
    Systematic Literature Review of Soft System Method Use in Information Systems Field

    Information systems (IS) papers are published in different journals and conferences, using various methods and focusing on different problems. IS is an interdisciplinary field and covers technology, human and organizational issues. The problems involved are most of the time messy and confused ones, and these call for soft systems methodology (SSM), because this methodology emphasizes activities inside the organization and allows the participation of heterogeneous groups, as the IS discipline does. Therefore, the study focuses on how SSM is used in the IS field. SSM helps to structure complex structural and governmental conditions and delivers a possible change. It uses extensive interviews to recognize the problem situations using a “rich picture” and creates a “root definition” by the ‘CATWOE’ (Customers, Actors, Transformation process, World view, Owner, Environmental constraint) principles. These are inputs for creating a conceptual model, which leads to desirable change and to implementing actions on the ground. The general objective of the study is to analyze SSM use in the IS field using a systematic literature review method. The specific objectives are: to identify soft systems method use in the IS field; to identify the use of the systematic literature review method in IS; to review literature concerning SSM use; and to understand conceptual model construction. The search process in this study includes publications from international IS journals as well as specific SSM-related journals and conference papers. For the search process, the inclusion words are soft system method (or its use) and information (or IS) or organization. The systematic literature review method finally produced four main SSM uses in the IS field: organizational systems, education, e-service and security functionalities.
Generally, one should use SSM for innovative purposes, since it is mostly related to new technology and product development and to changing the working habits of the organization. SSM helps to define unstructured, difficult conditions and focuses on complicated managerial activities, investigating unorganized problems extensively. The benefit of applying SSM is that it makes it easier to set up the organization and to structure the problem conditions of complex institutions, and it can be used in very difficult security problems. So combining other methodologies with SSM will create a meaningful result for solving complicated problems, and the diverse views of customers’ complaints can be used to restructure organizations in a more innovative and systematic way.

    Standardizing Instructional Definition and Content Supporting Information Security Compliance Requirements

    Information security (IS)-related risks affect global public and private organizations on a daily basis. These risks may be introduced through technical or human-based activities, and can include fraud, hacking, malware, insider abuse, physical loss, mobile device misconfiguration or unintended disclosure. Numerous and diverse regulatory and contractual compliance requirements have been mandated to assist organizations in proactively preventing these types of risks. Two constants are noted in these requirements. The first constant is requiring organizations to disseminate security policies addressing risk management through secure behavior. The second constant is communicating policies through IS awareness, training and education (ISATE) programs. Compliance requirements direct that these policies provide instruction about making compliant and positive security decisions to reduce risk. Policy-driven and organizationally-relevant ISATE content is understood to be foundational and critical to preventing security risk. The problem identified for investigation is the inconsistency of the terms awareness, training and education as found in security-related regulatory, contractual and policy compliance requirements. Organizations are mandated to manage a rapidly increasing portfolio of inconsistent ISATE compliance requirements generated from many sources. Since there is no one set of common guidance for compliance, organizations struggle to meet global, diverse and inconsistent compliance requirements. Inconsistent policy-related content and instructions, generated from differing sources, may cause incorrect security behavior that can present increased security risk. Traditionally, organizations were required to provide only internally-developed programs, with content left to business, regulatory/contractual, and cultural discretion. Updated compliance requirements now require organizations to disseminate externally-developed content in addition to internally-provided content.
This real-world business requirement may cause compliance risks due to inconsistent instruction, guidance gaps and lack of organizational relevance. The problem has been experienced by industry practitioners within the last five years due to increased regulatory and contractual compliance requirements. Prior studies have not yet identified specific impacts of multiple and differing compliance requirements on organizations. The need for organizational relevance in ISATE content has been explored in the literature, but the amount of organizationally-relevant content has not been examined in balance with newer compliance mandates. The goal of the research project was to develop a standard content definition and framework. Experienced practitioners responsible for ISATE content within their organizations participated in a survey to validate definitions, content, compliance and organizational relevance requirements imposed on their organizations. Fifty-five of 80 practitioners surveyed (68.75% participation rate) provided responses to one or more sections of the survey. This research is believed to be the first to suggest a standardized content definition for ISATE program activities based on a literature review, an assessment of existing regulatory, contractual, standard and framework definitions, and information obtained from specialized practitioner survey data. It is understood to be the first effort to align and synthesize cross-industry compliance requirements, security awareness topics and organizational relevance within information security awareness program content. Findings validated that multiple and varied regulatory and contractual compliance requirements are imposed on organizations. A lower number of organizations were impacted by third-party program requirements than was originally expected. Negative and positive impacts of third-party compliance requirements were identified.
Program titles and content definitions vary in respondent organizations and are documented in a variety of organizational methods. Respondents indicated high acceptance of a standard definition of awareness, less so for training and education. Organizationally-relevant program content is highly important and must contain traditional and contemporary topics. Results are believed to be an original contribution to information/cyber security practitioners, with findings of interest to academic researchers, standards/framework bodies, auditing/risk management practitioners and learning/development specialists.

    Tietoturvan hallintajärjestelmän toteuttaminen: Onnistumistekijät toteutusprojekteissa (Implementing an Information Security Management System: Success Factors in Implementation Projects)

    The aim of the work is to deepen the understanding of implementation projects for an information security management system and to increase the understanding of the information security management system in the target company. The purpose of the research carried out in the work is to identify, with the help of an integrative literature review, factors that contribute to the success of implementation projects, and to understand the reasons why the implementation project of the management system was successful in the target company. In addition, based on the findings of the literature review and the success factors identified from the implementation project, a model is created that can be used by other organizations considering the implementation of an information security management system. The work begins by introducing the theory of information security and the information security management system, such as the ISO/IEC 27000 family of standards and methods related to risk management. The work continues with an integrative literature review, which examines the success factors of projects related to information security and IT governance. In the empirical part of the work, an information security management system is implemented for the target company as a case study, after which a model is presented that includes the success factors identified on the basis of the literature review and the case study. The results of the literature review highlighted the role of management and the importance of information security training. In particular, management support, financial support, an understanding of the importance of information security and its strategic alignment with the business affect the success of implementation projects.
The implementation project at the target company was successful, and the most important success factors were found to be management support, an information security-friendly organizational culture and previous investments in information security. In addition, the personnel are interested in information security issues, and the personnel were involved in the project. The most important success factors of the model developed in the work were found to be the role of management, preparatory work, project management and the motives for implementing the management system.

    A descriptive review and classification of organizational information security awareness research

    Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, published over the last decade from 2008 to 2018, was analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving, with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology, and the top three theories used are general deterrence theory, the theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding.

    Applying Real Options Thinking to Information Security in Networked Organizations

    An information security strategy of an organization participating in a networked business sets out the plans for designing a variety of actions that ensure confidentiality, availability, and integrity of the company’s key information assets. The actions are concerned with authentication and non-repudiation of authorized users of these assets. We assume that the primary objective of security efforts in a company is improving and sustaining resiliency, which means security contributes to the ability of an organization to withstand discontinuities and disruptive events, to get back to its normal operating state, and to adapt to ever-changing risk environments. When companies collaborating in a value web view security as a business issue, risk assessment and cost-benefit analysis techniques are a necessary and explicit part of their process of resource allocation and budgeting, no matter whether security spending is treated as capital investment or operating expenditure. This paper contributes to the application of quantitative approaches to assessing risks, costs, and benefits associated with the various components making up the security strategy of a company participating in value networks. We take a risk-based approach to determining what types of security a strategy should include and how much of each type is enough. We adopt a real-options-based perspective of security and make a proposal to value the extent to which alternative components in a security strategy contribute to organizational resiliency and protect key information assets from being impeded, disrupted, or destroyed.

    A Systematic Review on Using Hacker Forums on the Dark Web for Cyber Threat Intelligence

    Urgent warnings for private businesses and public organizations to monitor and predict disruptive cyberattacks have been on the rise. The annual cost of cyberattacks to the worldwide economy is expected to be more than $10.5 trillion in 2025. To that end, new methods are being developed to fight cyberattacks. One such method builds upon leveraging cybercriminal/hacker forums on the dark web to design ‘cyberthreat intelligence’ solutions. The dark web, which is not accessible by the conventional browsers that are normally used to access the surface web, is the part of the web where most of the illegal and illicit content is hosted. It is a major market resource for cybercriminal hackers for trading and developing cyberthreat content (e.g., malware; novel hacking methods; malicious source code). Therefore, the study of designing cyber threat intelligence solutions (i.e., methods; artifacts) based upon analyzing hacker forums has been undertaken in the literature. To enhance this structured inquiry and to formulate new research directions, we conduct a systematic literature review on leveraging hacker forums and designing ‘threat intelligence’ solutions. In our systematic review, we report our findings based on the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) checklist. We conducted our search on Scopus and Ebscohost, and our search query was the following: (“dark web” OR “dark net” OR “darknet” OR “hacker* forum” OR “underground forum”) AND (security OR threat intelligence). Our search included abstracts and English-language documents published in peer-reviewed journals and conferences. We extracted a total of 295 papers and retained 69 papers. Our findings indicate that the proposed threat intelligence solutions have been built upon the analysis of different forms of unstructured data, including text, videos, and images.
Different solutions had different objectives, including: (1) key actor (hacker) identification (i.e., identifying the key active hackers on the forum who actively engage in and lead discussions and posts), (2) hacker ranking according to expertise (i.e., ranking the forum participant hackers based on their hacking domain-knowledge expertise reflected in their posts), (3) malware identification (i.e., identifying novel malware from hackers’ posts on the forums), and (4) organizational information security risk management and mitigation (i.e., identifying organizational vulnerabilities and developing strategies to mitigate them based on the knowledge retrieved from hacker forums). We found that, as of now, the proposed solutions do not consider the factor of temporality, or temporal-based dynamism, in the forums. Key hackers may change, expertise may change, and vulnerabilities may evolve in organizations. We hope that our review catalyzes future research in this area.

    Securing intellectual capital: an exploratory study in Australian universities

    Purpose – To investigate the links between IC and the protection of data, information and knowledge in universities, as organizations with unique knowledge-related foci and challenges.
    Design/methodology/approach – We gathered insights from existing IC-related research publications to delineate key foundational aspects of IC, and to identify and propose links to traditional information security that impact the protection of IC. We conducted interviews with key stakeholders in Australian universities in order to validate these links.
    Findings – Our investigation revealed two kinds of embeddedness characterizing the organizational fabric of universities: (1) vertical and (2) horizontal, with an emphasis on the connection between these and IC-related knowledge protection within these institutions.
    Research implications – There is a need to acknowledge the different roles played by actors within the university, and the relevance of information security to IC-related preservation.
    Practical implications – Framing information security as an IC-related issue can help IT security managers communicate the need for knowledge security with executives in higher education, and secure funding to preserve and secure such IC-related knowledge, once its value is recognized.
    Originality/value – This is one of the first studies to explore the connections between data and information security and the three core components of IC’s knowledge security in the university context.

    Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

    Effective enterprise information security policy management requires review and assessment activities to ensure that information security policies are aligned with business goals and objectives. As security policy management involves the elements of the policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, the current security management assessment methods only provide checklist-type assessments that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from the literature, this paper proposes the Enterprise Information Security Policy Assessment approach, which expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include conducting empirical research to validate the propositions and applying the proposed assessment approach in case studies, to provide opportunities to introduce further enhancements to the approach.

    Highly skilled with time on their hands: best practices for using the newly retired in volunteering

    Includes bibliographical references

    ERP implementation methodologies and frameworks: a literature review

    Enterprise Resource Planning (ERP) implementation is a complex and vibrant process, one that involves a combination of technological and organizational interactions. Often an ERP implementation project is the single largest IT project that an organization has ever launched, and it requires a mutual fit of system and organization. Also, the concept of an ERP implementation supporting business processes across many different departments is not a generic, rigid and uniform concept and depends on a variety of factors. As a result, the issues surrounding the ERP implementation process have been one of the major concerns in industry. ERP implementation therefore receives attention from practitioners and scholars alike, and both the business and the academic literature is abundant, though not always very conclusive or coherent. However, research on ERP systems so far has mainly focused on diffusion, use and impact issues. Less attention has been given to the methods used during the configuration and implementation of ERP systems; even though they are commonly used in practice, they still remain largely unexplored and undocumented in Information Systems research. So, the academic relevance of this research is its contribution to the existing body of scientific knowledge. An annotated brief literature review is done in order to evaluate the current state of the existing academic literature. The purpose is to present a systematic overview of relevant ERP implementation methodologies and frameworks, with the aim of achieving a better taxonomy of ERP implementation methodologies. This paper is useful to researchers who are interested in ERP implementation methodologies and frameworks. Results will serve as an input for a classification of the existing ERP implementation methodologies and frameworks.
This paper also aims at the professional ERP community involved in the process of ERP implementation, by promoting a better understanding of ERP implementation methodologies and frameworks, their variety and their history.