After reading chapter 12 of the text, it becomes obvious that Turban believes U.S. companies (of all sizes) do not budget enough for IT security. Although this may or may not be true, I had some difficulty understanding his argument regarding per-employee IT security expenditure. Doesn't this seem like an odd metric when measuring or comparing IT expenditure? In section 12.5, Turban discusses security risk management. In the assessment stage, it states that organizations should "evaluate their security risks by determining their assets, the vulnerabilities of their system, and the potential threats to these vulnerabilities" (Turban, 472). These determine the action(s) needed to prevent attacks. Following this reasoning, most (I say most because the number of employees may add to the vulnerability of the system) IT security expenditures will be made irrespective of the number of employees. Therefore, using per-employee expenditure, in my opinion, tells us very little in terms of the appropriate expenditure. (For example, two companies with the same number of employees may require much different IT security expenditures. Therefore, using IT expenditure per employee wouldn't allow us to compare the two to make a reasonable assessment of such IT expenditure.) Just thought I'd get your opinion on that!
I also wanted your opinion on penetration testing. It seems reasonable for companies to test their IT systems in such a way. However, the text talks about the need to test individual staff using this technique. This strategy involves having someone pretend to be a hacker and try to get certain information out of the employee. The book mentions the adverse effect on employee morale, and only recommends debriefing the employee after the test to alleviate such a problem. Do you think these should be done at all? If so, do you think more would need to be done to reverse the adverse effects on employee morale? Do you think anyone has ever been fired for failing this test? And should they be? My own view (from a moral perspective) is that the company could if they so desired. However, I would urge great caution. They would need to fully understand the impact on employee behavior and morale before implementing such a test.