5 research outputs found

    Managing of Information Systems Risks in Extended Enterprises: The Case of Outsourcing

    IT security issues and outsourcing of business processes are common but largely disjoint themes in the literature; common consideration is rare even though information security risk becomes a shared risk both through IS-based processes at outsourcing partners and potentially tightly-integrated IS systems. This paper explores this lack of an integrated model combining IT risk management view with the outsourcing process. Towards the development of an integrated model outsourcing and risk managing process phases are detailed; common phases of each serve as the basis for the introduction of an integrated model. Finally the paper suggests some points for future research

    The impact of organizational insiders' psychological capital on information security

    This dissertation research seeks to examine the role of organizational insiders' psychological capital (PsyCap) on the performance of protection motivated behaviors (PMBs). The dissertation examines the role of PsyCap through three studies which were conducted for this research. Using structural equation modeling (SEM), the responses from four distinct samples were analyzed. The results largely support the significant role of PsyCap in information security. The first study takes an expectancy theory (Vroom, 1964) approach and found that PsyCap was a significant consequence of insiders' security-related expectancy dimensions. Additionally, expectancy theory was found to be an appropriate framework for promoting PMBs. The expectancy dimensions were found to be trainable through security, education, training, and awareness (SETA) programs, and were significantly related to the performance of PMBs. The second study draws upon the broaden-and-build theory (Fredrickson, 2004) to examine the role of PsyCap within an emotional security framework. The second study found that the broaden-and-build theory explained the performance of PMBs through a direct relationship between emotion and behavior as well as through an indirect relationship between emotions and an insider's PsyCap. Finally, the dissertation examines the role of PsyCap in information security from a framework of behavioral complexity (Wu et al., 2010) in the third study. The results of the third study indicate that PsyCap is a significant contributor to a model of security behavioral complexity which is shown to effectively influence insiders' performance of PMBs. Implications of the results on both practice and research are discussed along with limitations to the current studies. The overall contributions of the dissertation are highlighted and areas of future research evidenced by the findings are raised

    Red Skies in the Morning—Professional Ethics at the Dawn of Cloud Computing

    The article evaluates risks to clients’ confidential and privileged information when lawyers or law firms store such information in any cloud computing “space” against the requirements of the Model Rules of Professional Conduct and the New York Rules of Professional Conduct. It also evaluates pertinent liability provisions of some of the more commonly used cloud computing services (Amazon.com and Google) against the lawyer’s responsibilities. An interesting portion covers the latest thinking from NIST on cloud computing benefits and risks

    To What Extent Has Information Security Professionalism Achieved Recognition?

    The practice of securing information was until recently associated strongly with securing the Information Technology systems which store and process it. As it has developed as a specialised area of work however, particularly as the critical importance of human and social factors has increasingly been recognised, it has acquired an identity separate from that of computing. The separation has been sufficient for the formation of a new, distinct occupation, with specialised credentialing bodies being established to attest to practitioners’ professional competence. This study is the first empirical academic investigation into the professionalisation of UK Information Security. It considers attitudes towards professional status, the desirability and practicality of licensing, the current standing of the occupation and its prospects for the future. The analysis draws heavily from the substantial Sociology of the Professions, both from the structural and procedural theory of profession-forming and the later critiques of motivation, class and power. Semi-structured interviews were undertaken with twenty-seven individuals comprising security analysts, managers, academics, professional bodies and the UK Government. Interviews took place between November 2012 and March 2015. Results are presented in two stages of analysis, using Actor–Network Theory as a theoretical lens. Whilst significant progress has been made towards forming a recognisable Information Security profession, its status is not yet comparable to more established peers. Aligned with US National Research Council findings but using a broader basis in professionalisation theory, the UK occupation was found to be too diffusely demarcated both internally and with respect to its bordering professions. It has yet to coalesce around distinct internal specialities with discrete qualification routes and establish the hierarchical arrangement of its major branches. 
Without such stratification of roles and a well-accepted claim to controlling a clearly demarcated body of knowledge, it is not possible to establish the boundaries of a graduate profession superior to any supporting para-professions, and thus position itself as requiring an advanced abstract education comparable to its peers. A rationalisation of credentials and institutions is required to produce a strong professional body which can advance the cause of the profession and properly establish and embed these roles. At present however – contrary to the tenor of much of the relevant sociology – neither the pursuit of professional status nor the exclusion of unqualified workers were found to be major motivators for current practitioners. By contrast government, the final arbiter of professional monopoly, is attempting urgently to increase the appeal of the profession to address a national skills shortfall, but is wary of direct market intervention in the form of licensing. Therefore, whilst change is rapid, significant impediments to full professional recognition remain

    “Access denied”? Barriers for staff accessing, using and sharing published information online within the National Health Service (NHS) in England: technology, risk, culture, policy and practice

    The overall aim of the study was to investigate barriers to online professional information seeking, use and sharing occurring within the NHS in England, their possible effects (upon education, working practices, working lives and clinical and organisational effectiveness), and possible explanatory or causative factors. The investigation adopted a qualitative case study approach, using semi-structured interviews and documentary analysis as its methods, with three NHS Trusts of different types (acute - district general hospital, mental health / community, acute – teaching) as the nested sites of data collection. It aimed to be both exploratory and explanatory. A stratified sample of participants, including representatives of professions whose perspectives were deemed to be relevant, and clinicians with educational or staff development responsibilities, was recruited for each Trust. Three non-Trust specialists (the product manager of a secure web gateway vendor, an academic e-learning specialist, and the senior manager at NICE responsible for the NHS Evidence electronic content and web platform) were also interviewed. Policy documents, statistics, strategies, reports and quality accounts for the Trusts were obtained via public websites, from participants or via Freedom of Information requests. Thematic analysis following the approach of Braun and Clarke (2006) was adopted as the analytic method for both interviews and documents. The key themes of the results that emerged are presented: barriers to accessing and using information, education and training, professional cultures and norms, information governance and security, and communications policy. The findings are discussed under three main headings: power, culture, trust and risk in information security; use and regulation of Web 2.0 and social media, and the system of professions. 
It became evident that the roots of problems with access to and use of such information lay deep within the culture and organisational characteristics of the NHS and its use of IT. A possible model is presented to explain the interaction of the various technical and organisational factors that were identified as relevant. A number of policy recommendations are put forward to improve access to published information at Trust level, as well as recommendations for further research