identify the priorities within the organization; and provide risk management strategies to meet these. On the other hand, since security specialists are not responsible for an organization's general priorities and are not usually allowed to lead policy development, a strong cooperation between security specialists and management is needed.

Study domain and participants

Our work is based on an empirical case study focused on a representative of the financial sector. Bank X[1] is a self-contained financial entity that is simultaneously large and has an impact upon an entire population (e.g. investors and private citizens residing within Country X). It was selected as the sample population of both general senior managers and senior network security specialists was large enough to provide a substantial population for data collection and analysis.

The case study approach deemed appropriate as all participants within unique organizational cultures share similar goals and are bound by the same policies (Rogers, 2003). Using a closed organizational culture helps to demonstrate how and to what extent these issues can arise and the possible consequences made by those within management or network security as they approach decision-making within network security. It is also worth mentioning that this study uses the descriptive approach. This descriptive type of research utilizes observations in the study. To illustrate the descriptive type of research, Creswell (1994) guided the researcher when he stated:

“Descriptive method of research is to gather information about the present existing condition. The purpose of employing this method is to describe the nature of a situation, as it exists at the time of the study and to explore the cause/s of particular phenomena.”

The choice of the banking domain for our work is also well justified. Banking is one aspect of network security in which multiple security systems ...