33 research outputs found

    Moving Towards Information System Security Accreditation within Australian State Government Agencies

    This paper investigates the current status of Information System Security (ISS) within New South Wales State government agencies in Australia. A 3-year longitudinal survey was used to increase awareness and motivate ISS managers. In addition, the survey was used as a management tool to monitor compliance with ISS standard’s controls (AS/NZS17799:2001). In 2004 an amendment to the standard added critical success factors (CSFs) as being necessary for an agency’s movement to accreditation. An analysis of the CSFs results was undertaken to determine the status of an independently acting agency’s security readiness and they were summarized to then provide an overall measure. This measure provided a ‘benchmark’ for an agency’s security readiness to the standard’s CSFs (AS/NZS17799:2004.AMDT). While the process for improving security based on CSFs is adequate, actual improvement in ISS across government requires further effort. This research contributes to the level of understanding of ISS compliance within e-Government

    Information Security in Nonprofits: A First Glance at the State of Security in Two Illinois Regions

    Information security is a hot button topic across all industries and new reports of security incidents and data breaches are a near daily occurrence. Much is known about recent trends and shortcomings in information security in the public and private sectors, but relatively little research examines the state of information security in nonprofit organizations. The underlying missions of nonprofit organizations, composition of their workforce, and their reliance on grants and donations for revenue generation streams set nonprofits apart from private business. These facts warrant an examination of information security of nonprofit organizations separate from private or commercial groups. This paper examines the state of information security in nonprofit organizations with results obtained by surveying volunteers or employees at nonprofit groups in two areas of Illinois. A qualitative discussion using observations gained from direct analysis of the security status of three organizations as part of student service learning projects is presented as well

    Investigating the Impact of Institutional Pressures on Information Security Compliance in Organizations

    Abstract: The increasing threat to information security has created institutional pressures on organizations to comply with information security policies and standards. This paper presents an empirical study to investigate the impact of institutional pressures (coercive, normative, and mimetic) on information security compliance in organizations. The results show that coercive pressures that are manifested by regulatory agencies, normative pressures that are exerted through social pressures, and mimetic pressures that are manifested by security benefits positively influence information security compliance in public organizations. Furthermore, the results reveal that regulation and security benefits generate pressures on management to strengthen their commitments towards information security compliance in organizations. It is, however, worthwhile to notice that social pressures do not have a significant impact on management commitments towards information security compliance. The implications of this study indicate the criticality of institutional pressures for enhancing information security compliance in public organizations both directly and indirectly

    Investigating the Role of Socio-organizational Factors in the Information Security Compliance in Organizations

    The increased reliance on information systems has created unprecedented challenges for organizations to protect their critical information from different security threats that have direct consequences on the corporate liability, loss of credibility, and monetary damage. As a result, the security of information has become critical in many organizations. This study investigates the role of socio-organizational factors by drawing the insights from the organizational theory literature in the adoption of information security compliance in organizations. Based on the analysis of the survey data collected from 294 employees, the study indicates management commitment, awareness and training, accountability, technology capability, technology compatibility, processes integration, and audit and monitoring have a significant positive impact on the adoption of information security compliance in organizations. The study contributes to the information security compliance research by exploring the criticality of socio-organizational factors at the organizational level for information security compliance

    Organisational Security Culture and Information Security Compliance for E-Government Development: The Moderating Effect of Social Pressure

    Rapid development of e-government has exposed critical public information to the possibility of cybercrime. Information security has become a critical issue that needs to be adequately addressed in e-government development. This paper develops an information security compliance model by drawing insights from organizational and institutional theory literature to examine how organizational security culture influences information security compliance in public organizations for e-government development. It also investigates the role of social pressure in moderating the relationship between information security culture and information security compliance. The study explores three specific dimensions of information security culture: management commitments, accountability and information security awareness. The result of a hierarchical regression analysis indicates that management commitments, accountability, information security awareness, and social pressure have a significant positive impact on information security compliance in public organizations. The moderating role of social pressure, however, is only significant in augmenting the relationship between accountability and information security compliance. This study contributes to the information security compliance research by highlighting the criticality of establishing an information security culture within public organisations to promote information security compliance

    Information Security Perceptions of Users, Levels of Engagement and Developer Resistance

    This paper reports on a case study considering the propensity for a range of stakeholders to engage with information security issues during a major development project as part of a project considering the user involvement with the elicitation of information security requirements. Also examined were the attitudes of IT managers and project team members. The research found that many users have an interest in being involved with information security issues, but their concerns meant they would need to be supported during any information security requirements gathering process. While business areas were interested in being involved, there was resistance from developers and this would require careful management. It was found that most users had a simplistic view of information security, largely limited to issues around access privileges

    A theoretical model for participation by stakeholders concerned with information security issues in systems development processes

    After discussing the general issues with user participation in information systems development and aspects of user awareness with information security processes, this article raises a series of issues concerned with user participation with the information security aspects of the user requirements during information systems development processes. These issues are then developed into a theoretical model concerned with user participation in the elicitation of information security requirements during systems development processes. While most of these issues are known in the general systems development context, when they arise in the information security context, they are easily overlooked or neglected. The theoretical model and the associated issues presented are candidates for further research work within the information security domain

    IMPLEMENTATION CHALLENGES FOR INFORMATION SECURITY AWARENESS INITIATIVES IN E-GOVERNMENT

    With the widespread adoption of electronic government services, there has been a need to ensure a seamless flow of information across public sector organizations, while at the same time, maintaining confidentiality, integrity and availability. Governments have put in place various initiatives and programs including information security awareness to provide the needed understanding on how public sector employees can maintain security and privacy. Nonetheless, the implementation of such initiatives often faces a number of challenges that impede further take-up of e-government services. This paper aims to provide a better understanding of the challenges contributing towards the success of information security awareness initiatives implementation in the context of e-government. Political, organizational, social as well as technological challenges have been utilized in a conceptual framework to signify such challenges in e-government projects. An empirical case study conducted in a public sector organization in Greece was exploited in this research to reflect on these challenges. While the results from this empirical study confirm the role of the identified challenges for the implementation of security awareness programs in e-government, it has been noticed that awareness programmers often pursue different targets of preserving security and privacy, which sometimes results in adding more complexity to the organization