189 research outputs found

    Information Security Models are a Solution or Puzzle for SMEs? A Systematic Literature Review

    Effective information security management is necessary for the success of any organisation, including Small-and-Medium-Sized Enterprises (SMEs). Nonetheless, keeping their security needs met is always a challenge for SMEs. One of the proven ways to manage information security is through applying available international standards, frameworks and best practices. However, choosing a suitable model that addresses the SMEs' holistic needs may be an overwhelming task. This systematic literature review formed the initial phase of a larger analytical project of existing models in three categories: risk management models, standards-based models and 'other' models. The review showed that most of the models are theoretically conceived but have not been further tested empirically. Hence, their usability is unknown. More in-depth research is required to find a suitable model that may be applicable to all SMEs.

    The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda

    Purpose – After 15 years of research, this paper aims to present a review of the academic literature on ISO/IEC 27001, the most renowned standard for information security and the third most widespread ISO certification. Emerging issues are reframed through the lenses of social systems thinking, deriving a theory-based research agenda to inspire interdisciplinary studies in the field. Design/methodology/approach – The study is structured as a systematic literature review. Findings – Research themes and sub-themes are identified on five broad research foci: relation with other standards, motivations, issues in the implementation, possible outcomes and contextual factors. Originality/value – The study presents a structured overview of the academic body of knowledge on ISO/IEC 27001, providing solid foundations for future research on the topic. A set of research opportunities is outlined, with the aim to inspire future interdisciplinary studies at the crossroad between information security and quality management. Managers interested in the implementation of the standard and policymakers can find an overview of academic knowledge useful to inform their decisions related to implementation and regulatory activities.

    APPRAISE: a framework for managing AI compliance

    As AI systems increasingly impact society, the EU AI Act (AIA) is the first serious attempt to contain their less desired effects. Among others, the act proposes audit as a mechanism and compliance products as tools for organizations to demonstrate compliance. In this paper, a framework for managing AI compliance, APPRAISE, is proposed. The framework is built upon the rationale that striking a balance between generating shareholder value through innovation in AI systems and managing compliance through organizational processes will eventually result in value that is responsible. By adhering to AIA compliance products, the framework operationalizes and hence safeguards compliance. Furthermore, a two-phase experiment with a limited scope is presented. The experiment aims to measure the extent to which companies coordinate technical elements of AI systems to ultimately comply with the AIA. In the first phase a survey is conducted, and in the second phase the survey results are validated with a couple of respondents to generate additional in-depth insights and root causes.

    A Study on E-Taiwan Promotion Information Security Governance Programs with E-government Implementation of Information Security Management Standardization

    The promotion of Information Security Governance (ISG) has become an important factor in the implementation of e-government and information security management within the "National Information and Communications Technology Security Development Program (2009–2012)", continuing the "Plan for Establishment of Information and Communication Technology Infrastructure Security Mechanism (2001–2008)" in Taiwan; in July 2013, the working outline of the project was adjusted, and on December 25, 2013, all departments of the Executive Yuan and local governments were asked by regulation to proceed aggressively. This study examines the information security development program, and strategies for meeting e-government and information security management requirements within the implementation of information security development programs through information security management systems (ISMS). Moreover, an action program for improved ISMS performance, using an approach combining ISG and ISMS, is proposed. Based on this, this research employs history analysis and in-depth interview methodologies to develop insights into e-Taiwan information security management. Furthermore, the research objective is to examine the relevance between the execution of the e-government and information security management framework and ISMS implementation by using the ISG project approach.

    Risk Assessment of Information System of Faculty of Engineering University Diponegoro Using Failure Mode Effect and Analysis Method based on Framework ISO 27001

    The data leakage and misuse of information by unauthorized parties that had happened forces the protection of the security of the information system in the Faculty of Engineering, Diponegoro University (SIFT UNDIP) to be improved. This research aims to identify the risks, to analyze the security of information system management, and to determine risk priority in SIFT UNDIP. This research is conducted using the Failure Mode Effect and Analysis method based on the ISO 27001 framework. Analysis results show that there are 25 risk agents in SIFT UNDIP which are categorized into four types of assets. The highest risk in the High Level Risk category is the risk of dependence on employees, which has a Risk Priority Number value of 80.

    The moderating effect of information technology capability on the relationship between business continuity management factors and organizational performance

    Despite the enormous acknowledgement of the importance of Business Continuity Management (BCM) in sustaining organization survival, very limited studies have focused on the effects of BCM on organizational performance. Hence, the purpose of this study is to provide the empirical evidence that supports the relationships that exist between BCM Factors and Organizational Performance with the moderating effects of Information Technology Capability (IT Capability) in organizations from various sectors in Malaysia. Based on the existing literature, BCM Factors are operationalized by Management Support, External Requirement, Organization Preparedness, and Embeddedness of Continuity Practices. A combination of self-administered and mail surveys was deployed involving 147 ISO 27001 and ISO 22301 certified organizations representing both public and private sectors. These organizations were selected as they are deemed to possess a considerably higher sense of commitment towards embracing BCM best practices to enhance their business resilience. At the end of the data collection phase, the study managed to obtain 77 usable responses, constituting an effective response rate of 55 percent. The findings indicate that the BCM Factors External Requirement and Embeddedness of Continuity Practices are significantly related to Overall Organizational Performance and Non-Financial Performance. However, only External Requirement is found to be significantly related to Financial Performance. The results also reveal that fully supported relationships are found between IT Capability and all Organizational Performance dimensions. In addition, the findings show that IT Capability moderates the relationship between BCM Factors and Organizational Performance. These results provide valuable insights to both practitioners and academia for further understanding the effects of BCM Factors and IT Capability on Organizational Performance. Finally, the research limitations are discussed and suggestions on extended areas of research are recommended for future researchers.