6 research outputs found

    Aligning Security Awareness With Information Systems Security Management

    This paper explores the way information security awareness connects to the overall information security management framework it serves. To date, the formulation of security awareness initiatives has tended to ignore the important relationship with the overall security management context, and vice versa. In this paper we show that the two processes can be aligned so as to ensure that awareness activities serve the security management strategy and that security management exploits the benefits of an effective awareness effort. To do so, we analyze the processes of security awareness and security management using a process analysis framework and we explore their interactions. The identification of these interactions results in making us able to place awareness in a security management framework instead of viewing it as an isolated security mechanism

    A Call For Research On Home Users’ Information Security Behaviour

    The number of home computer users is increasing faster than ever. Home users’ security should be an important research topic in IS security research, not only from the perspective of protecting home users’ personal or work information on their home computers, but also because hijacked home computers have become an ideal breeding ground for hackers attacking organizations, and distributing illegal or morally questionable material. Despite the importance of studying home users’ security behaviour, the primary focus of the behavioural IS security research has been on an organizational context. While this research at an organizational context is important, we argue that the “home users” context requires more attention by scholars. While there are similarities between “home users’ IS security behaviour” and “employees’ compliance with IS security procedures at organizational context”, it is necessary to understand their differences, to allow research and practice on “home users security behaviour” to develop further. We argue that previous research has not paid attention to such differences. As a first step in remedying the gap in our understanding, we first theorise these differences, we consider, that there are at least nine contextual factors that may result in an individual’s behaviour inconsistency in the workplace and home, and because of this, we argue that the same theories may not explain the use of security features in home and organizational contexts. Based on this conceptualization, we present a research agenda for studying home users’ security behaviour

    Cybersecurity awareness in an Industrial Control Systems company

    Abstract: This paper investigates the cybersecurity awareness levels of employees at an industrial control systems organization and measures their knowledge on the potential impact of cyber-related attacks on their systems through a case study. Attacks on industrial control systems as well as the information technology infrastructure which it relies on, are becoming a growing problem for governments and organizations. Cybersecurity policies of organizations are critical to ensure that industrial control systems environments are adequately protected. It is equally important for the organizations to ensure that their employees are aware of the cybersecurity policies and why they must be implemented. In many cases, however, organizations are faced with employees who are not aware of the potential cyber-related security threats posed to their industrial control systems, nor the impact these attacks might have. Results show that although employees understand the severity of cyber vulnerabilities their awareness is low

    Semantic discovery and reuse of business process patterns

    Patterns currently play an important role in modern information systems (IS) development and their use has mainly been restricted to the design and implementation phases of the development lifecycle. Given the increasing significance of business modelling in IS development, patterns have the potential of providing a viable solution for promoting reusability of recurrent generalized models in the very early stages of development. As a statement of research-in-progress this paper focuses on business process patterns and proposes an initial methodological framework for the discovery and reuse of business process patterns within the IS development lifecycle. The framework borrows ideas from the domain engineering literature and proposes the use of semantics to drive both the discovery of patterns as well as their reuse

    Information System Security Commitment: A Study of External Influences on Senior Management

    This dissertation investigated how senior management is motivated to commit to information system security (ISS). Research shows senior management participation is critical to successful ISS, but has not explained how senior managers are motivated to participate in ISS. Information systems research shows pressures external to the organization have greater influence on senior managers than internal pressures. However, research has not fully examined how external pressures motivate senior management participation in ISS. This study addressed that gap by examining how external pressures motivate senior management participation in ISS through the lens of neo-institutional theory. The research design was survey research. Data collection was through an online survey, and PLS was used for data analysis. Sample size was 167 from a study population of small- and medium-sized organizations in a mix of industries in the south-central United States. Results supported three of six hypotheses. Mimetic mechanisms were found to influence senior management belief in ISS, and senior management belief in ISS was found to increase senior management participation in ISS. Greater senior management participation in ISS led to greater ISS assimilation in organizations. Three hypotheses were not supported. Correlation was not found between normative influences and senior management belief, normative influences and senior management participation, and coercive influences and senior management participation. Limitations with the study included a high occurrence of weak effect sizes on relationships within the model and heterogeneity based on industry, organization size, and regulatory requirements in the sample. This study contributes to ISS research by providing a theoretical model to explain how external influences contribute to senior management belief and participation in ISS, and ultimately ISS assimilation in organizations. 
Empirical evidence supports the mediating role by senior management between external influences and ISS assimilation. The findings also suggest some limitations that may exist with survey research in this area. This study benefits practitioners in three ways. First, it reinforces the argument that senior management support is critical to ISS success. Second, it extends understanding of senior management's role with ISS by explaining how IS and ISS management might nurture senior management belief and participation in ISS through industry groups and business partnerships. Third, the results inform government regulators and industry groups how they can supplement regulatory pressures with educational and awareness campaigns targeted at senior management to improve senior management commitment to ISS