

In document La Cultura material (pages 67-71)

The literature reveals that some types of security controls are implemented by the majority of companies, while the use of other controls is still in its infancy.

In the UK, Mitchell et al. (1999) conducted a study to investigate the attitudes of UK companies to information security. The results revealed that although the majority of companies did not have a formal information security policy, they all used safeguards to protect their electronic information. The most common security measures used include physical and technical access controls to information; however, the reliance on technical security measures was higher than on physical measures. The results also revealed that the majority of companies used remote backup and storage of electronic information, followed by computer access controls; however, only 45 percent were protecting IS from fire. The least popular method was the marking of equipment and movable data storage. In addition, the most commonly used technical measures were anti-virus controls, followed by application and network access controls; however, only 33 percent used firewalls, followed by user identification (ID) and encryption techniques to secure their corporate information. In addition, only one company used other safeguards such as software licence monitoring, software audit alert tools and smart cards.

In addition, the DTI Information Security Breaches Survey (DTI 2006) revealed that the majority of UK businesses are restricting access to most major computing facilities. Ninety-seven percent of companies are using locks, 49 percent are monitoring this access through logs or cameras; however, environmental controls are present in just under a half of these facilities. The results also revealed that almost every company irrespective of size installs anti-virus software on its computers. An increasing number of companies are implementing intrusion detection or prevention software. UK businesses still overwhelmingly depend on user IDs and passwords to check the identity of users attempting to access their systems. Strong authentication is becoming more common in large companies, with hardware tokens and biometrics seeming to give greater security benefits than software tokens. Firewalls remain the main defence for websites. However, over half of all UK businesses are taking no steps to protect themselves against the emerging technologies that pose a potential security threat such as MP3 players, USB sticks, digital cameras and portable hard discs. The survey concluded that security awareness in the UK business community has never been better; however, the gap between the companies addressing information security and those that are not is widening.

More recently, the BERR Information Security Breaches Survey (BERR 2008) indicated that almost every UK business makes backups and the majority take these backups off-site. However, two thirds of companies continue to rely solely on physical security controls to protect their computer equipment - PCs and laptops - and the data they contained and they do not take enough steps in encrypting their sensitive data. Again, two thirds of companies seem to be either unaware of the risks of emerging technologies or unwilling to spend money on protecting themselves from these risks. In addition, the majority of businesses use anti-spyware scanning software as well as anti-virus software. UK businesses are now restricting staff access to the internet through establishing an acceptable usage policy, blocking inappropriate sites, monitoring usage, filtering incoming e-mail, encrypting e-mails exchanged with business partners, and scanning outgoing e-mails as well. In addition, the growth in remote access is one of the drivers for using strong (multi-factor) authentication controls like tokens, smart cards, or biometrics. Moreover, the survey revealed that the number of companies using a wireless network is increasing, which drives UK companies, particularly financial services companies, to implement WPA (Wi-Fi protected access) or stronger encryption over their wireless transmissions.

Henry (1997) conducted a survey of 261 companies in Hampton Roads, Virginia, USA to determine the nature of their accounting systems and security methods in use. The results revealed that the majority of companies backed up their accounting systems, secured their systems with passwords but only 42.7 percent utilised protection from viruses. Physical security and authorisation for changes to the system were employed by less than 40 percent of companies. In addition, only 15 companies used encryption for their accounting data, and almost 45 percent of the sample conducted some sort of audit of their accounting data.

In a study to identify and rank current information security threats, Whitman (2004) investigated companies’ spending priorities to protect against these threats. The results revealed that the most common protection mechanism employed by all companies is the user name/password access control, followed by media backup and virus protection software, audit procedures and firewalls.

In another study, Gupta and Hammond (2005) mailed a questionnaire to 1000 small business owners in Lynchburg, Virginia, USA, investigating the protection technologies used by their companies. The results revealed that the majority of companies use technologies such as power surge protectors, data backup systems, system access controls, anti-virus software, and firewalls. In addition, Keller et al. (2005) focused on how small businesses are managing information security. The results revealed that all companies use anti-virus software and firewalls; however, less than two thirds of companies utilise passwords. Although it seems that security controls used by small companies are similar to those of large companies, it is clear that small companies use limited types of controls compared to large companies, and this could be because of the limited resources devoted to security.

In another study, Cerullo and Cerullo (2005) provided guidance to accountants and IT professionals on identifying significant risks and implementing security measures to manage these risks. They were given a list of security measures to protect against threats. They include security measures to protect against human threats e.g. antivirus software, authentication/authorisation servers, biometrics, electronic scanning devices, firewalls, intrusion detection and penetration devices and passwords, and security measures to protect against human non-malicious threats such as a corporate code of conduct and environmental controls. In addition, they include security measures to protect against accidents e.g. card activated locks, environmental controls, internal and external file labels, motion-detection devices and preventive maintenance; and security measures to protect against natural disasters and other unexpected disruptions such as environmental controls. Accountants and IT professionals therefore can select the most suitable security measures based on their experience and on cost-effectiveness.

On the other hand, the respondents to the Computer Crime and Security Survey (Gordon et al. 2006) were asked to identify the types of security technology used by their organisations. The results revealed that the majority of respondents used firewalls, followed by anti-virus software, anti-spyware, server-based access control lists and intrusion detection systems. On the other hand, only 20 percent of respondents reported the use of biometrics with a one third increase compared to the 2005 survey (Gordon et al. 2005). This result confirmed that the use of biometrics in business and accounting was still in its infancy and many issues about its role in IS security were unresolved (Amoruso et al. 2005; Chandra and Calderson 2003; Down and Sands 2004). More recently, the results of the Computer Crime and Security Survey (Richardson 2008) revealed that nearly all respondents reported the use of anti-virus software and firewalls, followed by virtual private networks (VPN) and anti-spyware software. However, only 23 percent of organisations were still using biometrics, only a three percent increase compared to the 2006 survey. Joyce (2008) argued that although the biometric technique was still not widely used, this technology could be found in large organisations where the security need is high such as financial services and government agencies.

From the above, it seems that some security controls are well known and are used by the majority of USA organisations. These include passwords, anti-virus and anti-spyware software, firewalls, and data backups followed by intrusion prevention and detection systems and encryption. However, other controls are not common, for instance biometrics.

In a parallel study, Abu-Musa (2004b) investigated the opinions of the heads of internal audit departments and computer departments in the entire population of the Egyptian Banking Industry (EBI) regarding the computerised AIS security controls implemented within their banks. A checklist was developed which included security controls under ten main security control groups. The results revealed that the heads of computer departments paid relatively more attention to the technical problems of AIS security controls e.g. software and electronic access security controls, data and data entry security controls, bypassing security controls, and user programming security controls. However, the heads of internal audit departments emphasised behavioural and organisational security controls such as segregation of duties and output security controls. The results revealed that some controls are more common in the Egyptian business environment as well e.g. virus protection software, data encryption, and backups of software and data, whereas other controls such as biometrics have rarely been used in this country.

In a more recent study, Abu-Musa (2007b) examined the existence and adequacy of the CAIS security controls implemented in Saudi organisations to prevent, detect and correct security breaches. The results highlighted a number of inadequately implemented controls and some recommendations were made to the Saudi organisations. For example, they were recommended to restrict access to sensitive data to authorised employees only. Mandatory vacations and rotation of duties should be considered. Computers should be installed in locked areas, sensitive data should be encrypted to reduce the chance of unauthorised exposure, and adequate output security controls should be put in place.

From the above, it can be concluded that some security controls are used by nearly all companies irrespective of type, size and location, whereas other controls such as biometrics are still uncommon despite their importance in improving the effectiveness of internal controls. Moreover, despite the large number and variety of security controls or countermeasures available today, emerging technologies continue to proliferate within the business environment and therefore companies should be adequately prepared to address associated security challenges and risks.
