114 research outputs found

    How does intellectual capital align with cyber security?

    Purpose – To position the preservation and protection of intellectual capital as a cyber security concern. We outline the security requirements of intellectual capital to help Boards of Directors and executive management teams to understand their responsibilities and accountabilities in this respect. Design/Methodology/Approach – The research methodology is desk research. In other words, we gathered facts and existing research publications that helped us to define key terms, to formulate arguments to convince BoDs of the need to secure their intellectual capital, and to outline actions to be taken by BoDs to do so. Findings – Intellectual capital, as a valuable business resource, is related to information, knowledge and cyber security. Hence, preservation thereof is also related to cyber security governance, and merits attention from boards of directors. Implications – This paper clarifies boards of directors’ intellectual capital governance responsibilities, which encompass information, knowledge and cyber security governance. Social Implications – If boards of directors know how to embrace their intellectual capital governance responsibilities, this will help to ensure that such intellectual capital is preserved and secured. Practical Implications – We hope that boards of directors will benefit from our clarifications, and especially from the positioning of intellectual capital in cyber space. Originality/Value – This paper extends a previous paper published by Von Solms and Von Solms (2018), which clarified the key terms of information and cyber security, and the governance thereof. The originality and value is the focus on the securing of intellectual capital, a topic that has not yet received a great deal of attention from cyber security researchers.

    Internal human based threats and security controls in computerized banking systems: evidence from Malaysia

    Malaysia, being a unique capital market, practices a dual banking system to capture the disaggregation of conventional and Islamic banking systems. However, like most financial institutions, no bank is isolated from security threats, even if it comes from within the organization. Thus the objective of this study is to examine bank managers’ experience on human based security threats and the existence of human based security controls in computerized banking systems (CBS) in Malaysia. Since most major financial institutions operate in the capital city of Kuala Lumpur, questionnaires were sent to some of these bank branches in Kuala Lumpur. Findings revealed that managers recognized the personal policies recruitment procedure, segregation of duties and physical access control as ways to mitigate risks of human security threats. Hence, the findings provide insights into how the internal control system of a financial institution can be improved as a means to reduce security threats that have monetary implications. Finally, the study provides a platform for promoting efficient and effective internal control practices among financial institutions in Malaysia.

    Towards Governance of Information Security Incident Response

    Organizations are increasingly digitizing their business models to complement or even replace physical contact with customers and suppliers. With this shift online comes an increase in information security attacks, which are occurring more frequently due to the increased attack surface, vulnerabilities in security controls, and a target-rich environment. Organizations prevent attacks; however, some attacks are still successful and result in security incidents that degrade operations. When an organization is successfully breached, the organization must respond to the incident as quickly as possible to ensure continued operations and business resilience. However, guidance is lacking for governance of the response function. In a thematic review, we find good governance plays a key role in smooth and efficient incident response, and this paper extends knowledge about governance of information security incident response by identifying key governance concepts that improve incident response efforts within organizations.

    Knowledge sharing and information security: a paradox?

    This paper presents the findings of a knowledge sharing and information security literature review and identifies an interesting research gap in the intersection of the two practices. In a fast changing environment where there is increasing need to understand customers’ demands and competitors’ strategies (Lin et al, 2012), knowledge sharing is recognised as an essential activity for organisational success (Wasko and Faraj, 2005; Renzl, 2008). Organisations continuously aim to exploit existing knowledge, seek new ways to improve and increase knowledge sharing activities, as well as to identify and reduce possible knowledge sharing barriers. However, albeit the integral role and benefits of knowledge sharing having been widely recognised, the security or protection of knowledge has not received the same level of attention. Although the importance of protecting knowledge has been stressed by some researchers (e.g. Gold et al, 2001; Desouza and Awazu, 2004; Desouza 2006; Ryan, 2006), research into the ‘softer’ or the human behaviour aspects of knowledge protection is scarce. Information security is another field that has grown tremendously and is now a globally recognised discipline (Gifford, 2009) receiving attention from academics and practitioners (Wiant, 2005). Information security measures aim to prevent the loss or leakage of an organisation’s valuable information and manage the resulting cost of any loss. Despite organisations’ investments in prevention measures, information security breaches are still common where humans are often seen as the weakest link and ‘incorrect’ human behaviour as the most common point of failure. However, much of the research carried out to prevent information security breaches focuses on technical facets (Gordon and Loeb, 2006; Coles-Kemp, 2009). From the literature review, it is evident that knowledge sharing and information security have become well-established concepts in academia and within organisations. However, the middle ground between these two equally important, and adjacent, practices, has received inadequate attention. Knowledge sharing aims to encourage individuals to share knowledge with colleagues, organisational partners and suppliers; on the other hand, information security initiatives aim to apply controls and restrictions to the knowledge that can be shared and how it is shared. This paper draws attention to the perceived paradoxical nature of knowledge sharing and information security and raises awareness of the potential conflict that could compromise the protection of knowledge, or alternatively, reduce the openness of knowledge sharing.

    Impact of Information Security Policies on Computer Security Breach Incidences in Kenyan Public Universities

    The aim of this study was to investigate the Impact of Information Security Policies on Computer Security Breach incidences in Kenyan public universities. Information security policies are designed to safeguard network resources from security breaches. The study utilized a questionnaire to collect primary data from Information Technology (IT) personnel in public universities with regard to their perceptions of how information security policies affect computer security breach incidents. A simple random sampling was used to identify 200 IT employees from public universities in Kenya. Pearson correlation analysis was used to study the relationships between the variables. Independent t-tests (2-tailed) and ANOVA test were used to determine the level of significance. According to the results of the study, there is a weak relationship between information security policies and security breaches. The study hopes to add to the body of academic knowledge in the public educational institutions in Kenya where information repository is a resource. Keywords: Information Security Policies, Security Breach Incidences, Kenyan Public Universities

    A Conceptual Model for Explaining Violations of the Information Security Policy (ISP): A Cross Cultural Perspective

    This paper is an attempt to develop a model that explores the factors that affect the frequency of violations of information security policies (ISPs). Additionally, it examines the moderating effect of cultural attributes on the frequency of ISP violations. Does national culture affect the way managers and employees perceive and practice ISPs? If we understand why ISPs are violated, perhaps we can deter future violations before they occur. We look at three groups of factors and the impact they have on the frequency of violations of ISPs. The factors examined are 1) the individual characteristics and capabilities of employees, 2) the information security policy (ISP) itself and 3) management issues. Finally, the study examines the moderating effect of Hofstede’s cultural dimensions (uncertainty avoidance, individualism/collectivism, and power distance) on the proposed model

    A Collaborative Process Based Risk Analysis for Information Security Management Systems

    Today, many organizations quote intent for ISO/IEC 27001:2005 certification. Also, some organizations are en route to certification or already certified. The certification process requires performing a risk analysis in the specified scope. Risk analysis is a challenging process, especially when the topic is information security. Today, a number of methods and tools are available for information security risk analysis. The hard task is to use the best fit for the certification. In this work we have proposed a process based risk analysis method which is suitable for ISO/IEC 27001:2005 certifications. Our risk analysis method allows the participation of staff in the determination of the scope and provides a good fit for the certification process. The proposed method has been conducted for an organization and the results of the applications are shared with the audience. The proposed collaborative risk analysis method allows for the participation of staff and managers while still being manageable in a timely manner to uncover crucial information security risks.