12 research outputs found

    Cybercrime Post-Incident Leadership Model

    Cybercrimes are facts of the modern technological society. While extant literature proposes a variety of prescriptive practices to combat cybercrimes, there is scant research to address how organizational leaders should minimize the impact of cybercrimes on their companies and the community after they have occurred. This study addresses the steps leaders should take in the aftermath of cybercrimes and proposes a four-stage leadership model consisting of best practices to guide leaders in preparing, responding, and recovering from a digital or cybersecurity attack

    Cybersecurity Risk-Responsibility Taxonomy: The Role of Cybersecurity Social Responsibility in Small Enterprises on Risk of Data Breach

    With much effort being placed on the physical, procedural, and technological solutions for Information Systems (IS) cybersecurity, research studies tend to focus their efforts on large organizations while overlooking very small organizations (below 50 employees). This study addressed the failure to prevent data breaches in Very Small Enterprises (VSEs). VSEs contribute significantly to the economy, however, are more prone to cyber-attacks due to the limited risk mitigations on their systems and low cybersecurity skills of their employees. VSEs utilize Point-of-Sale (POS) systems that are exposed to cyberspace, however, they are often not equipped to prevent complex cybersecurity issues that can result in them being at risk to a data breach. In addition, the absence of federal laws that force VSEs to adhere to standards such as the Payment Card Industry Data Security Standard (PCI-DSS) leaves it up to the discretion of the VSEs to invest in cybersecurity countermeasures aimed at preventing a data breach. Therefore, this study investigated the role that cybersecurity social responsibility plays in motivating the owners of these companies to engage in cybersecurity measures geared at preventing data breaches. This study developed and validated using Subject Matter Experts (SMEs) a cybersecurity risk-responsibility taxonomy using the constructs of VSEs’ owners’ perceived cybersecurity social responsibility (CySR) and risk of data breach (RDB) in order to better understand their level of exposure to a data breach. Exploratory Factor Analysis (EFA) using Principal Component Analysis (PCA) was conducted to extract the significant factors for CySR and RDB. The study also addressed whether there were significant differences in VSEs owners’ perceived RDB and perceived CySR based on three demographics: (1) type of industry, (2) implementation of chip technology, (3) compliance with PCI-DSS. This study was conducted in three phases.
Phase 1 utilized a panel of 13 information security SMEs and used the Delphi technique to review characteristics for RDB and CySR that were derived from literature. The results of the expert review were subjected to further validation by means of a pilot study using a small sample of the study population (Phase 2). The pilot study population included 20 organizations with number of employees ranging from less than five to 50 total employees across seven different industries. Phase 3 of the study included the main data collection using the modified survey instrument from the pilot study. 105 VSEs anonymously participated in the main data collection phase of the study. The collected data was subjected to EFA which identified three factors comprised of 15 items for RDB and two factors comprised of 13 items for CySR. In addition, descriptive statistics was obtained and evaluated to determine if significant differences exist in VSEs owners’ perceived RDB based on type of industry, implementation of Europay, Mastercard and Visa (EMV) chip technology and, compliance with PCI-DSS. One-way Analysis of variance (ANOVA) was used to evaluate whether significant differences existed based on the VSEs demographics. The results of the study indicated that there was a statistically significant difference in both RDB and CySR for industry, use of EMV Chip and, PCI-DSS compliance. This study demonstrates that there is a relationship between CySR and cybersecurity and that the CySR instrument could be used to assess cybersecurity practices in small businesses. In addition, this study may assist organizations in understanding and mitigating cybersecurity data breaches

    Transformational Leadership Principles within Small Businesses

    Small businesses in the United States experience a high rate of failure. The purpose of this phenomenological study was to identify and explore consistent strategies small business owners in Harrisburg, Pennsylvania used to lead successful companies. Transformational leadership theory formed the conceptual framework for this study. A mixed purposive sample of 20 small business owners participated in semistructured face-to-face and telephone interviews. Each of the participants possessed a minimum of 3 years of successful business operation and employed fewer than 500 individuals. Using Moustakas' modified van Kaam analyses, 6 main themes emerged: characteristics and experiences, leadership behaviors, managing operations, managing employees, employee behaviors, and achieving success. The study findings highlighted the need for small business owners to nurture the leader-follower relationship to inspire and motivate employees. Further, the results indicated the importance of utilizing integrated business practices to influence employee and business performance. The findings in this study promote positive social change by identifying strategies to empower nascent and existing entrepreneurs. Small business owners can apply these results to improve the leader-follower relationship within their organizations, and boost overall business success

    Influence of Leadership Style on Leaders' Transition from Private to Public Sector

    Leadership can improve the quality of work through motivation or degrade work through pressure. Leadership effectiveness depends on style and work environment. Differences in work environment may create challenges for leaders transitioning from private to public organizations. The purpose of this quantitative correlational study was to examine the relationship between leadership styles and ease of transition from private to public organizations. The study included the full-range leadership model as the theoretical foundation. Seventy-seven public sector employees in Ontario, Canada, participated in a survey to measure leadership style and effectiveness of transition from private to public sector. Results of multiple linear regression analysis indicated that only the transactional leadership style had a significant positive relationship with the ease of transition from private to public sector. The study indicated that ease of transition of leaders moving from the private to the public sector would be higher for leaders who practice the transactional style of leadership more frequently. The results of this study might effect positive social change for public sector organizations in improving their hiring, orientation, and training of leaders transitioning from the private sector, resulting in better led and more effective public organizations. The result of this study could also positively affect leaders by providing a better understanding about how their styles might help or hinder their transition from the private sector, and enable them to succeed after their transition to the public sector

    Flashlight in a Dark Room: A Grounded Theory Study on Information Security Management at Small Healthcare Provider Organizations

    Healthcare providers have a responsibility to protect patient’s privacy and a business motivation to properly secure their assets. These providers encounter barriers to achieving these objectives and limited academic research has been conducted to examine the causes and strategies to overcome them. A subset of this demographic, businesses with less than 10 providers, compose a majority 57% of provider organizations in the United States. This grounded theory study provides exploratory findings, discovering these small healthcare provider organizations (SHPO) have limited knowledge on information technology (IT) and information security that results in assumptions and misappropriations of information security implementation, who is responsible for security, and what the scope of security is to address organizational cyber risk. A theory conveying the interrelationship among concepts, illustrating these barriers, is visually communicated. This research can be leveraged by researchers to further understand the dimensions of the identified barriers and by practitioners to develop strategies to improve organizational information security for this demographic. The study’s findings may apply to SHPOs in other states as the criteria of South Carolina based SHPOs did not seem to influence the findings. Intensive interviewing was conducted on nine SHPOs in the state of South Carolina to elicit their thoughts and perspectives on information security at their business, how decisions are made regarding information security, how threats and risks to their business are perceived, and to understand financial activities associated with providing information security at their organization. The concepts and categories, and how they interrelate to each other compose the “flashlight in a dark room” theory. 
This theory claims the current IT and information security knowledge of staff responsible for information security at these SHPOs produces a narrow scope of what is required for proper information security and informs their perceived cyber risk exposure. These personnel are only “seeing” what the flashlight illuminates in a dark room full of cyber risk. They are committed to secure their organization appropriately and are confident in their current cyber security posture. This causes an organizational cyber risk reality versus perception misalignment, resulting in unknown, accepted risk exposure. SHPOs support information security and are motivated to be ‘as secure as possible’ with a strong emphasis on protecting their patient’s protected health information. This suggests if ‘the “overhead light in the dark room” could be turned on, and illuminate the scope of cyber risk, these organizations would begin to work toward implementing security controls that align to their actual cyber risk

    An Empirical Assessment of Cybersecurity Readiness and Resilience in Small Businesses

    A cyber-attack can become costly if small businesses are not prepared to protect their information systems or lack the ability to recover from a cybersecurity incident. Small businesses that are not ready to deal with cyber threats are risking significant disruption and loss. In many cases the small business decision makers, owners or managers, do not have a strategy to improve their cybersecurity posture despite the known risk to their business. This research study focused on the relationship between two constructs that are associated with readiness and resilience of small businesses based on their cybersecurity planning, implementation, as well as response and recovery activities. An empirical assessment was conducted on small businesses’ level preparedness relative to their decision makers’ perceived risk of cyber-attack (perceived likelihood x perceived impact). Subject matter experts (SMEs) were used to validate a set of cybersecurity preparedness activities for the construct of cybersecurity preparedness. The SMEs approved 70 cybersecurity preparedness activities among the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework to assess the level of cybersecurity preparedness of small businesses. The SMEs then assigned weights to the validated preparedness activities to enable an aggregated benchmark cybersecurity preparedness score (CPS). The construct the decision maker’s perceived risk of cyberattack (DMPRCA) was updated with a set of common cyber threat vectors and using simple definitions from the SMEs. A Cybersecurity Preparedness-Risk Taxonomy (CyPRisT) was then developed using the theoretical foundation of prospect theory and status quo bias. The four quadrants of cybersecurity risk postures were defined as indifference, susceptible, aversive, and strategic. The aggregated scores of CPSs and DMPRCA were positioned on the CyPRisT for each of the 216 small businesses who participated in this study. 
Statistical differences were found in the CPSs and DMPRCA by demographics industry, size (number of employees), and Information Technology (IT) budget (%). The findings of the quantitative analysis are presented along with the position on the CyPRisT for each demographic indicator of the businesses. The Cybersecurity Assessment of Risk Management to optimize Readiness and Resilience (cyberARMoRR) program for small businesses was developed as a cybersecurity strategy planning guide and collection of resources. The cyberARMoRR program was administered to 50 small business decision makers. The CPSs and DMPRCA were evaluated before and after participation in cyberARMoRR program and positioned on the CyPRisT to assess differences in the small businesses’ cybersecurity posture. The results of the paired sample t-test showed no significant differences between the pretest and posttest groups. However, there was an observed increase in both the CPSs and DMPRCA that moved the position toward the risk-aversive quadrant of the CyPRisT. An analysis of the empirical data was conducted on the cybersecurity preparedness activities that participants identified as most challenging to implement and their explanations of why. Data were collected from 15 semi-structured interviews and 50 surveys with five open-ended questions, one per each function of the NIST Cybersecurity Framework. A two-cycle thematic analysis was performed using the responses that described the challenges of cybersecurity preparedness activities. The results of the qualitative analysis suggest that small business decision makers are more likely to improve their ability to mitigate cyber threats when the applicable technologies are uncomplicated, technical expertise is accessible, and cybersecurity educational material is easy to understand. 
The small business owners and managers also indicated that the cybersecurity preparedness activities are more attainable when the demand of their time did not change their focus away from business operations. Conversely, the small businesses that were able to improve their cybersecurity posture had committed to incorporating many of the cybersecurity preparedness activities into their routine business processes, such as allocating a budget for cybersecurity and performing vulnerability assessments. The effects of prospect theory and status quo bias are discussed in the context of the CyPRisT positions for the small businesses

    Understanding variety in small firm internationalization : the decision-making process of small manufacturing firms in Indonesia

    Research on small firm internationalization has been conducted intensively over the last few decades. However, knowledge of small firm internationalization varied. This research addresses the question of this variety in small firm internationalization applying the stage models theory, network theory, resource-based theory and international new venture. As the more recent studies showed that researchers have inclined towards one conclusive finding of the central role of the manager in internationalization, the key explanation of the inconclusive knowledge about small firm internationalization possibly resides in the decision made by the manager. Thus, this research explored the process of making an internationalization decision using rational decision-making process theory. To give a different perspective from the existing internationalization theories that have been developed around manufacturing firms in developed countries, this research was conducted on manufacturing firms in a developing country, Indonesia. A mixed-method approach was used to generate a model of internationalization decision-making process. The results showed that internationalization decision was a manager-centred activity and the manager’s capability and learning processes were essential in determining the decision. Accordingly, variety in managers’ capability was likely the cause of variety in small firm internationalization. Future research should be directed to the individual level of the manager instead of the firm or industry level if understanding internationalization of small firms is the aim. To be effective, policy and programs addressing internationalization of small firms should consequently also be directed to increasing managerial capabilities and to providing real-life experience for learning

    Beyond the Enclave: Success Strategies of Immigrant Entrepreneurs

    In the United States, immigrant entrepreneurs start almost one third of all new businesses. However, many immigrant entrepreneurs lack the knowledge or expertise to evolve their businesses beyond the ethnic enclave where the businesses are located. This multiple case study captured the strategies used by 5 Latino immigrant business owners who successfully expanded their business beyond their ethnic enclave. The conceptual framework for this study was dynamic capabilities theory. Data were collected from interviews, company documents, and observations of the operation of businesses and owners. Member checking and transcript reviews were used to enhance the reliability and credibility of the data. Miles, Huberman, and Saldana's data analysis method was used to identify 6 themes that yielded 3 possible strategies to help Latino immigrant business owners expand outside of their enclave: (a) adopt a multicultural hybridism model changing the internal make-up of the employee base to include more interethnic labor and managerial resources; (b) achieve language and cultural proficiency of the host community; and (c) seek and nurture professional development and mentorship relationships to obtain access to advice, opportunities, and financial resources. Also noted was the importance of individual readiness to seize opportunities and being tenacious in their business efforts. The study findings may contribute to positive social change because strategies that help immigrant entrepreneurs succeed have benefits that extend beyond their immediate family to the broader communities in which they operate by increasing job creation, wealth accumulation, and the development of society

    Strategies for Cybercrime Prevention in Information Technology Businesses

    Cybercrime continues to be a devastating phenomenon, impacting individuals and businesses across the globe. Information technology (IT) businesses need solutions to defend and secure their data and networks from cyberattacks. Grounded in general systems theory and transformational leadership theory, the purpose of this qualitative multiple case study was to explore strategies IT business leaders use to protect their systems from a cyberattack. The participants included six IT business leaders with experience in cybersecurity or system security in the Midlands region of South Carolina. Data were collected using semistructured interviews and reviews of government standards documents; data were analyzed using thematic analysis. Three themes emerged from the study: (a) cybercrime prevention strategy; (b) cybersecurity awareness, training, and education; and (c) effective leadership. A key recommendation is for IT business leaders to ensure employees are current on cybersecurity awareness and defense techniques through regular training and education, use third-party vendors that are subject matter experts where they lack talent, and develop leaders with a transformational mindset. The implications for positive social change include the potential for IT business leaders and employees to become more proactive in learning and implementing effective cybercrime prevention strategies to keep their businesses profitable and support the needs of stakeholders and clients

    A framework for information security governance in SMMEs

    It has been found that many small, medium and micro-sized enterprises (SMMEs) do not comply with sound information security governance principles, specifically the principles involved in drafting information security policies and monitoring compliance, mainly as a result of restricted resources and expertise. Research suggests that this problem occurs worldwide and that the impact it has on SMMEs is great. The problem is further compounded by the fact that, in our modern-day information technology environment, many larger organisations are providing SMMEs with access to their networks. This results not only in SMMEs being exposed to security risks, but the larger organisations as well. In previous research an information security management framework and toolbox was developed to assist SMMEs in drafting information security policies. Although this research was of some help to SMMEs, further research has shown that an even greater problem exists with the governance of information security as a result of the advancements that have been identified in information security literature. The aim of this dissertation is therefore to establish an information security governance framework that requires minimal effort and little expertise to alleviate governance problems. It is believed that such a framework would be useful for SMMEs and would result in the improved implementation of information security governance