The Challenge Of Managing Information Security - Presentation Transcript
ARTICLE IN PRESS
International Journal of Information Management 24 (2004) 3–4
Special Section
Guest Editorial: the challenge of managing
information security
Until recently information security has always been considered as an afterthought. It was an
afterthought in the design and development of new systems. It was an afterthought in
implementation of systems. It was an afterthought in establishing new or improved business
processes. However, given the increased dependence of businesses on information, its security is
increasingly being considered proactively. So, while designing, developing and implementing
systems, there are vociferous discussions of the relevance of certain controls, the hindrance such
controls would pose to the conduct of business and the efficacy of certain security tools. However,
apart from the discussions, there is little by way of actually integrating security mechanisms and
policies into regular day-to-day activities of a business. In net effect, therefore, security still ends up
being considered as an afterthought. What takes precedence is a functioning system or an
implementation of a new technology. Security often gets relegated down in the list of priorities.
Clearly there is no doubt that ensuring security of systems and processes is a key enabler of
realizing positive outcomes in a business. Two aspects of information security have indeed
confounded the problem of managing system threats and vulnerabilities—the balance between
quality of service and level of security and identifying appropriate levels of expenditure while
managing threats in organizations. This special section on the challenge of managing information
security seeks to address these two problematic aspects of managing information security.
The first paper in the special section is ‘‘GPRS Security as a QoS in the Telecommunication
Industry: Case of Vodafone Egypt’’ by Sherif Kamel (American University in Cairo) and Khaled
Wahba (Cairo University). The authors present a case study of Vodafone Egypt and argue that
the security of general packet radio service is a function of quality of service. Since infrastructure
security has to be carefully balanced with the business opportunities, it is imperative for businesses
to traverse the utility and security line very carefully. In their synthesis, the authors present a range
of solutions that provide a basis for developing adequate security policies. Although the solutions
are specific to Vodafone Egypt, the issues presented are equally relevant to businesses in general.
The second paper ‘‘Information Security Considerations in IS/IT Outsourcing Projects: A
Descriptive Case Study of Two Sectors’’ by Abdulwahed Khalfan explores the information
security considerations in the IS/IT outsourcing projects in the public and private sectors of
Kuwait. Although a lot of research has been undertaken in the area of IS/IT outsourcing in
general, it is interesting to note that there has been a limited amount of research specific to
Kuwait. The main findings of this research suggest that security concerns have been the most
prominent risk factors and have overtaken other risk issues (e.g. loss of control, hidden costs),
which were thought to be the most serious in dealing with IS/IT outsourcing in the Kuwaiti
environment.
0268-4012/$ - see front matter © 2004 Elsevier Ltd. All rights reserved.
doi:10.1016/j.ijinfomgt.2003.12.002
The third paper ‘‘In defense of the realm: understanding the threats to information security’’
is by Michael Whitman (Kennesaw State University). The author presents a reexamination of the
1992 study by Loch, Carr and Warkentin that identified and examined categories of threats to
information security. In doing so the author seeks to identify and prioritize threats to information
security. This forms the basis for the author to evaluate the frequency of the threats and the
commensurate expenditure needed for the threats. The study is useful in the identification and
prioritization of threats and vulnerabilities inherent in the systems and methods within the
organization.
It is our hope that the research presented in these three papers will set the tone for further
research opportunities that will focus on appropriateness of information security control
measures. It is important to undertake this research since not only have information security
problems been growing at an exponential rate, but the nature and scope of security breaches have
not been successfully curtailed. This is indeed resulting in an information security investment
paradox. While companies have become sensitized to the importance of information security and
are instituting controls, the fine balance between offering quality services and yet maintaining
security has not been defined. This has often resulted in individuals circumventing controls to
undertake the task at hand. On the other hand, companies have vastly increased their security budgets
and have consistently implemented a range of technological solutions to ensure information
security. Although essential, how can this balance between relevance of technological controls and
provision of quality services be ensured? This is something that has not been carefully considered
by researchers and businesses alike.
G. Dhillon
Information Systems Department
Virginia Commonwealth University
1015 Floyd Avenue, Richmond, VA 23284-4000, USA
E-mail address: gdhillon@vcu.edu