
PREVENTION OF SENSITIVE INFORMATION LEAKAGE IN BUSINESS ORGANISATION: A VIEW FROM MAQASID AL-SHARIAH PERSPECTIVE Perlindungan Ketirisan Maklumat Dalam Organisasi Perniagaan: Sudut Pandang Maqasid al-Shariah


Academic year: 2024


Mohd Fared Abdul Khir1, Mohd Faizal Abdul Khir2 & Mohd Fairooz Abdul Khir3

1Information Security and Assurance Programme, Faculty of Science and Technology, Universiti Sains Islam Malaysia

2Department of Usuludin, Faculty of Islamic Study, Universiti Sultan Azlan Shah

3International Centre for Education in Islamic Finance (INCEIF)

Abstract

In the cyber world, business organizations are striving to prevent sensitive information leakage. The industry's answer to this critical problem is Data Loss Prevention (DLP) technology, which is ever more complex and hard to implement. Overcoming this difficulty requires very strong motivational factors. Therefore, various aspects should be highlighted to show its importance, among others those related to the Maqasid al-Shariah. In this work we conduct a study on the issue and present our findings on the use of a simplified Maqasid al-Shariah approach to raise the importance of preventing sensitive data loss from an Islamic perspective for the case of a business organization.

Keywords: Sensitive Information Leakage, Data Loss Protection, DLP, Maqasid Shari’ah, Maqasid.

Abstract (Malay version, translated)

In the cyber world, business organisations struggle hard to prevent the leakage of sensitive information. The industry's answer to this critical problem is Data Loss Protection (DLP) technology, which is complex and difficult to implement. Overcoming this issue requires a very large motivational factor. Various aspects should therefore be highlighted to show its importance, among them those related to the Maqasid al-Shariah. In this study, we present the results of a study carried out using a simplified Maqasid al-Shariah approach to raise the importance of protecting against sensitive data leakage from the Islamic point of view, for the case of a business organisation.

Keywords: Sensitive information leakage, information leakage protection, DLP, Maqasid Shari’ah, Maqasid.

1.0 INTRODUCTION

In today's world, digital transformation is unavoidable. Organizations strive for the efficient service demanded by their customers. As a consequence, all organizational information is stored and transferred in the form of digital data, which includes sensitive information such as strategic business information, intellectual property and legal documents. In doing so, organizations expose their sensitive information to all kinds of threats that exist in the cyber world. Without proper protection, this sensitive information is always vulnerable to cyber threats. In this work, we discuss, from an Islamic point of view, the importance of data loss prevention for a business organization. We then develop a simplified framework from the Maqasid al-Shariah perspective. The framework is applied to a few example scenarios of sensitive data loss in a business organization by looking at the risk factors.

2.0 PROTECTING SENSITIVE INFORMATION

To avoid sensitive data loss, companies would normally establish policies and procedures as part of an organizational security program. In critical organizations, a holistic approach such as defense in depth is common practice, protecting assets, including sensitive information, at every layer of defense: perimeter, network, host, application and data. In preventing data loss, tools such as an Intrusion Detection System (IDS), firewall and Virtual Private Network (VPN) are insufficient, as they are only effective in cases where rules are well defined (Praba & Satyavathy 2017). In reality, because there are many ways information can be leaked out of an organization via various mediums such as e-mail and instant messaging, these rules can easily be defeated. A disgruntled employee may intentionally expose the company’s strategic planning information to competitors.

On the other hand, a decent employee may send a meeting invitation email to a competitor and mistakenly attach a sensitive file containing the company’s classified intellectual property assets.

For business organizations, the impact of the aforementioned scenarios is intolerable, as they may put reputation, capital and competitiveness at risk (Liu & Kuhn 2010). It is obvious that the human factor plays a significant role in data protection. This is evidenced by the January 2020 to April 2020 ENISA Threat Landscape report on Information Leakage, which listed insiders as the primary attack vector in information leakage. The term insiders is used to describe a person with an interest in ‘exfiltrating’ important inside information on behalf of a third party. Other common attack vectors used by this threat are misconfigurations, vulnerabilities and human errors (ENISA 2020).

For this reason, many business organizations deploy Data Loss Protection (DLP) technology, which is expected to reduce risks due to the human factor. DLP is a technical security measure that enforces policies for information processing and transfer and supports classification of information and the protection and monitoring of critical and sensitive data (Liu & Kuhn 2010).

However, DLP, with its tedious and complex implementation, has always had a bad reputation in the industry, as it is viewed as a tool that imposes extra workload on employees and to some extent reduces performance. It is obvious that a big motivational factor is needed to outweigh the difficulties of implementing DLP technology. A brief review of this issue can be found in our previous work (Abdul Khir & Abdul Khir 2021). We argue that, for an organization which emphasizes Islamic values, a view from the Islamic perspective is a positive pushing factor that helps the organization overcome the said difficulties associated with DLP implementation. We have presented in (Abdul Khir & Abdul Khir 2021) the arguments related to being honest and trustworthy in carrying out work, which form the basis of motivation from the Shariah perspective.

In this article we intend to direct readers' attention to the general objectives of Islamic legislation, better known as the Maqasid al-Shariah, which according to (Ibn ‘Ashur 2001) consist of the deeper meanings and inner aspects of wisdom considered by the Lawgiver in the areas and circumstances of legislation. It is therefore of great interest to investigate the importance of preventing sensitive data leakage from the Maqasid al-Shariah perspective, particularly for the case of a business organization.

3.0 MAQASID AL-SHARIAH

3.1 Maqasid al-Shariah: A Foundational Construct

The primary objective of the Shariah is the realization of benefit (maslahah) to the people, concerning their affairs both in this world and the hereafter. It is generally held that the Shariah, in all of its teachings, aims at securing a benefit for the people or protecting them against harm and evil. This is essentially evidenced in the following verse of the Quran that indicates the mercy and beneficence that Allah wants for mankind: "And We have sent you (O Muhammad (PBUH)) not but as a mercy for the ‘Aalamin (mankind, jinns and all that exists)." (Al-Anbiya’: 107).

The word “rahmatan” in this verse denotes compassion, mercy, kindness and beneficence, which further emphasizes the above objective of the Shariah, namely securing maslahah and avoiding harm. The concept of “rahmatan” implies that whatever is beneficial for mankind is considered to be in line with the maqasid (higher objectives of the Shariah), and every action, policy, measure, etc. that leads to the realization of the maqasid is regarded as maslahah.

Thus, al-Ghazali asserts that maslahah is the preservation of the maqasid, and the maqasid lie in the protection of the five aspects of human life, namely religion, life, progeny, intellect, and wealth (Al-Ghazali 1993). In short, the concept of Maqasid al-Shariah entails that the Shariah aims at safeguarding people's interests and protecting them from harm in this world and the Hereafter.

According to al-Qahtani (2015: 2-4) and al-Khalufi (2015: 191), there are three approaches to categorizing the Maqasid al-Shariah. First, categorization based on the level of the maslahah that the Islamic law aims to preserve. It covers the Maqasid Daruriyyah, the Maqasid Hajiyyah and the Maqasid Tahsiniyyah. Second, categorization of the maslahah based on its level of importance, which is sub-divided into Maqasid Asliyyah and Maqasid Tabiʻah. Third, categorization of the Maqasid al-Shariah based on the extent of its coverage of various Islamic laws, which can be divided into Maqasid al-Ammah, Maqasid al-Khassah and Maqasid al-Juziyyah.

Ibn ‘Ashur (2001), in his scholarly work, deals with the Maqasid al-Shariah by emphasizing the third categorization, in which he examines two important aspects, namely (i) the general purposes of the Shariah (Maqasid al-Ammah) and (ii) the specific purposes of the Shariah (Maqasid al-Khassah). The Maqasid al-Ammah include, but are not limited to, the prevention of corruption, evil and harm (Dar al-Mafasid) and setting things right and the attainment of good and benefits (Jalb al-Masalih). The Maqasid al-Khassah encapsulate the specific purposes and objectives behind the specific rulings of every command and prohibition in the Quran and the Sunnah (Ibn ‘Ashur 2001).

3.2 Maqasid al-Shariah and Measures for Its Preservation

According to Wahbah al-Zuhayli (2007), the Shariah has laid down positive and preventive measures to ensure that the Maqasid al-Shariah in the five necessities of human life can be essentially attained. The positive measures lie in the commandments of the Law Giver, while the preventive measures lie in the prohibitions and punishments prescribed by the Law Giver. For example, in the context of the preservation of religion, the positive measure is primarily intended to establish and strengthen one’s religion and faith (iman), while the preventive measure ultimately aims to prevent a person from indulging in a vice that may destroy his faith and religion. For example, the Shariah has prescribed the five daily prayers to instill faith in oneself, and every person is highly encouraged to keep himself in remembrance of Allah so that his faith in Him remains strong and intact. As a preventive measure, the Law Giver has prohibited a number of acts such as apostasy, commitment of bid’ah (innovation) and involvement in superstitious acts, with the purpose of protecting people's faith and religion so that they will remain as Muslims and die as Muslims. In addition, the preventive measure is also manifest in various punishments enacted by the Law Giver to prevent the spread of the above acts that may lead to the destruction of faith and religion. For example, the Law Giver has ordained that sentence to death is a prescribed punishment for apostasy.


4.0 ANALYSIS

This section analyzes the need for sensitive information leakage prevention from the maqasid viewpoint. Specifically, the analytical discussion in this section concentrates on three sensitive data types that exist in a business organisation, namely strategic planning, intellectual property and legal documents. For each data type, we scrutinize several information leakage scenarios by looking at relevant risk factors as mentioned in (Larry 2018), such as financial loss, reputational loss and loss of competitiveness, and present the Maqasid al-Shariah perspective. For the reader's convenience, we summarize the discussion in Table 1 at the end of this section.

4.1 Strategic Planning

Every business organization has its own strategic planning developed to set its direction in pursuing its goals and objectives. It includes, among others, the organization’s strategic plans, sales plans, and merger or acquisition information. These are examples of sensitive information which, if it falls into the hands of competitors, will cause severe damage to the respective business organization.

Leakage of strategic planning information to a competitor may have direct and indirect impacts. The former relates to cases such as a draft press release or strategic moves that, if exposed, will erode shareholder value, while the latter will lead the business organization into a weaker market position, as the information could contain something as simple as SWOT analysis results. It could also include sales plans, research for mergers and acquisitions, drafts of press releases or other announcements, and information about purchasing power, all of which will jeopardise the organization’s competitive advantage. This amounts to loss of competitiveness (Al-Munafasah). The company’s image will naturally be tarnished, which will further lead to brand damage, amounting to reputational loss (Al-Sum’ah).

The loss of competitiveness and reputation will translate into a decrease in revenue and will eventually affect the organization’s financial position. From the Maqasid al-Shariah standpoint, this will essentially affect the wealth and financial stability of the company, which is originally protected under the fourth pillar of Maqasid al-Shariah, i.e. circulation and accumulation of wealth. The daruriyyat (essential) category of Maqasid al-Shariah in relation to the continuity and survivability of the company will be jeopardized in the event that the significant impact of the financial losses results in the winding up, closure or bankruptcy of the respective company.

4.2 Legal Documents

Every business organization would normally have documents, notes or memos pertaining to litigation, legal contracts or even internal investigations which can be categorised as legal documents.

Sensitive information leakage relating to legal documents may lead to a legal risk, particularly in the event of litigation, where the business will be at a disadvantage if the sensitive information is leaked to the parties in litigation. In the case of a lawsuit, for example, the company as plaintiff or defendant will potentially lose to the other party due to leakage of information relating to legal evidence and proof. The legal risk in this case may have a significant financial impact on the company, such as loss of the lawsuit resulting in financial compensation.

In relation to the financial loss resulting from the litigation exercise and legal judgement, the organization’s image and reputation will be tarnished, which will lead to loss of competitiveness. This situation may lead to the bankruptcy or winding up of the company. From the Maqasid al-Shariah viewpoint, as the Shariah emphasizes the continuity and sustainability of a company, any element that may undermine the company’s sustainability will be considered contrary to the Maqasid al-Shariah in the preservation of a company that assumes legal capacity in business activities, particularly if the company’s core business is Shariah compliant.

The above losses may affect the company at the daruriyyat (essential) level, as they involve the company’s sustainability and the continuity of its business activities.

4.3 Intellectual Property

Some business organizations are heavily dependent on their intellectual property. While some rely on registered patents, industrial designs or copyright, others rely on trade secrets to generate revenue. Exposure of these critical assets will cause the organizations severe damage.

Leakage of patent portfolio development and management materials such as invention disclosures, unpublished patent applications, invention presentations, etc. may result in direct financial loss to the organization, as it loses the opportunity to profit from its investment. From the Maqasid al-Shariah perspective, these scenarios will essentially affect the wealth and financial stability of the company, which is originally protected under the fourth pillar of Maqasid al-Shariah, i.e. circulation and accumulation of wealth. The daruriyyat (essential) category of Maqasid al-Shariah in relation to the continuity and survivability of the company will be jeopardized in the event that the significant impact of the financial losses results in the winding up, closure or bankruptcy of the respective company.


In addition, the organization may suffer from brand damage. Brand damage due to information leakage to competitors will tarnish the company’s image, reputation and eventually its competitive advantage. This will essentially impact customer retention, particularly for customers in the high net worth category.

Furthermore, the above situation may also affect the company’s profitability; thus, with respect to Maqasid al-Shariah, such a situation will eventually affect the essential level (daruriyyat) of Maqasid al-Shariah in relation to the survivability of the company.

5.0 CONCLUSION

For business organizations, leakage of sensitive information causes serious damage and negatively impacts their financial position, business competitiveness and reputation. From the simple maqasidic analysis presented, this situation is intolerable in Islamic practice, particularly with respect to wealth accumulation and circulation. It can be concluded that, for business organizations, implementing a data leakage protection scheme such as DLP is very much relevant and worth serious consideration. The development of a technology acceptance model involving Maqasid al-Shariah as a motivational factor is left as our future work.

| Data Types | Examples | Threats | Risk Factors | Maqasid al-Shariah Perspective |
|---|---|---|---|---|
| Strategic planning | Strategic plans, Sales plans, Unreleased merger or acquisition information, Drafts of press releases or other announcements, New designs, Information about purchasing power | Competitors; Weaker market position to competitors; Erosion of shareholder value | Financial Loss, Reputational Loss and Loss of Competitiveness | Essential level (Daruriyyat). Company’s survivability and sustainability are threatened. |
| Legal documents | Notes, documents pertaining to Litigation, Legal contracts, Internal investigations | Competitors; Litigation; Weak posture in a court of law | Financial Loss, Reputational Loss and Loss of Competitiveness | Essential level (Daruriyyat). Company’s survivability and sustainability are threatened. |
| Intellectual property | Patent portfolio development and management materials such as Invention disclosures, Unpublished patent applications, Trade secrets | Competitors; Discontent employees; Loss of company advantage to competitors; Brand damage | Financial Loss, Reputational Loss and Loss of Competitiveness | Essential level (Daruriyyat). Company’s survivability and sustainability are threatened. |

REFERENCES

Abdul Khir, M. Fared & Abdul Khir, M. Faizal. (2021). Kesedaran Terhadap Perlindungan Ketirisan Maklumat Digital Menurut Perspektif Islam. In Proceeding of The International Seminar on Islam and Science (SAIS2021).

Al-Ghazzali, Abu Hamid. (1993). al-Mustasfa Min ‘Ilm al-Usul, v. 1. Beirut: Dar al-Kutub al-‘Ilmiyyah.

Al-Khalufi, ‘Isa bin Muhammad ‘Abd al-Ghani. (2015). Al-Hiyal al-Fiqhiyyah wa ‘Alaqatuha bi A‘mal al-Masrifiyyah al-Islamiyyah: Dirasah Fiqhiyyah Tatbiqiyyah fi Daw’ al-Maqasid al-Shar‘iyyah. Riyadh: Dar Kunuz Ishbiliya li al-Nashr wa al-Tawzi‘.

Al-Qahtani, Musfir bin Ali. (2015). Understanding Maqasid al-Shariah: A Contemporary Perspective. Herndon, VA, USA: International Institute of Islamic Thought (IIIT).

ENISA. (2020). ENISA Threat Landscape: Information Leakage. https://www.enisa.europa.eu/publications/information-leakage. Accessed on 10th October 2021.

Ibn ‘Ashur. (2001). Maqasid al-Sharia’ah. Jordan: Dar al-Nafa’is.

Liu, S. L. & Kuhn, R. (2010). Data loss prevention. IT Professional, 12(2): 10–13.

Larry, G., W. (2018). Data Loss Prevention – Next Steps. ISACA Journal. Vol 1. http://www.isaca.org. Accessed on 10th October 2021.

Praba, C. Mercy & Satyavathy, G., Dr. (2017). A technical review on data leakage detection and prevention approaches. Journal of Network Communications and Emerging Technologies (JNCET), 7:6, 09.

Wahbah al-Zuhayli. (2007). Usul al-Fiqh al-Islami. v. 2. Damascus: Dar al-Fikr.
