9 research outputs found

    An Exploratory Study of the Relationship among the High-level Management’s Security Awareness, Organizational Information Security Activities, and the Execution Level of Organizational Information Security

    As the issue of information security becomes increasingly important, high-level management security awareness of the operation of organizational information security activities is a significant factor in success. Hence, the aim of this research is to explore how organizational information security activities are influenced by high-level management security awareness, and to use the information security standard BS7799 to evaluate the execution phase of organizational information security. Combining literature research, a case study and the main security codes of BS7799, this paper proposes a conceptual model of high-level management security awareness, organizational information security activities and the organizational information security standard in relation to each other. In our conclusion, we discovered that higher high-level management security awareness and cognizance of industry risks, the implementation of security measures and the threats to organizational security not only facilitate the four information security activities of deterrence, prevention, detection and recovery, but also enhance the standard of organizational information security. In practice, the conclusion of this paper hopes to remind high-level management to be aware of the threats of human factors and also to strengthen risk evaluation and deterrence activity.

    A Framework for Decision Support in Information Systems Security

    As the structure of modern organizations shifts, so correspondingly must the methodologies which underlie the evaluation and development of the security posture of their information systems. We have witnessed an ever-growing gap between organizational policy and technology. We have also witnessed an ever-increasing complexity of decisions regarding the planning and design of IS security. Within this paper, we propose a decision support framework consistent with security and decision theory and develop a model of the decision analysis space suitable for multiple criteria decision making (MCDM). The adoption of MCDM techniques within the context of this model can show inherent trade-offs between alternatives in a security decision, encapsulate qualitative as well as quantitative elements within the analysis space, and facilitate group decision making, thereby dealing with conflicting perspectives of multiple stakeholders. The paper concludes with a demonstration of the proposed model through a case study conducted with a major financial services provider.

    Deepening the Knowledge on Information Security Management in Developing Countries: Evidence from Ghana

    Following the seamless integration of the internet with computer information systems and the rapid increase in the number of people worldwide who possess the skills needed to launch cyber-attacks on public communication systems, businesses and organizations can hardly assume adequate security by depending on anonymity and geographical location. This study deepens knowledge on information security management in developing countries. It uses both quantitative and qualitative approaches to examine the information security management practices of the Social Security and National Insurance Trust in Ghana. Findings from the study suggest significant indications of human factor vulnerabilities and threats to information security. Findings also suggest high levels of vulnerability to external attack. Other findings, however, indicate management-level recognition of education and training as very essential in improving information security practices. Although the results of this study may not be generalizable, we recommend that the issue of education and training on information security management should be made a top priority on the IT agendas of all organizations in Ghana. A further study is proposed to assess the value placed on information security management within the context of developing countries and the factors that influence these values.
    Keywords: Information Security Management, Cyber-attack, developing countries, computerization, security policy, security awareness, education and training

    Decision Support in Information Systems Security

    As the structure of modern organizations shifts, so correspondingly must the methodologies which underlie the evaluation and development of the security posture of their information systems. We have witnessed an ever-growing gap between organizational policy and technology. We have also witnessed an ever-increasing complexity of decisions regarding the planning and design of IS security. Within this paper, we propose a decision support framework consistent with security and decision theory and develop a model of the decision analysis space suitable for multiple criteria decision making (MCDM). The adoption of MCDM techniques within the context of this model can show inherent trade-offs between alternatives in a security decision, encapsulate qualitative as well as quantitative elements within the analysis space, and facilitate group decision making, thereby dealing with conflicting perspectives of multiple stakeholders. The paper concludes with a demonstration of the proposed model through a case study conducted with a major financial services provider.

    Current State of Information Security Research In IS

    The importance of information security in a pervasive networked environment is undeniable, yet there is a lack of research in this area. In this study we conduct a comprehensive survey of the information security articles published in leading IS journals. We then compare the research themes with those of the IBM Information Security Capability Reference Model.

    Multiple Case Study Approach to Identify Aggravating Variables of Insider Threats in Information Systems

    Malicious insiders present a serious threat to information systems due to their privilege of access, knowledge of internal computer resources, and the potential threats posed by disgruntled employees or insiders collaborating with external cybercriminals. Researchers have extensively studied insiders’ motivation to attack from the broader perspective of deterrence theory and have explored the rationale for employees to disregard or overlook security policies from the perspective of neutralization theory. This research takes a step further: we explore the aggravating variables of insider threat using a multiple case study approach. Empirical research using black hat analysis of three case studies of insider threats suggests that, while neutralization plays an important role in insider attacks, it takes a cumulative set of aggravating factors to trigger an actual data breach. By identifying and aggregating the variables, this study presents a predictive model that can guide IS managers to proactively mitigate insider threats. Given the economic and legal ramifications of insider threats, this research has implications relevant for both academics and security practitioners.

    Towards a conceptual framework for information security digital divide

    In the 21st century, information security has become the heartbeat of any organisation. One of the best-known methods of tightening and continuously improving security on an information system is to uniquely and efficiently combine the human aspect, policies, and technology. This acts as leverage for designing an access control management approach which not only avails the parts of the system that end-users are permitted to use but also regulates which data is relevant according to their scope of work. This research explores information security fundamentals at organisational and theoretical levels, to identify critical success factors which are vital in assessing the organisation’s security maturity through a model referred to as the “information security digital divide maturity framework”. The foregoing is based on a developed conceptual framework for the information security digital divide. The framework strives to divide end-users, business partners, and other stakeholders into “specific information haves and have-nots”. It intends to assist organisations to continually evaluate and improve their security governance, standards, and policies which permit access on the basis of each end-user’s or stakeholder’s business function, role, and responsibility while at the same time preserving the traditional standpoint of confidentiality, integrity, and availability. After a thorough review of a range of frameworks that have influenced the information security landscape, COBIT™ was relied upon as a baseline for the development of the framework of the study because of its rich insight and maturity on IT management and governance. To ascertain that the proposed framework meets the required expectation, a survey targeting end-users within three participating organisations was carried out. The outcome revealed the current maturity level of each participating organisation, highlighting strengths and limitations of current information security practices. As such, for new organisations relying on the proposed framework for the first time, the outcome of such an assessment will represent a benchmark to be relied on for further improvement before embarking on the next maturity assessment cycle. In addition, a second survey was conducted with subject matter experts in information security. Data generated and collected through a questionnaire was then analysed and interpreted qualitatively and quantitatively in order to identify aspects, not only to gauge the acceptance of the proposed conceptual framework but also to identify areas for improvement. The study found that there was a general consensus amongst experts on the importance of a framework for benchmarking the information security digital divide in organisations. It also provided a range of valuable input relied upon to improve the framework to its final version.
    School of Computing, M.Sc. (Computing)

    Formality and informality in internal control systems: A comparative study of control in different social and cultural environments in a global bank.

    This thesis examined the relationship between formal systems and informal norms in the internal control systems of a global bank. The thesis argues that the global policies and standardised manuals and procedures of multinational firms cannot be internalised and interpreted in the same way as anticipated by management in every branch. This assumption confirms the importance of this study in increasing understanding of the issues and concerns in the management of internal control systems among different organisations in different cultural and social environments. A broad range of literature was reviewed and it was found that little research in information systems security had previously focused on internal control systems. As such, this research presents a new area of information systems security study. This research aimed to provide a qualitative approach to increase understanding of the relationship between formal and informal systems. The main objective was to analyse in depth the interaction between these two systems. More focus was placed on the study of people who played a significant role in the control systems. In pursuing this aim, an interpretive case study of a global bank in two branches was conducted. The findings from this research suggest that there are problems in implementing internal control systems globally across the bank. Internal control systems should be examined with respect to both formal and informal analysis. Consideration should be focused more at the informal level, where pragmatic and semantic concerns should be addressed. The thesis concludes that a qualitative approach is an appropriate way to conduct research in cross-cultural studies in information systems security, and also that semiotics theory is an appropriate approach in this area of study.

    Shaping Strategic Information Systems Security Initiatives in Organizations

    Strategic information systems security initiatives have seldom been successful. The increasing complexity of the business environment in which organizational security must be operationalized presents challenges. There has also been a problem with understanding the patterns of interactions among stakeholders that lead to instituting such an initiative. The overall aim of this research is to enhance understanding of the issues and concerns in shaping a strategic information systems security initiative. To be successful, a proper understanding of the content, context and process of the formulation and institutionalization of a security initiative is essential. It is also important to align the interconnections between these three key components. In conducting the argument, this dissertation analyzes information systems security initiatives in two large government organizations – the Information Technology Agency and the Department of Transportation. The research methodology adopts an interpretive approach of inquiry. Findings from the case studies show that the strategic security initiative should be harmonious with the cultural continuity of an organization rather than significantly changing the existing opportunity and constraint structures. The development of security cultural resources such as security policy may be used as a tool for propagating a secure view of the social world. For secure organizational transformation, one must consider the organizational security structure, the knowledgeability of agents in perceiving a secure organizational posture, and global security catalysts (such as establishing trust relations and security-related institutional reflexivity). The inquiry indicates that strategic security change would be successful in an organization if developed and implemented in a brief yet quantum leap, adopting an emergent security strategy in congruence with organizational security values.