132 research outputs found

    Survey of information security risk management models

    Information security is a current and urgent issue for government and industry with the increasing frequency of cyber security breaches that have occurred in terms of hacking and information theft. To address such issues several approaches have been and continue to be devised to keep abreast of the advances in technology and the skills of those intending harm. To manage the risk inherent in information security several strategies and frameworks are explored. There have been three generations of security risk management strategies as well as governing standards and processes that have been put into place with varying success. Additionally, three security risk management frameworks are analyzed in terms of their effectiveness, policy and legislative relevance and alignment to security and control processes.

    ISO 17799: Best Practices in Information Security Management?

    To protect the information assets of organizations, many different standards and guidelines have been proposed. Among them, International standard ISO 17799 is one of the most prominent international efforts on information security. This standard provides both an authoritative statement on information security and the procedures to be adopted by organizations to ensure information security. Security professionals claim ISO 17799 to be a suitable model for information security management and an appropriate vehicle for addressing information security management issues in the modern organization. However, to our knowledge, no empirical studies have been conducted to validate this standard. Based on a survey of information security professionals, we found that ISO 17799 is comprehensive, but not parsimonious.

    Enabling information security culture: influences and challenges for Australian SMEs

    An effective information security culture is vital to the success of information systems governance, risk management and compliance. Small and medium size enterprises (SMEs) face special challenges developing an information security culture as they may lack the information security knowledge, skills and behaviours of large organisations. This paper reports the main findings from an interpretive study of key influences enabling an effective information security culture for Australian SMEs. The paper provides a framework depicting external and internal influences on SME information security culture and a set of key challenges in the Australian context. The findings highlight that SME owner attitudes and behaviour – in turn influenced by government involvement – strongly influence information security culture for Australian SMEs. A surprising finding is the potential influence of the Australian culture. Practical and theoretical implications are discussed.

    Control priorization model for improving information security risk assessment

    Evaluating particular assets for information security risk assessment should take into consideration the availability of adequate resources and return on investments (ROI). Despite the need for a good risk assessment framework, many of the existing frameworks lack granularity guidelines and mostly depend on qualitative methods. Hence, they require additional time and cost to test all the information security controls. Further, the reliance on human inputs and feedback will increase subjective judgment in organizations. The main goal of this research is to design an efficient Information Security Control Prioritization (ISCP) model in improving the risk assessment process. Case studies based on penetration tests and vulnerability assessments were performed to gather data. Then, Technique for Order Performance by Similarity to Ideal Solution (TOPSIS) was used to prioritize them. A combination of sensitivity analysis and expert interviews was used to test and validate the model. Subsequently, the performance of the model was evaluated by the risk assessment experts. The results demonstrate that the ISCP model improved the quality of information security control assessment in the organization. The model plays a significant role in prioritizing the critical security technical controls during the risk assessment process. Furthermore, the model’s output supports ROI by identifying the appropriate controls to mitigate risks to an acceptable level in the organizations. The major contribution of this research is the development of a model which minimizes the uncertainty, cost and time of the information security control assessment. Thus, the clear practical guidelines will help organizations to prioritize important controls reliably and more efficiently. All these contributions will minimize resource utilization and maximize the organization’s information security.

    Analysis of Digital Preservation Course Offerings in ALA Accredited Graduate Programs

    This study seeks to determine which ALA-accredited institutions offer digital preservation courses and analyze the syllabi to identify what is being taught about digital preservation, whether there are any commonalities, and evaluate the curriculum according to the five areas of digital preservation as outlined by the National Digital Stewardship Alliance (NDSA).

    Are People Really Concerned About Their Privacy?: Privacy Paradox In Mobile Environment

    The wide spread of mobile devices enables people to use the Internet everywhere. It provides people convenience in various aspects. However, they also are exposed to the risk of personal information leakage and privacy invasion. No previous study has examined whether the behaviors of people are influenced by their awareness of privacy in a mobile environment. With the ever-increasing importance of privacy issues, our study examines the critical relationship between individual privacy concerns and its behavior. The data is the media diary of 10,174 individuals’ media usage for three days, collected by the Korea Information Society Development Institute (KISDI) in 2014. Our result suggests that privacy concern has a positive influence on the smartphone usage, mobile application purchase and in-app purchase. It implies that the individual privacy concern does not correspond to his or her actual behaviors, which is paradoxical.