
    Security Planning in IT Systems

    Security planning is a necessity nowadays. Planning involves policies, controls, a timetable and continuing attention. Policies are the foundation of effective information security. Security policies challenge users to change the way they think about their own responsibility for protecting corporate information. The paper presents the essential elements of security planning.
    Keywords: security planning, policy, business continuity, timetable

    The information security policy unpacked: A critical study of the content of university policies

    Ensuring the security of corporate information, which is increasingly stored, processed and disseminated using information and communications technologies (ICTs), has become an extremely complex and challenging activity. This is a particularly important concern for knowledge-intensive organisations, such as universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of security breaches, and in so doing protecting corporate information, is the formulation and application of a formal information security policy (InSPy). Whilst a great deal has now been written about the importance and role of the information security policy, and about approaches to its formulation and dissemination, there is relatively little empirical material that explicitly addresses the structure or content of security policies. The broad aim of the study reported in this paper is to fill this gap in the literature by critically examining the structure and content of authentic information security policies, rather than simply making general prescriptions about what they ought to contain. Having established the structure and key features of the reviewed policies, the paper critically explores the underlying conceptualization of information security embedded in the policies. There are two important conclusions to be drawn from this study: 1) the wide diversity of disparate policies and standards in use is unlikely to foster a coherent approach to security management; and 2) the range of specific issues explicitly covered in university policies is surprisingly low, and reflects a highly techno-centric view of information security management.

    Managerial Control Effects on Information Security Policy Compliance Intentions: Considerations of Formal and Informal Modes of Control

    With the continued advancement in computer and digital technologies, companies, institutions, and organizations worldwide have leveraged new information technology to increase efficiency and effectiveness in all aspects of their business functions. Oftentimes, the information processed and stored on information systems poses an information security risk to the organization, employees, and clients alike. Therefore, a comprehensive and effective information security management program is essential to protecting data from accidental or intentional exposure to actors who wish to gain access to data in order to make a profit by selling the information to the highest bidder, to utilize the stolen data for their own internal research and development, or to use the data to damage a targeted institution for nefarious motives. Employees’ compliance with corporate information security policies is a necessary component of the success of the corporate information security management program. In this study, I adopted control theory and developed a research model to explain how formal and informal organizational controls affect employees’ intentions to comply with information security policies. To test the model, I collected data from 303 respondents about their perceptions of their organizations’ formal and informal control modes along with their respective intentions to comply with information security policies. SEM-PLS analysis provided results that were only partially in consonance with previous studies and showed some additive effects when control modes were combined into a single model. I found clan control (informal) to have a significant and positive effect. I also found that adding the informal control modes into the model resulted in a different effect by rendering input control (formal) and self-control (informal) insignificant and changing the direction of the relationship of outcome control (formal) and behavior control (formal). In turn, these findings can help organizations set up proper controls to protect themselves from cyber threats and establish the most effective methods of control based on organizational context and control theory to ensure employees’ compliance with the established information security policies of their organizations.

    Reinforcing the security of corporate information resources: a critical review of the role of the acceptable use policy

    Increasingly, users are seen as the weak link in the chain when it comes to the security of corporate information. Should the users of computer systems act in any inappropriate or insecure manner, they may put their employers in danger of financial losses, information degradation or litigation, and themselves in danger of dismissal or prosecution. This is a particularly important concern for knowledge-intensive organisations, such as universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of inappropriate behaviours, and in so doing protecting corporate information, is the formulation and application of a formal ‘acceptable use policy’ (AUP). Whilst the AUP has attracted some academic interest, it has tended to be prescriptive and overly focussed on the role of the Internet, and there is relatively little empirical material that explicitly addresses the purpose, positioning or content of real acceptable use policies. The broad aim of the study reported in this paper is to fill this gap in the literature by critically examining the structure and composition of a sample of authentic policies (taken from the higher education sector), rather than simply making general prescriptions about what they ought to contain. There are two important conclusions to be drawn from this study: 1) the primary role of the AUP appears to be as a mechanism for dealing with unacceptable behaviour, rather than proactively promoting desirable and effective security behaviours; and 2) the wide variation found in the coverage and positioning of the reviewed policies is unlikely to be fostering a coherent approach to security management across the higher education sector.

    New technologies: one of the key strategic factors of the Serbian corporate governance practice harmonisation with EU requirements

    New technologies have been changing the world for centuries. Innovations have been the strongest tool for the development and recovery of the world economy. Today information is the most valuable asset, and global markets and global companies depend on relevant data and information security. Tech-intelligent processes are fundamental for the European corporate governance environment. The stability of corporate governance as a system, with the prime aim of protecting investors and taking care of stakeholders linked to public companies, is based on the quality of information and relevant access. When corporate governance is good, the process of collecting and disseminating information is good as well. This paper presents the potential of information technology to be used for better corporate governance and to help Serbian companies position themselves on European capital markets. Public companies, as well as capital markets, can be controlled more efficiently by using IT. Shareholders’ rights and activities, boards of directors’ duties and responsibilities, the settling of disputes, disclosure and transparency, stakeholders’ protection and other important issues in corporate governance can be provided and organized in a better way. This paper mostly deals with three main segments of corporate governance policy: protection of shareholders’ rights, effective boards of directors and efficient resolution of disputes. Proper use of technology and the right policies and procedures for information security can help a public company improve the efficiency of corporate governance by supporting diligence, restricting abuse and reducing corruption and bribery. The destructive nature of any dispute arising within or out of a company has the potential to spoil the reputation of the company and the trust of investors. On the other hand, a dispute can be solved and can even become a tool for a better relationship between the parties to the dispute in the future. If discovered at the very beginning, a dispute can be handled effectively by mediation, and there information and communication technology can be of great help.

    A study of information security awareness program effectiveness in predicting end-user security behavior

    As accessibility to data increases, so does the need to increase security. For organizations of all sizes, information security (IS) has become paramount due to the increased use of the Internet. Corporate data are transmitted ubiquitously over wireless networks and have increased exponentially with cloud computing and growing end-user demand. Both technological and human strategies must be employed in the development of an information security awareness (ISA) program. By creating a positive culture that promotes desired security behavior through appropriate technology, security policies, and an understanding of human motivations, ISA programs have been the norm for organizational end-user risk mitigation for a number of years (Peltier, 2013; Tsohou, Karyda, Kokolakis, & Kiountouzis, 2015; Vroom & Solms, 2004). By studying the human factors that increase security risks, more effective security frameworks can be implemented. This study focused on testing the effectiveness of ISA programs on end-user security behavior. The study included the responses of 99 of 400 employees at a mid-size corporation. The theory of planned behavior was used as the model to measure the results of the tool. Unfortunately, while the data collected indicated that ISA does cause change in security behavior, the data also showed no statistical significance. Thus, we fail to reject the null hypothesis.

    Why Individual Employees Commit Malicious Computer Abuse: A Routine Activity Theory Perspective

    Prior information security studies have largely focused on understanding employee security behavior from a policy compliance perspective. We contend that there is a pressing need to develop a comprehensive understanding of the circumstances that lead employees to commit deliberate and malicious acts against organizational digital assets. Drawing on routine activity theory (RAT), we seek to establish a comprehensive model of employee-committed malicious computer abuse (MCA) by investigating the motivations of the offenders, the suitability of the desired targets, and the effect of security guardianship in organizational settings. Specifically, we delineate the effects of the individual characteristics of self-control, hacking self-efficacy, and moral beliefs, as well as the organizational aspects of deterrence, based on the routine activity framework of crime. We tested this research model using research participants holding a wide range of corporate positions and possessing varying degrees of computer skills. Our findings offer fresh insights on insider security threats, identify new directions for future research, and provide managers with prescriptive guidance for formulating effective security policies and management programs for preventing MCA in organizations.

    Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

    Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of the policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from the literature, this paper proposes the Enterprise Information Security Policy Assessment approach, which expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach.

    Examining the Behavioral Intention of Individuals' Compliance with Information Security Policies

    Target Corporation experienced an information security breach that resulted in compromising customers' financial information. Management is responsible for implementing adequate information security policies that protect corporate data and minimize financial losses. The purpose of this experimental study was to examine the effect of a fear appeal communication on an individual's information security policy behavioral intention. The sample population involved information technology professionals randomly selected from the SurveyMonkey audience. A research model, developed using constructs from deterrence theory and protection motivation theory, became the structural model used for partial least squares structural equation modeling (PLS-SEM) analysis of the survey response data, which indicated that self-efficacy was statistically significant. The remaining model variables, perceived threat vulnerability, perceived threat severity, response efficacy, informal sanction certainty, informal sanction severity, formal sanction certainty, and formal sanction severity, were not statistically significant. A statistically significant self-efficacy result could indicate confidence among the population to comply with information security policies. The nonsignificant results could indicate that the fear appeal treatment did not motivate a change in behavior, or that information security policy awareness bias was introduced by selecting information technology professionals. Social change in information security could be achieved by developing an effective information security policy compliance fear appeal communication, which could change information security compliance behavior and contribute to securing the nation's critical cyber infrastructure and protecting data.