
    Enterprise Risk Management and Information Systems: a Systematic Literature Review

    Enterprise Risk Management (ERM) aims to help organizations better monitor, analyze, and control their risks, and to help policymakers focus on procedures that improve organization and risk governance. Over the years, several artifacts have been proposed in this area to address different goals in ERM. The main objective of this article is to provide an overview of the literature related to the areas of ERM and Information Systems in order to understand how traditional risk governance adapts to the new digital reality of organizations. To better structure the results obtained, the articles were divided into three distinct categories: articles that offer guidelines for ERM, articles that propose ways to measure the maturity of organizations in ERM, and articles that propose methods to increase an organization's maturity in ERM.

    Understanding Security Practices Deficiencies: A Contextual Analysis

    This paper seeks to provide an overview of how companies assess and manage security risks in practice. For this purpose we drew on data from security surveys to examine the scope of risk analysis and to identify the entities involved in this process. Our analysis shows a continuing focus on data system security rather than on the real-world organizational context, as well as a prevalent involvement of top management and security staff in the risk analysis process and in security policy definition and implementation. We therefore suggest that three issues need to be further investigated in the field of information security risk management in order to bridge the gap between the design and the implementation of secure and usable systems. First, there is a need to broaden the horizon and consider the information system as a human activity system, which is different from a data processing system. Second, involving the relevant stakeholders in the context of risk analysis leads to a better appreciation of security risks. Third, it is necessary to develop ad hoc tools and techniques to facilitate discussion and dialogue between stakeholders in the risk analysis context.

    Information Security Risk Analysis at a System Integrator Company Using the OCTAVE Allegro Method

    PT. XYZ, a company operating in the System Integrator sector, uses information technology to run its business activities. PT. XYZ is an information and communication technology solution provider in Indonesia that offers IT infrastructure procurement and implementation services as well as information technology security services. The information assets held by PT. XYZ are the company's internal information assets, including information assets related to customers. Reliable information system management that upholds the information security principles of confidentiality, integrity, and availability is therefore required. In 2019 PT. XYZ suffered a ransomware attack in which project data and customer data were encrypted. This affected the company's productivity and reputation because of the loss of information assets it needed. A risk assessment is therefore required to determine a risk mitigation strategy, as a risk management step in addressing and minimizing the impact of information security problems. The risk assessment method used in this study is the OCTAVE Allegro method, which uses 8 steps to identify, analyze, and determine a risk mitigation approach. This study identified the company's information assets based on data collected through interviews with PT. XYZ informants and through observation. Using the OCTAVE Allegro method, 6 areas of concern were found that potentially constitute information security risks, where the identified information assets had a relative risk score ≥ 30, which is classified as high within the risk matrix score range. A risk assessment is therefore required to determine a risk mitigation strategy.

    Reducing human error in cyber security using the Human Factors Analysis Classification System (HFACS).

    For several decades, researchers have stated that human error is a significant cause of information security breaches, yet it remains a major issue today. Quantifying the effects of security incidents is often a difficult task because studies often understate or overstate the costs involved. Human error has always been a cause of failure in many industries and professions, one that is overlooked or ignored as an inevitability. The problem with human error is further exacerbated by the fact that the systems set up to keep networks secure are managed by humans. There are several causes of security breaches related to human error, such as poor situational awareness, lack of training, boredom, and lack of risk perception. Part of the problem is that people who usually make great decisions offline make deplorable decisions online due to incorrect assumptions about how computer transactions operate. Human error can be unintentional, arising from the incorrect execution of a plan (slips/lapses) or from correctly following an inadequate plan (mistakes). Whether intentional or unintentional, errors can lead to vulnerabilities and security breaches. Regardless, humans remain the weak link in the process of interfacing with the machines they operate and in keeping information secure. These errors can have detrimental effects both physically and socially. Hackers exploit these weaknesses to gain unauthorized entry into computer systems. Security errors and violations, however, are not limited to users. Administrators of systems are also at fault. If there is not an adequate level of awareness, many security techniques are likely to be misused or misinterpreted by users, rendering adequate security mechanisms useless. Corporations also play a part in information security loss because of the reactive management approaches they use in security incidents.
    Undependable user interfaces can also play a role in security breaches due to flaws in their design. System design and human interaction both play a role in how often human error occurs, particularly when there is a slight mismatch between the system design and the person operating it. One major problem with systems design is that systems are designed for simplicity, which can lead a normally conscientious person to make bad security decisions. Human error is a complex and elusive security problem that has generally defied the creation of a structured and standardized classification scheme. While human error may never be completely eliminated from the tasks people perform, due to poor situational awareness or a lack of adequate training, the first step to improving on the status quo is to establish a unified scheme to classify such security errors. With this background, I intend to develop a tool to gather data and apply the Human Factors Analysis and Classification System (HFACS), a tool developed for aviation accidents, to see if there are any latent organizational conditions that led to the error. HFACS analyzes historical data to find common trends that can identify areas that need to be addressed in an organization, with the goal of reducing the frequency of the errors.

    A Security Situation Awareness Approach for IoT Software Chain Based on Markov Game Model

    Since the Internet of Things (IoT) is now widely used in our daily lives, it is regarded as a promising and popular application of the Internet and has attracted more and more attention. However, IoT also suffers from security problems which seriously affect the implementation of IoT systems. Like traditional software, IoT software is constantly threatened by many vulnerabilities, so how to evaluate the security situation of the IoT software chain becomes a basic requirement. In this paper, a framework of security situation awareness for the IoT software chain is proposed, which mainly includes two processes: IoT security situation classification based on a support vector machine, and security situation awareness based on a Markov game model. The proposed method first constructs a classification model using a support vector machine (SVM) to automatically evaluate the security situation of the IoT software chain. Based on the situation classification, we further propose adopting a Markov model to simulate and predict the next behaviors of the participants involved in the IoT system. Additionally, we have designed and developed a security situation awareness system for the IoT software chain; the developed system supports the detection of typical IoT vulnerabilities and incorporates more than 20 vulnerability detection methods, which shows great potential for IoT system protection.

    Automated Expert System Knowledge Base Development Method for Information Security Risk Analysis

    Information security risk analysis is a compulsory requirement, both from regulatory documents and from the information security management decision-making process. Some researchers propose using expert systems (ES) to automate the process, but this approach requires the creation of a high-quality knowledge base. A knowledge base can be formed either from expert knowledge or from information collected from other sources. The problem with such an approach is that experts or good-quality knowledge sources are expensive. In this paper we propose a solution to this problem by providing an automated ES knowledge base development method. The proposed method is novel since, unlike other methods, it does not integrate the ontology directly but uses an automated transformation of existing information security ontology elements into ES rules: the Web Ontology Rule Language (OWL RL) subset of the ontology is segregated into Resource Description Framework (RDF) triples, which are transformed into the Rule Interchange Format (RIF); the RIF rules are then converted into Java Expert System Shell (JESS) knowledge base rules. The experiments performed have shown the applicability of the method in principle. The created knowledge base was later verified by performing a comparative risk analysis in a sample company.

    Evaluating the Utility of Research Articles for Teaching Information Security Management

    Research articles can support teaching by introducing the latest expert thinking on relevant topics and trends and by describing practical real-world case studies that encourage discussion and analysis. However, from the point of view of the instructor, a common challenge is identifying the most suitable papers for classroom teaching from a very large pool of potential candidates that are not typically written for teaching purposes. Further, even in practice-oriented disciplines such as Information Security Management (ISM), high-quality journals emphasise theoretical contribution and research method rather than relevance to practice. Our review of the relevant literature did not find a comprehensive set of criteria to assist instructors in evaluating the suitability of research articles for teaching. Therefore, this research-in-progress paper presents a framework to support academics in evaluating the suitability of research articles for their teaching programs.

    Information Security Awareness and Information Security Compliance in University Libraries in South-West, Nigeria

    Information security compliance implies that library personnel follow the rules, guidelines, and principles governing information security and implement the security measures provided in the library to curb insecurity. Information security compliance ensures that information resources held in the library are protected from unauthorized access and preserved from the risk of loss, damage, and unwanted modification. However, evidence from the literature showed that there is low compliance with information security by library personnel in university libraries in Nigeria. This has negatively impacted the information resources held by the library, especially the printed materials, a situation not unconnected with a lack of awareness of information security. This study therefore examined the influence of information security awareness on information security compliance in university libraries in South-West, Nigeria. The study adopted a descriptive survey research design involving a multi-stage random sampling technique to select 223 library personnel (professional and para-professional librarians) in university libraries in South-West, Nigeria. Data were collected with a questionnaire. Findings of the study revealed that information security awareness (R² = 0.3305, β = 0.363, t = 8.836, p < 0.05) had a positive and significant influence on information security compliance. Information security compliance among library personnel in university libraries was also found to be low. Similarly, there is low information security awareness among library personnel in university libraries. The study concluded that information security awareness is indispensable for information security compliance in university libraries in South-West, Nigeria. The study recommended that the management of the libraries should promote awareness programs among library personnel so as to boost awareness, thereby curbing information security breaches and increasing compliance with information security.
    The study also recommended that, in order to avoid unauthorized access to library resources, library management and information professionals must devise strategies which will enable them to provide adequate security that can protect the information resources available in the library.

    Teaching Information Security Management Using an Incident of Intellectual Property Leakage

    Case-based learning (CBL) is a powerful pedagogical method of creating dialogue between theory and practice. CBL is particularly suited to executive learning as it instigates critical discussion and draws out relevant experiences. In this paper we used a real-world case to teach Information Security Management to students in Management Information Systems. The real-world case is described in a legal indictment (T-mobile USA Inc v. Huawei Device USA Inc. and Huawei Technologies Co. LTD) alleging theft of intellectual property (trade secrets) and breaches of contract concerning the confidentiality and disclosure of sensitive information. The incident concerns a mobile phone testing robot (Tappy) developed by T-Mobile USA to automate the testing of mobile phones prior to launch. T-Mobile alleges that Huawei stole the technology by copying the robot's specifications and stealing parts and software to develop its own testing robot. The incident scenario is interesting as it relates to a business asset that has both digital and physical components and that was compromised through an unconventional cyber-physical attack facilitated by insiders. The scenario sparked an interesting debate among students about the scope and definition of security incidents, the role and structure of the security unit, the utility of compliance-based approaches to security, and the inadequate use of threat intelligence in modern security strategies.