475,230 research outputs found

    Studying SCADA Organisations Information Security Goals: An Integrated System Theory Approach

    Security awareness and its implementation within an organisation are crucial for preventing deliberate attacks and/or minimising system failures on an organisation’s systems, especially where critical infrastructure is involved, including energy, water, gas, etc. This study is based on Integrated System Theory (IST) and focuses on measuring and assessing security goals including policies, risk management, internal control and contingency management implemented in 101 organisations that operate Supervisory Control and Data Acquisition (SCADA) Systems. The data collected were analysed using structural equation modelling to test the structural and measurement model. The major finding of this study is that organisational information security goals are strongly related to the key measurement indicators, which include items assessing security policies, risk management, internal controls and contingency management.

    It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs

    Purpose: This paper aims to present empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training often is insufficient for establishing and maintaining information security. Design/methodology/approach: This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from employees’ point of view. Findings: Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real-world contexts. Research limitations/implications: This paper focuses only on closed-ended questions related to the following topics: awareness of existing security policy; information security practices and management and information security involvement. Practical implications: The empirical findings show that corporate information security policies in SMEs often are insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. The interpretation based on WST provides guidelines for enhancing information system security. 
Originality/value: Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.

    Supporting and Securing Personal Mobile Devices Within an Existing Information Technology Environment

    Personal mobile devices are becoming integrated into the daily operations of business. Managers are realizing that employees who are allowed to use personal mobile devices to access corporate information systems may reduce costs as users buy their own devices. The problem was that managers have a limited understanding of the need to secure or support personal mobile devices. The purpose of this survey study was to examine the relationship between employees' desire to use personal mobile devices and corporation needs for security and support. Hypotheses were tested by examining the relationships between the requirement to support and secure personal mobile devices as the independent variables and the desire to use personal mobile devices as the dependent variable. The theoretical framework for the study included the IT product life-cycle management theory, IT security-management theory, and IT strategic-management theory. Survey data were collected from a convenience sample of 108 employees at the study-site organization from an estimated population of 170. Basic linear regression analyses performed found a correlation coefficient of 0.905 indicating the variables are highly correlated. This finding indicates that if personal mobile devices are given access to corporate information systems, then support and security will be necessary for successful operations. If the relationship between internal factors and operational success is clearly documented, organizations may be able to use the data to justify incorporating personal mobile devices within their own corporate information system to reduce costs, improve productivity, and increase employee satisfaction, thereby making a positive contribution to society.

    Implementing an Information Security Management System: Success Factors in Implementation Projects

    The aim of the work is to deepen the understanding of implementation projects for information security management systems and to increase the understanding of the information security management system in the target company. The purpose of the research carried out in the work is to identify, by means of an integrative literature review, factors that contribute to the success of implementation projects, and to understand the reasons why the implementation project of the management system was successful in the target company. In addition, based on the findings of the literature review and the success factors identified from the implementation project, a model is created that can be used by other organizations considering the implementation of an information security management system. The work begins by introducing the theory of information security and the information security management system, such as the ISO/IEC 27000 family of standards and methods related to risk management. The work is continued by conducting an integrative literature review, which examines the success factors of projects related to information security and IT governance. In the empirical part of the work, an information security management system is implemented for the target company as a case study, after which a model is presented that includes the success factors identified based on the literature review and the case study. The results of the literature review highlighted the role of management and the importance of information security training. In particular, management support, financial support, and understanding the importance of information security and its strategic alignment with the business affect the success of implementation projects.
The implementation project at the target company was successful and the most important success factors were found to be management support, an information security-friendly organizational culture and previous investments in information security. In addition, the personnel are interested in information security issues and were involved in the project. The most important success factors of the model developed in the work were found to be the role of management, preparatory work, project management and motives for implementing the management system.

    Analysis of Problem Components in the Organization of Economic Security Management on the Example of Aviation Enterprises

    The article reviewed the range of current problems in the field of economic security in aviation enterprises. The methodological basis of the research conducted in the article is based on the provisions of the theory of crisis management organization, transport production efficiency, the theory of hierarchy of systems, methods, and techniques of system analysis of economic and management problems, legal and regulatory materials of federal bodies of the Ministry of Transport of the Russian Federation. The information base of the study is built on the use of statistical and industry reporting data. The relevance of the topic chosen for the study is confirmed by the fact that in the context of increasing integration between Russian aviation enterprises, as well as within the boundaries of the organization of interstate cooperation on key innovative aircraft projects, the development of emerging links between aviation enterprises contains significant risks that may have a certain impact on the economic security of enterprises in general and the practical implementation of projects in the field of aviation engineering in particular. The author's view on solving the problem in the field of security management organization is to present it in the framework of an integrated system of production risk management of aviation enterprises. The substantiation of the place and role of risk management system in the procedure of organizing and ensuring economic security, as well as the effective development of the aviation enterprise considering the specific features of the multi-component risk management system present in the enterprises of the aviation sector, is given. The solution to the problem in the sphere of ensuring economic security at the internal level of the enterprise has a high priority since, at present, many methodological aspects of this process are not fully studied.

    A Distributed Security Architecture for Large Scale Systems

    This thesis describes the research leading from the conception, through development, to the practical implementation of a comprehensive security architecture for use within, and as a value-added enhancement to, the ISO Open Systems Interconnection (OSI) model. The Comprehensive Security System (CSS) is arranged basically as an Application Layer service but can allow any of the ISO recommended security facilities to be provided at any layer of the model. It is suitable as an 'add-on' service to existing arrangements or can be fully integrated into new applications. For large scale, distributed processing operations, a network of security management centres (SMCs) is suggested, that can help to ensure that system misuse is minimised, and that flexible operation is provided in an efficient manner. The background to the OSI standards is covered in detail, followed by an introduction to security in open systems. A survey of existing techniques in formal analysis and verification is then presented. The architecture of the CSS is described in terms of a conceptual model using agents and protocols, followed by an extension of the CSS concept to a large scale network controlled by SMCs. A new approach to formal security analysis is described which is based on two main methodologies. Firstly, every function within the system is built from layers of provably secure sequences of finite state machines, using a recursive function to monitor and constrain the system to the desired state at all times. Secondly, the correctness of the protocols generated by the sequences to exchange security information and control data between agents in a distributed environment is analysed in terms of a modified temporal Hoare logic. This is based on ideas concerning the validity of beliefs about the global state of a system as a result of actions performed by entities within the system, including the notion of timeliness.
The two fundamental problems in number theory upon which the assumptions about the security of the finite state machine model rest are described, together with a comprehensive survey of the very latest progress in this area. Having assumed that the two problems will remain computationally intractable in the foreseeable future, the method is then applied to the formal analysis of some of the components of the Comprehensive Security System. A practical implementation of the CSS has been achieved as a demonstration system for a network of IBM Personal Computers connected via an Ethernet LAN, which fully meets the aims and objectives set out in Chapter 1. This implementation is described, and finally some comments are made on the possible future of research into security aspects of distributed systems. IBM (United Kingdom) Laboratories Hursley Park, Winchester, U

    Strategies for Reducing the Risk of Data Breach Within the Internet Cloud

    Businesses are increasingly incorporating cloud computing into their current business models. With this increase, security breach exposure has also increased, causing business leaders to be concerned with financial hardship, operational disruption, customer turnover, and customer confidence loss due to personal data exposure. Grounded in the integrated system theory of information security management, the purpose of this qualitative multiple case study was to explore successful strategies some information security leaders in the aerospace and defense contractor industry use to protect cloud-based data from security breaches. The participants were 7 information security leaders from 7 different aerospace and defense contractor companies located in the United States mid-Atlantic region. Data from semistructured interviews were analyzed and compared with 8 publicly available data sources for data triangulation. Emergent themes narrowing this knowledge gap were extracted through an analysis technique such as coding and then triangulated. The recurring themes were (a) strong authentication methods, (b) encryption, and (c) personnel training and awareness. A key recommendation includes information security leaders implementing preventative security measures while improving an organization's ability to protect data lost within the Internet cloud. The implications for positive social change include the potential to increase consumers' confidence while protecting confidential consumer data and organizational resources, protecting customers from the costs, lost time, and recovery efforts associated with identity theft.

    Towards an integrated model for citizen adoption of E-government services in developing countries: A Saudi Arabia case study

    This paper considers the challenges that face the widespread adoption of E-government in developing countries, using Saudi Arabia as our case study. E-government can be defined based on an existing set of requirements. In this paper we define E-government as a matrix of stakeholders: governments to governments, governments to business and governments to citizens using information and communications technology to deliver and consume services. E-government has been implemented for a considerable time in developed countries. However, E-government services still face many challenges to their implementation and general adoption in developing countries. Therefore, this paper presents an integrated model for ascertaining the intention to adopt E-government services and thereby aid governments in accessing what is required to increase adoption.

    Cyber security situational awareness


    Post-Westgate SWAT : C4ISTAR Architectural Framework for Autonomous Network Integrated Multifaceted Warfighting Solutions Version 1.0 : A Peer-Reviewed Monograph

    Police SWAT teams and Military Special Forces face mounting pressure and challenges from adversaries that can only be resolved by way of ever more sophisticated inputs into tactical operations. Lethal Autonomy provides constrained military/security forces with a viable option, but only if implementation has got proper empirically supported foundations. Autonomous weapon systems can be designed and developed to conduct ground, air and naval operations. This monograph offers some insights into the challenges of developing legal, reliable and ethical forms of autonomous weapons, that address the gap between Police or Law Enforcement and Military operations that is growing exponentially small. National adversaries are today in many instances hybrid threats that manifest criminal and military traits; these often require deployment of hybrid-capability autonomous weapons imbued with the capability to take on both Military and/or Security objectives. The Westgate Terrorist Attack of 21st September 2013 in the Westlands suburb of Nairobi, Kenya is a very clear manifestation of the hybrid combat scenario that required military response and police investigations against a fighting cell of the Somalia based globally networked Al Shabaab terrorist group. Comment: 52 pages, 6 Figures, over 40 references, reviewed by a reade