Final answer:
The upper management must structure IT and information security functions to protect information assets. This role is vital, as studies and real-world incidents, like the Target data breach, have shown the costly consequences of ineffective information security structures.
Step-by-step explanation:
The statement that upper management of an organization must structure the IT and information security functions to defend the organization's information assets is true. This is because management is responsible for establishing the proper protocols, procedures, and frameworks to ensure the security and integrity of data and information systems.
For instance, studies have shown that human factors such as cognitive load can affect the accuracy of decisions in information security settings. Heavy cognitive demands can increase the likelihood of personnel making errors, such as false positives in breach detection, which has cost implications. However, in these studies, such as the one done by Bruno & Abrahão (2012), the opposite error of overlooking actual intrusions did not increase with the rise in cognitive demand. This suggests that while mistakes can occur, systems and protocols need to be robust enough to manage human error.
The importance of proper structure for IT and information security was highlighted in the case of the Target data breach where signals were received but not correctly interpreted, leading to significant damage. This underscores how critical upper management's role is in defining and supporting effective information security measures.