Towards a business analytics capability maturity model

Business analytics (BA) systems are an important strategic investment for many organisations and can potentially contribute significantly to firm performance. Establishing strong BA capabilities is currently one of the major concerns of chief information officers. This research project aims to develop a BA capability maturity model (BACMM). The BACMM will help organisations to scope and evaluate their BA initiatives. This research-in-progress paper describes the current BACMM, relates it to existing capability maturity models and explains its theoretical base. It also discusses the design science research approach being used to develop the BACMM and provides details of further work within the research project. Finally, the paper concludes with a discussion of how the BACMM might be used in practice.<br /

Teaching Information Security Management in Postgraduate Tertiary Education: The Case of Horizon Automotive Industries

Teaching cases based on stories about real organizations are a powerful means of storytelling. These cases closely parallel real-world situations and can deliver on pedagogical objectives as writers can use their creative license to craft a storyline that better focuses on the specific principles, concepts, and challenges they want to address in their teaching. The method instigates critical discussion, draws out relevant experiences from students, encourages questioning of accepted practices, and creates dialogue between theory and practice We present ‘Horizon’, a case study of a firm that suffers a catastrophic incident of Intellectual Property (IP) theft. The case study was developed to teach information security management (ISM) principles in key areas such as strategy, risk, policy and training to postgraduate Information Systems and Information Technology students at the University of Melbourne, Australia

The Chief Information Security Officer and the Five Dimensions of a Strategist

The modern organisation operates within a sophisticated and evolving security threat landscape that exposes its information infrastructure to a range of security risks. Unsurprisingly, despite the existence of industry ‘best-practice’ security standards and unprecedented levels of investment in security technology, the rate of incidents continues to escalate. Furthermore, a review of security literature reveals an apparent lack of strategic perspective in the field of information security management (ISM) which results in a number of strategic challenges for ISM function in organisations. The level of sophistication and dynamism of threat requires organisations to develop novel security strategies that draw on creative and lateral thinking approaches. Such a security campaign requires the Chief Information Security Officer (CISO) to function as a ‘strategist’. However, there is little or no evidence in security literature to show that the security leader is required to function as a strategist. In this research, we set out to identify the specific competencies required by CISOs to become effective strategists by performing a systematic literature review of both security and strategic management literature. We thematically analysed and coded the characteristics extracted from strategic management literature into the five dimensions of the strategist. We discuss these macro competencies in the context of ISM, and argue that CISOs with these five dimensions of a strategist will be able to overcome the existing strategic challenges facing ISM in organisations

Defining the Strategic Role of the Chief Information Security Officer

The level of sophistication and dynamism of the security threat environment requires modern organizations to develop novel security strategies. The responsibility to strategize falls to the Chief Information Security Officer (CISO). A review of the security literature shows there has been little emphasis on understanding the role of the CISO as a strategist. In this research, we conduct a systematic literature review from the disciplines of information security and strategic management to identify specific attributes required by CISOs to become effective strategists. We discuss these attributes in the context of Information Security Management and argue that CISOs with these attributes or capabilities are better positioned to overcome the existing strategic security challenges facing organizations. Available at: https://aisel.aisnet.org/pajais/vol10/iss3/3

Dynamic Information Security Management Capability: Strategising for Organisational Performance

The increasing frequency, impact, consequence and sophistication of cybersecurity attacks is becoming a strategic concern for boards and executive management of organisations. Consequently, in addition to focusing on productivity and performance, organisations are prioritizing Information Security Management (ISM). However, research has revealed little or no conceptualisation of a dynamic ISM capability and its link to organisational performance. In this research, we set out to 1) define and describe an organisational level dynamic ISM capability, 2) to develop a strategic model that links resources with this dynamic capability, and then 3) empirically demonstrate how dynamic ISM capability contributes to firm performance. By drawing on Resource-Based Theory (RBT) and Dynamic Capabilities View (DCV), we have developed the Dynamic ISM Capability model to address the identified gap. As we develop this research, we will empirically test this model to demonstrate causality between ISM capability and organisational performance

Evaluating the Utility of Research Articles for Teaching Information Security Management

Research articles can support teaching by introducing the latest expert thinking on relevant topics and trends and describing practical real-world case studies to encourage discussion and analysis. However, from the point of view of the instructor, a common challenge is identifying the most suitable papers for classroom teaching amongst a very large pool of potential candidates that are not typically written for teaching purposes. Further, even in practice-oriented disciplines such as Information Security Management (ISM), high-quality journals emphasise theoretical contribution and research method rather than relevance to practice. Our review of the relevant literature did not find a comprehensive set of criteria to assist instructors in evaluating the suitability of research articles to teaching. Therefore, this research-in-progress paper presents a framework to support academics in the process of evaluating the suitability of research articles for their teaching programs

A Comparison of Information Security Curricula in China and the USA

Information Security (InfoSec) education varies in its content, focus and level of technicality across the world. In this paper we investigate the differences between graduate InfoSec programs in top universities in China and in the United States of America (USA). In China, curriculum emphasises Telecommunication, Computer Science and InfoSec Technology, whilst in the USA in addition to Computer Science and InfoSec Technology the curriculum also emphasises Enterprise‐level Security Strategy and Policy, InfoSec Management, and Cyber Law. The differences are significant and will have a profound impact on both the perceptions and capabilities of future generations of information security professionals on the one hand, and the management of information security in public and private organizations in the respective countries on the other

Factors influencing the organizational decision to outsource IT security

IT security outsourcing is the process of contracting a third-party security service provider to perform, the full or partial IT security functions of an organization. Little is known about the factors influencing organizational decisions in outsourcing such a critical function. Our review of the research and practice literature identified several managerial factors (e.g., cost-benefit, inability to cope with the threat environment) and legal factors (e.g., regulatory/legal compliance). We found research in IT security outsourcing to be immature and the focus areas not addressing the critical issues facing industry practice. We, therefore, present a research agenda consisting of fifteen questions to address five key gaps relating to knowledge of IT security outsourcing – i.e., the effectiveness of the outcome, lived experience of the practice, the temporal dimension, multi-stakeholder perspectives, and the impact on IT security practices, particularly agility in incident response

A Framework for Mitigating Leakage of Competitively Sensitive Knowledge in Start-ups

The current wave of digitalization has important implications for many organizations. In this article, we study how manufacturing companies can apply value co-creation as a comprehensive approach to embrace the potential of digitalization trends. By means of two case examples, we show the potential of better integrating shopfloor workers in the shaping of digital solutions and managerial actions. The improved consideration of cognitive needs and the provision of opportunities for social connection to a community of workers makes them feel more valued, confident, empowered and integrated. This can balance other forms of frustrations and negative emotions, leading to a better perception of the overall relationship experience at the shopfloor

The Dark Web Phenomenon: A Review and Research Agenda

The internet can be broadly divided into three parts: surface, deep and dark. The dark web has become notorious in the media for being a hidden part of the web where all manner of illegal activities take place. This review investigates how the dark web is being utilised with an emphasis on cybercrime, and how law enforcement plays the role of its adversary. The review describes these hidden spaces, sheds light on their history, the activities that they harbour – including cybercrime, the nature of attention they receive, and methodologies employed by law enforcement in an attempt to defeat their purpose. More importantly, it is argued that these spaces should be considered a phenomenon and not an isolated occurrence to be taken as merely a natural consequence of technology. This paper contributes to the area of dark web research by serving as a reference document and by proposing a research agenda