
    Stakeholder involvement, motivation, responsibility, communication: How to design usable security in e-Science

    e-Science projects face a difficult challenge in providing access to valuable computational resources, data and software to large communities of distributed users. On the one hand, the raison d'etre of the projects is to encourage members of their research communities to use the resources provided. On the other hand, the threats to these resources from online attacks require robust and effective security to mitigate the risks faced. This raises two issues: ensuring that (1) the security mechanisms put in place are usable by the different users of the system, and (2) the security of the overall system satisfies the security needs of all its different stakeholders. A failure to address either of these issues can seriously jeopardise the success of e-Science projects. The aim of this paper is firstly to provide a detailed understanding of how these challenges can present themselves in practice in the development of e-Science applications. Secondly, this paper examines the steps that projects can undertake to ensure that security requirements are correctly identified, and security measures are usable by the intended research community. The research presented in this paper is based on four case studies of e-Science projects. Security design traditionally uses expert analysis of risks to the technology and deploys appropriate countermeasures to deal with them. However, these case studies highlight the importance of involving all stakeholders in the process of identifying security needs and designing secure and usable systems. For each case study, transcripts of the security analysis and design sessions were analysed to gain insight into the issues and factors that surround the design of usable security. The analysis concludes with a model explaining the relationships between the most important factors identified.
This includes a detailed examination of the roles of responsibility, motivation and communication of stakeholders in the ongoing process of designing usable secure socio-technical systems such as e-Science. (C) 2007 Elsevier Ltd. All rights reserved.

    Secure activity resource coordination: empirical evidence of enhanced security awareness in designing secure business processes

    Systems development methodologies incorporate security requirements as an afterthought in the non-functional requirements of systems. The lack of appropriate access control on information exchange among business activities can leave organizations vulnerable to information assurance threats. The gap between systems development and systems security leads to software development efforts that lack an understanding of security risks. We address the research question: how can we incorporate security as a functional requirement in the analysis and modeling of business processes? This study extends the Semantic approach to Secure Collaborative Inter-Organizational eBusiness Processes in D’Aubeterre et al. (2008). In this study, we develop the secure activity resource coordination (SARC) artifact for a real-world business process. We show how SARC can be used to create business process models characterized by the secure exchange of information within and across organizational boundaries. We present an empirical evaluation of the SARC artifact against the Enriched-Use Case (Siponen et al., 2006) and standard UML-Activity Diagram to demonstrate the utility of the proposed design method.

    Proceedings of the Designing interactive secure systems workshop (DISS 2012).

    In recent years, the field of usable security has attracted researchers from HCI and Information Security, and led to a better understanding of the interplay between human factors and security mechanisms. Despite these advances, designing systems which are both secure in, and appropriate for, their contexts of use continues to frustrate both researchers and practitioners. One reason is a misunderstanding of the role that HCI can play in the design of secure systems. A number of eminent security researchers and practitioners continue to espouse the need to treat people as the weakest link, and encourage designers to build systems that Homer Simpson can use. Unfortunately, treating users as a problem can limit the opportunities for innovation when people are engaged as part of a solution. Similarly, while extreme characters (such as Homer) can be useful for envisaging different modes of interaction, when taken out of context they risk disenfranchising the very people the design is meant to support. Better understanding the relationship between human factors and the design of secure systems is an important step forward, but many design research challenges still remain. There is growing evidence that HCI design artefacts can be effective at supporting secure system design, and that some alignment exists between HCI, security, and software engineering activities. However, more is needed to understand how broader insights from the interactive system design and user experience communities might also find traction in secure design practice. For these insights to lead to design practice innovation, we also need usability and security evaluation activities that better support interaction design, together with software tools that augment, rather than hinder, these design processes. 
Last, but not least, we need to share experiences and anecdotes about designing usable and secure systems, and reflect on the different ways of performing and evaluating secure interaction design research. The objective of this workshop is to act as a forum for those interested in the design of interactive secure systems. By bringing together a like-minded community of researchers and practitioners, we hope to share knowledge gleaned from recent research, as well as experiences designing secure and usable systems in practice.

    ERP implementation methodologies and frameworks: a literature review

    Enterprise Resource Planning (ERP) implementation is a complex and vibrant process, one that involves a combination of technological and organizational interactions. Often an ERP implementation project is the single largest IT project that an organization has ever launched, and it requires a mutual fit of system and organization. Also, the concept of an ERP implementation supporting business processes across many different departments is not a generic, rigid and uniform concept and depends on a variety of factors. As a result, the issues surrounding the ERP implementation process have been one of the major concerns in industry. ERP implementation therefore receives attention from practitioners and scholars, and both the business and the academic literature are abundant, though not always very conclusive or coherent. However, research on ERP systems so far has mainly focused on diffusion, use and impact issues. Less attention has been given to the methods used during the configuration and implementation of ERP systems; even though they are commonly used in practice, they remain largely unexplored and undocumented in Information Systems research. The academic relevance of this research is thus its contribution to the existing body of scientific knowledge. An annotated brief literature review is done in order to evaluate the current state of the existing academic literature. The purpose is to present a systematic overview of relevant ERP implementation methodologies and frameworks, with the aim of achieving a better taxonomy of ERP implementation methodologies. This paper is useful to researchers who are interested in ERP implementation methodologies and frameworks. Results will serve as an input for a classification of the existing ERP implementation methodologies and frameworks.
This paper is also aimed at the professional ERP community involved in the process of ERP implementation, by promoting a better understanding of ERP implementation methodologies and frameworks, their variety and history.

    The Role of Information Security Awareness for Promoting Information Security Policy Compliance in Banks

    Banks rely heavily on information security (IS) by preserving confidentiality, integrity, and availability of information. A key layer for ensuring information security is the employees, who need to be aware of possible information security issues and behave accordingly. Banks introduce information security policies (ISP) to establish required rules for IS behavior and implement information security awareness (ISA) programs, which are systematically planned ISA interventions such as structured campaigns using intranet messages or posters to educate employees and enhance their ISA. According to previous conceptual research, the most cost-effective method to prevent IS incidents is fostering ISA. The purpose of this dissertation is to explore the role of ISA for promoting employees' ISP compliance. The four stages of this dissertation project focus on organizational efforts such as ISA programs to improve employees' compliant IS behavior and identifying predecessors for explaining employees' ISP compliance based on established scientific theories. A developmental mixed methods approach is conducted through these four stages of analysis. Primary data were collected in each stage to investigate banks operating in countries such as Austria, Germany, Czech Republic, Hungary, Slovakia, and Romania. In the first research stage, semi-structured expert interviews were conducted with operational risk and IS managers to explore banks' efforts to counteract IS incidents. The considered banks primarily use online methods such as intranet articles and conventional methods such as posters for building ISA. Second, the findings from stage one were incorporated in research stage two, in which a positivistic case study was conducted to test the Theory of Reasoned Action, Neutralization Theory, as well as the Knowledge-Attitude-Behavior model. The data were analyzed by utilizing partial least squares structural equation modeling (PLS-SEM).
In addition to several qualitative interviews and an online survey at the headquarters of the case bank, data such as internal ISA materials (e.g., posters or IS intranet messages) were also analyzed. The second research stage provided empirical evidence that ISA program components affect employees' ISA, which further positively affects employees' attitudes and social norms toward compliance with ISPs, but negatively affects the use of neutralization techniques. All of these effects should eventually positively influence IS. This is shown in the chain of subsequent factors. The employees' attitudes and social norms positively affect the intention for compliant IS behavior, which is negatively affected by the use of neutralization techniques. In the third research stage, the influence of employees' perception of ISA programs on the Protection Motivation Theory was examined by conducting an online survey among German bank employees. It is demonstrated that employees' perception of ISA programs positively affects perceived severity as well as their coping mechanisms, which play the most important role in positively affecting the intention for compliant IS behavior. Surprisingly, employees' perception of ISA programs negatively affects perceived vulnerability. Moreover, perceived monitoring has a positive moderation effect on the intention-behavior link. Finally, the fourth research stage consists of a qualitative study to analyze the efforts of IS managers to enhance IS and examine how these efforts are perceived by users. Further, the inductive part of the study uncovers factors that influence the compliant IS behavior of users. Therefore, semi-structured interviews with IS managers were carried out to discover ISA program designs and categorize them according to design recommendations gained from current literature.
In addition, this stage shows that individual ISP compliance seems to be connected with individual perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. To conclude, this dissertation provides several practical as well as theoretical contributions. From an academic perspective, the findings highlight the importance of attitudes, social norms, neutralization techniques, as well as coping mechanisms for employees' intentions to comply with their ISP. Future research might extend the findings by establishing and characterizing IS-enhancing social norms and exploring methods of counteracting the common use of neutralization techniques. For practitioners, analysis of the design practices of ISA programs provides a better understanding of effectively using ISA interventions in the context of banks. (author's abstract)

    A framework to evaluate user experience of end user application security features

    The use of technology in society has moved from satisfying the technical needs of users to giving a lasting user experience while interacting with the technology. The continuous technological advancements have led to a diversity of emerging security concerns. It is necessary to balance security issues with user interaction. As such, designers have adapted to this reality by practising user centred design during product development to cater for the experiential needs of user-product interaction. These User Centred Design best practices and standards ensure that security features are incorporated within End User Programs (EUP). The primary function of EUP is not security, and interaction with security features while performing a program-related task does present the end user with an extra burden. Evaluation mechanisms exist to enumerate the performance of the EUP and the user’s experience of the product interaction. Security evaluation standards focus on the program code security as well as on the security functionalities of programs designed for security. However, little attention has been paid to evaluating the user experience of functionalities offered by embedded security features. A qualitative case study research using problem-based and design science research approaches was used to address the lack of criteria to evaluate user experience with embedded security features. User study findings reflect poor user experience with EUP security features, mainly as a result of low awareness of their existence, their location and sometimes even of their importance. From the literature review of the information security and user experience domains and the user study survey findings, four components of the framework were identified, namely: end user characteristics, information security, user experience and end user program security features characteristics.
This thesis focuses on developing a framework that can be used to evaluate the user experience of interacting with end user program security features. The framework was designed following the design science research method and was reviewed by peers and experts for its suitability to address the problem. Subject experts in the fields of information security and human computer interaction were engaged, as the research is multidisciplinary. This thesis contributes to the body of knowledge on information security and on the user experience elements of human computer interaction security regarding how to evaluate user experience of embedded InfoSec features. The research adds uniquely to the literature in the area of Human Computer Interaction Security evaluation and measurement in general, and is specific to end user program security features. The proposed metrics for evaluating UX of interacting with EUP security features were used to propose an intervention to influence UX in an academic setup. The framework, besides presenting UX evaluation strategies for EUP security features, also presents a platform for further academic research on the human factors of information security. The impact can be evaluated by assessing security behaviour and successful security breaches, as well as the user experience of interaction with end user programs.

    Towards a New Meta-Theory for Designing IS Security Training Approaches

    Employee non-compliance with information systems (IS) security policies is a key concern for organisations. To tackle this problem, scholars have advanced several IS security training approaches. Despite the fact that the importance of having effective training is understood by scholars and practitioners, IS security training is largely a theoretically underdeveloped area. To this end, we advance a meta-theory for IS security training, based on Hare's theory of three levels of thinking. It is a meta-theory because it suggests that IS security training has certain fundamental characteristics which separate it from other forms of training, and it advances pedagogical requirements for the design and evaluation of IS security training approaches. After sketching this meta-theory, including four pedagogical requirements for IS security training approaches, we show that no existing IS security training approach meets all of these requirements. To this end, we put forth an IS security training approach which meets all these requirements. For scholars, this study offers new theoretical insights into the fundamental characteristics of IS security training; a set of principles for designing and evaluating IS security training approaches; and an agenda for future research on IS security training. For practitioners designing and implementing IS security training at organisations, this study offers principles for designing effective IS security training approaches in practice.

    Usability and Trust in Information Systems

    The need for people to protect themselves and their assets is as old as humankind. People's physical safety and their possessions have always been at risk from deliberate attack or accidental damage. The advance of information technology means that many individuals, as well as corporations, have an additional range of physical (equipment) and electronic (data) assets that are at risk. Furthermore, the increased number and types of interactions in cyberspace have enabled new forms of attack on people and their possessions. Consider grooming of minors in chat-rooms, or Nigerian email cons: minors were targeted by paedophiles before the creation of chat-rooms, and Nigerian criminals sent the same letters by physical mail or fax before there was email. But the technology has decreased the cost of many types of attacks, or the degree of risk for the attackers. At the same time, cyberspace is still new to many people, which means they do not understand the risks, or recognise the signs of an attack, as readily as they might in the physical world. The IT industry has developed a plethora of security mechanisms, which could be used to mitigate risks or make attacks significantly more difficult. Currently, many people are either not aware of these mechanisms, or are unable or unwilling to use them. Security experts have taken to portraying people as "the weakest link" in their efforts to deploy effective security [e.g. Schneier, 2000]. However, recent research has revealed that at least some of the problem may be that security mechanisms are hard to use, or are ineffective. The review summarises current research on the usability of security mechanisms, and discusses options for increasing their usability and effectiveness.

    Contextualizing Secure Information System Design: A Socio-Technical Approach

    Secure Information Systems (SIS) design paradigms have evolved in generations to adapt to IS security needs. However, modern IS are still vulnerable and are far from secure. The development of an underlying IS cannot be reduced to “technological fixes”, and neither can the design of SIS. Technical security alone cannot ensure IS security. Generations of SIS design paradigms have evolved, all with their own sets of shortcomings. A SIS design paradigm must meet well-defined requirements, yet contemporary paradigms do not meet all these requirements. Current SIS design paradigms are not easily applicable to IS. They lack comprehensive modeling support and ignore the socio-technical organizational role of IS security. This research introduced the use of action research in design science research. The design science paradigm was leveraged to introduce a meta-design artifact explaining how IS requirements, including security requirements, can be incorporated in the design of SIS. The introduced artifact, CSIS, provided design comprehensiveness for emergent and changing requirements of IS from a socio-technical perspective. The CSIS artifact meets secure system meta-design requirements. This study presented a secure IS design principle that ensures IS security.