Sam Ransbotham
Associate Professor
Carroll School of Management
Boston College
Email: [email protected]
Terry August
Associate Professor of Innovation, Technology and Operations
Rady School of Management
University of California, San Diego
Email: [email protected]
It is difficult to exaggerate the widespread effects that information technology (IT) has already had on organizations. In just a few decades, IT has fundamentally changed how organizations operate, adding value in many ways. Organizations rely on IT systems to collect, manage, and inform across all parts of the value chain including operations, logistics, production, marketing, design, and service. Additionally, emerging IT-based ideas (e.g., blockchain, artificial intelligence, the Internet of Things) indicate that much, much more potential exists.
However, the effects of IT are far from universally positive. Pervasive reliance on IT has also brought pervasive risk as organizations struggle to secure computer systems. Frequent news reports remind us of how the same systems that provide so much value can also cause so much harm.
The challenge is to maximize the benefits of IT while limiting the negative consequences: a problem well suited for the INFORMS community. Researchers and practitioners alike have been actively working to understand, manage, and reduce these negative consequences in a wide variety of contexts and through a wide variety of methodologies. This Editor's Cut volume highlights some of the security community's work by considering four central questions about information security:
1. What are the top threats to information security?
2. How can system design affect and improve user security?
3. How can managers improve the security of their organization?
4. How can a broader view of information security inform organizations?
Finally, as a society, we have likely only begun to understand the potential, both bad and good, of information technology. As we continue to embed computer systems throughout society, the potential for vulnerabilities will grow. A recent special issue of Information Systems Research on Ubiquitous IT and Digital Vulnerabilities examines how several fundamental mechanisms (i.e., increased visibility, enhanced cloaking, increased interconnectedness, and decreased costs) may contribute to ubiquitous computing and make various entities—people, organizations, societies, objects, systems, processes—more vulnerable.
As the world increasingly relies on IT systems, there remains much to learn and do. This Editor's Cut illustrates the potential for the INFORMS community to help understand and improve our collective information security.
What are the top threats to information security?
The information security environment is constantly changing, and nefarious actors benefit from the same IT advances that organizations do. As a result, organizations find themselves at risk of both random attacks (simply by using computer systems) and targeted attacks. In an increasingly interconnected business environment, these risks come from all directions, and we all suffer from the insecure behavior of others. It is difficult to understand where all the risks come from, so managers and users must actively search for better information to understand their risks and improve their response. As in other areas of the business, better metrics and measurement are key to addressing the growing threat. With better data, many are finding that the analytical approaches that succeed for organizations in other domains also work in information security.
How can system design affect and improve user security?
Users are a fundamental component of the security – or insecurity – of a system. Many user incentives are not well aligned with improved security, but there are a number of system design choices we can make to align them. For example, if we design interfaces well, then users will continue to follow security guidelines and will be better able to cope with threats such as phishing attempts. But if systems are not well designed, then the irritation of repeated security warnings may make us more, not less, likely to fall victim.
How can managers improve the security of their organization?
Security is not only a technical problem; it is a management problem as well. Within organizations, managers make decisions that can strengthen or weaken their organization's information security. For some prevention-oriented questions, industry standards for security practices have been established. Other prevention decisions take the form of organizational policies. These policies can be carrots (rewarding adherence) or sticks (punishing non-compliance), and some are based on formal rules while others are more social. There are many open questions about which user policy techniques are most effective. Similarly, managers must make a number of infrastructure-oriented decisions, such as the optimal policies for deploying software patches, particularly when using cloud-based, software-as-a-service platforms. Finally, given the unfortunate inevitability of system attacks, managers must also decide how to, for example, optimally manage intrusion detection systems. None of these questions has an easy answer.
How can a broader view of information security inform organizations?
Information security does not operate in a vacuum. Instead, information security decisions can affect other parts of organizations. For example, insights from cryptographic techniques can promote trust within a distributed logistics system. Or information security can inform contexts where research and development has incentives both to share information with others and to hide it from them. We are beginning to see examples of how organizations can simultaneously improve security and customer service by embedding security within processes rather than treating it as an afterthought. These examples illustrate ways that information security can become a core component of how organizations operate.