7 research outputs found

    An annotated bibliography of multidisciplinary information security resources, for the purpose of maintaining privacy and confidentiality in New Zealand government records management

    Research Problem: Maintaining privacy and confidentiality of data in an age of e-government and electronic recordkeeping is one of the key challenges for records management staff today. In New Zealand this issue has attracted negative attention through several recent public sector privacy and security breaches, raising questions about systemic issues, accountability, and a disconnect between strategy and implementation. How government responds will depend in large measure on the advice received regarding solutions to information security. A bibliographic gap on the relationship between records management and information security has been identified in the academic literature. Methodology: Using targeted search strategies this annotated bibliography draws together articles from a range of journals with the aim of developing a consolidated resource for practitioners to become acquainted with the multifaceted and multidisciplinary nature of information security. The outcome is a resource directly relevant to the New Zealand context, which identifies key perspectives, relationships, technical issues, and shortcomings in research. Results: Key findings relate to publishing trends, divided disciplines, and shortcomings in research pertaining to records management relationships with IT groups and engagement in e-government. Implications: Includes the development of more comprehensive e-government information and security strategies, the re-examination and utilisation of existing relationships, and the strengthening of records management's position as a contributor to research and leadership in the array of possible responses to information security

    Scientific Knowledge of the Human Side of Information Security as a Basis for Sustainable Trainings in Organizational Practices

    Comprehensive digitization leads to new challenges because of cybercrime and related security countermeasures. There is no doubt that this will fundamentally affect our lives and is leading to an increase in the importance of information security (IS). However, technology solutions alone are not sufficient to ensure IS countermeasures. The human side of security is important to protect organizational assets like user information and systems. The paper illustrates these relationships in terms of information security awareness (ISA), examining its goals and the factors influencing it through the systematic analysis and review of scientific literature and the transfer of scientific knowledge for practical purposes. We reviewed the publications of leading academic journals in the field of IS over the past decade

    The impact of e-service quality on attitude toward online shopping

    The research was designed to fill the gap in the existing body of knowledge regarding attitudes toward online shopping and differences in electronic service quality perception between two different geographical and cultural countries. In addition, this research extended previous effort done in an online shopping context by providing evidence that high service quality increases consumers' trust perception, which in turn results in favorable attitude toward online shopping, with risk perception moderating the impact on consumer's trust. Cluster random sampling was used to select respondents with previous online shopping experience. Correlation and hierarchical regression were used to analyze the direct and indirect relationship between service quality, risk, trust and attitude, while t-test was used to compare the two cultures in e-service quality perception. The present study demonstrates that e-service quality is affected by consumer's culture. This research also provides evidence that trust in Internet shopping is built on high service quality. Notably, risk moderates the effect of e-service quality on trust toward online retailer. Finally, the research highlights the significant effect of trust on the attitude towards online shopping

    An analysis of insider dysfunctional behaviours in an accounting information system environment

    Insider deviant behaviour in Accounting Information Systems (AIS) has long been recognised as a threat to organisational AIS assets. The literature abounds with a plethora of perspectives in attempts to better understand the phenomenon; however, practitioners and researchers have traditionally focussed on technical approaches, which, although they form part of the solution, are insufficient to address the problem holistically. Managing insider threats requires an understanding of the interconnectedness between the human and contextual factors in which individuals operate, since technical methodologies in isolation have the potential to increase rather than reduce insider threats. This dilemma led many scholars to examine the behaviour of individuals, to further their understanding of the issues and in turn, control insider threats. Despite promising findings, some of these behavioural studies have inherent methodological limitations, and no attempt has been made to differentiate between apparently similar, yet fundamentally different, negative behaviours. Using the theory of planned behaviour (TPB) and actor network theory (ANT) as a foundation, the current study addresses the first concern by integrating AIS complexity and organisational culture, and identifies the contextual factors influencing behaviours that lead to insider threats. Secondly, the study addresses concerns regarding methodological approaches, by categorising various deviant insider behaviours using the concept of dysfunctional behaviour, based on two-dimensional behaviour taxonomy. Partial least square structural equation modelling (PLS-SEM) revealed that TPB's predictor variables: attitude (ATT), subjective norm (SN) and perceived behavioural control (PBC), together with the moderator variables of organisational culture (CULTURE) and AIS complexity (COMPLEX), accounted for substantial variations in intention (INTENT) to engage in dysfunctional behaviour. 
The findings also indicated that PBC is a dual-factor construct. Changes in predictors at the behavioural subset level were highlighted, and the findings of previous studies, that ATT is a salient predictor of intention, were confirmed. This was significant across all four dysfunctional behaviour categories. These findings add to the body of knowledge by contributing a theory that explains insider threats in AIS by deciphering dysfunctional behaviour using a predictive model. The study also provides a methodological foundation for future research to account for behavioural factors. Moreover, the findings have implications for managerial practices who want to reduce insider threats to an acceptable level by strengthening organisational culture, moderating AIS complexity, and focussing on management programs with sufficient momentum to impact attitudinal change

    An Empirical Assessment of Cybersecurity Readiness and Resilience in Small Businesses

    A cyber-attack can become costly if small businesses are not prepared to protect their information systems or lack the ability to recover from a cybersecurity incident. Small businesses that are not ready to deal with cyber threats are risking significant disruption and loss. In many cases the small business decision makers, owners or managers, do not have a strategy to improve their cybersecurity posture despite the known risk to their business. This research study focused on the relationship between two constructs that are associated with readiness and resilience of small businesses based on their cybersecurity planning, implementation, as well as response and recovery activities. An empirical assessment was conducted on small businesses' level of preparedness relative to their decision makers' perceived risk of cyber-attack (perceived likelihood x perceived impact). Subject matter experts (SMEs) were used to validate a set of cybersecurity preparedness activities for the construct of cybersecurity preparedness. The SMEs approved 70 cybersecurity preparedness activities among the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework to assess the level of cybersecurity preparedness of small businesses. The SMEs then assigned weights to the validated preparedness activities to enable an aggregated benchmark cybersecurity preparedness score (CPS). The construct of the decision maker's perceived risk of cyberattack (DMPRCA) was updated with a set of common cyber threat vectors and using simple definitions from the SMEs. A Cybersecurity Preparedness-Risk Taxonomy (CyPRisT) was then developed using the theoretical foundation of prospect theory and status quo bias. The four quadrants of cybersecurity risk postures were defined as indifference, susceptible, aversive, and strategic. The aggregated scores of CPSs and DMPRCA were positioned on the CyPRisT for each of the 216 small businesses who participated in this study. 
Statistical differences were found in the CPSs and DMPRCA by the demographics of industry, size (number of employees), and Information Technology (IT) budget (%). The findings of the quantitative analysis are presented along with the position on the CyPRisT for each demographic indicator of the businesses. The Cybersecurity Assessment of Risk Management to optimize Readiness and Resilience (cyberARMoRR) program for small businesses was developed as a cybersecurity strategy planning guide and collection of resources. The cyberARMoRR program was administered to 50 small business decision makers. The CPSs and DMPRCA were evaluated before and after participation in cyberARMoRR program and positioned on the CyPRisT to assess differences in the small businesses' cybersecurity posture. The results of the paired sample t-test showed no significant differences between the pretest and posttest groups. However, there was an observed increase in both the CPSs and DMPRCA that moved the position toward the risk-aversive quadrant of the CyPRisT. An analysis of the empirical data was conducted on the cybersecurity preparedness activities that participants identified as most challenging to implement and their explanations of why. Data were collected from 15 semi-structured interviews and 50 surveys with five open-ended questions, one per each function of the NIST Cybersecurity Framework. A two-cycle thematic analysis was performed using the responses that described the challenges of cybersecurity preparedness activities. The results of the qualitative analysis suggest that small business decision makers are more likely to improve their ability to mitigate cyber threats when the applicable technologies are uncomplicated, technical expertise is accessible, and cybersecurity educational material is easy to understand. 
The small business owners and managers also indicated that the cybersecurity preparedness activities are more attainable when the demand of their time did not change their focus away from business operations. Conversely, the small businesses that were able to improve their cybersecurity posture had committed to incorporating many of the cybersecurity preparedness activities into their routine business processes, such as allocating a budget for cybersecurity and performing vulnerability assessments. The effects of prospect theory and status quo bias are discussed in the context of the CyPRisT positions for the small businesses

    Best Practices to Minimize Data Security Breaches for Increased Business Performance

    In the United States, businesses have reported over 2,800 data compromises of an estimated 543 million records, with security breaches costing firms approximately $7.2 million annually. Scholars and industry practitioners have indicated a significant impact of security breaches on consumers and organizations. However, there are limited data on the best practices for minimizing the impact of security breaches on organizational performance. The purpose of this qualitative multicase study was to explore best practices technology leaders use to minimize data security breaches for increased business performance. Systems theory served as the conceptual framework for this study. Fourteen participants were interviewed, including 2 technology executives and 5 technical staff, each from a banking firm in the Northcentral United States and a local government agency in the Southcentral United States. Data from semistructured interviews, in addition to security and privacy policy statements, were analyzed for methodological triangulation. Four major themes emerged: a need for implementation of security awareness education and training to mitigate insider threats, the necessity of consistent organization security policies and procedures, an organizational culture promoting data security awareness, and an organizational commitment to adopt new technologies and innovative processes. The findings may contribute to the body of knowledge regarding best practices technology leaders can use for securing organizational data and contribute to social change since secure organizational data might reduce consumer identity theft