Chapter 2

Corporations and the Rule of Law

LET’S TAKE A QUICK high-level tour of some elements related to corporations and the rule of law to set the stage for what’s to come. Because this is an introduction to legal and organizational concepts, many of the concepts presented here might be new. Rest assured that we will revisit the most important of these points in later chapters in different contexts, which should make them more relevant. Our purpose here is to simply introduce the ideas for later elaboration. Why do you suppose knowing how corporations are formed as a legal entity might matter to security? Quite simply, managers must be familiar with laws and regulations if they are going to effectively manage their organizations securely. Along with ethics, the rule of law forms the backbone of information security. We will begin this chapter by defining some terms and basic concepts, and then present an overview of some crucial legal aspects of corporations to prepare for later, when we will dive a little deeper into security-specific laws and regulations.

Chapter 2 Topics

This chapter:

•  Describes how organizations are structured and how structures affect the ways in which organizations are managed and governed.

•  Discusses the concept of power as the ability to influence others.

•  Presents managerial responsibilities and duties, and different power bases from which managers operate.

•  Provides a presentation of law and ethics, and the concept of organizational justice.

•  Describes how law is involved in the enforcement of security policies.

Chapter 2 Goals

When you finish this chapter, you should:

•  Understand how incorporation and power interrelate to form “corporate structures.”

•  Know the concepts of principals and agency, and the duties they carry.

•  Be familiar with what ethics entail and how they differ from laws and regulations.

•  Understand the basic elements of an enforceable security policy.

2.1 Legal Organizational Structure

Like the people who work in a company, a corporation is a legal entity: it has rights, is subject to legal duties, and is regulated by the state in which it was incorporated. Both employees and corporations therefore have rights and duties. From a legal perspective, a right is the capacity of a person or corporate entity, with the aid of the law, to compel another person or corporate entity to perform, or to refrain from performing, some action. A duty is an obligation that the law imposes on a person or corporate entity to perform, or to refrain from performing, some action. Rights and duties are interdependent, and a right cannot legally exist without a corresponding duty upon another party. As we will see next, along with rights comes accountability, and along with duties comes responsibility.

In addition to the state’s incorporation laws, corporations may be subject to governance of their commercial transactions under the Uniform Commercial Code (UCC), and to federal and even international laws. For security, this is especially meaningful in employment-specific matters and in the regulation of industries. For example, corporations may be subject to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or to industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), both of which (among others) require that managers provide directives and policies for employees on the proper handling of information and computer systems in the organization [1].

2.1.1 Accountability, Responsibility, and Law

Accountability might be thought of in terms of the cliché “the buck stops here,” whereas responsibility involves a duty to perform some action; thus one can be held accountable for an act without being responsible for carrying it out. Managers are accountable for meeting business performance objectives. That may mean overseeing personnel who are responsible for maintaining the performance of applications at the levels users expect and, from a security standpoint, for ensuring the confidentiality, integrity, and availability of information and systems, along with meeting other business objectives. In most cases, managers are accountable for actions taken by their subordinates, and are also responsible for taking actions of their own, such as giving those subordinates clear directions.

For example, managers may be held accountable for meeting expectations or contractual obligations for the performance of an application; contractually, such a commitment is often called a service-level agreement (SLA). To meet the agreed level of performance, administrators may need to configure systems and networks accordingly. This might involve making sure that the network can distinguish high-priority traffic by the type of application or data it carries, which may include using policy-based routing in a TCP/IP network. As this example illustrates, accountability and responsibility form an inverted tree: they accrue as we move bottom-up through the organizational chart, with the manager ultimately accountable for the work of those who carry it out.

In Focus

Policy-based routing is one way that telecommunications companies work to live up to their agreements. Policy-based routing was originally defined by Cisco Corp. as consisting of protocols and technologies such as creating route maps and setting type of service (TOS) in the network data packets to meet quality of service (QoS) metrics for a given payload, such as an email or text message versus streaming video.

In terms of accountability, the management and governance structures of a corporation are determined largely by the type of incorporation, and also by agreement of the board of directors through, for example, the articles of incorporation and bylaws, and by individual contracts such as employment agreements. Legal forms of business organization include partnerships, limited liability companies (LLC), subchapter “S” corporations, “C” corporations, for-profit and non-profit companies, and others.

Because a corporation is a legal entity that owes its existence to the state in which it was incorporated and is distinct from the individuals who control its operations, it provides certain liability protections for its management principals. A partnership, by contrast, is an association of two or more people who work as co-owners of a business. Partners are personally liable for most legal violations, although the structure has some tax advantages. A limited liability partnership is one in which the co-owners create a legal entity under the statutes of the governing state; it is popular for small businesses because it offers some liability protection for the management principals. A subchapter “S” corporation allows a group of people to conduct business with the benefits of a corporation, such as liability protections, while allowing the principals to be taxed on an individual basis, similar to a partnership.

In Focus

Bylaws are specific legal agreements that are drawn up among the corporate principals, such as founders and/or their boards of directors.

The specific legal aspects of incorporation are beyond the scope of this textbook, but it is important to realize that management and governance are constrained to varying degrees depending on the legal structure of the organization and industry-specific regulations. It is also important to recognize that the formal or legitimate power structure within corporations is largely a function of the legal and organizational structures by which corporations are established when they are formed and reestablished as they operate. When legal violations or grievances arise, there are different classifications of law that apply, as well as venues for adjudication. Legal classifications include procedural and substantive, public and private, and civil and criminal law [2].

•  Substantive law creates, defines, and regulates legal rights and obligations.

•  Procedural law establishes the rules for enforcing those rights and the methods of remedy in court when a right is violated.

•  Public law is the part of substantive law that deals with the rights and powers of the government in its political or sovereign capacity relative to individuals or groups. Public law consists of constitutional, administrative, and criminal law.

•  Private law is the part of substantive law governing individuals and legal entities such as corporations in their relationships with one another. Private law deals with torts, contracts, sales, agency, and property.

•  Civil law defines duties and what constitutes a violation or wrongdoing against an “injured” party. Civil law is part of private law.

•  Criminal law defines duties and what constitutes a “wrong” committed against a community or society. Criminal law is part of public law.

In Focus

The type of incorporation and the bylaws formed by corporate principals determine the legal structures and governance within organizations.

2.1.2 Roles of Corporate Trust and Regulation

Corporate officers are employees who hold a special position of trust and are accountable to a board of directors and, if the organization is a public company, to the shareholders. Among these officers are the Chief Executive Officer (CEO), who plays a key role in organizational leadership, and the Chief Financial Officer (CFO), who is responsible for the company’s financial transactions. The Sarbanes–Oxley Act of 2002, also called SOX or, more formally, the Public Company Accounting Reform and Investor Protection Act of 2002, regulates these officer roles. For example, part of the act stipulates that the CEO and the CFO must each personally certify, in writing, the company’s periodic financial reports.

A Chief Information Officer (CIO) is responsible for enterprise information resources such as information technology and computer systems that support the enterprise goals and operations, and is typically involved in overseeing information processing and information strategy and identifying and developing the information infrastructure, including computing architecture and networking. Information security policies are usually under the control or jurisdiction of the CIO. Generally speaking, the CIO reports directly to the CEO.

The Chief Technology Officer (CTO) is similar to the CIO, but this is typically a role given in an information technology provider company. A CTO has the responsibility to oversee the technological development of the company’s products. With the growing recognition of the importance of information security, and along with regulation, increasingly companies are creating the role of Chief Security Officer (CSO) or Chief Information Security Officer (CISO), whose job it is to ensure that effective policies are created and enforced.

Depending on the industry or agency, various regulations may dictate specific responsibilities for these roles of trust. As indicated, the Sarbanes–Oxley Act attempts to protect investors by imposing on companies and their management specific duties that help protect the integrity of information used internally and released externally. It requires the CEOs and CFOs of all public companies in the United States to certify the accuracy of their annual financial reports (Form 10-K) and quarterly reports (Form 10-Q), and to create internal controls for reporting and to facilitate auditing. Depending on the type of organization, information and communications related to these reports must be retained for 7 to 10 years in the United States, and companies must institute procedures to track financial transactions from beginning to end. They are accountable to the Securities and Exchange Commission (SEC) and the Internal Revenue Service (IRS) for the accuracy of those records.

Other legislation affecting corporate officers and other roles of trust includes the Financial Services Modernization Act of 1999, also known as the Gramm–Leach–Bliley Act, which requires financial institutions to ensure the security and confidentiality of customer data. These data must be stored in a secure place or medium and must be protected both at rest and in transit. Many federal and state regulations reinforce these requirements, and there are also industry-specific regulations. As mentioned earlier, HIPAA is one example; it stipulates medical privacy rules and procedures for the administration of health records. Billing and the transfer of healthcare records among providers and payers require companies to retain the associated records and documentation for 6 years and to keep the data confidential [1].

In Focus

Everything one does on a company computer and network (whether wired or wireless) may be monitored by something or someone, somewhere. One of the key reasons for this often has to do with laws and regulations.

2.1.3 Formal Project Undertakings

To live up to their corporate obligations, organizations take various approaches to implementing services or technologies and developing products, all of which might be considered projects. For example, to determine what new security technologies might be needed, management may conduct an assessment of the organization’s strengths, weaknesses, opportunities, and threats, called a SWOT analysis [3]; convene cross-functional teams for brainstorming; or apply a quality or process-improvement framework such as CMMI, Six Sigma, or COBIT (more about these later). These approaches help managers determine what is needed, where, and when, and, just as importantly, what is not needed.

Critical issues in project undertakings include determining the scope of the project. The scope element involves defining requirements, the resources and costs, and the end point for achieving the objectives of the project and meeting the requirements. Another issue that must be contended with is unfamiliarity. A lack of previous experience (or precedent) with a similar undertaking usually leads to uncertainty about the scope of the undertaking. Complexity is another critical issue. Complexity is partly owing to the project scope, but in addition, it involves the degree of interdependence among tasks and among workers. The more a task depends on other tasks, and the more one team member depends on others to complete a project, the greater the complexity. A fourth set of critical issues in project undertakings is what is at stake, and who the stakeholders are.

What is at stake might be thought of in terms of the amount of money invested in the project, the opportunity costs, potential revenues, or the ability to compete in the marketplace, among others. Stakeholders are those who have a vested interest in the outcome, which includes all employees because the company’s survival depends on successful project undertakings, but also customers, investors, and, if a public company, shareholders. However, not all members of the organization have an equal stake in a given project. Managers must determine the impact of what is at stake and give priority to those stakeholders who have most at stake (primary stakeholders).

One avenue to help managers decide these issues is to survey the primary stakeholders about expenditures, requirements, preferences for strategic relationships, and the other factors that bear on the project. For example, a question using a Likert-type scale (from 1 to 7) might be anchored with “We should purchase our equipment from a single supplier” at 1 and “We should purchase our equipment from a variety of suppliers” at 7. The stakeholders’ scores for each question would then be tallied into a mean score (a statistical average) and a standard deviation (a measure of dispersion, and thus of how much the stakeholders disagree).


The mean score on a survey question shows where the stakeholders lean. For example, a mean of 2 on the question about purchasing from a single or established vendor versus multiple or emerging vendors would indicate that stakeholders want to buy from a single or established vendor, perhaps for standardization or volume discounts. A mean of 6 would suggest that stakeholders want to buy from a variety of suppliers, perhaps to avoid being locked into one vendor by high switching costs, to avoid a single point of failure, or to take advantage of more innovative emerging products. The standard deviation is the square root of the variance and measures dispersion; it therefore tells how much agreement there is among stakeholders about each decision principle. A small standard deviation indicates strong agreement, whereas a large one indicates wide disagreement, in which case the manager would probably need to bring the primary stakeholders together to discuss the issue and work toward greater consensus.

Based on the questions, the means, and standard deviations, managers are able to develop a guiding principles framework, and when faced with a conflict, they can refer to these principles to guide their decision. For example, say a group of stakeholders strongly favor a Linux platform whereas others strongly favor a Windows platform; if the principle is to use open systems, the choice becomes clearer to go with the Linux platform. This is not to say that the manager would always choose the Linux platform, but unless there is a compelling reason not to, the principle acts as a default or tiebreaker.
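The survey procedure above can be carried out mechanically once the scores are in hand. The following added example (not from the textbook) tallies constructed Likert-type responses for three hypothetical survey items, computes the mean and sample standard deviation for each, classifies the lean and the level of agreement, and marks an item as a guiding principle only when there is both a clear lean and no wide disagreement. The item names, the scores, and the thresholds for “lean” and “agreement” are assumptions chosen for illustration; an organization would tune them to its own scale and tolerance.

```python
"""Aggregate Likert-type stakeholder survey responses into guiding principles."""
from statistics import mean, stdev

# Constructed sample data (not from the original text): each key is a survey item
# anchored at 1 and 7; each value is the list of primary-stakeholder scores.
SAMPLE_RESPONSES = {
    "single supplier (1) vs. variety of suppliers (7)": [2, 1, 3, 2, 2, 1, 3],
    "proprietary platform (1) vs. open systems (7)": [6, 7, 5, 7, 6, 6, 7],
    "build in-house (1) vs. outsource (7)": [1, 7, 2, 6, 7, 1, 4],
}

SCALE_MIN, SCALE_MAX = 1, 7
MIDPOINT = (SCALE_MIN + SCALE_MAX) / 2   # 4.0 on a 1-to-7 scale

# Thresholds are assumptions chosen for illustration; tune them per organization.
LEAN_MARGIN = 1.0      # mean must be this far from the midpoint to count as a lean
CONSENSUS_SD = 1.0     # sample standard deviation at or below this = strong agreement
DISAGREEMENT_SD = 2.0  # above this = wide disagreement, worth a stakeholder meeting


def summarize_item(scores):
    """Return (mean, sample standard deviation) for one survey item.

    Out-of-scale scores are rejected rather than silently clipped, because a
    stray value (for example a 0 entered for a missing answer) would bias the mean.
    """
    if len(scores) < 2:
        raise ValueError("need at least two responses to compute a standard deviation")
    for s in scores:
        if not SCALE_MIN <= s <= SCALE_MAX:
            raise ValueError(f"score {s} outside the {SCALE_MIN}-{SCALE_MAX} scale")
    return mean(scores), stdev(scores)


def interpret(avg, sd):
    """Map a mean and standard deviation to a lean and an agreement level."""
    if avg <= MIDPOINT - LEAN_MARGIN:
        lean = "low anchor"
    elif avg >= MIDPOINT + LEAN_MARGIN:
        lean = "high anchor"
    else:
        lean = "no clear lean"

    if sd <= CONSENSUS_SD:
        agreement = "strong agreement"
    elif sd > DISAGREEMENT_SD:
        agreement = "wide disagreement"
    else:
        agreement = "moderate agreement"
    return lean, agreement


def build_principles(responses):
    """Turn survey results into a dict mapping each item to a decision record.

    Only items with a clear lean and without wide disagreement become guiding
    principles; the rest are flagged for discussion with the primary stakeholders.
    """
    results = {}
    for item, scores in responses.items():
        avg, sd = summarize_item(scores)
        lean, agreement = interpret(avg, sd)
        adopt = lean != "no clear lean" and agreement != "wide disagreement"
        results[item] = {
            "mean": round(avg, 2),
            "stdev": round(sd, 2),
            "lean": lean,
            "agreement": agreement,
            "status": "guiding principle" if adopt else "needs discussion",
        }
    return results


if __name__ == "__main__":
    for item, rec in build_principles(SAMPLE_RESPONSES).items():
        print(f"{item}: mean={rec['mean']} sd={rec['stdev']} -> "
              f"{rec['lean']}, {rec['agreement']} ({rec['status']})")
```

With the constructed scores, the supplier item leans toward a single supplier with strong agreement, the platform item leans toward open systems with strong agreement, and the build-versus-outsource item sits at the midpoint with wide disagreement, so only the first two become guiding principles. The sample standard deviation is used because the surveyed stakeholders are treated as a sample of the wider stakeholder population; the population formula would give slightly smaller values.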

2.1.4 Power and Organizational Structure

In dealing with the critical components of a project undertaking and in gaining consensus among stakeholders, it is obvious that the abilities to communicate and influence others are critical managerial skills. However, in order to communicate and influence well, managers must understand the power distributions throughout the organization—both formal and informal. Power is the ability to influence someone to do something. The ability to influence someone may be accomplished through incentives, persuasion, or coercion. Thus, how power is exercised depends on the power source or base used; for example, managers have the power to reward and punish subordinates (this is called formal, legitimate, or positional power), whereas subordinates may have expertise (expert power) or charisma (referent power), which are forms of informal power [3].

Because power is often tied to control over valued resources, the formal organizational structure offers the most recognizable sources of power. Formal power rests on statutory and legal foundations: it is exercised through the instruments of incorporation, bylaws, and other agreements or, alternatively, through the delegation of authority. Nevertheless, power is often distributed through organizations in ways that go beyond the legitimate power structure.

An example of the use of informal power is when a charismatic person with less positional power is able to influence or persuade others to form a coalition against a more powerful individual on an action. This source of power is known as coming from a referent power base. Also, we often find in technical and knowledge work that power comes from expertise. In this case, power is inverted. Said another way, managers often rely on the expertise of individuals in the groups they oversee. Those individuals hold a valuable resource (meaning knowledge and skills) that the manager needs in order for his or her group to accomplish organizational goals. To effectively manage in those cases, managers typically exercise a combination of legitimate power—using rewards and punishments— along with using an informal referent power commonly called “leadership.”

In Focus

Power, which determines influence, may come from formal or informal sources, and it may be exercised individually or through coalitions.

Organizational Structure, Principals, and Agency

We should point out that shareholders are people who purchase or are given stock in a corporation, and although they may not have an operational role in the company, they do have power to influence it. Whether a company is “private” or “public” along with the types of stock the corporation issues affect shareholder ownership and their influence in corporations. The most powerful kinds of stock are called “voting shares” because they allow shareholders to cast votes on important matters. As an example, members with voting shares may elect the board of directors for the corporation to represent their interests. In so doing, they delegate to these principals the power to manage company operations and exercise control over its resources.

We have used the term “principal” in a number of places thus far. Principals are legally vested parties in an organization who may or may not have been assigned an operational role. By this we mean that some principals may act simply as corporate advisors, whereas principals with an operational role are executives who run the day-to-day operations of the company. Because they have a vested right (usually due to founding financial investments or because they are a corporate board member or officer), principals have a special say in how the corporation is run. As a result, all principals hold positions of trust and confidence and are expected to devote their efforts to the benefit of the company and the shareholders. Beyond this obligation, principals with operational duties have implied agency, that is, the ability to bind the corporation to legal agreements. Some duties and agency may be further delegated to company officers and other management or staff, or even to subcontractors and independent actors.

Likewise, equity owners may or may not be principals—that is, they may simply be shareholders, and they are not necessarily agents. This may seem a little confusing at this stage, given the many variations of involvement, ownership, and power available through corporate structures. We will elaborate on these ideas later; for now, just keep in mind that legally, agency is a consensual relationship between a principal and an authorized actor (agent) formed by contract or agreement, and it is generally formed for the purpose of having the agent conduct some legitimate action on behalf of a principal. Examples of agency might be a company officer executing his or her assigned duties during the normal course of doing business, or an attorney or a consultant acting on behalf of his or her client [1].

In Focus

Directors and officers may bestow agency down through the organizational structure. This is one form of delegation.

Delegation of Responsibilities and Power

As seen, by agreement corporate principals establish the standards, activities, and responsibilities for managing the business, either by acting as advisors or by managing the business through an operational role in the company. As such, boards of directors with their votes typically appoint officers in the company who are actively involved in leading and overseeing daily company operations and executing the tactical aspects of the corporate strategy. In other words, the corporate structure dictates the formal power structure and the allocation or delegation of duties and resources.

This is typically accomplished in a corporation as follows: The board of directors has the power to manage the business of the corporation. These “directors” exercise dominion and control over the corporation, hold positions of trust and confidence, and determine the courses of operating policy. They have broad authority to delegate power to agents and to officers who hold their offices at the will of the board and who in turn hire and fire all necessary operating personnel and manage the daily transactions of the corporation [1].

Board members may function in an operational role, or they may act only as advisors, and as a voting group delegate authority to corporate officers who run the day-to-day affairs of the operation. Consequently, corporate boards select, remove, and determine the compensation of corporate officers, and furthermore (typically by a majority vote), shareholders may remove a director or an entire board of directors with cause by means of their voting [3]. Thus, power and the exercise of control, and the corresponding responsibilities in corporations, are not viewed strictly as a pyramid often represented in organizational charts, or even as an inverted one, but rather as a spectrum of power, rights, duties, responsibilities, and liabilities that transcend organizational structures.

2.2 Fiduciary Responsibilities

The preceding section has led us to an important legal and security concept. Principals and agents in a corporation owe to each other a fiduciary responsibility. A fiduciary responsibility is one that holds special duties. More specifically, a fiduciary is an actor in a position of trust and confidence such that he or she owes his or her principals the duty of obedience, diligence, and loyalty. This includes the duty to inform relevant parties and provide an accounting of financial and other material transactions to all the principals [2].

Diligence means that in the execution of duties, they are discharged in a manner exercised using ordinary (or due) care and with prudence “reasonably” expected of someone in that position who is acting in good faith, which is to say, with care taken by an ordinarily prudent person in that position given the circumstances, and in a manner one would “reasonably” believe to be in the best interest of the corporation [3]. Failure to uphold fiduciary responsibilities may expose a principal (or agent) to legal liabilities. For example, a breach of obedience might be to execute an unauthorized binding action, such as to enter into an unauthorized contract [1].

A breach of diligence is a failure to use due care in acting. This can range from failing to pay attention to the instruments a principal or officer signs or accedes to, to misrepresenting that one has a skill one does not actually have, where a third party then relies on that misrepresentation in assuming the principal can perform his or her duties. A breach of loyalty involves failing to properly inform or account to other principals regarding material matters such as sources of income and any “side work” a principal may perform. The duty of loyalty also entails agreeing not to compete with the corporation, not to engage in conflicts of interest, and not to disclose confidential information to unauthorized parties [2].

2.2.1 Fiduciary Duties and Legal Ethics

Beyond the legal dynamics explained in the previous sections, which concern the corporate structural relationships that make up the legitimate or formal exercise of power, it has been argued that socially responsible behavior repays a moral debt owed to the society that contributes to a corporation’s overall success. This line of reasoning holds that social responsibility buys goodwill, and goodwill, albeit sometimes as an intangible factor, can translate into corporate development and future success. From this philosophy the terms “social contract” and “stakeholder” were derived; concepts such as the psychological contract, equity, and organizational justice all stem from this notion of social responsibility. In this view, it is not just “stockholders” but “stakeholders” who have a legitimate right to exercise control and power in a corporation [4–6].

Working from this position, we note that ethics are codes of conduct for what constitutes “right” and “wrong.” Ethics in general is a systematic effort using logical reasoning to make sense of individual, organizational, and social moral dilemmas in such a way as to determine the principles that should govern human conduct and the values they express. Unlike law, the assessments of ethics have no central authority such as a court or legislature. As such, there are no clear-cut universal ethical standards for managers to rely upon [1, 4].

Philosophically, there are different views about ethics that fall into various categories [7]. Ethical objectivism is an absolute commitment to a central authority or set of rules to guide decision making [4]. Ethical relativism asserts that individuals must judge their actions by what they perceive as right or wrong [8]. Situational ethics is the view that developing precise rules for navigating ethical dilemmas is difficult because real-life decision making is complex and ambiguous. To judge the morality of a behavior, the people judging must psychologically place themselves in the other person’s situation to understand what motivated the other to choose a course of action [9]. Utilitarianism tries to view right and wrong in terms of consequences of actions. It is important to note that there are two major forms of utilitarianism, which are act- and rule-based utilitarianism [10].

Act-based utilitarianism judges each act by whether it maximizes pleasure over pain. Rule-based utilitarianism supports the rules that balance the pleasure an individual derives from his or her own actions against the pleasure of others. Cost–benefit assessment compares the objective and subjective, direct and indirect costs and benefits of an action and seeks the greatest economic efficiency at the least cost [1]. Standing in contrast to these consequence-based views is deontology, which holds that one has a duty or obligation to perform, or to refrain from performing, some action regardless of its consequences [2].

The rule of law generally stems from deontology, which seeks to address practical problems of utilitarianism by holding that certain underlying principles are either right or wrong regardless of the pleasure or pain involved [10]. Additionally, civil law has evolved to incorporate concepts of social ethics including egalitarianism, where persons are expected to share, in equal measure, both responsibilities and consequences. The concept of distributive justice developed from this ideal, which seeks equal opportunity but does not necessarily expect equal results [11].

2.2.2 Law and Ethics Intersection

There are differences between laws and ethics, as we have indicated. Laws are affected by ethical concepts, but the concepts are distinct and different. Laws are universal tenets and are codified into rules that have sanctions for disobedience. Without law, there cannot be justice. Justice has many definitions, but a common one is the fair, equitable, and impartial treatment of competing interests and desires of individuals and groups with careful regard for the common good [12]. On the other hand, ethics are generally considered to be heuristic in nature, meaning that they are “rules of thumb” to guide proper or generally acceptable human behavior [11].

For example, many people have an ethical code of conduct that would prohibit them from watching a blind person walk onto a busy road in front of a speeding car. Although failing to prevent the blind person from getting hit by the automobile lacks a legal sanction as a consequence, it may be considered wrong; yet because it is a rule of thumb rather than a rule of law, people differ in their assessments of responsible actions, such as whether to risk one’s own life in the process [1].

In Focus

Whereas laws are codified rules, ethics are rules of thumb; that is, ethics are said to be heuristic. However, a branch of law allows for incorporating ethics, which is called common law, or case law, because these laws change (albeit slowly) to reflect the principles, ethics, and values of a society.

Because laws are codified into rules, they must be specific enough to determine when a law has been violated. Because ethics are rules of thumb that involve multiple subjective views about proper action, ethical conduct must instead be negotiated. When it comes to information security, two legal principles inform and assist in this negotiation. The first is due care, which in this context means handling information carefully according to the rules generally defined in security policies. The second is due diligence, a legal requirement that goes beyond careful handling: it calls for vigorously carrying out the protection of information and for performing required actions to a standard minimally defined as a “workmanlike manner” [1, 12].

A commonly used example of an ethical violation in security involves the use of personal social security numbers as employee identifiers in light of the threat of identity theft [2]. Due care would dictate that simply because a social security number is unique does not mean that it makes a good candidate for an employee identifier. Employees expect that management will be concerned about their personal security, which forms the basis of a psychological contract, a tacit agreement about what is owed to an employee, such as pay or safe working conditions, in return for what the employee provides, such as expertise or work effort [11]. Although ethics are rules of thumb rather than laws, attempts have been made to specify a set of maxims to govern ethical behavior in organizations. For example, as seen in Table 2.1, the Computer Ethics Institute, then hosted by the Brookings Institution [13], produced a set of prohibitions [12].

Although such a set of maxims can be useful in general, there is a broad range of ethical considerations managers must address in the workplace. Most companies establish a behavioral policy or code of conduct or, even more formally, a set of security policies, which establish the guiding principles to govern the behavior of employees and management. These tend to address items such as privacy, publicity, and accessibility of information resources.

2.2.3 Legal and Ethical Consciousness

The function of law is to prescribe consequences for law breakers, but it can also act to deter crime. For example, in their research with computer science students, Straub, Carlson, and Jones [14] found that the threat of punishment helped to deter cheating. In particular, using general deterrence theory as a foundation, they discovered that deterrent measures, preventive measures, and deterrent severity acted as inhibitors to information security breaches and also predicted information system security effectiveness. However, the threat of punishment is not always effective in stopping information security attackers or preventing people from failing to implement important security countermeasures [15].

TABLE 2.1 Examples of Breaches of Ethical Standards, Brookings Institution [13].

1.  Using a computer to harm others.

2.  Interfering with other people's computer work.

3.  "Snooping" in other people's files.

4.  Using a computer to steal.

5.  Using a computer to bear false witness (i.e., lie).

6.  Copying or using proprietary software without paying for it.

7.  Using other people's computer resources without authorization or compensation.

8.  Appropriating other people's intellectual output without permission or attribution.

9.  Disregard for the social consequences of the program you are writing or designing.

10.  Disregard for using a computer in ways that ensure consideration and respect for your fellow humans.

Relative to law, public attitudes, and behavior, there are at least two major contrasting views. One view holds that the law has to reflect societal sentiments of justice and morality, whereas the other holds that law is a vehicle to shape those sentiments and bring about social responsibility [16]. Furthermore, some researchers have shown that attitudes toward the law are part of an individual’s ethical system or philosophy. From this perspective, people develop a “legal consciousness” based on their conceptions of rights, powers, duties, and related legal interactions [17]. Consequently, a person’s attitude toward law is largely shaped by the person’s legal socialization.

According to Fuller [18], legal socialization occurs in three main ways: (1) socialization by societal imposition, where an individual conforms to norms and customs imposed on members in order to belong, (2) socialization by state-law constraints, where an individual is willing to observe the law in order to be accepted and not punished, and (3) socialization by human interaction, where an individual perceives, respects, and participates in creating reciprocal expectations.

Tapp and Kohlberg [19] developed a moral levels classification to try to understand why people follow rules and why people should follow rules. From this classification, they developed three categories or levels. Level I was called the pre-conventional level, which consisted of people who followed rules to avoid negative consequences as well as those for whom the concept of authority was the motivating factor in their behavior. The pre-conventional level of law consciousness is therefore a reaction to the fear of punishment, and people who are classified as such seek the greatest pleasure and reward from their actions and to avoid pain and suffering to the greatest extent possible.

Tapp and Kohlberg described Level II as the conventional level, consisting of people who followed rules out of a sense of social conformity as well as those who followed rules out of a sense of duty, such as to be fair to others who obeyed the law. The conventional level of law consciousness therefore involves conformance behavior to meet the expectations of a group under normative pressures such as those of peer groups, and the basis for this conformity is loyalty, affection, and trust.

The third level was labeled the post-conventional level, and this level included a category named rational-beneficial-utilitarian to reflect those who followed the rules based on logical and utilitarian considerations. That is, they followed rules as a result of weighing the consequences of their behavior rather than out of fixed obligations to obey. This level also consisted of those who followed rules out of self-defined principles independent of society. Consequently, the post-conventional law consciousness level reflects the acceptance of principles according to why things are considered “right” or “wrong.” Viewed from this perspective, ethical principles are voluntary, are internalized rather than externally imposed, and stem from one’s own ethical ideals, even if they question laws and values that society and others have adopted.

In Focus

People develop a legal and ethical consciousness independent of the rules and laws imposed by an organization or society.

2.3 Law and Enforceable Security Policies

Up to this point, we have been covering legal and ethical systems that are implemented and enacted by people typically in relation to laws, regulations, and policies. However, we should take a moment to note that security policies can also be written or codified as rules in computer software. We will consider computer-based security policies later, but in this last section of the chapter, we discuss some key considerations for creating enforceable written policies. In short, written policies address various threats with generalized rules and sanctions for violating them. A threat is defined as the anticipation of a psychological (e.g., assault), physical (e.g., battery), or sociological (e.g., theft) violation or harm to oneself or others [6].

When it comes to written policies, managers need to strike a balance between specifying too much and too little. Too much specificity creates several problems: (1) employees may not read the policies, (2) contradictions can creep into them that lead to legal problems and generate a need for legal interpretation, (3) narrowly defined tasks may lead employees to refuse tasks that are not defined or are too narrowly defined, and (4) specificity may actually work against employers during adjudication, because a policy might be interpreted too narrowly to accomplish the objective it was designed to address [1].

Provided that a company and its workers comply with applicable law, statutes, and regulations, most organizations need only a limited number of policies to cover the important acceptable behaviors that are not otherwise common sense, commonly reasonable, or already governed by law, statute, or regulation. The number of policies management creates should therefore be guided by whether there is a compelling need, or a regulation or statute that requires a policy, and a good policy statement is general and brief while being as unambiguous as possible [20].

2.3.1 Enforceable Security Policies

For legal purposes, security policies must be both enforced and enforceable. Enforcement includes the idea that managers cannot “look the other way” or “play favorites” when a policy has been violated. Enforceability is partly a contractual matter and must meet criteria that constitute a legal agreement, and for that reason, the corporate legal and human resources departments must be involved in the drafting of security policy documents [2]. Managers should not draft security policies without having legal advice because, as with policies in general, security policies carry certain legal constraints, duties, and obligations. Some of the legal constraints fall under employment law, or corporate law, or they may be legislated or are regulatory in nature, such as those established by HIPAA for the healthcare industry. There may also be international laws to contend with.

In Focus

Practically speaking, security policy statements should be limited to those situations where uniform administration is necessary to avoid lawsuits [20].

Additionally, security policies may be designed to address a broad group of people at a relatively general level, or they may need to be targeted at a particular group or role in an organization. In either case, from a legal standpoint, it is crucial that managers avoid writing policies that prescribe steps or procedures or state specifically "how to" perform tasks [1]. As indicated before, such policies create problems when employees need to deviate from the specified procedure to accomplish a goal or to handle an emergency, and that deviation may invite a legal challenge. It is better to place procedures in a separate set of documents, with the qualification that procedures, where applicable, may need to be altered or revised [20].

Even with taking these precautions, sometimes grievances arise from the enforcement of security policies. In such cases, it is important for organizations to have systems in place to ensure organizational procedural justice. Procedural justice means that employees and employers deem the decision-making processes fair. There are a number of situations that lead people to perceive justice in a process. First, people want to be able to have a say or voice in any decision that might affect them. Furthermore, people want to know that managers and those with power in an organization are suspending their personal biases in their decisions and are striving to utilize objective data where possible. Finally, procedural justice is perceived when people are presented with a mechanism for correcting perceived errors or poor decisions, such as having an appeal process [6].

2.3.2 People and Policies—The Weakest Link

With the growing threats to information systems security, organizations have been looking beyond the purely technological approaches to include more behavioral controls. One example is that organizations are negatively affected by employee failures to implement discretionary security policies. An area of particular concern to managers involves policies governing information systems security behaviors that are well defined but are not obeyed. For this reason, the security literature often refers to people as the “weakest link.”

To mitigate this, the literature offers a number of recommendations, such as (1) improving the quality of security policies, (2) improving the specification of security procedures, (3) improving situational factors, such as reducing workload so that security professionals have time to implement the recommended procedures, (4) creating better alignment between an organization's security goals and its practices, and (5) obtaining better security implementations from software developers during the software development cycle [3].

A common recommendation [2] for improving information and systems security is to increase the use of mandatory controls. Mandatory controls are automatic security mechanisms that system or network administrators set up, such as requiring users to change their passwords at fixed intervals and generating "strong" passwords that are not found in a dictionary. As we shall see later, however, not all controls can be made mandatory; many functions must rely on discretionary controls, where the user is responsible for applying a security mechanism. For example, a person may be able to set and change the read, write, and execute permissions on the files he or she creates, change the ownership of a file from one user to another, or copy a file from one place to another. We return to these issues in subsequent chapters and offer suggestions on how to address them.
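The following Python is an added example, not code from the chapter or its authors, that makes the distinction above concrete: a mandatory control is configured once by an administrator and applied by the system to everyone (here a password policy with a dictionary check and forced rotation), while a discretionary control is left to the user (here the UNIX-style permission bits an owner sets on a file, which the system only evaluates). The word list, the 12-character minimum, the 90-day rotation interval, and the uids and gids are constructed for illustration and are not values the chapter prescribes.

```python
"""Added example (not from the chapter): a mandatory control next to a
discretionary one.

Mandatory: a password policy the administrator configures and the system
enforces for every account. Discretionary: UNIX permission bits chosen by the
file's owner; the system merely evaluates whatever the owner chose.

The word list, policy values and uids/gids are constructed for illustration.
"""
import stat
from datetime import date, timedelta

# Constructed word list; a deployment would load a full dictionary file.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}
MIN_LENGTH = 12                         # assumed policy value
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed rotation interval


def password_violations(candidate):
    """Mandatory control: return the policy rules a proposed password breaks.

    An empty list means the password is acceptable. The dictionary test is a
    substring match on the lower-cased password, so "Summer2024!" is caught
    even though it is not literally the word "summer".
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    lowered = candidate.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("dictionary word")
    return problems


def rotation_required(last_changed_iso, today_iso):
    """Mandatory control: True once a password has reached its maximum age.

    Both dates are ISO strings (YYYY-MM-DD), as a directory service might
    store them; `today` is passed in so the check is deterministic.
    """
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed >= MAX_PASSWORD_AGE


def dac_permissions(mode, owner_uid, owner_gid, uid, gids):
    """Discretionary control: evaluate UNIX permission bits for one subject.

    `mode` holds the bits the owner chose (e.g. 0o640). Exactly one class
    applies, checked in order: owner, then group, then other. Returns the
    (read, write, execute) triple that applies to user `uid` whose group
    memberships are `gids`. Superuser override is deliberately left out.
    """
    if uid == owner_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    elif owner_gid in gids:
        bits = (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return tuple(bool(mode & b) for b in bits)


if __name__ == "__main__":
    print(password_violations("Summer2024!"))          # too short, dictionary word
    print(rotation_required("2024-01-01", "2024-04-01"))
    # Owner 1000, group 100, mode rw-r-----: the owner reads and writes, a
    # group member only reads, everyone else gets nothing.
    for uid, gids in ((1000, {100}), (1001, {100}), (1002, {200})):
        print(uid, dac_permissions(0o640, 1000, 100, uid, gids))
    # The owner class wins even when it grants less than the group class, so
    # an owner who sets ----rwx--- has locked themselves out of their own file.
    print(dac_permissions(0o070, 1000, 100, 1000, {100}))
```

The point of the last call is the one the chapter makes about discretionary controls: the system faithfully applies whatever bits the owner chose, including a choice that harms the owner, and nothing stops the owner from making it. Changing a file's ownership (the chown case in the text) simply changes which `owner_uid` the same function sees, and with it which class of bits applies to each user.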

In Focus

Security controls can be automated and mandatory, or they can be discretionary. A good security policy will articulate which should be used.

CHAPTER SUMMARY

In this chapter, we presented an overview of the legal and regulatory structures of an organization and how these structures relate to ethics and security policies. Along with these, concepts such as agency and authority are critical elements in managing organizations securely. Terms such as “downstream liability,” where companies have been held liable for unwittingly having their resources used for illegal purposes, have been joined by the concept of “upstream liability,” where organizational consultants might be held liable for giving advice that leads to corporate liabilities.

The Sarbanes–Oxley Act of 2002 regulates managerial roles. This vast piece of legislation establishes rules, regulations, and reporting requirements for organizational governance and has significant implications for management. For example, part of the act requires CEOs and CFOs to personally certify in writing the accuracy of their company's financial reports. We have also seen that in many, if not most, organizations, corporate officers hold fiduciary positions, which are special positions of trust that carry legal responsibilities of due care and due diligence; these officers are accountable to a board of directors and, if the organization is a public company, also to its shareholders.

We will use this background in subsequent chapters to explain roles and responsibilities of organizational actors and to outline how managers should govern organizational information and system security for the benefit of stockholders and stakeholders. In the chapters that follow in the first section, we will discuss security standards and regulations, we will delve into more detail about security law and the implications for security policies and managers, and we will explore administrative security procedures. We will then move on to a more technical discussion of information and systems security.

THINK ABOUT IT

Topic Questions

2.1: What does procedural justice refer to?

2.2: What are the two major contrasting views about how legal attitudes are developed?

2.3: What are two primary constraints on management and organizational governance?

2.4: A requirement that goes beyond just careful handling but also to carrying out with vigor the protection of information is:

___ Due process

___ Due diligence

___ Due care

___ Obligatory duties

2.5: HIPAA is an acronym for regulations related to health care.

___ True

___ False

2.6: SOX refers to

___ Government legislation that requires public companies to shield themselves from private scrutiny

___ The Public Company Accounting Reform and Investor Protection Act of 2002

___ A congressional act that requires public U.S. corporations to file a 10-K report

___ What government agency is in charge of investigation

2.7: Corporations are subject to the laws of state in which they are incorporated.

___ True

___ False

2.8: If organizational security policies are going to be effective, they must be:

___ Determined by the management team

___ Approved by the HR department

___ Enforceable and enforced

___ Drawn up by an attorney

2.9: Corporations are:

___ Formed by a management team

___ Created by an attorney

___ State entities and governed by the state

___ Required to submit always and only to the Uniform Commercial Code (UCC)

2.10: Deontology is:

___ Formed by its very existence (i.e., ontological as existence)

___ Law decided by judges such as through case law

___ Created by an attorney

___ The duty or obligation to perform or refrain from performing some action

Questions for Further Study

Q2.1: Should security policies specify every permissible and prohibited behavior? Why or why not?

Q2.2: What can happen if an agent breaches his/her fiduciary responsibilities?

Q2.3: Explain the key features of a “good” security policy.

Q2.4: Managers are not typically attorneys, so when laws and/or regulations are involved in managerial questions, what should managers do?

Q2.5: If a manager is questioned about his or her legal liabilities regarding a lawsuit brought about by a former employee over an issue of termination for a security breach, what should that manager do first, second, and next?

KEY CONCEPTS AND TERMS

Accountability might be thought of as in the cliché "the buck stops here."

Agency is a consensual relationship between a principal and an authorized actor (agent) formed by contract or agreement.

Discretionary controls are when the user is responsible for implementing security mechanisms.

Fiduciary responsibility is when one holds special duties. More specifically, a fiduciary is an actor in a position of trust and confidence such that he or she owes his or her principals the duty of obedience, diligence, and loyalty. This includes the duty to inform relevant parties and provide an accounting of financial and other material transactions to all the principals.

Mandatory controls are automatic security mechanisms that systems or network administrators set up.

Policy-based routing is a technique to ensure that quality of service (QoS)-aware networks can distinguish high-priority network traffic based on the type of application and data that it carries.

Power is the ability to influence someone to do something.

Responsibility involves a duty to perform some action.

References

1.  Knudsen, K. H. (2010). Cyber law. In H. Bidgoli (Ed.), The handbook of technology management (pp. 704–716). New York, NY: John Wiley & Sons.

2.  Grama, J. L. (2011). Legal issues in information security. Sudbury, MA: Jones & Bartlett Learning.

3.  Workman, M., Phelps, D., & Workman, J. (2008). The management of Infosec. Boston, MA: eAselworx Press.

4.  Spinello, R. A. (2011). Cyberethics: Morality and law in cyberspace. Sudbury, MA: Jones & Bartlett Learning.

5.  Workman, M., Bommer, W., & Straub, D. (2008). Security lapses and the omission of information security measures: An empirical test of the threat control model. Journal of Computers in Human Behavior, 24, 2799–2816.

6.  Workman, M., Bommer, W., & Straub, D. (2009). The amplification effects of procedural justice with a threat control model of information systems security. Journal of Behaviour and Information Technology, 28, 563–575.

7.  Mingers, J. (2011). Ethics and OR: Operationalising discourse ethics. European Journal of Operational Research, 210(1), 114–124.

8.  Mingers, J., & Walsham, G. (2010). Toward ethical information systems: The contribution of discourse ethics. MIS Quarterly, 34(4), 833–844.

9.  Valentine, S., & Fleischman, G. (2008). Professional ethical standards, corporate social responsibility, and the perceived role of ethics and social responsibility. Journal of Business Ethics, 82(4), 657–666.

10.  Brenner, S. W. (2010). Cybercrime and the U. S. criminal justice system. In H. Bidgoli (Ed.), The handbook of technology management (pp. 693–703). Hoboken, NJ: John Wiley & Sons.

11.  Baldwin, T. T., Bommer, W. H., & Rubin, R. S. (2008). Developing management skills: What great managers know and do. Boston, MA: McGraw-Hill/Irwin.

12.  Purser, S. (2004). A practical guide to managing information security. Boston, MA: Artech House.

13.  Brookings Institution (2006). Computer ethics institute: The 10 commandments of ethics. Retrieved January 13, 2010, from http://www.brook.edu/its/cei/cei_hp.htm

14.  Straub, D. W., Carlson, P., & Jones, E. (1993). Deterring cheating by student programmers: A field experiment in computer security. Journal of Management Systems, 5, 33–48.

15.  Bobek, D. D., & Hatfield, R. C. (2003). An investigation of the theory of planned behavior and the role of moral obligation in tax compliance. Behavioral Research in Accounting, 15, 13–39.

16.  Workman, M., & Gathegi, J. (2007). Punishment and ethics deterrents: A comparative study of insider security contravention. Journal of American Society for Information Science and Technology, 58, 318–342.

17.  Petrazhitskii, L. J. (1955). Law and morality. Cambridge, MA: Harvard University Press.

18.  Fuller, L. L. (1977). Some presuppositions shaping the concept of socialization. In J. L. Tapp & F. J. Levine (Eds.), Law, justice, and the individual in society: Psychological and legal issues (pp. 89–105). New York, NY: Holt, Rinehart & Winston.

19.  Tapp, J. L., & Kohlberg, L. (1977). Developing senses of law and legal justice. In J. L. Tapp & F. J. Levine (Eds.), Law, justice, and the individual in society: Psychological and legal issues (pp. 96–97). New York, NY: Holt, Rinehart & Winston.

20.  Sovereign, K. L. (1994). Personnel law. Englewood Cliffs, NJ: Prentice-Hall.
