
    Deliver security awareness training, then repeat:{deliver; measure efficacy}

    Organisational information security policy contents are disseminated by awareness and training drives. Their success is usually judged on immediate post-training self-reports, which are usually subject to social desirability bias. Such self-reports are generally positive, but they cannot act as a proxy for actual subsequent behaviours. This study aims to formulate and test a more comprehensive way of measuring the efficacy of these awareness and training drives, called ASTUTE. We commenced by delivering security training. We then assessed security awareness (post-training), and followed up by measuring actual behaviours. When we measured actual behaviours after a single delivery of security awareness training, the conversion from intention to behaviour was half of the desired 100%. We then proceeded to deliver the training again, another two times. The repeated training significantly reduced the gap between self-reported intention and actual secure behaviours.

    A revised framework of information security principles

    Confidentiality, Integrity and Availability are referred to as the basic principles of Information Security. These principles have remained virtually unchanged over time, but several authors argue they are clearly insufficient to protect information. Others go a step further and propose new security principles to update and complement the traditional ones. Prompted by this context, the aim of this work is to revise the framework of Information Security principles, making it more current, complete, and comprehensive. Based on a systematic literature review, a set of Information Security principles is identified, defined and characterized, which subsequently leads to a proposal of a Revised Framework of Information Security Principles. This framework was evaluated in terms of completeness and wholeness by intersecting it with a catalog of threats, which resulted from the merger of four existing catalogs. An initial set of security metrics, applied directly to the principles that constitute the framework, is also suggested, allowing, in case of adverse events, an assessment of the extent to which each principle was compromised and an evaluation of the global effectiveness of the information protection efforts.

    Funding: Programa Operacional Fatores de Competitividade – COMPETE and national funds by FCT – Fundação para a Ciência e Tecnologia under Project FCOMP-01-0124-FEDER-022674

    ‘Breaching’ Auditor Judgments of Information Security Effectiveness

    In this in-progress study we explore whether aspects of a prior data security breach, along with prior audit performance, work to decrease auditor objectivity regarding information security (InfoSec) weaknesses in the subsequent audit period. We use SOX Section 404 as the contextual setting and our analysis is based on a unique dataset from publicly available sources. Preliminary results suggest that not only does former audit performance influence auditor judgments of InfoSec performance, but also that the strength of this relationship changes based on public attention. We found no evidence for the influence of past breach severity on auditors’ judgments, nor did we find that the influence of public attention is direct. Instead, it appears that auditors can be lured toward decreased objectivity in an indirect manner, as the weight of public attention increases their desire to validate past audit evaluations. Implications and plans for future research are discussed.

    Deployment of Information Security Practices: The High Reliability Theory Perspective

    Drawing on high reliability theory, this study investigates how a firm’s information security (InfoSec) practices, as practical proficiencies, form its organisational security culture. We tested the model using survey data from 602 professional managers in Australia and New Zealand who are aware of the InfoSec programmes within their respective organisations. The findings suggest that security culture is influenced by a firm’s practical proficiencies in the form of InfoSec practices, namely prevention, detection and response practices. Our findings also emphasise the importance of organisational supportive proficiencies, as organisational structure, for improving the impact of InfoSec preventive practices on organisational security culture. The results of this study provide both academics and practitioners an understanding of the vital organisational dynamics necessary to establish a culture of security.

    Examination of Corporate Investments in Privacy: An Event Study

    The primary objective of any corporate entity is generating as much wealth as possible. Investing financially in technology domains has historically been a successful strategy for generating increased corporate and shareholder wealth. However, investments in Information Technology (IT), Information Systems (IS) and Information Security (InfoSec) made specifically to generate increased wealth must be implemented carefully. Shareholders reacting to corporate investments perceive financial value from individual investments. The investment’s perceived value is then reflected in the corporation’s updated stock market value. IS, IT, and InfoSec investments perceived to possess positive financial value, indicating strong potential for increased wealth, are rewarded by shareholders through increased stock market value; conversely, investments perceived to possess negative financial value, likely to decrease corporate wealth, are punished by shareholders through decreased stock market value. Previous research utilizing Event Study Methodology (ESM) determined the financial impact that investments had on corporate stock market value after press release announcements identifying the investment. Based on early success across various domains, additional Event Study Research (ESR) was conducted within IS, IT, and InfoSec. Most studies aligned with one of three categories: 1) Investments in IT, 2) Information Security Breaches, and 3) IT Outsourcing, and similarly measured changes in market value from corporate investments in related IS, IT, and InfoSec products and services. Examination of the extant body of literature identified a gap within the Privacy domain: minimal ESR has examined privacy and the financial impact of corporate investments in privacy.
    While the financial loss associated with a breach incident is identified as the motivating force driving increased corporate investments in defensive measures, “privacy” is identified as a singular construct with little concern for the associated invasion of privacy. As such, little is known about privacy, the potential financial risks associated with a privacy breach, or why corporations are not investing in privacy. This research extends the body of literature and makes an academic contribution by: 1) using ESM to identify the financial and overall stock market implications of corporate investments in privacy, 2) identifying the economic incentives motivating corporate investments in privacy, and 3) gaining a better overall understanding of corporate investments in privacy, and of why corporations are not investing in privacy.

    Learning Outcomes for Cyber Defense Competitions

    Cyber defense competitions (CDCs) simulate a real-world environment, where the competitors must protect the information assets of a fictional organization. These competitions are becoming popular at the high school and college levels, as well as in industry and governmental settings. However, there is little research to date on the learning outcomes associated with CDCs or the long-term benefits to the participants as they pursue future educational, employment or military goals. For this exploratory research project, we surveyed 11 judges and mentors participating in a well-established high school CDC held in the southeastern United States. Then we developed a set of recommended learning outcomes for CDCs, based on importance of the topic and participant preparedness for future information-security related endeavors. While most previous research has focused on technology issues, we analyzed technological, human, and social topics, to develop a comprehensive set of recommendations for future CDCs

    Towards a framework to promote the development of secure and usable online information security applications

    The proliferation of the internet and associated online activities exposes users to numerous information security (InfoSec) threats. Such online activities attract a variety of online users who include novice computer users with no basic InfoSec awareness knowledge. Information systems that collect and use sensitive and confidential personal information of users need to provide reliable protection mechanisms to safeguard this information. Given the constant user involvement in these systems and the notion of users being the weakest link in the InfoSec chain, technical solutions alone are insufficient. The usability of online InfoSec systems can play an integral role in making sure that users use the applications effectively, thereby improving the overall security of the applications. The development of online InfoSec systems calls for addressing the InfoSec problem as a social problem, and such development must seek to find a balance between technical and social aspects. The research addressed the problem of usable security in online InfoSec applications by using an approach that enabled the consideration of both InfoSec and usability in viewing the system as a socio-technical system with technical and social sub-systems. Therefore, the research proposed a socio-technical framework that promotes the development of usable security for online information systems using online banking as a case study. Using a convergent mixed methods research (MMR) design, the research collected data from online banking users through a survey and obtained the views of online banking developers through unstructured interviews. The findings from the two research methods contributed to the selection of 12 usable security design principles proposed in the sociotechnical information security (STInfoSec) framework. The research contributed to online InfoSec systems theory by developing a validated STInfoSec framework that went through an evaluation process by seven field experts. 
    Although intended for online banking, the framework can be applied to other similar online InfoSec applications with minimal adaptation. The STInfoSec framework provides checklist items that allow for easy application during the development process. The checklist items can also be used to evaluate existing online banking websites to identify possible usable security problems.

    Computer Science. D. Phil. (Computer Science)

    Network and Database Security: Regulatory Compliance, Network, and Database Security - A Unified Process and Goal

    Database security has evolved; data security professionals have developed numerous techniques and approaches to assure data confidentiality, integrity, and availability. This paper will show that traditional database security, which has focused primarily on creating user accounts and managing user privileges to database objects, is not enough to protect data confidentiality, integrity, and availability. This paper, a compilation of journals, articles and classroom discussions, will focus on unifying the process of securing data whether it is in use, in storage or in transit. Promoting a change in database curriculum development trends may also play a role in helping secure databases. This paper takes the position that a conscientious effort to unify the database security process, including the Database Management System (DBMS) selection process, following regulatory compliance requirements, analyzing and learning from the mistakes of others, implementing network security technologies, and securing the database itself, may prevent database breaches.

    The Effects of Computer Crimes on the Management of Disaster Recovery

    The effects of a technology disaster on an organization can include a prolonged disruption, loss of reputation, monetary damages, and the inability to remain in business. Although much is known about disaster recovery and business continuance, little research has been produced on how businesses can leverage other technology frameworks to assist information technology disaster recovery. The problem was the lack of organizational knowledge to recover from computer crime interruptions given the maturity level of existing disaster recovery programs. The purpose of this Delphi study was to understand how disaster recovery controls and processes can be modified to improve response to a computer crime caused business interruption. The overarching research question in this study was to understand what factors emerge relative to the ability of disaster recovery programs to respond to disasters caused by computer crimes. The conceptual framework included a maturity model to look at how programs might be improved to respond to the computer crimes threat. Research data were collected from a three-round Delphi study of 22 experts in the fields of disaster recovery and information security. Results from the Delphi represent a consensus of the panel. Key findings included the need for planning for cyber security, aligning disaster recovery with cyber security, providing cyber security training for managers and staff, and applying lessons learned from experience. Implications for positive social change include the ability for organizations to return to an acceptable level of operation and continue their service, benefiting employees, customers, and other stakeholders.