5 research outputs found

    Enhancing Key Digital Literacy Skills: Information Privacy, Information Security, and Copyright/Intellectual Property

    Key Messages

    Background

    Knowledge and skills in the areas of information security, information privacy, and copyright/intellectual property rights and protection are of key importance for organizational and individual success in an evolving society and labour market in which information is a core resource. Organizations require skilled and knowledgeable professionals who understand risks and responsibilities related to the management of information privacy, information security, and copyright/intellectual property. Professionals with this expertise can assist organizations to ensure that they and their employees meet requirements for the privacy and security of information in their care and control, and in order to ensure that neither the organization nor its employees contravene copyright provisions in their use of information. Failure to meet any of these responsibilities can expose the organization to reputational harm, legal action and/or financial loss.

    Context

    Inadequate or inappropriate information management practices of individual employees are at the root of organizational vulnerabilities with respect to information privacy, information security, and information ownership issues. Users demonstrate inadequate skills and knowledge coupled with inappropriate practices in these areas, and similar gaps at the organizational level are also widely documented. National and international regulatory frameworks governing information privacy, information security, and copyright/intellectual property are complex and in constant flux, placing additional burden on organizations to keep abreast of relevant regulatory and legal responsibilities. Governance and risk management related to information privacy, security, and ownership are critical to many job categories, including the emerging areas of information and knowledge management. There is an increasing need for skilled and knowledgeable individuals to fill organizational roles related to information management, with particular growth in these areas within the past 10 years. Our analysis of current job postings in Ontario supports the demand for skills and knowledge in these areas.

    Key Competencies

    We have developed a set of key competencies across a range of areas that responds to these needs by providing a blueprint for the training of information managers prepared for leadership and strategic positions. These competencies are identified in the full report. Competency areas include: conceptual foundations risk assessment tools and techniques for threat responses communications contract negotiation and compliance evaluation and assessment human resources management organizational knowledge management planning; policy awareness and compliance policy development project managemen

    Risk assessment of email accounts: Difference between perception and reality

    The use of the Internet is associated with a growing number of security threats. This thesis analyzes how users perceive the security of their email account based on the email account provider. With our study, we aim to contribute to the information security systems literature in three ways: First, by taking a more complete view on security online, and reviewing the concept of usable security, usability, human-computer interaction, trust and user perception. Second, by performing an analysis of providers of online services, specifically emails. Third, by applying a renowned risk analysis method called Information Security Risk Analysis Method (ISRAM) for risk assessment. The ISRAM analysis revealed that Hotmail, Gmail and Yahoo email accounts have a medium risk level, while the reality analysis demonstrated no clearly more secure account provider with only low level risk counts

    An analysis of insider dysfunctional behavours in an accounting information system environment

    Insider deviant behaviour in Accounting Information Systems (AIS) has long been recognised as a threat to organisational AIS assets. The literature abounds with a plethora of perspectives in attempts to better understand the phenomenon, however, practitioners and researchers have traditionally focussed on technical approaches, which, although they form part of the solution, are insufficient to address the problem holistically. Managing insider threats requires an understanding of the interconnectedness between the human and contextual factors in which individuals operate, since technical methodologies in isolation have the potential to increase rather than reduce insider threats. This dilemma led many scholars to examine the behaviour of individuals, to further their understanding of the issues and in turn, control insider threats. Despite promising findings, some of these behavioural studies have inherent methodological limitations, and no attempt has been made to differentiate between apparently similar, yet fundamentally different, negative behaviours. Using the theory of planned behaviour (TPB) and actor network theory (ANT) as a foundation, the current study addresses the first concern by integrating AIS complexity and organisational culture, and identifies the contextual factors influencing behaviours that lead to insider threats. Secondly, the study addresses concerns regarding methodological approaches, by categorising various deviant insider behaviours using the concept of dysfunctional behaviour, based on two-dimensional behaviour taxonomy. Partial least square structural equation modelling (PLS-SEM) revealed that TPB's predictor variables: attitude (ATT), subjective norm (SN) and perceived behavioural control (PBC), together with the moderator variables of organisational culture (CULTURE) and AIS complexity (COMPLEX), accounted for substantial variations in intention (INTENT) to engage in dysfunctional behaviour. 
The findings also indicated that PBC is a dual-factor construct. Changes in predictors at the behavioural subset level were highlighted, and the findings of previous studies, that ATT is a salient predictor of intention, were confirmed. This was significant across all four dysfunctional behaviour categories. These findings add to the body of knowledge by contributing a theory that explains insider threats in AIS by deciphering dysfunctional behaviour using a predictive model. The study also provides a methodological foundation for future research to account for behavioural factors. Moreover, the findings have implications for managerial practices who want to reduce insider threats to an acceptable level by strengthening organisational culture, moderating AIS complexity, and focussing on management programs with sufficient momentum to impact attitudinal change

    Identifying Factors Contributing Towards Information Security Maturity in an Organization

    Information security capability maturity (ISCM) is a journey towards accurate alignment of business and security objectives, security systems, processes, and tasks integrated with business-enabled IT systems, security enabled organizational culture and decision making, and measurements and continuous improvements of controls and governance comprising security policies, processes, operating procedures, tasks, monitoring, and reporting. Information security capability maturity may be achieved in five levels: performing but ad-hoc, managed, defined, quantitatively governed, and optimized. These five levels need to be achieved in the capability areas of information integrity, information systems assurance, business enablement, security processes, security program management, competency of security team, security consciousness in employees, and security leadership. These areas of capabilities lead to achievement of technology trustworthiness of security controls, integrated security, and security guardianship throughout the enterprise, which are primary capability domains for achieving maturity of information security capability in an organization. There are many factors influencing the areas of capabilities and the capability domains for achieving information security capability maturity. However, there is little existing study done on identifying the factors that contribute to achievement of the highest level of information security capability maturity (optimized) in an organization. This research was designed to contribute to this area of research gap by identifying the factors contributing to the areas of capabilities for achieving the highest level of information security capability maturity. The factors were grouped under the eight capability areas and the three capability domains in the form of an initial structural construct. 
This research was designed to collect data on all the factors using an online structured questionnaire and analyzing the reliability and validity of the initial structural construct following the methods of principal components analysis (PCA), Cronbach Alpha reliability analysis, confirmatory factor analysis (CFA), and structural equation modeling. A number of multivariate statistical tests were conducted on the data collected regarding the factors to achieve an optimal model reflecting statistical significance, reliability, and validity. The research was conducted in four phases: expert panel and pilot study (first phase), principal component analysis (PCA) and reliability analysis (RA) of the factor scales (second phase), confirmatory factor analysis (CFA) using LISREL (third phase), and structural equation modeling (SEM) using LISREL (fourth phase). The final model subsequent to completing the four phases reflected acceptance or rejection of the eleven hypotheses defined in the initial structural construct of this study. The final optimized model was obtained with the most significant factors loading on the capability areas of information integrity, information security assurance, business enablement, security process maturity, security program management, competency of security team, security conscious employees, and security leadership, including the most significant factors loading the three capability domains of security technology trustworthiness, security integration, and security guardianship. All the eleven hypotheses were accepted as part of the optimal structural construct of the final model. The model provides a complex integrated framework of information security maturity requiring multi-functional advancements and maturity in processes, people, and technology, and organized security program management and communications fully integrated with the business programs and communications. 
Information security maturity is concluded as a complex function of multiple maturity programs in an organization leading to organized governance structures, multiple maturity programs, leadership, security consciousness, and risk-aware culture of employees