ARTICLE IN PRESS
International Journal of Information Management 24 (2004) 29–42

Information security considerations in IS/IT outsourcing projects: a descriptive case study of two sectors

Abdulwahed Mo. Khalfan*
Information Systems Research Group, School of Computing, University of Leeds, Leeds LS2 9JT, UK

Abstract

This paper presents an overview of a national case study exploring the information security considerations in Information Systems/Information Technology (IS/IT) outsourcing projects in the public and private sectors of Kuwait, where the data collection for this study was carried out. The primary data on IS/IT outsourcing practices, obtained for the first time in Kuwait, were collected by means of survey questionnaires and semi-structured interviews supported by organisational documentation. Several public and private sector organisations were selected to participate in the investigation. This study is descriptive in nature. Its main findings suggest that security concerns have been the most prominent risk factor and have overtaken the other risk issues (e.g. loss of control, hidden costs) which were thought to be the most serious in dealing with IS/IT outsourcing in the Kuwaiti environment. The causes of such concerns are also addressed. The findings also provide an insight into how outsourcing practices, as an information systems strategy, are managed in the context of Kuwait.

© 2004 Published by Elsevier Ltd.

Keywords: IT outsourcing; Information security; Public sector; Private sector

1. Introduction

As the business environment of the new millennium world-wide moves towards a knowledge-based economy, and as information and telecommunications technology increase in sophistication and complexity, organisations are facing ever more challenges and difficulties in their management of IS/IT operations for business success.
On the one hand, organisations are striving to gain competitive advantage by cutting costs through IT outsourcing and focusing more of their internal resources on core activities. On the other hand, compromises in management control and data security are coupled with hidden costs. According to Victor Wheatman of Gartner Group's Information Security Strategies services, "enterprises face an increasing risk to information security" (Heights, 1997). Besides technological vulnerabilities, organisations are experiencing an increased risk due to an absence of security measures (Heights, 1997).

Outsourcing Information Systems/Information Technology (IS/IT) has become a world-wide phenomenon in both the private and public sectors, and has received much attention in recent years (Buck-Lew, 1992; Evans, 1994; Currie, 1996; Lacity & Willcocks, 2001). IS/IT outsourcing is a term that encompasses a variety of approaches to contracting for Information Technology (IT) services. IS/IT outsourcing leads to significant changes in the management processes of the IT organisation. The term IS/IT outsourcing was perhaps first used in 1989, when Eastman Kodak decided to enter into total outsourcing agreements with three large external IS providers (Loh & Venkatraman, 1992a, b; De Looff, 1995; Slaughter & Ang, 1996). Industry analysts predicted that the global market for IS/IT outsourcing would grow from $86 billion in 1996 to more than $137 billion in 2001 (Diromualdo & Gurbaxani, 1998). In addition, on conservative estimates, IT outsourcing may well represent, on average, 30–35% of IT budgets by 2002 (Lacity & Willcocks, 2000). The outsourcing market has also been predicted to grow to over $120 billion by 2002, and to $150 billion by 2004 (Lacity & Willcocks, 2001).

The paper is structured as follows. The next section sets out the research objectives and reviews the IS/IT outsourcing framework. It is followed by a review of information security. The differences between the private and public sectors are discussed next. The research methodology is then described and the results of the analysis of the data are presented.

*Corresponding author. E-mail address: khalfan@comp.leeds.ac.uk (A.M. Khalfan).
0268-4012/$ - see front matter © 2004 Published by Elsevier Ltd.
doi:10.1016/j.ijinfomgt.2003.12.001
The final section presents the conclusions and an indication of future work.

1.1. Research objectives

There is growing awareness of the need to understand MIS issues from a global perspective (Palvia, Palvia, & Zigli, 1992). The aim of this research is to explore IS/IT outsourcing practices as an information systems strategy in the context of Kuwait. Attention will be focused on differences between Kuwait and the developed countries and their implications for outsourcing. Specific issues related to IS/IT outsourcing include motivation, the client/vendor relationship, types of outsourcing, risk analysis and evaluation, contractual and legal aspects, vendor selection criteria and post-implementation evaluation. However, the focus of this paper is on outsourcing risk analysis and evaluation, as information security has become a significant risk posing a substantial threat to organisations globally. Regardless of the setting, security is a major control issue facing not only today's IT managers, but everyone affected by the technology.

1.2. IT outsourcing: definitions

Loh and Venkatraman (1992, p. 9) define IT outsourcing as "the significant contribution by external vendors in the physical and/or human resources associated with the entire or specific components of the IT infrastructure in the user organisation". IT outsourcing can be considered a significant administrative innovation where there is a significant shift in the mode of governance, significant change in the internal processes of user organisations, and significant change in the organisational routines used to deal with the external environment (Loh & Venkatraman, 1992). In the public sector of the UK government, the term IT outsourcing is now used interchangeably with other programmes: market testing, compulsory competitive tendering (CCT), and contracting out (Currie, 1996). In recent years, IT outsourcing has been used increasingly in the public sector as a policy instrument for changing the way publicly funded services are provided. Governments have been outsourcing for decades under the term "contracting out" (Dorsi, 1998).

1.3. Information security

Jack (1992) notes the importance of addressing "data security" within the context of IT outsourcing contractual relationships. Radcliff (2000) argues that once an organisation has handed its computer application over to a vendor, its biggest concerns include "who's handling and accessing the data and what guards the networking connection from outside". In the same vein, Greenemeier (2001) observes that outsourcing security services is a "contentious issue" because organisations are hesitant to entrust IT service providers with the keys to their IT systems and data. But the threat of legislation, combined with increased Web-based intrusion, is placing information security services in high demand. To add to the picture, Vijayan (2001) points out that an increasing number of vendors are offering outsourced security services in anticipation of a significant demand. Security services include managing firewalls and virtual private networks; performing vulnerability analysis, intrusion detection and anti-virus protection; and, in some cases, designing, implementing and managing security architectures.
He highlights that the main drivers of the demand for these services are the shortage of trained security professionals and the complexity of implementing and maintaining organisation-wide security architectures. However, it is critical that organisations make sure that vendors have adequate security measures in place. In a similar analysis, Peterson, Brown and Maw (2002) define information security as:

* Integrity: gathering and maintaining accurate information and avoiding malicious modification.
* Availability: providing access to the information when and where desired.
* Confidentiality: avoiding disclosure to unauthorised or unwanted persons.

Further, according to British Standard (1999), security of information refers to the preservation of:

* Confidentiality: ensuring that information is accessible only to those authorised to have access.
* Integrity: safeguarding the accuracy and completeness of information and processing methods.
* Availability: ensuring that authorised users have access to information and associated assets when required.

The degree to which these aspects are preserved must be based on the business' security requirements. This can be properly understood only through accurate risk and impact analysis, as security management is concerned with the activities required to maintain risks at a manageable level.
Data security refers to the level of protection provided to prevent unauthorised access and 'tampering'. As noted by Fink (1994) and Sherwood (1997), information security is an area often neglected in outsourcing arrangements. Information security covers both data security and business recovery planning (Lee, 1995). The former aims to ensure the integrity and privacy of data owned by the organisation, whereas the latter aims to include measures which ensure the rapid restoration of normal business operations in case of IT-related problems (e.g. infection by a computer virus, destruction of data, sudden outage of the IT function). When the IT function is outsourced to an external service provider, the organisation no longer retains full control of information security (Lee, 1995), whereas full control is retained when the IT function is provided in-house.

To IT professionals and researchers, the term 'security outsourcing' usually evokes two general themes. The first theme is concerned with information and data security when transmitting and exchanging data and information, especially over networks. The second theme is concerned with the security arrangements and measures in place at the vendor, as an increasing number of threats have recently been posed by vendors working simultaneously for two clients competing with each other. This paper addresses both concerns.

1.4. Differences between public and private sector on IS/IT issues

The distinct differences between private and government organisations are at the core of public administration theory and have been the topic of on-going research.
Many differences have been identified, for example, in the decision-making process, personnel management, and the management of information systems (Rainey, 1983a, b; Perry & Rainey, 1988; Bretschneider, 1990; Mohan, Holstein, & Adams, 1990; Bretschneider & Wittmer, 1993). Failing to address these differences clearly would be a mistake, and managers working in the public sector must be cautious when attempting to draw lessons from the MIS literature (Bozeman & Bretschneider, 1986).

2. Research methodology

This section outlines the research methodology used in this study. It covers the research approach, questionnaire design, semi-structured interviews, selection of respondents, unit of analysis, and finally analytical tools.

2.1. Research approach

In this study, a methodological triangulation approach is adopted through the use of a national case study in which a survey questionnaire is used as the quantitative method ('hard' data) and semi-structured interviews are used to collect the qualitative data ('soft' data), supported by organisational documentation. Case studies are most appropriate for exploratory and explanatory research since they are able to capture a greater depth and breadth of detail on the subject's activities. Construct validity was established by triangulation, a chain of evidence and formal review by the interviewees for verification. A case study protocol as proposed by Yin (1994) was utilised to support the objective of reliability. Empirical research was undertaken in two iterative phases in 1999 and 2000 in Kuwait to identify current practices. The research sites were selected to support analytic generalisations due to their diversity.

Case study research is an accepted research strategy in the Information Systems (IS) discipline. Many researchers have used the case study approach as their research strategy (see, for example, Benbasat, Goldstein, & Mead, 1987; Kaplan & Duchon, 1988; Lee, 1989; Eisenhardt, 1989; Galliers, 1992; Gable, 1994; Yin, 1994; De Looff, 1995; Walsham, 1995; Cavaye, 1996). The case study approach refers to an in-depth study or investigation of a contemporary phenomenon using multiple sources of evidence within its real-life context (Yin, 1994). A case study methodology was selected for this research as this approach lends itself to concentrated focus on the topic, and accommodates several data-gathering techniques. The strengths of the case study approach are in the degree of breadth and depth that can be obtained in complex real-world situations (Galliers, 1992; Shanks, Rouse & Arnott, 1993). According to Avison (1993), the strength of the case study is also in its use for examining natural situations and in the opportunity it provides for deep and comprehensive analysis. Guba (1981) argues that the validity of this type of research is increased when different research methods are pitted against each other in order to cross-check data and interpretations. He suggests that different methodologies such as "questionnaire, interviews and documentary analyses" should be used whenever possible. This study may be characterised as exploratory. The lack of systematic research in this area justifies its exploratory nature.

2.2. Questionnaire design

The questionnaire was designed to obtain a comprehensive view of IS/IT outsourcing practices in Kuwait.
It was designed to serve two primary purposes. The first was to identify the current framework of outsourcing practices in the different Kuwaiti sectors. The second was to establish the level and sophistication of each sector. The survey questionnaire drew upon previous studies of outsourcing practices and general IT (Lacity & Hirschheim, 1993, 1995; Currie, 1995; Tye & Chau, 1995; Lee & Kim, 1997). The questionnaire consisted of seven main categories with mainly closed questions. In addition, two final open-ended summary questions were used. The general structure of the questionnaire was as follows: Organisational Profile; Information Technology Department Profiles and Plans; Outsourcing Terminology and Issues; Outsourcing Decision Process; Training and Educational Issues; Personal and Job-related Profile; General Comments. Five possible responses were provided (strongly agree, agree, undecided, disagree, strongly disagree). This type of question was used because it was deemed to be efficient, specific in measuring attitudes, and relatively easy to complete (Robson, 1993). The instrument was validated using the procedures recommended by Straub (1989a, b, c), i.e. instrument review by an expert in the field, a pilot test, internal reliability, and statistical conclusion validation. In order to check the applicability of the questionnaire in context, it was pre-tested on a number of organisations in Kuwait. A revised survey questionnaire was then dispatched to the target organisations. Where previous organisational experience with IS/IT outsourcing was identified, further copies of the survey questionnaire were distributed to other key members of the IT department.
2.3. Semi-structured interviews

Interviews were conducted throughout the period of data collection. In total 20 people, selected in the light of their qualifications and involvement in their organisations, were interviewed, including departmental heads and senior IT managers. The interviews were semi-structured in nature. As Mintzberg (1979, p. 587) states, "semi-structured interviews provide a controlled framework which facilitates analysis but also allows for the collection of 'soft' anecdotal data". Interviews were recorded to free the interviewer from note taking and to increase the accuracy of data collection. Interviews were conducted in both English and Arabic, because the interviewees were multi-cultural, originating from different nationalities. Recordings were later transcribed, and the data were organised and analysed in terms of the research model. The data from the survey questionnaires and semi-structured interviews were supplemented by documentation from the participant organisations. After the data were collected, analysis began with the transcription of the interviews. All data obtained from interviews and documents were consolidated and linked together to create a picture of the entire IT outsourcing process. A content analysis (Remenyi, 1992; Jankowicz, 1995) was used to discover important patterns in the data.

2.4. Selection of respondents

The research project covers all sectors of Kuwait's economy: public, private and semi-private. However, the focus of this paper is on the public and private sectors. Those main public-sector ministries which may be described as IT-intensive users were selected to participate in the study. They include: Ministry of Planning, Ministry of the Interior, Ministry of Electricity and Water, Ministry of Trade and Commerce, Ministry of Finance, Ministry of Justice, and Ministry of Public Health.
For the private sector organisations, the official Kuwaiti stock market index was used as a guideline for selecting the banking, insurance, and investment industries as the main private-sector participants in the study. The participating organisations represent a wide cross-section of private-sector organisations. The intention of the study was to target the highest possible level in the IT department of each organisation: IT general managers, IT directors, heads of IT departments, or equivalent.

2.5. Unit(s) of analysis

The unit of analysis defines the boundaries of the case study research. The units of analysis can be individuals (e.g. employees or patients), events (e.g. decisions or programs), or entities (e.g. groups or organisations). In this study, the units of analysis were the IT functions within the selected Kuwaiti public and private sector organisations.

2.6. Data collection

The main purpose of this study is to explore IS/IT outsourcing practices as an information systems strategy in the context of Kuwait as a developing country. In this study, we have followed a detailed and precise theoretical and methodological framework. Extensive field research was conducted in Kuwait, whose main aim was to survey and elicit the attitudes and opinions of the different organisations in different sectors towards the practices of evaluation of IS/IT outsourcing arrangements. The survey was distributed to more than 100 respondents in Kuwait, and 87 questionnaires were valid and usable for statistical analysis.

3. Discussion and analysis of the public sector

IT outsourcing, as a legitimate management strategy, has deficiencies and drawbacks as well as several advantages. This study has unveiled the main disadvantages of IS/IT outsourcing in the public sector in Kuwait, and Table 1 shows the rank, mean, and standard deviation of each risk factor. The purpose of the questions behind Table 1 was to examine and elicit the opinions of respondents about which factors they consider risky when dealing with IT outsourcing. An examination of the mean values in Table 1 confirms that the key risk factor is "security issues/data confidentiality": all risk factors follow a very similar mean pattern, the only exception being "security issues", which loads considerably higher, with an average difference in magnitude of 0.30. Sixty-two percent of the respondents stated that security was a key issue. The figure of 62% should come as no surprise, since data confidentiality has always been given a very high priority in the region. Indeed, this finding is consistent with that of Badri (1992), who found IS/IT security to be a top priority issue in the Arab Gulf region. Public organisations are increasingly cautious in dealing with IT outsourcing operations because of the information security threats posed by vendors, and many IT managers expressed their information security concerns 'loudly'.
In addition, "ability to operate or manage new systems" ranked as the second risk factor when considering outsourcing. It is a common perception that an internal IT department cannot manage effectively the transition to new technological platforms. One possible explanation is that the organisation, as discussed earlier, has no internal capability to handle or manage the new systems. "Loss of key IT employees" was ranked joint second in terms of mean value and importance. Gupta and Gupta (1992) recommend that key IT employees be involved in the IS/IT outsourcing decision. They believe that it is critical for those employees to understand the rationale and motives behind the decision. Kiely (1992) cites a study by an industrial psychologist on the best methods of communicating to employees the progress of an IT outsourcing deal. In that study, it was found that employees would rather hear communications from the IS executives than from the president of the organisation. It is widely believed that if the key IT staff are involved in the IT outsourcing deal and transition operation, such 'deep' involvement would prevent their early departure, as they would no longer find themselves 'surplus to requirements'. In addition, the tasks and functions of key IT staff may have to change in the light of the new 'developments' as IS/IT outsourcing arrangements are being negotiated, and therefore their future tasks will be more directed towards co-ordination and relationship management with the IT vendor.

Table 1
Ranking of risk factors in IS/IT outsourcing in the public sector

Factor                                        Rank  Mean  Std deviation  Scale
Security issues (data confidentiality)        1     3.77  1.09           1–5
Ability to operate or manage new systems      2a    3.46  0.97           1–5
Loss of key IT employees                      2a    3.46  1.27           1–5
Hidden costs (unspecified in the contract)    4a    3.31  1.18           1–5
Inadequate planning and management            4a    3.31  1.11           1–5

a Denotes tie for risk factor.

It was also interesting to note that "hidden costs (i.e. unspecified in the contract)" is considered to be a major drawback. A serious concern is that vendors may charge excessive fees for 'additional' services, services which would have been thought to be included in the scope of the contract (Lacity & Hirschheim, 1993). It is also interesting to note that the public sector in Kuwait has been encountering the same difficulties as others in the developed nations: tighter budgets, lack of specialised skills in the government sector, downsizing of the government, and so on (Dorsi, 1998).

4. Discussion and analysis of the private sector

IS/IT outsourcing, as a legitimate management strategy, has deficiencies and threats as well as advantages. This study has unveiled the main risk factors in IS/IT outsourcing in the private sector in Kuwait. Table 2 shows the rank, mean, standard deviation, and scale for each risk factor. The purpose of this question was to examine and elicit the opinions of respondents about which factors they consider risky when dealing with IT outsourcing.
An examination of the mean values in Table 2 confirms that the key risk factor is 'security issues/data confidentiality': all risk factors follow a very similar mean pattern, the only exception being 'security issues', which loads considerably higher, with an average difference in magnitude of 0.40. The security issue ranked first among the risk factors associated with IT outsourcing. Sixty-nine percent of the respondents stated that security was a key issue. Again, the figure of 69% should come as no surprise, since data confidentiality always has very high priority in the region. Indeed, this finding is consistent with that of Badri (1992), who found IS/IT security to be a prominent priority issue in the Arab Gulf region. As noted by Fink (1994), information security is an area often neglected in outsourcing arrangements. Information security covers both data security and business recovery planning (Lee, 1995). When the IT function is outsourced to an external service provider, the organisation no longer retains full control of information security (Lee, 1995), whereas full control of information security is retained when the IT function is provided in-house.

Table 2
Ranking of risk factors in the private sector

Factor                                        Rank  Mean  Std deviation  Scale
Security issues (data confidentiality)        1     4.02  1.14           1–5
Hidden costs (unspecified in contract)        2     3.55  1.04           1–5
Loss of flexibility/control                   3     3.48  0.94           1–5
Lack of prior outsourcing experience          4a    3.45  0.97           1–5
Ability to operate or manage new systems      4a    3.45  1.02           1–5

a Denotes tie for risk factor.

According to Collins and Millen (1995), the "corporate security issue" was one of the most frequently cited reservations made by American firms. As one senior Kuwaiti IT manager put it: "Security vendors claim to have specialised expertise and experience. Vendors keep claiming that they are trained in new IT technologies and techniques, and are aware of up-to-date vulnerabilities and security updates and measures. The difficulty facing many public and private organisations is the measurement of this claimed expertise and knowledge and actually how we—as an organisation—can benefit from it". Another IT manager stated the main reason for outsourcing security arrangements: "The most significant driver for outsourcing security for many organisations is the sharp shortage of IT skills in some critical areas like security measures, which involve more than just a firewall or simple security measures". He added that "the number of IT security services providers is fast growing to meet the demand for security management".

It was also interesting to note that "hidden costs (i.e. unspecified in the contract)" is considered to be a major drawback, which attracted 64.3% of the respondents' agreement. The cost of IT outsourcing involves more than vendor fees. A study of 50 outsourcing deals conducted by Barthelemy (2001) shows that organisations are largely unaware of the hidden costs. The hidden costs of IT outsourcing (Betts, 2001) include:

1. Finding the vendor and writing the contract costs an average of $500,000, or about 3% of the average total outsourcing cost;
2. Hard-to-quantify transition costs; and
3. Managing the contractor costs an average of $300,000 annually.

Barthelemy (2001) notes that although "the benefits of IT outsourcing are clear, they often get eaten away by costs that managers cannot pinpoint". Lacity and Hirschheim (1993) call these "excess fees", and note that they were a major concern expressed by many organisations. In a more recent study, Willcocks and Currie (1997) found that a major risk that materialised after the initiation of outsourcing was hidden costs. It was also observed by Hendry (1995) that outsourcing can have hidden costs, especially in the longer term, arising from a lack of awareness of the changing environment and technology and of user requirements.

The respondents also pointed to "loss of flexibility/control" as the third most important threat connected with IT outsourcing in the Kuwaiti environment; 52.4% of the respondents agreed with this. Perhaps the greatest risk after security considerations, according to the interviewees, is the "loss of control and flexibility". This concern is supported in the literature by Lacity, Hirschheim and Willcocks (1994) and McFarlan and Nolan (1995). Particularly vulnerable is software IT outsourcing (Ang & Toh, 1998).

4.1. Discussion of the findings

It is widely believed that a number of reasons underlie the fact that security concerns have been the most frequently cited reservation in the Kuwaiti environment, including:

4.1.1. Sub-contracting

Due to the rapidly mounting demand for fast and efficient IS/IT services/applications, many competing vendors are not highly skilled; those vendors who lack expertise or technical skills must look elsewhere. This often results in the further sub-contracting of parts of their original work to smaller, unfamiliar firms. These subcontracting practices also increase the risks of inappropriate programming practices, virus infection, poor communication, and over-all low-quality service being delivered to the customer. Given the subcontracting relationship, there is little the organisation can do directly, and it often has to work indirectly through the prime vendor. As a result of such practices, clients/customers are becoming more fearful of security breaches by either the prime vendor or other sub-contracting vendors.

4.1.2. Lack of user awareness

Security management must address end-user security awareness and education. Adequate information security and computer usage policies must be developed, implemented and communicated to users. Sometimes, using foreign vendors to develop policies and procedures raises the risk that these policies may not take account of the current organisational culture. There might be some internal resistance by employees to such policies, as many employees would perceive these policies as obstacles to getting their tasks completed.

4.1.3. Employees/people dimension

Most outsourcers focus primarily on perimeter and host security, i.e. technical solutions. The people aspects of security are often ignored, yet most security-related incidents occur within the organisation. These security compromises/breaches can take many forms, including:

* Using the organisation's resources for personal business purposes.
* Sharing passwords with colleagues and outsiders.
* Inserting incorrect and falsified information into the information system and computer programs.

4.1.4. Lack of security policies and procedures

The absence or weakness of a security policy can prevent organisations from taking the necessary action against attackers or employees. In fact, security services are driven by security policies. Before any security service is outsourced, the organisation should ensure that its security needs are understood and that compensating mechanisms such as policies are created and implemented throughout the organisation, as security policies are also extremely useful in raising security awareness.

4.1.5. Lack of awareness of the culture and people

Organisations are usually unaware both of the organisational culture of the vendor and of the type of staff working for the IT service providers. Understanding critical cultural issues is essential in IT management. This lack of awareness may create 'frustration' between the organisation and the vendor, as there are many differences in terms of hours of business, organisational politics, business practices and culture, which could also lead to communication weaknesses and the failure to deliver services.
4.1.6. Leading-edge IT technology

The vendor may be keen to implement leading-edge technology in its security measures, tools and policies; however, this can create unnecessarily complex procedures relative to the current processes if the business need is not considered first. Employees may be irritated by new 'sophisticated' security procedures that increase their workloads, and may be tempted to bypass them and so breach security.

4.2. Recommendations

Lee (1995) notes that information security is "an integral part of all outsourcing activities and it's important for the outsourcing company to reach agreement with the vendor as regards what type and what level of information security will be provided by the vendor in relation to the outsourced activities" (p. 12). In addition, preventive measures should be put in place by the vendor to reduce the level of risk incurred at the different stages of the contracting period. Data confidentiality should be treated as critical by all parties and respected by the vendor throughout the contracting period and after termination. Since a vendor may work simultaneously for two competing organisations, extra caution must be exercised, through proper 'operational safeguards', to ensure that data confidentiality is not compromised (Lee, 1995).

Furthermore, Sherwood (1997) contends that the management of the customer organisation should adopt a security strategy for any outsourcing arrangement based on the following principles:

* Adequate definitions of the responsibilities and liabilities of both parties in the outsourcing agreement with respect to security.
* A series of security management processes applying to both the customer and the IT service provider, including: (1) authorisation processes, which retain all aspects of security policy; (2) administration processes, which enable the outsourcing service provider to act as 'custodian' and to implement privileges; and (3) audit processes, which provide the customer organisation with a means of inspecting and assessing the security performance of the vendor.
* A security target document which describes the organisation's primary security requirements.
* Supporting documents which assist both sides with the implementation of the 'Security Target'.

The challenge for organisations that need to meet security requirements and prevent such disastrous impacts is to answer some key questions: should they keep responsibility for information security in-house, or should they outsource security services to a specialist vendor? Once an organisation decides to outsource its IT functions/services to a vendor, it must ensure that the vendor complies with the organisation's policy. The organisation should look for reputable security companies that use the most modern techniques and equipment available in providing their specialised services. One of the most important items in an outsourced security arrangement is a well-developed service-level agreement (SLA), prepared while negotiating the IS/IT outsourcing deal. The SLA must include legal clauses that prevent unnecessary risks to the organisation. Non-disclosure agreements which prevent vendors from using the organisation's architectures and strategies must also be drawn up, perhaps with penalties for violations.
5. Conclusions and future work

The IT outsourcing phenomenon has created a whole new, sophisticated environment for customer–vendor activity. The security of information is a key management concern in the modern, electronic business world. In order for organisations to maintain their competitive edge, business decisions must be based on accurate, complete and accessible information. However, the question remains: how can IT departments be expected to keep pace with ever-changing security requirements, especially given the unprecedented rate of change in IT? As the need for security services increases, organisations should establish criteria to evaluate security management both internally and externally. The decision to outsource security management needs to be weighed carefully, as this highly debatable decision has both pros and cons.

The purpose of this paper has been to highlight some critical security issues faced by organisations in Kuwait when engaging in IT outsourcing projects, since, as has been shown throughout the paper, security concerns have been considered of paramount importance. Organisations need to exercise caution in selecting a partner (i.e. vendor). They must also address their security concerns properly as they establish and develop their security policies, which should be concise, effective and cover all security layers. Organisations must not rush to choose a service provider without compelling evidence of the vendor's quality and level of service, as the consequences of an information security breach include business harm and legal liability. Outsourcing contracts should include robust provisions for information security, especially in the drafting of the SLA.

Despite the importance of this subject to researchers and practitioners, the evaluation and assessment of the benefits and risks of outsourcing security services is still an area which requires further and rigorous research. The descriptive analysis presented in this paper has its limitations. Nevertheless, considering that there has been so little previous research in Kuwait, this study may provide useful input to IT policy makers and managers in the different sectors of Kuwait. One final conclusion can be drawn: security concerns are the same in developing and developed economies as the world moves toward globalisation.

References

Avison, D. E. (1993). Research in information systems development and the discipline of IS. Proceedings of the 14th Australian Conference on Information Systems, Brisbane.
Badri, M. (1992). Critical issues in information systems management: An international perspective. International Journal of Information Management, 12, 179–191.
Barthelemy, J. (2001). The hidden costs of IT outsourcing. Sloan Management Review, 42(3), 60–69.
Benbasat, I., Goldstein, D., & Mead, M. (1987). The case research strategy in studies of information systems. MIS Quarterly, 11(3), 369–386.
Betts, M. (2001). Hidden costs of IT outsourcing. Computerworld, 1(4), 33–34.
Bozeman, B., & Bretschneider, S. (1986). Public management information systems: Theory and prescription (Special issue). Public Administration Review, 46, 475–487.
Bretschneider, S. (1990). Management information systems in public and private organizations: An empirical test. Public Administration Review, 50(5), 536–545.
Bretschneider, S., & Wittmer, D. (1993). Organizational adoption of microcomputer technology: The role of sector. Information Systems Research, 4(1), 88–108.
British Standard, Part 1 (1999). Information security management.
Buck-Lew, M. (1992). To outsource or not? International Journal of Information Management, 12, 3–20.
Cavaye, A. (1996). Case research: A multi-faceted research approach for IS. Information Systems Journal, 6, 227–242.
Collins, J., & Millen, R. (1995). Information systems outsourcing by large American industrial firms: Choices and impact. Information Resources Management Journal, 8(1), 5–13.
Currie, W. (1995). Outsourcing the new IT strategy. In W. Currie (Ed.), Management for IT: An international perspective. London: Pitman Publishing.
Currie, W. (1996). Outsourcing in the private and public sectors: An unpredictable IT strategy. European Journal of Information Systems, 4, 226–236.
De Looff, L. (1995). Information systems outsourcing decision making: A framework, organisational theories and case studies. Journal of Information Technology, 10, 281–297.
Diromualdo, A., & Gurbaxani, V. (1998). Strategic intent for IT outsourcing. Sloan Management Review, 39(4), 67–80.
Dorsi, M. (1998). Worldwide trends in outsourcing information technology. Newsletter of U.S. General Service Administration, Office of Government Policy (Outsourcing Edition), Vol. 3, 2–4.
Eisenhardt, K. M. (1989). Building theories from case study research. Academy of Management Review, 14(4), 532–550.
Fink, D. (1994). A security framework for information systems outsourcing. Information Management & Computer Security, 2(4), 3–8.
Gable, G. (1994). Integrating case study and survey research methods: An example in information systems. European Journal of Information Systems, 3(2), 112–126.
Galliers, R. D. (1992). Choosing information systems research approaches. In R. Galliers (Ed.), Information systems research: Issues, methods, and practical guidelines. Oxford: Blackwell Scientific.
Guba, E. G. (1981). Critique for assessing the trustworthiness of natural inquiries. ERIC/ECTJ Annual Review Paper, 29(2), 75–91.
Gupta, U. G., & Gupta, A. (1992). Outsourcing the IS function: Is it necessary for your organisation? Information Systems Management, 14(2), 74–77.
Hendry, J. (1995). Culture, community, and the networks: The hidden cost of outsourcing. European Management Journal, 13(2), 13–20.
Jack, G. (1992). Successful outsourcing depends on a successful contract. Corporate Controller, 4(5), 17–20.
Jankowicz, A. D. (1995). Business research projects. International Thomson Business Press.
Kaplan, B., & Duchon, D. (1988). Combining qualitative and quantitative methods in information systems research: A case study. MIS Quarterly, 12(4), 571–587.
Kiely, T. (1992). The wrong goodbye. CIO, September 1, 34–43.
Lacity, M., & Hirschheim, R. (1993). Information systems outsourcing: Myths, metaphors, and realities. New York: Wiley.
Lacity, M., & Hirschheim, R. (1995). Beyond the information systems outsourcing bandwagon: The insourcing response. New York: Wiley.
Lacity, M., Hirschheim, R., & Willcocks, L. (1994). Realizing outsourcing expectations. Information Systems Management, 11, 7–18.
Lee, A. (1989). A scientific methodology for MIS case study. MIS Quarterly, 33–50.
Lee, J., & Kim, Y. (1997). Information systems outsourcing for affiliated firms of the Korean conglomerate groups. Journal of Strategic Information Systems, 6, 203–229.
Lee, M. (1995). IT outsourcing contracts: Practical issues for management. Working Paper 95/05, Information Systems Department, City University of Hong Kong.
Loh, L., & Venkatraman, N. (1992a). Diffusion of information technology outsourcing: Influence sources and Kodak effect. Information Systems Research, 3(4), 334–358.
Loh, L., & Venkatraman, N. (1992b). Management. 29, 265–275.
McFarlan, F. W., & Nolan, R. L. (1995). How to manage an IT outsourcing alliance. Sloan Management Review, Winter, 9–23.
Mohan, L., Holstein, W. K., & Adams, R. B. (1990). EIS: It can work in the public sector. MIS Quarterly, 14(4), 435–448.
Palvia, S., Palvia, P., & Zigli, R. (1992). Global information technology environment: Key MIS issues in advanced and less-developed nations. In S. Palvia, & P. Palvia (Eds.), Global issues of information technology management (pp. 2–34). London: Idea Publishing Group.
Perry, J. L., & Rainey, H. G. (1988). The public-private distinction in organization theory: A critique and research strategy. Academy of Management Review, 13(2), 182–201.
Peterson, B., Brown, M., & Maw, R. (2002). Information security in outsourcing agreements. http://www.outsourcing-journal.com/issues/mar2002/legal.html. Accessed March 2002.
Radcliff, D. (2000). Thinking ASP? Don't forget security! Computerworld, 34(44), 58.
Rainey, H. G. (1983a). Public agencies and private firms. Administration and Society, 15(2), 207–243.
Rainey, H. G. (1983b). Regulated institutions. Journal of Government Information, 24(4), 267–283.
Robson, C. (1993). Real world research. Oxford: Blackwell.
Shanks, G., Rouse, A., & Arnott, D. (1993). A review of approaches to research and scholarship in information systems. Proceedings of the 14th Australian Conference on Information Systems, Brisbane.
Sherwood, J. (1997). Managing security for outsourcing contracts. Computers & Security, 2, 603–609.
Slaughter, S., & Ang, S. (1996). Employment outsourcing in information systems. Communications of the ACM, 39(7), 47–54.
Straub, D. (1989a). Validating instruments in MIS research. MIS Quarterly, June, 147–166.
Straub, D. (1989b). the ACM, 39(7), 47–54.
Straub, D. (1989c). The USA Public Administration. Information Systems Journal, 7, 85–108.
Tye, E., & Chau, P. (1995). A study of information technology adoption in Hong Kong. Journal of Information Science, 21(1), 11–19.
Vijayan, J. (2001). Outsourcers rush to meet security demand. Computerworld, 35(9), 34.
Walsham, G. (1995). Interpretive case studies in IS research: Nature and method. European Journal of Information Systems, 4, 74–81.
Willcocks, L., & Currie, W. (1997). Contracting out information technology in the public sector context: Research and critique. Journal of the Australian and New Zealand Academy of Management, 2(2), 34–49.
Yin, R. K. (1994). Case study research: Design and methods (2nd ed.). Newbury Park: Sage Publications.

Abdulwahed Khalfan completed his Ph.D. in Information Systems at the University of Leeds, UK. He has been Assistant Professor at the College of Business Studies, Kuwait. His main research fields are IT outsourcing, knowledge management, e-commerce adoption and IT strategic planning. He is involved in many national and international research projects and is the author of more than 14 articles published in national and international journals and conference proceedings. He has served as a reviewer for a number of journals and prestigious IT conferences.