
    The duality of Information Security Management: fighting against predictable and unpredictable threats

    Information systems security is a challenging research area in the context of Information Systems. In fact, it has strong practical implications for the management of IS and, at the same time, it gives very interesting insights into understanding the process of social phenomena when communication information technologies are deployed in organizations. Current standards and best practices for the design and management of information systems security recommend structured and mechanistic approaches, such as risk management methods and techniques, in order to address security issues. However, risk analysis and risk evaluation processes have their limitations: when security incidents occur, they emerge in a context, and their rarity and even their uniqueness give rise to unpredictable threats. The analysis of these phenomena, which are characterized by breakdowns, surprises and side-effects, requires a theoretical approach which is able to examine and interpret subjectively the detail of each incident. The aim of this paper is to highlight the duality of information systems security, providing an alternative view on the management of those aspects already defined in the literature as intractable problems; this is pursued through a formative context (Ciborra, Lanzara, 1994) that supports bricolage, hacking and improvisation.

    Impact of Implementation of Information Security Risk Management and Security Controls on Cyber Security Maturity (A Case Study at Data Management Applications of XYZ Institute)

    Information security is an important concern for governments and industry due to the increase in cyber attacks during Covid-19. The government is obliged to maintain information security in implementing an Electronic-Based Government System following Presidential Regulation of the Republic of Indonesia Number 95 of 2018. To overcome this problem, the XYZ Institute needs an approach to implementing information security risk management and information security controls. This study aims at risk identification, risk analysis, risk evaluation, risk treatment, risk acceptance, risk control, and analysis of cyber security maturity gaps in the domains of governance, identification, protection, detection, and response. ISO/IEC 27005:2018 is used as guidance for conducting risk assessments. The code of practice for information security controls follows the ISO/IEC 27002:2013 standard, and maturity is assessed using the cyber security maturity model version 1.10 developed by the National Cyber and Crypto Agency of the Republic of Indonesia. The results show that the cyber maturity value increased from 3.19 to 4.06 after implementing 12 new security controls.

    The Economics of Natural Disasters - Implications and Challenges for Food Security

    A large and growing share of the world's poor lives under conditions in which high hazard risk coincides with high vulnerability. In the last decade, natural disasters claimed 79,000 lives each year and affected more than 200 million people, with damages amounting to almost US$70 billion annually. Experts predict that disasters will become even more frequent and their impact more severe, expecting a five-fold global cost increase over the next fifty years, mainly due to climate change and a further concentration of the world's population in vulnerable habitats. The paper argues that in order to mitigate disaster impact on poor population groups, development policy and disaster management need to become mutually supportive. Focusing on challenges disasters pose to food security, it proposes that in disaster-prone locations measures to improve disaster resilience should be an integral part of food security policies and strategies. It expands the twin-track approach to hunger reduction to a "triple track approach", giving due attention to cross-cutting disaster risk management measures. Practical areas requiring more attention include risk information and analysis; land use planning; upgrading physical infrastructures; diversification and risk transfer mechanisms. Investments in reducing disaster risk will be most needed where both hazard risk and vulnerability are high. As agriculture is particularly vulnerable to disaster risk, measures to reduce this vulnerability, i.e. protecting agricultural lands, water and other assets, should get greater weight in development strategies and food security policies. Investing in disaster resilience involves trade-offs. Identifying the costs, benefits and trade-offs involved will be a prominent task of agricultural economists.

    Risk homeostasis and security fatigue: a case study of data specialists

    Purpose: Organisations use a variety of technical, formal and informal security controls but also rely on employees to safeguard information assets. This relies heavily on compliance and constantly challenges employees to manage security-related risks. The purpose of this research is to explore the homeostatic mechanism proposed by risk homeostasis theory (RHT), as well as security fatigue, in an organisational context. Design/methodology/approach: A case study approach was used to investigate the topic, focusing on data specialists who regularly work with sensitive information assets. Primary data was collected through semi-structured interviews with 12 data specialists in a large financial services company. Findings: A thematic analysis of the data revealed risk perceptions, behavioural adjustments and indicators of security fatigue. The findings provide examples of how these concepts manifest in practice and confirm the relevance of RHT in the security domain. Originality/value: This research illuminates homeostatic mechanisms in an organisational security context. It also illustrates links with security fatigue and how this could further impact risk. Examples and indicators of security fatigue can assist organisations with risk management, creating “employee-friendly” policies and procedures, choosing appropriate technical security solutions and tailoring security education, training and awareness activities.

    ANALYSIS OF RELIGIOUS COURT INFORMATION SECURITY RISK MANAGEMENT USING THE OCTAVE ALLEGRO METHOD (CASE STUDY OF KEDIRI CITY)

    Ease of access can have pros and cons for all information system applications, because it increases the possibility of someone hacking the information system. Therefore, a risk assessment of information systems is needed to identify and understand the risks involved in accessing them. One risk assessment method that analyzes the risk profile of information assets is the OCTAVE Allegro method. The purpose of this study was to determine the results of the analysis of security risk management on information systems at the Religious Courts of the City of Kediri. The recommendation process is a follow-up to the risk assessment in the form of controls in ISO/IEC 27002:2013, focusing on clause 9, Access Control. This research uses a literature study approach. The literature review was carried out by looking for references to information security risk management analysis using the OCTAVE Allegro method, research material books and research journals to assist in the preparation of this research proposal. The theory taken from the references mainly refers to the OCTAVE Allegro method. Based on the results of the research conducted, the researchers identified 10 areas of attention that will be given control recommendations based on ISO/IEC 27002:2013.

    Assessing Challenges Facing Implementation of Information Security Critical Success Factors: A Case of National Examination Council, Tanzania

    The aim of this study was to assess challenges facing the implementation of information security critical success factors. The study employed a quantitative research approach and a survey research design in which a case study design was used. A sample of 79 respondents, derived from a population of 372 using Slovin’s formula sampling technique, was used; 86% of the respondents’ questionnaires were filled in effectively and used. Descriptive data analysis was used to analyze variables based on the research questions, while statistical tables and figures were used in data presentation. The results of this study indicate that there are challenges in the implementation of information security critical success factors such as security training programs, security policy, risk assessment, regular system updates, system auditing and commitment of top management. The study found, from respondents’ views, that the reasons for these implementation challenges are the availability of limited resources, weak financial support from top management, lack of understanding of the needed technology among information technology professionals, and poor security awareness programs for top management, who may think that information security is the issue of the information technology department only and not the whole organization. It is therefore concluded that organizations should identify their specific information security critical success factors to make better use of the organization’s limited resources, without investing in generalization, and give solutions based on risk priority in order to make the organization secure. The utilization of information security critical success factors also holds significant importance in ensuring the security of an organization's data. It is crucial to address and eliminate any challenges that are within the scope of affordability or manageability.