
Journal of Librarianship and Information Science
http://lis.sagepub.com/

Assessing the status of library information systems security

Roesnita Ismail and Awang Ngah Zainab
Journal of Librarianship and Information Science 2013 45: 232, originally published online 11 March 2013
DOI: 10.1177/0961000613477676
The online version of this article can be found at:
http://lis.sagepub.com/content/45/3/232

Published by:
http://www.sagepublications.com


Version of Record - Aug 23, 2013
OnlineFirst Version of Record - May 15, 2013
OnlineFirst Version of Record - Mar 11, 2013

Downloaded from lis.sagepub.com at SEIR on October 28, 2014


Article

Assessing the status of library information systems security

Journal of Librarianship and Information Science 45(3) 232–247
© The Author(s) 2013
Reprints and permissions: sagepub.co.uk/journalsPermissions.nav
DOI: 10.1177/0961000613477676
lis.sagepub.com

Roesnita Ismail, Universiti Sains Islam Malaysia (USIM), Malaysia
Awang Ngah Zainab, University of Malaya, Malaysia

Abstract
This study proposes an instrument to assess the current information system security status in libraries. The instrument is based on a model named LISSAM (library information systems security assessment model), which comprises five components: technological security foundation, information security policy, procedures and control, administrative tools and methods, and awareness creation. The instrument was pilot-tested with 50 respondents responsible for information systems or information technology in their libraries. All components received Cronbach's alpha scores above 0.60 and were found to be reliable and acceptable. Findings revealed that over 95% of libraries have a high level of technological implementation, but 54% scored poorly on organizational measures, especially because of a lack of security policies, procedures, and user training. High scores on technological implementation were found to be correlated with sufficient financial support and early information and computer technology adoption.

Keywords
Countermeasures, information systems, information systems security, libraries, Malaysia, organizational measures, security practices,
technological measures

Introduction
A sound information system security (ISS) practice encompasses the technical and non-technical safeguards that minimize the vulnerabilities associated with a variety of threats. In libraries, information systems (IS) are widely used to deliver services and collections to local and remote patrons. Moreover, connecting a library to the outside world via the Internet has changed the risks associated with, and the controls used to secure, the services the IS support (Gupta and Sharman, 2008; Guttman and Roback, 1995; Scarfone et al., 2008; Westby and Allen, 2007).

However, little is known about actual ISS practices within library settings; very few research-based papers could be located. Thus, it is difficult to ascertain whether the library sector is lacking or adequate in ISS management. Newby (2002) highlighted that ISS is often under-appreciated in libraries, which is surprising since information is a library's core business; he stressed that information systems are like buildings, which require consistent maintenance in order to avoid the inevitable decay caused by interaction with the environment. This study attempts to propose an instrument to assess current ISS status in libraries and to test it for reliability and acceptability. The context is public and special libraries in Malaysia.

Selected related studies


The search strategies and information resources used to find relevant information related to this study are summarized in Appendix 1. Most of the literature found related to ISS practice in organizations other than libraries. While early studies assessing ISS in organizations focused on economic and technological aspects, recent studies place emphasis on organizational and people issues (Cross and Bawden, 1987; Farahmand et al., 2006; More, 1990). Dhillon and Backhouse (2001), analysing trends in information systems and security research, stressed socio-organizational perspectives and were critical of the over-emphasis on technical solutions. Very few studies of ISS in libraries could be located and none was from Malaysia. In the library context, information security has been studied in relation to digital libraries. Adam et al. (2002) proposed a content-based authorization model, where users can access the multi-format content of a digital library through flexible specification of authorizations based on users' qualifications and characteristics. Samarati et al. (1996) presented an authorization model for access at various levels in a distributed hypertext system.

The few Malaysian-related studies covered mainly ISS in health care, IT organizations, and government sectors. Al-Salihy et al. (2002) assessed the effectiveness of ISS in a typical Malaysian IT organization. Their findings revealed that systems environment and security, software control, and organizational maturity are key factors contributing to ISS effectiveness, while the effects of a code of ethics and top management support were insignificant. Suhazimah (2007) explored ISS management in Malaysian public services (MPS) and found that awareness about information security existed in many MPS organizations, and that the respondents believed information security management practices were documented and had been communicated within their organizations. Samy et al. (2009) studied the potential threats that exist in Malaysian health care information systems. Their study revealed that power failure was the most critical threat, followed by acts of human error, technological obsolescence, hardware problems, software failures, network infrastructure failures, and malware attacks. This research holds significant value in providing a complete taxonomy of threat categories in health care information systems and identifying the overall risks in the health care domain. Realizing the lack of research in library settings, the researchers are motivated to explore and assess current ISS practices in Malaysian libraries.

Corresponding author:
Roesnita Ismail, Faculty of Science & Technology, Universiti Sains Islam Malaysia (USIM), Bandar Baru Nilai, 78000 Nilai, Negeri Sembilan, Malaysia.
Email: roesnita@usim.edu.my

Objectives
This exploratory study aims to formulate an instrument to assess the current ISS status in Malaysian libraries and to pilot-test it for reliability. The instrument specifically assesses the extent of IS safeguarding measures in a library in terms of technological and organizational measures (security policy, procedures and controls, tools and methods, and awareness creation activities). The geographic context of this pilot study is selected Malaysian public and special libraries.

Methodology
This exploratory study involves two phases. The first phase involves formulating an ISS assessment model whose components form the basis for the development of a survey questionnaire to assess the implementation status of ISS in Malaysian academic libraries. The second phase involves piloting the survey questionnaire to determine its reliability, validity, and acceptability as an assessment instrument. The study uses a convenience sampling method to pilot the questionnaire in selected public and special libraries that meet the minimum selection criteria, that is, each library must have an automated library system, provide Internet access, and also provide online services. The respondent sample consisted of 110 individuals responsible for the IS or information technology (IT) in the selected libraries. Each questionnaire booklet came with an introductory letter which explained the research objectives, instructions, and definitions of key terminology, together with a self-addressed stamped envelope. Follow-up telephone calls and email reminders were made to increase the response rate. The findings were analysed from 50 usable returned questionnaires. Respondents came from 10 (20%) public libraries and 40 (80%) special libraries.

The library information systems security assessment model

In this section, we present the library ISS assessment model (LISSAM) and the results of reliability testing. We adopt and adapt Hagen et al.'s (2008) model to derive an ISS assessment instrument in the library context. The model illustrates that an effective ISS should be built like a staircase comprising two main combined components, which are mutually dependent. These are the technological and organizational measures (Berghel, 2005; Sundt, 2006; Von Solms, 2000). The technological infrastructure (stage 1) forms the critical foundation stage that must be in place first and foremost. In this study, the technological security measures refer to the workstations, servers, hardware, software, data, network and its physical facilities, and the environment in libraries (Siponen and Oinas-Kukkonen, 2007). The hardware equipment comprises the telephone lines, input/output ports, modems, network cabling, scanners, printers, and storage media, and this equipment needs to be secured from threats including theft, power failures, equipment incompatibilities and careless damage (INTOSAI, 1995; Yeh and Chang, 2007). The scope of software security encompasses protection from breaches and the assurance of confidentiality, availability, and integrity of the library software that supports library systems, OPACs, and online databases (Eisenberg and Lawthers, 2008; Newby, 2002; Siponen and Oinas-Kukkonen, 2007). Workstations need to be secured from viruses and worms, indiscriminate users accessing pornographic sites, and hacking (Eisenberg and Lawthers, 2008; INTOSAI, 1995). The network needs to be protected from adware, spyware, and network intruders (Eisenberg and Lawthers, 2008; Yeh and Chang, 2007). Server security refers to protecting the systems and network that provide access to key library services such as online databases, catalogues, circulation systems, computer hardware, the operating system, application programmes, the web server, and the email server (Eisenberg and Lawthers, 2008). A sound data management system needs to be in place to protect data from accidental loss and from unauthorized modification and access (Powell and Gillet, 2007; Thiagarajan, 2002; Yeh and Chang, 2007). The term physical and environmental security refers to measures taken to protect the library systems, buildings, and related supporting infrastructure and resources (including air conditioning, power supply, water supply, and lighting) against physical damage associated with natural disasters and physical intrusion (INTOSAI, 1995; Yeh and Chang, 2007).
The organizational components comprise four stages: the existence of an information security policy (stage 2), the establishment of procedures and controls (stage 3), the formulation of adequate administrative tools and methods (stage 4), and awareness creation (stage 5). An information security policy is a written document which spells out the overall security strategy of the library (Doherty and Fulford, 2006; Hone and Eloff, 2002), and which includes rules and guidelines for access to and use of the information systems or the products and services supported by the IS (Weise and Martin, 2001; Williams, 2001). Procedures and controls are step-by-step instructions on how to implement and enforce policies in an organization (Conklin et al., 2005; Guel, 2007). In this context, the steps consist of documents guiding individuals and organizations through user instructions, security plans, non-disclosure agreements, and follow-up activities of the documented systems. Administrative tools and methods include asset classification, risk analysis, audits, and incident-reporting systems. The awareness creation stage is often the most critical yet neglected. This stage refers to the process of making people understand and be aware of the importance of security issues, to improve staff ability to identify and detect common security threats and to enable them to handle and report them effectively (Pipkin, 2000). The human factor is the biggest threat to IS and, ironically, is also the best way to prevent breaches.

Good ISS practice, therefore, should reflect acceptable implementation levels at all stages in order to protect the confidentiality (giving access to authorized users), integrity (protecting data and facilities against unauthorized changes and abuse), and availability (the system is always available and usable) of the data, facilities, and services supported by an ISS (Eisenberg and Lawthers, 2008). The proposed Library Information Systems Security Assessment Model is given in Figure 1.

Even though the ideal sequence is to satisfy the requirements at all stages, the reality remains that libraries, or any organizations for that matter, will be at various levels of implementation at each stage. To assess the status of ISS implementation, we use the Information Security Measure Benchmark (Information-Technology Promotion Agency, 2008) to create an instrument that can be used to assess the level of ISS implementation in a library. At each stage, the variables are measured on five implementation status scores (1 = Not Implemented to 5 = Fully Implemented) (Table 1).

The scoring instrument


Based on the ratings on all five components, a scoring instrument is used to determine the level of implementation of ISS in libraries. This tool is an adaptation of the Information Security Governance (ISG) Assessment Tool for Higher Education (EDUCAUSE/Internet2 Security Task, 2004). Table 2 illustrates the instrument used to evaluate the library's overall implementation status of technological measures. This involves summing all seven sections of the technological components (sections 1 + 2 + 3 + 4 + 5 + 6 + 7 = A); the summed score A is then entered into the corresponding box on this chart to determine the overall status of technological measures in a library. The details of the items for each of the seven sections are listed in Appendix 2.

The library's total score for organizational measures is calculated as the sum of all four sections of the organizational components (sections 1 + 2 + 3 + 4 = B), and the summed score B is entered into the corresponding box on this chart to determine the overall status of organizational measures in a library (Table 3).

Next, the overall assessment of the library's ISS practices is evaluated from the status of its technological measures and organizational measures, which indicates an implementation status of very poor, poor, average, good, or very good practices (Table 4). For instance, if the library scores high on implementation of technological measures and good on implementation of organizational measures, the library is considered to have very good practice of information systems security overall.

Results and discussion


Reliability of the assessment instrument
The Cronbach's alpha scores of all items under the technological measures (stage 1) are above 0.60, with an average score of 0.682, indicating the acceptability of the items in measuring technological implementation. Amongst the four organizational components, the information security policy received the highest Cronbach's alpha scores, which ranged from 0.849 (lowest) to 0.971 (highest), with a total item average score of 0.844. Items listed under procedures and control (stage 3) received Cronbach's alpha scores of between 0.70 and 0.90 and a total average of 0.671, indicating that the items are acceptable as measures. The items under administrative tools and methods (stage 4) received Cronbach's alpha scores of between 0.640 and 0.956 and a total average of 0.705, indicating that the items are acceptable. All items listed under awareness creation (stage 5) received Cronbach's alpha scores above 0.60 and were found to be reliable. Table 5 lists the Cronbach's alpha average scores of the five stages and Appendix 2 provides the score for each item listed.

Figure 1. Library Information Systems Security Assessment Model (LISSAM).

[Figure: staircase diagram. Security goals for library information systems: confidentiality, integrity, and availability. The implementation status axis runs from Very Low to Very High. The stages and their items are:]

Technological Security Foundation (technological measures): hardware security; software security; workstation security; network security; server security; data security; physical and environmental security.

Information Security Policy: acceptable use policy; asset protection policy; backup policy; data classification and retention policy; job responsibilities policy; policies on access control, authentication, and authorization practices; policies on sharing, storing, and transmitting library data; privacy and confidentiality policy; registration and authorization policy; reporting, notification, and response policy; secure disposal policies; wireless use policy.

Procedures and Control: controls and disciplinary procedures; intellectual property rights; non-disclosure agreement/confidentiality agreement; procedures for handling sensitive data; procedures for reviewing current information security policies; requirements for outsourced activities.

Administrative Tools and Methods: asset and personnel classification; incident handling/reporting procedures; internal and external audits; owner accountability procedures; risk analysis procedures.

Awareness Creation: awareness of information security responsibilities and issues; awareness programs/campaigns; key performance indicators; regular updates on critical security threats and vulnerabilities; regular updates on security policies and procedures; risk assessment approach; security training and education; top management support; user participation.

The policy, procedures, administrative tools and awareness stages together form the organizational measures.

Implementation of technological measures


For most items under the technological measures, both public and special libraries indicated high or very high levels of implementation in terms of ensuring security for servers, network, physical facilities, workstations, hardware and software (Table 6). The results indicate that libraries, like other organizations reported in the literature, choose to give technological measures a higher priority in answering their information security issues (Volonino and Robinson, 2004). The libraries, however, need to strengthen their data security measures to ensure the CIA (confidentiality, integrity and availability) of the data they handle.

The high implementation level of technological measures in special and public libraries in Malaysia was found to be significantly related to adequate financial support for ISS (χ² = 50.000, df = 2, p = 0.000) as well as to the number of years the libraries have adopted information and computer technology (ICT) (χ² = 8.333, df = 2, p = 0.016). Libraries which received a budget for ISS of between 1% and 3% of the total budget were more likely to have a higher implementation level for technological measures. However, the study did not find a significant relationship between the high presence of technological measures and the availability of a wireless connection, the number of PCs with Internet connection for staff, the types of operating systems used, the availability of ISS jobs, or the number of training programmes attended by the IS staff.

Table 1. Levels of ISS implementation in libraries.

Level | Status | Description of the attributes of ISS practice
----- | ------ | ---------------------------------------------
1 | Not implemented | No security measure has been established
2 | Only some part has been implemented | Only some part of the security measure has been implemented
3 | Implemented but has not been reviewed | Implemented but the stage has not been reviewed
4 | Implemented and reviewed on a regular basis | Implemented and the state reviewed on a regular basis
5 | Implemented and recognized as a good example for other libraries | Implemented enough to be recognized as a good example for other libraries

Source: Information-Technology Promotion Agency (2008).

Table 2. Total score for technological measures (score range, lowest–highest, for each presence level).

Technological measures | Very Low | Low | Medium | High | Very High
---------------------- | -------- | --- | ------ | ---- | ---------
Total score for presence of hardware security | 0–2 | 3–5 | 6–10 | 11–15 | 16–20
Total score for presence of software security | 0–10 | 11–20 | 21–40 | 41–60 | 61–80
Total score for presence of workstation security | 0–2 | 3–6 | 7–12 | 13–18 | 19–25
Total score for presence of network security | 0–5 | 6–11 | 12–22 | 23–33 | 34–45
Total score for presence of server security | 0–6 | 7–12 | 13–25 | 26–37 | 38–50
Total score for presence of data security | 0–8 | 9–16 | 17–32 | 33–48 | 49–65
Total score for presence of physical security | 0–5 | 6–11 | 12–22 | 23–33 | 34–45
Total score for presence of technological measures (A) | 0–41 | 42–82 | 83–165 | 166–247 | 248–330

Table 3. Total score for organizational measures (score range, lowest–highest, for each presence level).

Organizational measures | Very Low | Low | Medium | High | Very High
----------------------- | -------- | --- | ------ | ---- | ---------
Total score for presence of information security (IS) policy | 0–7 | 8–15 | 16–30 | 31–45 | 46–60
Total score for presence of procedures and controls | 0–4 | 5–8 | 9–15 | 16–22 | 23–30
Total score for presence of administrative tools and methods | 0–2 | 3–6 | 7–12 | 13–18 | 19–25
Total score for presence of awareness creation | 0–5 | 6–11 | 12–22 | 23–33 | 34–45
Total score for presence of organizational measures (B): sum of the four sections above (presence of IS policy, procedures, administrative tools and awareness creation)

Implementation of organizational measures

The majority of special and public libraries (27 out of 50, 54.0%) in Malaysia are at the poor implementation stage of organizational measures, whereas 23 libraries (46.0%) require improvement on the organizational measures. Table 7 shows that 72.0% of libraries in this study demonstrate a high presence of information security policies. Dimopoulos et al. (2004) observe that the practice of developing information security policies is becoming increasingly popular in organizations and may be considered a source of competitive advantage amongst security-conscious practitioners. However, the findings show a lack of emphasis on security processes in the sampled libraries, as the presence of security procedures, administrative tools and awareness creation activities is only average. It is therefore necessary for libraries to put organizational measures in place, as relying on technology alone will not solve the security problems (Conklin et al., 2005). The literature has highlighted the importance of creating policies, standards, guidelines and procedures in an organization, as this strategy is one of the best tools to protect against human-created security problems as well as to establish the roles of security administrators and users in maintaining the security of the systems (Conklin et al., 2005; Dhillon and Backhouse, 2001).

A higher level of implementation of organizational measures in special and public libraries in Malaysia is more likely in libraries that received a larger percentage of the ISS budget (χ² = 16.318, df = 2, p = 0.000). Also, when comparing the status of organizational and technological measures, it is apparent that a large number of libraries in the sample which have high implementation of technological measures do not necessarily have good practice in organizational measures. This insecure situation could result in a variety of security issues, as most of today's security challenges are related to the human and organizational aspects of security (Anderson, 2007).

Overall status of library information systems security measures in Malaysian special and public libraries

Out of the 50 special and public libraries, 46.0% indicated that they have good practices in place in general but require improvements in organizational measures. Another 50% are grouped in the category of those with poor practices in general and need to give immediate attention to their organizational measures. Only a small number of libraries (4.0%) have poor practices where their technological measures need improvement and their organizational measures require immediate attention. The results (see Table 8) are consistent with findings in other organizations, where technology is given high priority and less emphasis is given to policies, processes and people issues. This is a concern, as a significant portion of security problems are the result of human-created security problems and poor organizational security practices, where users are not following established security policies and processes, and staff are not aware of or trained to implement and handle security breaches (Conklin et al., 2005; Merkow and Breithaupt, 2005).

Table 4. Overall information systems security assessment rating.

Presence of technological measures (A) | Total score for presence of organizational measures (B) | Presence of organizational measures | Overall assessment
-------------------------------------- | ------------------------------------------------------- | ---------------------------------- | ------------------
Very high | 0–90 | Poor | Poor practices, organizational measures need immediate attention
Very high | 91–130 | Needs improvement | Good practice, but organizational measures need improvement
Very high | 131–160 | Good | Very good practice
High | 0–80 | Poor | Poor practices, organizational measures need immediate attention
High | 81–120 | Needs improvement | Good practice, but organizational measures need improvement
High | 121–160 | Good | Very good practice
Medium | 0–70 | Poor | Poor practices, technological measures need improvement and organizational measures need immediate attention
Medium | 71–110 | Needs improvement | Average practice, but organizational measures need improvement
Medium | 111–160 | Good | Good practice, but technological measures need improvement
Low | 0–60 | Poor | Very poor practices, technological measures and organizational measures need urgent attention
Low | 61–100 | Needs improvement | Poor practices, technological measures and organizational measures need immediate attention
Low | 101–160 | Good | Poor practices, technological measures need immediate attention
Very low | 0–50 | Poor | Very poor practices, technological measures and organizational measures need urgent attention
Very low | 51–90 | Needs improvement | Poor practices, technological measures and organizational measures need immediate attention
Very low | 91–160 | Good | Poor practices, technological measures need immediate attention

Table 5. Cronbach's alpha scores for the five components in the LISSAM model.

Items | Components | Cronbach's alpha
----- | ---------- | ----------------
1.0 | Technological component | 0.682
2.0 | Information security policy | 0.844
3.0 | Procedures and controls | 0.671
4.0 | Administrative tools and methods | 0.705
5.0 | Awareness creation | 0.755
 | Total | 0.769

Table 6. Presence of technological measures in Malaysian special and public libraries (count and % of the 50 libraries).

Presence of technological measures | Very low | Low | Medium | High | Very high | Total
---------------------------------- | -------- | --- | ------ | ---- | --------- | -----
Hardware security | 0 (0.0%) | 4 (8.0%) | 16 (32.0%) | 22 (44.0%) | 8 (16.0%) | 50 (100.0%)
Software security | 0 (0.0%) | 0 (0.0%) | 22 (44.0%) | 28 (56.0%) | 0 (0.0%) | 50 (100.0%)
Workstation security | 0 (0.0%) | 0 (0.0%) | 12 (24.0%) | 34 (68.0%) | 4 (8.0%) | 50 (100.0%)
Network security | 0 (0.0%) | 0 (0.0%) | 14 (28.0%) | 35 (70.0%) | 1 (2.0%) | 50 (100.0%)
Server security | 0 (0.0%) | 0 (0.0%) | 5 (10.0%) | 40 (80.0%) | 5 (10.0%) | 50 (100.0%)
Data security | 0 (0.0%) | 0 (0.0%) | 34 (68.0%) | 15 (30.0%) | 1 (2.0%) | 50 (100.0%)
Physical security | 0 (0.0%) | 0 (0.0%) | 15 (30.0%) | 35 (70.0%) | 0 (0.0%) | 50 (100.0%)

Table 7. Presence of organizational measures in Malaysian special and public libraries (count and % of the 50 libraries).

Presence of organizational measures | Very low | Low | Medium | High | Very high | Total
----------------------------------- | -------- | --- | ------ | ---- | --------- | -----
Information security (IS) policy | 0 (0.0%) | 0 (0.0%) | 8 (16.0%) | 36 (72.0%) | 6 (12.0%) | 50 (100.0%)
Procedures and controls | 0 (0.0%) | 0 (0.0%) | 25 (50.0%) | 25 (50.0%) | 0 (0.0%) | 50 (100.0%)
Administrative tools and methods | 0 (0.0%) | 6 (12.0%) | 37 (74.0%) | 7 (14.0%) | 0 (0.0%) | 50 (100.0%)
Awareness creation | 0 (0.0%) | 0 (0.0%) | 37 (74.0%) | 13 (26.0%) | 0 (0.0%) | 50 (100.0%)

Table 8. Overall status of ISS practices in Malaysian special and public libraries (count and % within column).

Overall status of ISS practices | Special library | Public library | Total
------------------------------- | --------------- | -------------- | -----
Good practice but organizational measures need improvement | 18 (45.0%) | 5 (50.0%) | 23 (46.0%)
Poor practices, organizational measures need immediate attention | 20 (50.0%) | 5 (50.0%) | 25 (50.0%)
Poor practices, technological measures need improvement and organizational measures need immediate attention | 2 (5.0%) | 0 (0.0%) | 2 (4.0%)
Total | 40 (100.0%) | 10 (100.0%) | 50 (100.0%)

Discussion and conclusion

The ever-increasing availability of online resources and databases, either gratis or on subscription, has put the library in the role of custodian of electronic resources and provider of the computer facilities and infrastructure used to access those resources and facilities. It is becoming common to find users using the workstations or computers in libraries to search for and locate available resources, to connect to the wireless network facilities, and to use email and other social media services. In the face of these new technologies, libraries have no choice but to be particularly attentive to changes in the associated IS risks and the controls used to secure the IS. The overall monitoring and maintenance of the library's ISS has become necessary to ensure that library users have access to information, as well as for maintaining and monitoring the library's hardware, software, and the security issues related to their use, guided by documented policies and procedures (Breeding, 2003). Libraries have become responsible for maintaining the privacy and integrity of their information assets (financial information, patrons' circulation information, and user passwords) while providing access to library computers, web sites, databases, and servers, and for ascertaining control through appropriate policies for backups and recovery, so that their data and services delivered via information systems can be accessed and shared conveniently whenever needed and data can be restored quickly during downtime. This study is limited by the small sample size of the data collected. In future, other contributing factors need to be investigated, such as the impact of the local environment, ethics and culture, which may be related to the degree of ISS implementation in a variety of library settings.
The instrument created to assess the level of ISS implementation in libraries was shown to be internally consistent, with all items scoring acceptable Cronbach's alpha values (Appendix 2). The instrument groups usable items under two main factors, technological and organizational, which together look at ISS issues in libraries with a more holistic approach. Technological measures are the basis of ISS in libraries and act as the foundation of ISS management. As a result, most organizations, including libraries, have overemphasized technology above other factors, with the misconception that technological measures can solve most IS problems. This is also evident among the special and public libraries sampled, whose level of implementation of technological measures is high; adequate financial support and sufficient years of experience in ICT or library computerization have probably made this possible. The issues of effectively putting policies into practice are often overlooked, because it is during implementation that auditing, reporting and people issues come into play. In this pilot study, the performance of the libraries in establishing robust organizational measures is generally poor. Policies seem to be in place (72%) in the libraries, but respondents rated themselves poorly on items such as asset classification, risk analysis, and incident auditing and reporting. There is a medium level of implementation of awareness creation programmes for both users and staff, which aim to make all concerned aware of the seriousness of security issues and to enable staff to audit, handle and report incidents effectively.
This instrument has tried to collate all possibly relevant items related to the management of ISS in libraries; it is limited to the issues reported in the literature, as no comparable instrument could be located. It does give libraries a way to self-assess their implementation status and identify areas that require attention.
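As an added illustration of how the per-item reliability figures reported in Appendix 2 are obtained, the following example computes Cronbach's alpha for one section of a 1-5 Likert instrument and the alpha with each item left out in turn. This is example code written for this edit, not the authors' analysis; the six response rows for the four Hardware Security items are constructed, not data from the study, and the 0.70 acceptance threshold is the common rule of thumb rather than a figure from the paper.

```python
"""Cronbach's alpha for one section of a Likert-scale instrument such as LISSAM.

Added example, not the authors' analysis. Each respondent rates every item in
a section on the instrument's 1-5 implementation index; the section's
internal consistency across respondents is Cronbach's alpha:

    alpha = k / (k - 1) * (1 - sum_i var(item_i) / var(section total))

where k is the number of items. A per-item alpha, as listed in Appendix 2, is
conventionally the alpha of the section recomputed with that item left out.
"""
from statistics import variance  # sample variance; the estimator cancels in the ratio

SCALE_MIN, SCALE_MAX = 1, 5  # the instrument's five-point implementation index

# Constructed responses for the four Hardware Security items (1.1-1.4):
# six hypothetical libraries, one row each. Not data from the study.
HARDWARE_SAMPLE = [
    [4, 4, 3, 4],
    [5, 4, 4, 5],
    [2, 3, 2, 3],
    [3, 3, 3, 2],
    [1, 2, 1, 2],
    [4, 5, 4, 4],
]


def validate(responses):
    """Reject ragged matrices and out-of-range answers; return the item count k."""
    if len(responses) < 2:
        raise ValueError("need at least two respondents")
    k = len(responses[0])
    if k < 2:
        raise ValueError("alpha is undefined for a single item")
    for row in responses:
        if len(row) != k:
            raise ValueError("every respondent must answer every item")
        for x in row:
            if not SCALE_MIN <= x <= SCALE_MAX:
                raise ValueError(f"answer {x} is outside {SCALE_MIN}-{SCALE_MAX}")
    return k


def section_totals(responses):
    """One section score per respondent: the instrument's 'Total Score' row."""
    validate(responses)
    return [sum(row) for row in responses]


def cronbach_alpha(responses):
    """Internal consistency of the section; 1.0 means the items move in lockstep."""
    k = validate(responses)
    item_variances = [variance(col) for col in zip(*responses)]  # one column per item
    total_variance = variance(section_totals(responses))
    if total_variance == 0:
        raise ValueError("no spread in section totals; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_variances) / total_variance)


def alpha_if_deleted(responses):
    """Alpha recomputed with each item removed in turn, in item order.

    An item whose removal *raises* alpha is pulling against the rest of the
    section and is a candidate for rewording or dropping.
    """
    k = validate(responses)
    if k < 3:
        raise ValueError("need at least three items to delete one and still compute alpha")
    return [
        cronbach_alpha([row[:i] + row[i + 1:] for row in responses])
        for i in range(k)
    ]


def acceptable(alpha, threshold=0.70):
    """Usual rule of thumb for a usable scale; the threshold is a convention, not the paper's."""
    return alpha >= threshold


if __name__ == "__main__":
    print("section totals:", section_totals(HARDWARE_SAMPLE))
    print("alpha: %.3f" % cronbach_alpha(HARDWARE_SAMPLE))
    for item, a in zip(("1.1", "1.2", "1.3", "1.4"), alpha_if_deleted(HARDWARE_SAMPLE)):
        print(f"alpha if item {item} deleted: {a:.3f}")
```

Because the same variance estimator is used for the items and for the totals, the choice between sample and population variance cancels out of the ratio; only the k/(k-1) correction and the two sums matter. Alpha says nothing about validity: a section can be perfectly consistent and still measure the wrong thing, which is why the item wording in Appendix 2 still needs expert review.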
Funding
This research received financial support from the Ministry of Higher Education Malaysia and Universiti Sains Islam Malaysia (USIM) under the SLAI programme.

References
Adam NR, Atluri V, Bertino E, et al. (2002) A content-based authorization model for digital libraries. IEEE Transactions on Knowledge and Data Engineering 14(2): 296–315.
Al-Salihy W, Ann J and Sures R (2003) Effectiveness of information systems security in IT organizations in Malaysia. In: Proceedings of the 9th Asia-Pacific conference on communications, Penang, Malaysia, 21–24 September 2003, Vol. 2, pp. 716–720. IEEE.
Anderson K (2007) Convergence: A holistic approach to risk management. Network Security 2007(5): 4–7.
Berghel H (2005) The two sides of RoI: Return on investment vs. risk of incarceration. Communications of the ACM 48(4): 15–20.
Bovil C, Morss K and Bulley C (2007) Curriculum Design for the First Year: Literature Review. Edinburgh: Queen Margaret University and Enhancement Themes. Available at: http://www.enhancementthemes.ac.uk/docs/report/curriculumdesign-for-the-first-year-literature-review.pdf?sfvrsn=18 (accessed 22 January 2013).
Breeding M (2003) Protecting your library's data. Computers in Libraries. Available at: http://www.librarytechnology.org/diglibfulldisplay.pl?SID=20110116654235839&code=bib&RC=10343&Row=31& (accessed February 2006).
Conklin WA, White GB, Cothren C, et al. (2005) Principles of Computer Security: Security+ and Beyond. Burr Ridge, IL: McGraw-Hill Technology Education.
Cross R and Bawden D (1987) Information technology: Human and organizational factors. Journal of Information Science 13(5): 277–284.
Dhillon G and Backhouse J (2001) Current directions in IS security research: Towards socio-organizational perspectives. Information Systems Journal 11(2): 127–153.
Dimopoulos V, Furnell S, Barlow I, et al. (2004) Factors affecting the adoption of IT risk analysis. In: Proceedings of the 3rd European conference on information warfare and security, Royal Holloway, University of London, UK, 28–29 June 2004.
Doherty NF and Fulford H (2006) Aligning the information security policy with the strategic information systems plan. Computers & Security 25(1): 55–63.
EDUCAUSE/Internet2 Security Task Force (2004) The Information Security Governance (ISG) Assessment Tool for Higher Education. Available at: http://net.educause.edu/ir/library/pdf/SEC0421.pdf (accessed February 2006).
Eisenberg J and Lawthers C (2008) Library Computer and Network Security: Library Security Principles. Infopeople Project, 2005. Available at: http://www.infopeople.org/resources/security/basics/index.html (accessed May 2009).
Farahmand F, Navathe SB, Sharp GP, et al. (2006) A management perspective on risk of security threats to information systems. Information Technology and Management 6(2/3): 203–225.
Guel MD (2007) A Short Primer for Developing Security Policies. Available at: http://www.sans.org/resources/policies/Policy_Primer.pdf (accessed August 2008).
Gupta M and Sharman R (2008) Social and Human Elements of Information Security: Emerging Trends and Countermeasures. Hershey, PA: IGI Global.
Guttman B and Roback E (1995) An Introduction to Computer Security: The NIST Handbook. NIST Special Publication 800-12. Washington, DC: US National Institute of Standards and Technology. Available at: http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf (accessed August 2008).
Hagen JM, Albrechtsen E and Hovden J (2008) Implementation and effectiveness of organizational information security measures. Information Management & Computer Security 16(4): 377–397.
Hone K and Eloff JHP (2002) Information security policy: What do international security standards say? Computers & Security 21(5): 402–409.
Information-Technology Promotion Agency (2008) Information Security Management Benchmark (ISM-Benchmark). Available at: http://www.ipa.go.jp/security/english/benchmark//Howtouse_ISM_Benchmark.pdf (accessed January 2009).
INTOSAI (1995) Information System Security Review Methodology: A Guide for Reviewing Information System Security in Government Organizations. Available at: http://www.issai.org/media(421,1033)/ISSAI_5310_E.pdf (accessed August 2006).
Merkow M and Breithaupt J (2005) Information Security: Principles and Practices. Upper Saddle River, NJ: Pearson Prentice Hall.
More E (1990) Information systems: People issues. Journal of Information Science 16(5): 311–320.
Newby GB (2002) Information Security for Libraries. Available at: http://www.petascale.org/papers/library-security.pdf (accessed February 2005).
Pipkin DL (2000) Information Security: Protecting the Global Enterprise. Upper Saddle River, NJ: Prentice Hall.
Powell A and Gillet M (2007) Controlling access in the electronic library. Ariadne 7. Available at: http://www.ariadne.ac.uk/issue7/access-control (accessed February 2008).
Samarati P, Bertino E and Jajodia S (1996) An authorization model for a distributed hypertext system. IEEE Transactions on Knowledge and Data Engineering 8(4): 555–562.
Samy GN, Rabiah A and Zuraini I (2009) Threats to health information security. In: IAS '09: Fifth international conference on information assurance and security, Xi'an, China, 18–20 August 2009, Vol. 2, pp. 540–543. DOI: 10.1109/IAS.2009.312. Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5283006&isnumber=5282971 (accessed May 2010).
Scarfone K, Souppaya M, Cody A, et al. (2008) Technical Guide to Information Security Testing and Assessment. NIST Special Publication 800-115. Washington, DC: US Department of Commerce, National Institute of Standards and Technology. Available at: http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf (accessed May 2009).
Siponen MT and Oinas-Kukkonen H (2007) A review of information security issues and respective research contributions. The DATA BASE for Advances in Information Systems 38(1): 60–81.
Suhazimah D (2007) The antecedents of information security maturity in Malaysian public service organizations. PhD Thesis, University of Malaya, Malaysia.
Sundt C (2006) Information security and the law. Information Security Technical Report 11(1): 2–9.
Thiagarajan V (2002) Information Security Management BS 7799.2:2002 Audit Check List for SANS (2003). Available at: http://www.sans.org/score/checklists/ISO_17799_checklist.pdf (accessed August 2006).
Volonino L and Robinson SR (2004) Principles and Practice of Information Security: Protecting Computers from Hackers and Lawyers. Upper Saddle River, NJ: Pearson Education.
Von Solms B (2000) Information security: The third wave? Computers & Security 19(7): 615–620.
Weise J and Martin CR (2001) Sample Data Security Policy and Guidelines Template. Sun BluePrints. Available at: http://www.sun.com/blueprints/tools/samp_sec_pol.pdf (accessed August 2008).
Westby JR and Allen JH (2007) Governing for Enterprise Security (GES) Implementation Guide. CMU/SEI-2007-TN-020. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. Available at: http://www.cert.org/archive/pdf/07tn020.pdf (accessed January 2008).
Williams RL (2001) Computer and Network Security in Small Libraries: A Guide for Planning. Texas State Library & Archives Commission. Available at: http://www.tsl.state.tx.us/ld/pubs/compsecurity (accessed January 2006).
Yeh Q and Chang AJ (2007) Threats and countermeasures for information system security: A cross-industry study. Information & Management 44(5): 480–491.

Author biographies
Roesnita Ismail is a lecturer at the Faculty of Science and Technology, Universiti Sains Islam Malaysia (USIM). She received her BSc (Hons) (2001) in Information Studies from MARA University of Technology, Malaysia, and her MLIS (2005) and PhD (2012) in Information Science from the University of Malaya. She was awarded the best dissertation prize by the Librarians Association of Malaysia in 2006. Her research interests include information security issues in libraries, e-resources, organization of information and e-records management.
Awang Ngah Zainab is a professor who has taught on the Master of Library and Information Science programme offered at the Faculty of Computer Science and Information Technology, University of Malaya, since 1994. She received her BA (Hons) (1976) and MA (1978) from the University of Wales, UK, and her MSc (1991) and PhD (2001) in Information Science from Loughborough University, UK. She was awarded the J.D. White Memorial Prize for her dissertation by Loughborough University in 1991. Her research interests include digital libraries, collection development, scholarly communication and bibliometrics. She publishes widely in national and international journals. She is also the chief editor of the Malaysian Journal of Library and Information Science and an editorial board member of the Journal of Library and Information Science and The Electronic Library.


Appendix 1
Search strategy.

Search component   Search terms
A   Information security OR Information systems security OR Computer security
B   Threat OR Breach OR Vulnerability OR Risk OR Impact
C   Countermeasures OR Controls OR Safeguard measures OR Practices OR Protection mechanism
D   Academic libraries OR University libraries OR Special libraries OR Public libraries
E   Malaysia

Combinations of search terms
A+B+C+D+E; A+B+D+E; A+B+D; A+B; A+C+D+E; A+C+D; A+C; A+D+E; A+D

Limiters
1) English language only
2) 10-year limit (2002–2011)
3) NOT libraries at primary or secondary schools, i.e. NOT school libraries

Selection criteria
1) Focus on types of information security threats in libraries
2) Focus on types and level of information security measures deployed in libraries

Source: Format of this table is adapted from Bovil et al. (2007).

Selection of relevant information sources.

Library databases
  Malaysia-specific: Library Directory database in Malaysia, http://www.pnm.gov.my/index.php?id=924
  International: ACM Digital Library; Emerald Full Text; ERIC; Google Scholar; IEEE Computer Society; Ingenta Connect; ProQuest Dissertations & Theses Database; ScienceDirect; Scopus

Relevant websites
  Malaysia-specific: Statistics on Reported Computer Security Incidents in Malaysia, http://www.mycert.org.my/en/services/statistic/mycert/2011/main/detail/795/index.html; Computer and Network Security for Libraries by Jeff Eisenberg and Connie Lawthers, http://infopeople.org/resources/security
  International: Information security related statistics, http://www.pisa.org.hk/highlights/statistics/statistics_main.htm; Computer Security Institute, http://gocsi.com/node/594

Source: Format of this table is adapted from Bovil et al. (2007).

Appendix 2
The library information system security assessment instrument.

The following is a list of Information Systems (IS) safeguarding measures. Please tick (✓) the box to indicate the level of implementation in your library, based on the index below:
1 - Not implemented
2 - Only some part has been implemented
3 - Implemented but has not been reviewed
4 - Implemented and reviewed on a regular basis
5 - Fully implemented and recognized as a good example for other libraries

The respondent's Score column is left blank. The value in square brackets after each item, and after the TOTAL rows where one was reported, is the Cronbach's alpha for that item.

a) Hardware Security
1.1  CCTV, visual camera, magnetic detection system, and electronic anti-theft system at strategic places, public computer areas, and server areas. [0.783]
1.2  Emergency power sources and alternative communication lines (use of alternative telephone lines or cables and generators). [0.878]
1.3  Locks, security cables, locked cable trays, metal cages, or anchoring devices to improve the security of hardware equipment. [0.846]
1.4  Periodical remote mirroring or file mirroring to back up disk drives. [0.832]
Total Score (a)

b) Software Security
1.5  Anti-spyware software to detect and remove any spyware threats. [0.899]
1.6  Anti-phishing solutions to prevent phishing attacks. [0.780]
1.7  Cleanup software to erase files or settings left behind by a user. [0.764]
1.8  Desktop security software at application level and operating system level to monitor, restrict usage, or disable certain features of the workstations. [0.710]
1.9  Distribution agents to automate the process of installing an application or updates to workstations on a network. [0.829]
1.10 ID management software to automate administrative tasks such as resetting user passwords and enabling users to reset their own passwords. [0.712]
1.11 Menu replacement software to replace the standard Windows desktop interfaces and to provide control over timeouts, logging, and browsing activities. [0.713]
1.12 Multi-user operating systems and application software to allow concurrent access by multiple users of a computer. [0.806]
1.13 Periodical automatic debugging and tests to remove any defects from newly developed software or hardware components. [0.877]
1.14 Rollback software to keep track of and record any changes made to the computers and allow the system to be restored to its original state from any chosen point in time. [0.877]
1.15 Single sign-on system for user authentication and authorization to access all computers and systems without the need to enter multiple passwords. [0.798]
1.16 Spam-filtering software to automatically stop unwanted spam e-mails from reaching users' inboxes. [0.841]
1.17 Systems recovery to rebuild and repair the library computer systems after a disaster or crash. [0.835]
1.18 Timer software to control the amount of time a patron can use a workstation. [0.777]
1.19 User entrance log to record and monitor user logins, which are regularly analyzed. [0.812]
1.20 Web-filtering software to prevent access to inappropriate materials or sites. [0.733]
Total Score (b)

c) Workstation Security
1.21 All office productivity software and browsers on the workstations/laptops are configured to receive updates in a timely manner. [0.705]
1.22 An application firewall is used for mobile laptops that connect to the library's LANs. [0.710]
1.23 The computers' BIOS is secured in order to create a secure public access computer. [0.849]
1.24 User identification and authentication are required before logging into the library's workstations, laptop screensavers, library network, or campus network. [0.702]
1.25 Virus protection programs, configuration settings, and security software are installed for web browsers and e-mail programs. [0.760]
Total Score (c)

d) Network Security
1.26 Antivirus software and desktop security software receive regular updates to protect the internal network from security breaches. [0.667]
1.27 Digital signatures are used to assure the authenticity of any electronic documents sent via the library's network (e.g., use of passwords, private key encryption, public key encryption, or digital certificates). [0.719]
1.28 Firewall to protect the internal network from external threats. [0.819]
1.29 Firewall with virtual private network (VPN) capabilities is installed for remote and wireless access connections. [0.810]
1.30 Limitation of connection time is performed via configuration routines to control and restrict access to the library's high-risk applications or databases. [0.783]
1.31 Public and staff local area networks (LANs) are physically separated by means of separate cabling for each network to provide an alternative circuit. [0.810]
1.32 Server segregation/perimeter network (DMZ) using firewalls and other network access control devices to separate systems that are at relatively high risk from the unsecured network. [0.770]
1.33 The network is segmented with a router to increase the bandwidth available to each user and reduce congestion or collisions on the library's network. [0.695]
1.34 Wireless security products to secure the library wireless network (changing the default passwords on wireless access points, network ID, wireless intrusion detection systems, Wired Equivalent Privacy (WEP) encryption, MAC address filtering, or virtual private networking (VPN)). [0.656]
Total Score (d)

e) Server Security
1.35 Antivirus software on servers and antivirus definition files are kept up to date. [0.845]
1.36 Authentication systems to prevent unauthorized access to the library's servers. [0.829]
1.37 Fault tolerance is implemented to ensure that if one system fails, a backup system immediately takes over. [0.894]
1.38 Firewalls to protect the library network from unwarranted intrusions. [0.928]
1.39 Intrusion-detection software and host-auditing software are installed to monitor the servers or computers for signs of intrusion. [0.898]
1.40 Regular backups of the data, hard copies of server hardware specifications, installation information, installation software, and passwords are regularly updated and stored at an offsite location. [0.859]
1.41 Server logs are reviewed periodically using a log file monitor utility to detect any signs of intrusion or security violations. [0.907]
1.42 Access to the server's file system is restricted using file or directory permissions on the directory structure. [0.878]
1.43 The library servers' operating systems (OS) and applications are hardened to protect against vulnerabilities. [0.751]
1.44 The server is placed in a secure location, such as a lockable cage or a locked room, with environmental controls. [0.634]
Total Score (e)

f) Data Security
1.45 Attributes of each removable medium used in the library are properly recorded, and unauthorized devices (USB thumb drives, tapes, CDs, DVDs, disks, drives, etc.) are kept from accessing, running, or transferring data to the library workstations and network. [0.917]
1.46 A combination of authentication systems restricts access to library data and resources based on a variety of access rights (user identification, passwords, or biometric systems). [0.672]
1.47 Disposal of unused media and sensitive media is properly managed to maintain an audit trail. [0.776]
1.48 An enforced path is created between a user terminal and other library services to reduce the risk of unauthorized access. [0.646]
1.49 Event logging or log management software ensures that the library's computer security records are stored in sufficient detail for an appropriate period of time (records of security incidents, policy violations, fraudulent activities, and operational problems). [0.606]
1.50 Fraud detection and prevention measures to control fraudulent activity and disclosure of information (use of address verification system/AVS, proprietary encryption, internal intrusion detection system, multiple login monitoring, password verification on transactions, or data access controls). [0.869]
1.51 Public key infrastructure (PKI) to secure the exchange of personal data via the library network and the Internet (use of public and private cryptographic key pairs). [0.921]
1.52 RFID tags to manage and secure the library collection as well as to track attendance and prevent unauthorized access into the library building. [0.803]
1.53 Systematic approaches, conducted in-house or outsourced to a service provider, to address the library's vulnerabilities (vulnerability discovery, prioritization, remediation, dynamic protection, verification, and customized reporting). [0.867]
1.54 Use of cryptographic techniques, hardware and software tokens, and single sign-on systems to control data access to the library's internal and remote computer systems. [0.817]
1.55 Use of password protection for user accounts, antivirus software, firewalls, wireless network protection, intrusion-detection systems, and Internet Protocol virtual private networks (IP VPNs) to ensure that data entered and sent from one end of a transaction arrives unaltered at the other end. [0.869]
1.56 The library's vital business information and records are regularly backed up (inventory records, patrons' data, library databases, production servers, and critical network components and backup media). [0.826]
1.57 Web access management systems to manage and validate user access to devices, applications, and library systems (e.g., authentication management, single sign-on convenience, audit, or reporting systems). [0.790]
Total Score (f)

g) Physical and Environmental Security
1.60 Air conditioning to stabilize the temperature and humidity within the library building. [0.770]
1.61 Earthquake early warning system to alert library staff and patrons prior to damaging ground shaking. [0.648]
1.62 Flood detector to provide early warning of developing floods in the library. [0.666]
1.63 Lightning protectors and surge protectors to protect valuable machines or equipment from lightning strikes, voltage spikes, and surges. [0.822]
1.64 Security guards to monitor people entering and leaving the library buildings and sites. [0.815]
1.65 Automatic sprinkler systems, smoke detectors, fire extinguishers, and fireproof installations in the library buildings and areas adjacent to the library's key assets, to detect and prevent fires, toxic chemical spills, and explosions. [0.878]
1.66 Magnetic stripe swipe cards, electronic locks, proximity cards, bar code cards, or biometrics to secure and control access to restricted library areas. [0.785]
1.67 Warning signs, fencing, vehicle height restrictors, site lighting, and trenches around the library areas to provide an initial layer of security for the library building. [0.911]
1.68 Wireless gates, biometrics, or other user identification and authentication methods at the library's main entrances, exits, and public access areas. [0.825]
TOTAL SCORE FOR (a + b + c + d + e + f + g) [0.682]

2.0 Information Security Policy
2.1  Backup and off-site storage policies for library data, media, or materials that contain sensitive information. [0.849]
2.2  Data classification, retention, and destruction policies for library data, media, or materials that contain sensitive information. [0.880]
2.3  Identity management policies for library IS user registration and password management. [0.983]
2.4  Job responsibility policy for individual employees' responsibilities related to the library's IS security practices. [0.904]
2.5  Policies on access control, authentication, and authorization practices for using the library IS. [0.925]
2.6  Policies on protection of library IS assets, covering the library's hardware, software, data, and people. [0.943]
2.7  Secure disposal policies for library data, media, or materials that contain sensitive information. [0.971]
2.8  Policies on reporting, notification, and response to ISS events for affected parties such as individuals, law enforcement, campus, or parent organizations. [0.941]
2.9  Policies on acceptable use of wireless devices in the library, such as laptops and mobile phones. [0.900]
2.10 Policies on acceptable use of workstations, e-mail, databases, intranet, and Internet in the library. [0.912]
2.11 Policies on managing privacy and confidentiality issues, including breaches of personal information. [0.899]
2.12 Policies on sharing, storing, and transmitting library data via ISPs, external networks, or contractors' systems. [0.960]
TOTAL [0.844]

3.0 Procedures and Controls
3.1  Controls and disciplinary procedures if library staff or patrons breach the ISS policies or rules (verbal warning, written warning, suspension, and dismissal). [0.932]
3.2  Procedures for handling sensitive data and personal data of library patrons to prevent errors, unauthorized disclosure, or misuse by those who handle it. [0.793]
3.3  Procedures for non-disclosure or confidentiality agreements with all library staff and patrons to protect any type of confidential and proprietary information. [0.876]
3.4  Procedures for updating and reviewing existing information security policies. [0.913]
3.5  Procedures for intellectual property rights and copyright to control and protect any digital works or resources that are stored, transmitted, accessed, copied, or downloaded via the library IS. [0.917]
3.6  Procedures listing all requirements with regard to outsourcing any library information systems service or activity. [0.671]
TOTAL

4.0 Administrative Tools and Methods
4.1  Procedures for owner accountability to ensure that appropriate protection is maintained for each library IS asset (e.g., information assets, software assets, physical assets, and library services). [0.712]
4.2  Procedures for the development and implementation of risk analysis to protect the library from all types of threats (asset analysis, threat analysis, annual loss expectancy analysis, and identification and evaluation of security measures). [0.956]
4.3  Procedures on handling, reporting, notification, and response to IS security events for affected parties such as individuals, law enforcement, campus, or parent organization. [0.640]
4.4  Procedures for asset classification, to organize assets according to their importance and sensitivity to loss (unclassified, confidential, secret, and top secret). [0.758]
4.5  Regular internal and external audit programs appropriate to the library IS's size, complexity of activities, scope of operations, risk profile, and compliance with the relevant standards. [0.721]
TOTAL [0.705]

5.0 Awareness Creation
5.1  All staff and patrons at various levels are made aware of their responsibilities with regard to protecting the library's information systems security and are trained to report any security breach incidents. [0.775]
5.2  All staff and patrons at various levels receive appropriate information security training and education. [0.793]
5.3  All staff and patrons at various levels receive regular updates on the library's information systems policies and procedures. [0.762]
5.4  Information security awareness training is mandatory for all staff and patrons at various levels. [0.811]
5.5  A risk-assessment approach exists and follows a defined, documented process. [0.663]
5.6  Staff and patrons at various levels are trained to monitor and handle the library's information systems on their own. [0.748]
5.7  A balanced set of key performance indicators (KPIs) and metrics is used to provide real insight into the effectiveness of security awareness programs. [0.789]
5.8  There is positive support and commitment from top management to coordinate the implementation of information systems security controls in the library (e.g., via allocation of budget, strong interest, and active involvement). [0.836]
5.9  Threats that could harm and adversely affect critical operations of the library's information systems security are identified and updated regularly. [0.809]
TOTAL [0.755]