628 research outputs found

    The Common Body of Knowledge: A Framework to Promote Relevant Information Security Research

    This study proposes using an established common body of knowledge (CBK) as one means of organizing information security literature. Consistent with calls for more relevant information systems (IS) research, this industry-developed framework can motivate future research towards topics that are important to the security practitioner. In this review, forty-eight articles from ten IS journals from 1995 to 2004 are selected and cross-referenced to the ten domains of the information security CBK. Further, we distinguish articles as empirical research, frameworks, or tutorials. Generally, this study identified a need for additional empirical research in every CBK domain including topics related to legal aspects of information security. Specifically, this study identified a need for additional IS security research relating to applications development, physical security, operations security, and business continuity. The CBK framework is inherently practitioner oriented and using it will promote relevancy by steering IS research towards topics important to practitioners. This is important considering the frequent calls by prominent information systems scholars for more relevant research. Few research frameworks have emerged from the literature that specifically classify the diversity of security threats and range of problems that businesses today face. With the recent surge of interest in security, the need for a comprehensive framework that also promotes relevant research can be of great value

    Consumer protection in the Kenyan financial sector: A case for a Twin Peaks model of financial regulation

    Magister Legum - LLM. The dynamic character of the financial services industry necessitates frequent appraisal of the regulation of the sector. The main objectives for regulation of the financial sector include financial stability, promotion of competition and protection of the consumers. In ensuring consumer protection, there is need to balance this with all the other objectives to ensure optimal protection in the entire financial sector. This can be difficult as it is mostly dependent on the regulatory framework in the financial sector for the basic reason that most of the failures are associated with regulation. Key to the challenges is that consumer protection is served by measures that ensure proper conduct on the part of the service providers. Interests of the providers of the financial services may thus not be sufficiently aligned with those of the consumers of the products. There are three common models of financial regulation. They are the sectoral model, unified or integrated model and the Twin Peaks model. The financial sector in Kenya follows a sectoral model. It is a hodgepodge of institutional and functional regulation. There are five (5) government agencies that regulate specific segments of the financial sector with each of the regulators being established to operate independently within the permits of an Act of Parliament. This is without mentioning the many other segments that have no specific regulators

    Kenya Financial Sector Stability Report, 2013

    The report presents trend analysis and in-depth assessment of the global and domestic macro-financial developments affecting and emanating from the macroeconomy and the financial system. It analyses the performance and interactions involving the real economy, financial markets, financial institutions, financial infrastructure, and review of the legal and policy frameworks in 2013

    A Draft Model Curriculum for Programs of Study in Information Security and Assurance

    With the dramatic increase in threats to information security, there is a clear need for a corresponding increase in the number of information security professionals. With a lack of formal curriculum models, many academic institutions are unprepared to implement the courses and laboratories needed to prepare this special class of information technologist. This paper provides an overview of lessons learned in the implementation of both individual courses and a degree concentration in information security. It refers to a more comprehensive document, available on the Web, which includes the methodology used in developing the curriculum, individual course syllabi for recommended components, and laboratory development and implementation recommendations

    Maintaining a Cybersecurity Curriculum: Professional Certifications as Valuable Guidance

    Much has been published about developing a cybersecurity curriculum for institutes of higher learning (IHL). Now that a growing number of IHLs globally offer such programs, a need exists on how to guide, maintain, and improve the relevancy of existing curricula. Just as cybersecurity professionals must hone their skills continually to keep up with a constantly shifting threat landscape, cybersecurity programs need to evolve to ensure they continue to produce knowledgeable graduates. In this regard, professional certifications in the cybersecurity industry offer an opportunity for IHLs to maintain a current curriculum. Governing bodies that manage professional certifications are highly motivated to ensure their certifications maintain their currency in the competitive marketplace. Moreover, employers who hire security professionals look for certifications in assessing a candidate’s overall credentials. This paper attempts to fill a void in the literature by exploring the use of professional certifications as helpful input to shaping and maintaining a cybersecurity curriculum. To this end, we offer a literature analysis that shows how changes made to professional certifications are applicable and relevant to maintaining a cybersecurity curriculum. We then provide a case study involving an undergraduate cybersecurity program in a mid-sized university in the United States. Before concluding, we discuss topics such as experiential learning, cybersecurity capstone courses, and the limitations to our approach.

    Exploring key elements for e-trasformation in commercial banks in Kenya

    A research report submitted to the Faculty of Humanities, University of the Witwatersrand, in partial fulfilment of the requirements for the degree of Master of Arts (in the field of ICT Policy and Regulation). 9th August 2016. Digital transformation on a national level is a framework that has been applied to a number of different contexts. Studies in both developed and developing countries have exhibited digital transformation in a manner that reflects its applicability across contexts and scenarios. However, this research explored what happens when the same is applied to organizational contexts in a developing country. The research did not divert too far from the national application of a digital transformation framework, but merely sought to incorporate the organizational perspective, and the different considerations that arise in commercial banks in Kenya; an area which was previously under-explored. A conceptual framework was developed to study only particular elements of digital transformation from qualitative analysis and different sources of data. The findings of this study illustrated that there is a huge uptake of technologies in these commercial banks, but also notes a significant number of limitations that currently exist. The report concludes with proposals as to how these limitations can be addressed through various recommendations, and also considers other avenues for improvement, and future research that can later be applied to other contexts. GR201

    National Cybersecurity Strategy (2022)


    The effect of cyberattacks on European financial institutions: an event study approach

    Cyber risk has been a widely debated issue in recent years. The financial world could prove particularly vulnerable when it comes to cyberattacks, given the high level of interconnection between all of the sector’s players. This paper uses the event study methodology to assess the reaction of 15 European financial institutions’ share prices to direct cyberattacks. The same methodology is used for testing the reaction of a sample of 22 financial institutions, based in the Eurozone, to a series of systemic cyberattacks with potential worldwide repercussions. Our research represents an original contribution to the literature in two ways. Firstly, to the best of our knowledge, no authors have previously applied the event study methodology to a sample of shares pertaining exclusively to financial institutions. Even less so to financial institutions exclusively based in the Eurozone. Secondly, to the best of our knowledge, no existing research applied our subdivision between direct and systemic cybersecurity events in a single study. Overall, our study provides empirical evidence on the effect of 14 direct and 3 systemic cyberattacks. These attacks were announced by newspapers between October 2014 and August 2023. This represents an opportunity to update the results of the older event study cybersecurity literature, as well as an opportunity to test the results by more recent studies. The results can also be useful in the interpretation and anticipation of current and future European legislation on cybersecurity. In the case of direct cyberattacks, which explicitly target banks, insurance companies or electronic money institutions, we find that stock prices exhibit negative and significant cumulative abnormal returns. Furthermore, these negative effects become more relevant when considering larger event windows after the attack date. We also divide, in accordance with other studies, direct events between ones that compromise the confidentiality of information and ones that do not. We interestingly find that attacks that do not reveal confidential information have a significant negative effect on their targets. Conversely, cyberattacks that do reveal confidential information held by financial institutions do not have a significant effect on stock prices. Regarding the three systemic events, we find contrasting but interesting results. The breach of a major US bank has an overall negative and significant effect on European companies, in particular the ones based in Italy and Spain. On the other hand, when SolarWinds was discovered to be the vector of a cyberattack on the US Government, no such negative effect was observed. Lastly in the case of the WannaCry ransomware epidemic, we find empirical evidence of negative abnormal returns only for companies based in Germany and Spain.

    Perceived Security of E-Learning Portal

    Information technology has made e-learning possible and available on a large scale. Learning management systems (LMS) have been widely used and are accessible through the Internet. However, LMS are exposed to various threats. Proper understanding of the threats is required. Furthermore, strategy and best practices countermeasures will ensure a safe learning environment. Therefore, this study looks into the information security aspect of LMS. Specifically, there are two main purposes of this study. First, this study provides a review of information security in e-learning environments and explains the importance of information security. Second, this study looks at how students perceived the security of their e-learning portal. A total of 497 students responded to a survey questionnaire. Frequencies analysis was conducted to show the profile of the respondents. Overall, respondents have strong positive perceptions towards security of their LMS. This study serves as an introduction which helps LMS administrators to understand the issues and possibilities related to the safety of LMS

    Crafting an Undergraduate Information Security Emphasis Within Information Technology

    Universities have only recently created an undergraduate course in information security (or related topics) but few have implemented an emphasis or comprehensive program at the undergraduate level. This article explores the creation of an undergraduate emphasis in information security at Weber State University (WSU) within the John B. Goddard School of Business and Economics (JGSBE) that is designed to train students in the skills necessary to implement and manage security. Specifically, the article discusses the skill sets for security management, the lab requirements for the courses in this emphasis and the incorporation of legal elements in the curriculum