22 research outputs found

    The Weakest Link Human Behaviour and the Corruption of Information Security Management in Organisations - an Analytical Framework

    In this paper we introduce the norm-injection analysis framework, a construct which can be employed to aid analysis of processes that affect information security management (ISM) in organisations. The underpinnings of this framework draw on, and evolve, theories about how apparently mundane organisational processes, particularly managerial demands on employees, may in some instances lead to undesired, perhaps calamitous, consequences. Because the mechanisms between input (demand) and the adverse consequences work by gradually accruing and multiplying subtle communication "problemettes" into major problems, they are almost undetectable to the untrained eye. Breaches of ISM protocol may appear wholly mysterious to the crash investigators brought in to analyse, post-event, what went wrong. The norm-injection analysis framework is intended to shed light on these below-the-radar processes, and to supplement the tool set an organisation analyst has at his disposal when preparing or evaluating strategic ISM measures.

    Information Security Perceptions of Users, Levels of Engagement and Developer Resistance

    This paper reports on a case study considering the propensity for a range of stakeholders to engage with information security issues during a major development project, as part of a project considering user involvement with the elicitation of information security requirements. Also examined were the attitudes of IT managers and project team members. The research found that many users have an interest in being involved with information security issues, but their concerns meant they would need to be supported during any information security requirements gathering process. While business areas were interested in being involved, there was resistance from developers, and this would require careful management. It was found that most users had a simplistic view of information security, largely limited to issues around access privileges.

    Integrating Disaster Recovery Plan Activities Into The System Development Life Cycle

    The development of an IS for an organization is a project of a strategic nature. The development process is a time-consuming and specially budgeted project that follows the six stages of the System Development Life Cycle (SDLC). Integrating security within the SDLC is a very important issue. The security of an IS is designed at the very early stages of its development. A security object that is nowadays a must is the Disaster Recovery Plan. Security questions like “Is the Information System Security an issue that has to be a matter of concern for the organization from the start of Information System development?” and “At which stage of its development does an Information System begin to be at risk?” concern both the organizations and the developers. This paper proposes the enhancement of the SDLC stages in order to reduce the risks from the start of a development, by integrating the development of the Disaster Recovery Plan into the SDLC process. Details are given on how to achieve this, as well as the reasons and the benefits to the organization and to the manufacturer.

    A Holistic Approach for Enriching Information Security Analysis and Security Policy Formation

    Past literature has indicated the need for addressing information security from both the social and technical perspective. However, previous research has fallen short in providing any clear direction for how these two perspectives can be brought together in a coherent or holistic manner to analyze information security in an organization. Thus, this paper develops a conceptual framework for identifying, bringing together, and interpreting the deep-rooted social and technical issues that pertain to information systems security. The framework is grounded in semiotics and is validated by the analysis of a specific case study. Findings in this research indicate that the social and technical elements of security can be brought together in a holistic manner via six layers of abstraction, where each layer addresses deep-rooted issues that pertain to information security. The output of each layer is then used to inform other layers in a collaborative manner, creating a final product that contains elements for enriching security analysis and enhancing security policy formation.

    A theoretical model for participation by stakeholders concerned with information security issues in systems development processes

    After discussing the general issues with user participation in information systems development and aspects of user awareness of information security processes, this article raises a series of issues concerned with user participation in the information security aspects of the user requirements during information systems development processes. These issues are then developed into a theoretical model concerned with user participation in the elicitation of information security requirements during systems development processes. While most of these issues are known in the general systems development context, when they arise in the information security context they are easily overlooked or neglected. The theoretical model and the associated issues presented are candidates for further research work within the information security domain.

    Understanding And Measuring Information Security Culture

    The purpose of the current paper was to develop a measurement of information security culture. Our literature analysis indicated a lack of clear conceptualization and distinction between factors that constitute information security culture and factors that influence information security culture. A sequential mixed method consisting of a qualitative phase to explore the conceptualisation of information security culture, and a quantitative phase to validate the model, is adopted for this research. Eight interviews with information security experts in eight different Saudi organisations were conducted, revealing that security culture can be constituted as a reflection of security awareness and security ownership. Additionally, the qualitative interviews revealed that the factors that influence security culture are top management involvement, policy enforcement, and training. These confirmed factors formed the basis for our initial information security culture model, which was operationalised and tested in different Saudi Arabian organisations. Using data from two hundred and fifty-four valid responses, we demonstrated the validity and reliability of the information security culture model. We were further able to demonstrate the validity of the model in a nomological net, as well as provide some preliminary findings on the factors that influence information security culture.

    Cybersecurity Economics - Induced Risks, Latent Costs and Possible Controls

    Financial decisions indirectly affect and are affected by the effort towards Information Security. The 'Economics of Cybersecurity' should thus constitute a significant part of the Information Security Posture Assessment process and should be directly addressed in this context. As the complexity and interdependency of Information Systems grow and new technologies lead to the de-materialization of Information Systems assets, it becomes progressively evident that the conflicting interests and incentives of the various stakeholders of an Information System affect its overall Information Security Posture, perhaps even more significantly than technical or policy limitations do. This paper examines economic considerations from an Information Systems Security/Cybersecurity viewpoint and proposes new directions that may both help reduce the problem from a collective point of view and lead to the creation of methodologies to ultimately integrate economics, along with technical and non-technical issues, into an Organisation's Information Security Posture Assessment process.

    A Proposed Framework for Understanding Information Security Culture and Practices in the Saudi Context

    An examination of Information Security (IS) and Information Security Management (ISM) research in Saudi Arabia has shown the need for more rigorous studies focusing on the implementation and adoption processes involved with IS culture and practices. Overall, there is a lack of academic and professional literature about ISM, and more specifically IS culture, in Saudi Arabia. Therefore, the overall aim of this paper is to identify issues and factors that assist the implementation and the adoption of IS culture and practices within the Saudi environment. The goal of this paper is to identify the important conditions for creating an information security culture in Saudi Arabian organizations. We plan to use this framework to investigate whether security culture has emerged into practices in Saudi Arabian organizations.

    Quantitative Assessment of Enterprise Security System
