623,620 research outputs found

    A Response to the AIS Bright ICT Initiative

    In 2015, the President of the Association for Information Systems introduced the Bright ICT Initiative (Lee 2015), which provides a framework for improving Internet security based on four principles: origin responsibility, deliverer responsibility, rule-based digital search warrants, and traceable anonymity. We review these principles and show that at least three of these principles are at odds with the United Nations' Universal Declaration of Human Rights and the founding principles of the Internet and may actually decrease individual security. We conclude giving suggestions for developing principles more in line with human rights.

    Unpacking security policy compliance: The motivators and barriers of employees’ security behaviors

    The body of research that focuses on employees’ information Security Policy compliance is problematic as it treats compliance as a single behavior. This study explored the underlying behavioral context of information security in the workplace, exploring how individual and organizational factors influence the interplay of the motivations and barriers of security behaviors. Investigating factors that had previously been explored in security research, 20 employees from two organizations were interviewed and the data was analyzed using framework analysis. The analysis indicated that there were seven themes pertinent to information security: Response Evaluation, Threat Evaluation, Knowledge, Experience, Security Responsibility, Personal and Work Boundaries, and Security Behavior. The findings suggest that these differ by security behavior and by the nature of the behavior (e.g. on- and offline). Conclusions are discussed highlighting barriers to security actions and implications for future research and workplace practice

    Implementing the NIS Directive, Driving Cybersecurity Improvements for Essential Services

    A review by the National Audit Office of the National Cyber Security Programme recommended a more robust performance framework, to understand the impact of the Programme and to focus activities going forward. The Directive on security of network and information systems (the NIS Directive) has placed responsibility for essential aspects of supply chains on Operators of Essential Services (OES). Our dependence on international supply chains also requires a performance framework to assist cybersecurity improvements in this area. The following sections describe work to investigate the implementation of the NIS Directive by Competent Authorities (CA) and OES and proposes a framework to monitor performance across interdependencies. This is to enable development of a more effective set of performance metrics to guide interventions and improvements in cybersecurity for critical infrastructure

    A framework towards effective control in information security governance

    The importance of information in business today has made the need to properly secure this asset evident. Information security has become a responsibility for all managers of an organization. To better support more efficient management of information security, timely information security management information should be made available to all managers. Smaller organizations face special challenges with regard to information security management and reporting due to limited resources (Ross, 2008). This dissertation discusses a Framework for Information Security Management Information (FISMI) that aims to improve the visibility and contribute to better management of information security throughout an organization by enabling the provision of summarized, comprehensive information security management information to all managers in an affordable manner

    Adoption and Usage Patterns of an IT Audit and Control Framework

    In 1996, the Information Systems Audit and Control Foundation (ISACF) published Control Objectives for Information and Related Technology (COBIT). COBIT provides a framework of generally applicable and accepted IT security and control practices that can be used to evaluate an organization’s current and planned IT environment. The COBIT framework is intended to be useful to management and users (business process owners), in addition to auditors. For management, users, and auditors COBIT provides a framework to evaluate IT investments and risks and to provide assurance that IT-related business objectives are achieved. COBIT strengthens the understanding, design, exercise and evaluation of internal controls. It also helps to focus management’s responsibilities to ensure that systems have integrity and that appropriate controls are in effect. COBIT outlines internal or external audit’s responsibility to provide assurance with respect to those objectives.

    A Descriptive Study of Ethical Procedures That Maintain Cultural Security When Conducting Health Research With Aboriginal and Torres Strait Islander School Children in Western Australia

    Cultural security is the maintenance of values and beliefs and the celebration of diversity unique to different cultures. This honours thesis developed a proposed framework to guide collaborative ethics procedures that demonstrate the Aboriginal values relevant to health research for use in Western Australia (WA). These values of reciprocity, respect, equality, responsibility, survival and protection, and spirit and integrity have been identified in the National Health and Medical Research Council's Values and Ethics: Guidelines for Ethical Conduct in Aboriginal and Torres Strait Islander Health Research. Ethical procedures for maintaining cultural security when conducting health research among Aboriginal people throughout Australia were investigated. Current practices in international and national Indigenous health research were reviewed to gain a better understanding of an Australian Aboriginal context. The literature confirmed that a community development approach aimed at empowering a community through involvement, consultation and ownership would assist in maintaining the cultural security of Aboriginal health research participants. As a descriptive study, the attitudes and experiences of Aboriginal researchers and Aboriginal health workers in the demonstration of these values in Aboriginal child health research were also investigated. Data were gathered using two questionnaires. The first questionnaire collected practice-based evidence (in a face-to-face interview) from two Aboriginal researchers with extensive experience in Aboriginal child health research to create case studies of the procedures they employed to demonstrate the values listed above. The literature review and the case studies were used to develop a proposed framework for demonstrating the values. Expert consultation was sought for content validation of the proposed framework.
A panel of health promotion practitioners and researchers were asked to complete a semi-structured questionnaire about the proposed framework. Nineteen participants were recruited for the expert panel and seven completed questionnaires were returned. On a continuous scale of 1-5 for maintaining cultural security (where a higher score indicates cultural security would be maintained) all 29 proposed framework examples received a mean rating of >3.5. The 29 framework examples were then matched to the values of reciprocity, respect, equality, responsibility, survival and protection and spirit and integrity. An additional 87 items were presented to the expert panel members to explore group consensus that the examples demonstrate the Aboriginal values relevant to health research. Seventy nine items received a mean rating >4.0. Unexpectedly, consensus among the panel members that framework examples demonstrated the Aboriginal values relevant to health research was not reached for 27 of the 87 examples. These examples were related to: participant recruitment; capacity building; community involvement; committee involvement; potential use of project information; project agreements; and complaints processes. A more in-depth expert consultation on these examples was outside the scope of this thesis project. The overall feedback from the expert panel indicated that a revised framework would assist researchers achieve two things: demonstrate the Aboriginal values relevant to health research; and maintain the cultural security of project participants. Mean scores and comments by the expert panel were used to review the proposed framework. The revised framework will be used to guide the ethics application for a school-based Aboriginal bullying prevention and reduction project to be conducted in a Midwest, Murchison community in W.A.

    Who needs XAI in the Energy Sector? A Framework to Upgrade Black Box Explainability

    Artificial Intelligence (AI)-based methods in the energy sector challenge companies, organizations, and societies. Organizational issues include traceability, certifiability, explainability, responsibility, and efficiency. Societal challenges include ethical norms, bias, discrimination, privacy, and information security. Explainable Artificial Intelligence (XAI) can address these issues in various application areas of the energy sector, e.g., power generation forecasting, load management, and network security operations. We derive Key Topics (KTs) and Design Requirements (DRs) and develop Design Principles (DPs) for efficient XAI applications through Design Science Research (DSR). We analyze 179 scientific articles to identify our 8 KTs for XAI implementation through text mining and topic modeling. Based on the KTs, we derive 15 DRs and develop 18 DPs. After that, we discuss and evaluate our results and findings through expert surveys. We develop a Three-Forces Model as a framework for implementing efficient XAI solutions. We provide recommendations and a further research agenda

    Towards a conceptual framework for information security digital divide

    In the 21st century, information security has become the heartbeat of any organisation. One of the best-known methods of tightening and continuously improving security on an information system is to uniquely and efficiently combine the human aspect, policies, and technology. This acts as leverage for designing an access control management approach which not only avails parts of the system that end-users are permitted to but also regulates which data is relevant according to their scope of work. This research explores information security fundamentals at organisational and theoretical levels, to identify critical success factors which are vital in assessing the organisation’s security maturity through a model referred to as “information security digital divide maturity framework”. The foregoing is based on a developed conceptual framework for information security digital divide. The framework strives to divide end-users, business partners, and other stakeholders into “specific information haves and have-nots”. It intends to assist organisations to continually evaluate and improve on their security governance, standards, and policies which permit access on the basis of each end-user or stakeholder’s business function, role, and responsibility while at the same time preserving the traditional standpoint of confidentiality, integrity, and availability. After a thorough review of a range of frameworks that have influenced the information security landscape, COBIT™ was relied upon as a baseline for the development of the framework of the study because of its rich insight and maturity on IT management and governance. To ascertain that the proposed framework meets the required expectation, a survey targeting end-users within three participating organisations was carried out. The outcome revealed the current maturity level of each participating organisation, highlighting strengths and limitations of current information security practices.
As such, for new organisations relying on the proposed framework for the first time, the outcome of such an assessment will represent a benchmark to be relied on for further improvement before embarking on the next maturity assessment cycle. In addition, a second survey was conducted with subject matter experts in information security. Data generated and collected through a questionnaire was then analysed and interpreted qualitatively and quantitatively in order to identify aspects, not only to gauge the acceptance of the proposed conceptual framework but also to identify areas for improvements. The study found that there was a general consensus amongst experts on the importance of a framework for benchmarking information security digital divide in organisations. It also provided a range of valuable input relied upon to improve the framework to its final version. School of Computing. M. Sc. (Computing)

    Survey On Ensuring Distributed Accountability for Data Sharing in the Cloud

    Cloud computing is the use of computing of sources that are delivered as a service over a network, for example on the internet. It enables highly scalable services to be easily utilized over the Internet on an as-needed basis. Important characteristic of the cloud services is that users’ data are usually processed remotely in unknown machines that users do not operate. It can become a substantial barrier to the wide taking on cloud services. To address this problem highly decentralized responsibility framework to keep track of the actual usage of the user’s data in the cloud. In this work has automated logging and distributed auditing mechanism. The Cloud Information Accountability framework proposed in this work conducts distributed auditing of relevant access performed by any entity, carried out at any point of time at any cloud service provider. It contains two major elements: logger and log harmonizer. This methodology will also take concern of the JAR file by converting the JAR into obfuscated code which will add an additional layer of security to the infrastructure. Rather than this here in this work, increase the security of user’s data by provable data control for integrity verificatio

    High-Risk Deviant Decisions: Does Neutralization Still Play a Role?

    Extant research has shown that neutralization processes can enable potential IS security policy violators to justify their behavior and overcome the deterrence effect of sanctions in order to engage in unethical behaviors. However, such sanctions are typically moderate and not career ending. We test the boundary conditions of this theory by evaluating whether neutralization plays a role in overcoming the impact of extreme levels of deterrence. We extend the Siponen and Vance (2010) framework within a professional context that assigns extreme sanctions to violators. Using the scenario-based factorial survey method common in IS security research, we collected data from future auditors who understand these extreme sanctions. We test the reasons that auditors may use to form intentions to falsify information concerning an information security issue with a company’s accounting information system, thereby jeopardizing data integrity and security by modifying working papers to hide irregularities and, by doing so, violating their professional standards, which could result in career-ending sanctions. We empirically validated and tested the theoretical model. Our results show that sanctions play an important role in reducing employees’ intentions to violate policy but that, even under extreme boundary conditions, employees might seek to rationalize their unethical behavior by denying responsibility for their actions through, for example, arguing that their supervisors pressured them into performing the violations. We also establish that messages heightening the awareness and perceptions of the certainty and severity of organizational punishment are likely to attenuate such deviant behaviors. We discuss the implications of these findings and suggest future avenues for research