International Journal of Network Security, Vol.16, No.3, PP.161-167, May 2014

Critical Factors of Educational Institutions Adoption for BS 10012: Personal Information Management System

Cheng-Yi Liu (1), Shan-Shan Yang (2), and Iuon-Chang Lin (2,3)
(Corresponding author: Iuon-Chang Lin)
(1) Department of Information Management, TransWorld University, Yunlin, Taiwan
(2) Department of Management Information Systems, National Chung Hsing University
(3) Department of Photonics and Communication Engineering, Asia University
Taichung, Taiwan
(Email: [email protected])
(Invited Paper)

Abstract

The Personal Information Protection Act was passed in Taiwan in May 2010 and the relevant policy has been implemented since October 2012. Most domestic educational institutions have concentrated on constructing a personal information management system and reducing the risk of personal information leakage. In this study, diffusion of innovation theory and the TOE framework are used to evaluate the critical factors that influence the adoption of BS 10012 certification. The key factors, which include characteristics of the environment, the educational institution, the personal information management system and so on, are used to determine whether an educational institution has adopted BS 10012 certification or not. A questionnaire survey was applied to staff working in educational institutions, and the analysis result indicates that the reputation of the school, the support of senior staff, and the comparative advantage have more influence on the adoption of BS 10012 certification.

Keywords: BS 10012 certification, diffusion of innovation theory, personal information management system (PIMS), Personal Information Protection Act, TOE framework

1 Introduction

According to the DataLossDB website (http://datalossdb.org/), which aggregates the major data leaks in the world, data leakage incidents have been increasing year by year, and 15% of them happened inside educational institutions [1]. The Trend Micro threat report for the first half of 2010 also pointed out that 50% of malware attacks targeted educational institutions [2]. However, because of the diversity of the environment, a campus cannot restrict all users of the Internet, which causes weak awareness of information security leakage [3]. Therefore, educational institutions should construct protection of personal information, reduce the risk of data leakage, protect the rights of staff, and achieve the purpose of sustainable management. The Computer Processing of the Personal Data Protection Act was implemented in Taiwan in 1995, but it had many disadvantages and its protection scope was very narrow, so its effectiveness was not as expected. As such, the new Personal Information Protection Act (PIPA) was passed in 2010; it removes that restriction and includes the reverse burden of proof, so that the public can supervise government and enterprises in following PIPA [4]. BS 10012 certification was released by the British Standards Institution (BSI) in 2009 and provides the standard for a personal information management system (PIMS). This certification follows the Plan-Do-Check-Act (PDCA) mechanism to provide protection of personal information [5, 6].

In recent years in Taiwan, many organizations have considered adopting BS 10012 certification, which could help them comply with PIPA. However, introducing a certification is not a simple thing, because it requires a whole scope of evaluation and consideration. Thus, this study tries to find out the critical factors that an educational institution considers before adopting BS 10012 certification, and expects that the results could provide some advice for follow-up studies and give decision makers guidance.

2 Literature Review

2.1 Personal Information Protection Act (PIPA)

The Personal Information Protection Act was passed in Taiwan in May 2010 and is composed of 6 chapters and 56 clauses. It ameliorates all the disadvantages of the old PIPA, and the improvements are summarized as follows:

1) Expand the protection scope: PIPA gets rid of the “computer-processing” restriction, and any type of data must comply with PIPA if it is identified as personal information;
2) Protect all subjects: in the old PIPA the protected subjects were only the government and special industries, while the new PIPA has no restriction on the protected subject. In other words, any subject in Taiwan, whether an individual or a group, can be protected by PIPA;
3) Strengthen the code of conduct: PIPA defines special personal information and specifies the restrictions on it. If data leakage happens, the organization must spontaneously notify the parties at the first opportunity. The organization must also obtain the written consent of the parties if the personal information is used for an additional purpose. Whether personal information is obtained directly or indirectly, the organization has the obligation to notify the parties before use;
4) Promote public participation: PIPA formulates a “class action” mechanism so that victims can entrust a foundation or corporation, by written authorization, to perform litigation on their behalf;
5) Improve liability provisions: The compensation and penalties for data leakage are increased compared with the old PIPA. In addition, PIPA includes the reverse burden of proof, which specifies that the proof that a data leakage was unintended must be provided by the organization;
6) Upgrade administrative supervision: The central or municipal government owns administrative competences, such as inspection, sanction, penalties and so on, to supervise different kinds of industries in drafting relevant plans and specifications [7].

2.2 BS 10012 Certification

BSI released the BS 10012 certification in May 2009. Its full name is “Data protection - Specification for a personal information management system”, and it provides a specific PIMS to assist organizations in constructing a complete protection mechanism. As it was developed by experts in various fields, it can be suitable for any institution, and therefore it is well known and popular all over the world [8]. BS 10012 has 7 chapters. Chapters 0 to 2 are the standard description, definitions of terms, and scope, while chapters 3 to 6 describe the PIMS following the PDCA mechanism, explained as follows:

1) Plan: How to plan the PIMS, formulate the policy, and allocate authority in detail;
2) Do: This is the critical part of BS 10012 certification, which states how to implement and operate the PIMS, such as responsibility assignment, risk assessment, asset measurement and so on;
3) Check: How to control and review the PIMS, audit the implementation and its effectiveness, and have supervisors monitor the process;
4) Act: How to improve the PIMS in order to prevent data leakage incidents, and keep the PIMS up to date [5].

2.3 Diffusion of Innovation Theory

Rogers proposed the diffusion of innovation theory in 1962, which defined innovation as “an individual or unit adopts a new concept, object or technology” [9]. This theory is used to explain and predict the decision or adoption of innovative things in an organization or community [10]. Rogers proposed that an innovation includes 5 intrinsic factors which influence the decision to adopt. These factors are:

1) Relative advantage: Whether the innovation has an advantage in comparison with the previous generation;
2) Complexity: Whether the innovation can be easily assimilated or not;
3) Compatibility: Whether the innovation can match with the previous generation or not;
4) Trialability: Whether the innovation can be easily experimented with or not;
5) Observability: Whether the innovation can be easily observed, discussed, and represented or not [11,12].

2.4 Technology-Organization-Environment Framework

Tornatzky and Fleischer proposed the TOE framework in 1990 and defined 3 characteristics of innovation adoption [13,14]. The characteristics are:

1) Technology: The level of technology owned by the organization, such as the ability of the IT department, the stability of the information system, the fluency of operation and so on [15];
2) Organization: The intrinsic characteristics of the organization, such as its size, the extent of professionalization, the quantity of available resources and so on [16];
3) Environment: The overall surroundings of the organization, including parties such as competitors, suppliers, government, and so on [17].

3 Research Methodology

3.1 Research Model

According to the literature review, the proposed model refers to the TOE framework and the innovation characteristics of the diffusion of innovation theory. It summarizes 6 critical factors in 3 characteristics which could influence an educational institution's adoption of BS 10012 certification. The proposed model is shown in Figure 1.

Figure 1: Research model

3.2 Research hypotheses

H4. Information security awareness could promote more willingness of BS 10012 certification adoption for educational institutions.

3.2.3 PIMS Characteristic

Rogers pointed out that the relative advantage of an innovation could facilitate its adoption [30,31]. BSI points out that BS 10012 certification could contribute 6 advantages: the confirmation of risk control, the accomplishment of PIPA clauses, the promotion of competitive advantage, the implementation of the PIMS, the commitment of top management, and the