Abstract: Recently, computer security and incidents of computer crime have received considerable attention. Without a doubt, in computer security the risks are high, and the problems and their solutions are complex; nonetheless, the emphasis of this attention has been misplaced. The emphasis should be primarily on the security of information itself and secondarily on the devices that handle information and on any of the other factors that go into information production. The factors of information production should certainly be considered, but only after planning and analysis based on information has been completed. For example, when considering the possibility that a competitor may steal your firm's proprietary information, it is best to consider first what information should be safeguarded and what expenditure is warranted for such protection; then one can consider the environments in which this information appears (paper-based, computerized, verbal, etc.) and the controls that are appropriate for these environments. This paper explores the application to the information security area of Information Resource Management (IRM), a new and promising approach that concentrates on information, not on computers. This paper explains the concepts underlying IRM, how they are applied, and what general information systems benefits can be obtained. In a more specifically security-oriented sense, it indicates how IRM can help address a few of the pressing problems now encountered by information security practitioners: controls suboptimization, the Maginot Line syndrome, top management understanding and support, disaster recovery planning, security policy-making, consideration of noncomputerized information, and expeditious resolution of security problems.