8 research outputs found

    Aligning Security Awareness With Information Systems Security Management

    This paper explores the way information security awareness connects to the overall information security management framework it serves. To date, the formulation of security awareness initiatives has tended to ignore the important relationship with the overall security management context, and vice versa. In this paper we show that the two processes can be aligned so as to ensure that awareness activities serve the security management strategy and that security management exploits the benefits of an effective awareness effort. To do so, we analyze the processes of security awareness and security management using a process analysis framework and we explore their interactions. The identification of these interactions results in making us able to place awareness in a security management framework instead of viewing it as an isolated security mechanism

    Assessing Employees’ Cybersecurity Attitude Based on Working and Cybersecurity Threat Experience

    Many cybersecurity problems are caused by human error, which is a worry in the commercial sector. Due to their attitude towards cybersecurity, many employees in the firm do not work in a way that safeguards data. This study seeks to examine employees' cybersecurity attitudes with a focus on their work experience and exposure to cybersecurity threats. Data were gathered through a survey conducted in targeted business firms located in the Klang Valley area, Malaysia. Utilizing ANOVA and two-sample tests, the study analysed 245 data samples to evaluate the hypotheses. The results show significant distinctions in employees' cybersecurity attitudes in relation to the extent of their work experience and their previous encounters with cybersecurity threats. These findings hold valuable implications for the field of information security management, offering insights into how the industry can refine its strategic planning for information security. This can positively affect cybersecurity attitudes among employees within organizations

    Understanding organisational responses to regulative pressures in information security management: the case of a Chinese hospital

    This paper advances existing theoretical understanding of the factors impacting upon organisational responses to regulative pressures in the process of information security management (ISM). Drawing on institutional theory, we conduct a case study of ISM in a Chinese hospital. A theoretical framework is presented, which proposes that organisational response strategies devised in response to regulative pressures are determined jointly by internal organisational incentives and external government supervision and enforcement. Practical implications for policymakers to promote organisational ISM are given and suggestions for future research based on the theoretical findings of the case study are provided

    Information security management and employees' security awareness: an analysis of behavioral determinants

    [no abstract]

    Semantic discovery and reuse of business process patterns

    Patterns currently play an important role in modern information systems (IS) development and their use has mainly been restricted to the design and implementation phases of the development lifecycle. Given the increasing significance of business modelling in IS development, patterns have the potential of providing a viable solution for promoting reusability of recurrent generalized models in the very early stages of development. As a statement of research-in-progress this paper focuses on business process patterns and proposes an initial methodological framework for the discovery and reuse of business process patterns within the IS development lifecycle. The framework borrows ideas from the domain engineering literature and proposes the use of semantics to drive both the discovery of patterns as well as their reuse

    Empirical Analysis of Socio-Cognitive Factors Affecting Security Behaviors and Practices of Smartphone Users

    The overall security posture of information systems (IS) depends on the behaviors of the IS users. Several studies have shown that users are the greatest vulnerability to IS security. The proliferation of smartphones is introducing an entirely new set of risks, threats, and vulnerabilities. Smartphone devices amplify this data exposure problem by enabling instantaneous transmission and storage of personally identifiable information (PII) by smartphone users, which is becoming a major security risk. Moreover, companies are also capitalizing on the availability and powerful computing capabilities of these smartphone devices and developing a bring-your-own-device (BYOD) program, which makes companies susceptible to divulgence of organizational proprietary information and sensitive customer information. In addition to users being the greatest risk to IS security, several studies have shown that many people do not implement even the most basic security countermeasures on their smartphones. The lack of security countermeasures implementation, risky user behavior, and the amount of sensitive information stored and transmitted on smartphones is becoming an ever-increasing problem. A literature review revealed a significant gap in literature pertaining to smartphone security. This study identified six socio-cognitive factors from the domain of traditional computer security which have shown to have an impact on user security behaviors and practices. The six factors this study identified and analyzed are mobile information security self-efficacy, institutional trust, party trust, and awareness of smartphone risks, threats, and vulnerabilities and their influence on smartphone security practices and behaviors. The analysis done in this research was confirmatory factor analysis (CFA) – structural equation modeling (SEM). 
The goal of this study was to cross-validate previously validated factors within the context of traditional computer security and assess their applicability in the context of smartphone security. Additionally, this study assessed the influential significance of these factors on the security behaviors and practices of smartphone users. This study used a Web-based survey and was distributed to approximately 539 users through Facebook® and LinkedIn® social media outlets which resulted in 275 responses for a 51% response rate. After pre-analysis data screening was completed, there were a total of 19 responses that had to be eliminated due to unengaged responses and outliers leaving 256 responses left to analyze. The results of the analysis found that vulnerability awareness, threat awareness, and risk awareness are interrelated to one another which all in turn had significance in predicting self-efficacy, security practices, and behaviors. This intricate relationship revealed in this study indicates that a user has to have an increased awareness in all three categories of awareness before they can fully understand how to protect themselves. Having an increased awareness in one category does not impact the overall security posture of the user and that risk, threat, and vulnerability awareness all work together. Another interesting find was that as risk awareness increased the less the smartphone users protected themselves. This finding warrants additional research to investigate why the user is more averse to risk, and willing to accept the risk, despite their increased awareness. Finally, institutional trust and party trust was found not to have any significance on any of the factors. These findings should give smartphone users and organizations insight into specific areas to focus on in minimizing inappropriate security behaviors and practices of smartphone users. 
More specifically, users and organizations need to focus on educating users on all three factors of threats, risks, and vulnerabilities in order for there to have any impact on increasing self-efficacy and reducing inappropriate security behaviors and practices

    Knowledge Security - A Conceptual Analysis

    Knowledge is a valuable asset in today's companies. Knowledge is bound to people, and it develops and is created through experience and prior knowledge. In companies, knowledge is managed from the perspectives of, for example, identification, creation, sharing and strategy. Although the perspective of securing knowledge has been mentioned in the knowledge management literature, it has not been very widely taken into account in the field of knowledge management. Information security management approaches information from a security perspective, which emphasizes the integrity, availability and confidentiality of information. Although information security is often regarded as mainly a technical matter, the concept can be interpreted as also covering knowledge. This study examines the concept of knowledge security, what it means, and how the fields of knowledge management and information security management can be combined. The study follows a concept-analytical research approach. The analysis draws on both theoretical and empirical material. The theoretical analysis studies the use of the concept of knowledge security and examines its related concepts. The empirical analysis focuses on finding out how companies identify and secure knowledge in their daily operations, regardless of whether or not this is called knowledge security in the companies. At the end of the study the theoretical and empirical analyses are combined, and as the result of the study a model for the concept of knowledge security is constructed. Knowledge security is a process that aims at securing the knowledge bound to a company's employees. In companies, the process begins by identifying the knowledge that is important to the company. So that the measures securing important knowledge can be chosen correctly, the threats directed at this knowledge must also be identified. The framework of the dimensions of information used in information security management (integrity, availability and confidentiality) is applied in the study to the context of knowledge. 
By using the knowledge security model, companies can examine the dimensions of knowledge, the threats related to knowledge, and the means of knowledge management and of securing knowledge as a unified whole. The model thus offers a tool for company management, and its suitability as a tool should be tested in the future