Dear Gideon!

I think you should analyze information security as a part of economic security. There are a lot of works connected with the problem

Employing an ethical hacker

Information security policy in public organization will fall into two categories. First category is protection the given data. This should be inline with Personal Data Protection Act. How well data is handle within the origination based on CIA and AAA threads? The second category is secure transmission of data to relevant organization that request to share the secure information. Also based on CIA and AAA threads. In all the above approach protecting the systems using the protection tools is straight forward. Need to implement relevant software and hardware to protect the data. The weakest link is human interactions. Based on the past researches, the weakest point is the human factor. Human actions is key reasons of breach of secure information within internal source. Organization need to train employees to understand the reason to protect the given data. Most of unhappy employee is weakest breaching point for any organization. First of all the top management need to understand security view points and need to translate the view points so that the employees understand why they need to protect the companies data. There are several researchers looking at this angel. But there is research gap in measuring this factor. You can organize research activity to measure awareness ICT security both on the employer and employee level. Research should also involves vendors whom providing products and services for the organization as well. This will be interesting non technical research that does not involves hardware and software that protects the data.

Please read the following paper to better understand management role in information security management

Article Information security management needs more holistic approach...

Check this article: Contents lists available at ScienceDirect Computers & Security

Information security assessment in public administration Edyta Karolina Szczepaniuka , Hubert Szczepaniuk b,∗ , Tomasz Rokicki b , Bogdan Klepacki b

There are several Information Security measures recommended by international standards and literature, but the adoption by the organizations should be designated by specific needs identified by Information Security Governance structure of each organization, although it may be influenced by forces of the institutional environment in which organizations are inserted. In public research institutes, measures may be adopted as a result of pressure from Government and other agencies that regulate their activities, or by the influence of Information Security professionals, or simply adopting the same measures of leading organizations in the organizational field .

This is a very interesting space as public organizations by nature are expected to be transparent and share information freely. However, integrity and accessibility are key issues. Most of the time, information hoarding keeps things stagnant and at a slow pace. This has a direct correlation with leadership styles which can directly influence the level of transparency and data integrity. Rather than focusing on the typical confidentiality issues, I suggest you concentrate on the data integrity and availability along with ease of access. Concepts of Recovery Point Objective and Recovery Point Objective and Recovery Time Objective can be adopted to this context. How much time is spent on getting the info and how recent/ old the info is. This directly leads to the level of automation and efficiency of processes which help capture real time data. Please let me know if you need to discuss further.