AN ANALYTICAL STUDY OF INFORMATION SECURITY MANAGEMENT IN THE

Abstract: Public sector organizations in Albania are in the early stages of adopting information security management. Organizations that have adopted these processes have underestimated the place of information security within the governance framework. This study investigates information security management within public sector organizations. Its objective is to align local organizations with international standards and frameworks in terms of integrating information security management with information technology audits, risks, and control measures. A survey of selected organizations was completed, and the results are presented in this paper to identify the maturity level of information security management in Albanian organizations.


Introduction
Albania is among the countries experiencing rapid development of telecommunications, the Internet, and the computerization of society. During 2017, Internet penetration was 66.4% according to Internet World Statistics (Internet World Statistics, 2017). Increased connectivity adds value to the economic and social development of a country. At the same time, it exposes the country to the risk of cyber-attacks from state and non-state actors. In a world in which networks cross borders, information security has become a global issue affecting everyone. PricewaterhouseCoopers reported in The Global State of Information Security 2018 that 29% of businesses had suffered loss or damage of internal records as a result of security breaches, while 30% considered insiders, such as third parties and employees, to be the source of these security incidents (PricewaterhouseCoopers, 2018). Both percentages are higher than those reported for the previous year. Despite its presence in every business process, information technology (IT) security is still treated in many cases as a technology issue rather than a management issue.

Information security management is the process of administering people, policies, and programs with the objective of assuring continuity of operations while maintaining strategic alignment with the organizational mission (Cazemier et al., 2000). Ideally, information security management activities should be driven by organizational objectives, so that resources are not expended on security without an explicit and documented understanding of how it supports the organizational mission (Choobineh, Joobin, Grimaila & Rees, 2007). The increasing use of, value of, and dependence on computerized systems to support day-to-day operations have made it more important to incorporate process and organizational issues in security risk management (Drucker, 1999; Blakley et al., 2001). Information security risk management, the process used to identify the optimal protection strategy under a limited security budget, has evolved into a required function within organizations concerned with their ability to mitigate the effects of a breach of information security (Finne, 2000). It is now widely understood and accepted that information security management and information security professionals can help an organization achieve its goals and manage its liability for privacy and security risks.

The aim of this paper is to identify and analyze the maturity level of information security management in Albanian public organizations, with the main focus on policies, standards, and employees. The study involves two questionnaires aimed at a sample population of employees of IT directorates; the results are analyzed to reveal the current status of information security management.

Data and Methodology
The data regarding information security policies and risk management systems were collected using a standardized questionnaire, available in the Albanian language in both a paper-based and a Web-based version. The data collection period was from May 1 to July 30, 2017. The target population was IT directors and IT employees within the IT directorates of the Albanian government ministries and subordinate institutions. The questionnaire contained nine sections with 52 closed questions in total. From the target group of 250 people, 89 completed questionnaires (35.6%) were received and analyzed in the study.

1 Faculty of Economy, University of Tirana, Albania, el_balili@yahoo.com

Results and Discussion
The questionnaire results show which information security standards, policies, and employee training the organizations used. The main findings are as follows. Figure 1 shows that 43.82% of respondents replied that their organization used information security standards. However, 40.45% answered 'No' and 15.73% 'Not Applicable (N/A)', so a majority of respondents (56.18%) either reported that no standards were in use or were unaware of any, indicating a lack of action by the government on these issues.

Figure 1. Application of information security standards. Source: Author

Figure 2 shows that 48.31% of employees perceived that information was secure when their organization had applied information security standards. Nevertheless, more than a quarter of respondents replied 'No' or 'Somewhat', perceiving a lack of security. There are two possible reasons for these results. First, the organization may have failed to implement its information security standards effectively, so that not all employees were aware of the importance of the standards. Second, possibly no one had been assigned responsibility for implementing the standards successfully. The second reason is supported by the results shown in Figure 3.

Figure 2. Employees' perception of security when an organization has applied information security standards. Source: Author

Figure 3 shows the results of the question "Is there any employee responsible for ensuring that the standards are applied properly?". More than 56% responded 'No' (no such employee existed) or 'N/A' (they were not aware of any).

Figure 4 shows that 82% of employees responded that there was an information security policy in their organization. Although more than 82% were aware of the existence of a policy (Figure 4), only about 75% recognized that the policy was applied within the organization (Figure 5). Approximately 53% considered that the policy was revised periodically (Figure 6), while about 70% responded that the policy was known (and understood) by all employees (Figure 7); note that the respondents were themselves IT employees within IT directorates, so this reflects the view from within IT rather than from the wider staff. Figure 8 shows the challenges of applying information security standards from the employees' point of view. The main reason for not applying the standards properly (or at all) was the lack of a budget dedicated to information security (stated by 37 of 89 respondents). The second reason was the lack of qualified human resources in information security (25 of 89), while 34 of 89 responded 'I don't know' (the counts sum to more than 89, so respondents could evidently select more than one option).

Figure 8. The challenges of applying information security standards. Source: Author

Regarding information security policies, the results indicate that more than 80% of respondents were aware of the organization's information security policy, but not all respondents knew whether the policy was revised periodically or whether it was known to all employees. Hence, the policy did not meet the five criteria considered necessary for a policy to be enforceable: dissemination, review, comprehension, compliance, and uniform enforcement (Whitman & Mattord, 2011). The difference between a policy and a law is that ignorance of a policy is considered an acceptable defense; an organization must therefore be able to show that a policy was distributed to, read by, and understood by its employees before it can hold them to it. According to Nikolakopoulos (2009), almost 65% of the economic damage caused by information security breaches is due to human error, while only 3% is due to malevolent outsiders, based on an assessment of the causes of security breaches. As technology continues to shape the way people live, work, and interact with each other, information security incidents will remain commonplace unless appropriate action is taken.

Conclusion
The focus of this paper was to assess information security management in the public sector. The main findings indicate that further work is needed on information security policies and standards, and with employees. The data reported by IT employees show that some organizations do not use information security standards. Thus, the first recommendation is that all organizations adopt a set of information security standards; there may be a benefit in using the same set of standards across all institutions. The second recommendation is that every information security policy meet the five criteria of dissemination, review, comprehension, compliance, and uniform enforcement. This would facilitate the management of an organization's liability regarding potential privacy and security breaches. Finally, the questionnaire results reveal that the lack of a dedicated budget and a shortage of trained employees were obstacles to the successful management of information security. Employees would need to receive basic training, with optional supplementary training for those seeking to work in particular positions. The final recommendation is that all organizations focus on improving employee training with the aim of reducing potential security breaches.

Figure 3. Employee responsible for ensuring that standards are applied properly (percentage of respondents)

Figure 4. Information security policy in your organization

Figure 5. Application of information security policy in your organization

Figure 6. Revision of information security policy