63 research outputs found

    Critical infrastructure protection status and action items of Turkey

    Critical infrastructures are the physical and virtual systems essential to the minimum operations of the economy and the government. Critical Infrastructure Protection (CIP) is a critical agenda item for governments in the developed countries. In these countries, policies and procedures on CIP are already in place and required laws are in action as well. In Turkey, some official introductory studies were performed in 2009. However, there are a number of steps that Turkey still has to take. In this study, key definitions are provided first. After the definitions, the efforts of USA, EU, OECD and NATO are summarized. The last two sections of the paper are dedicated to the steps taken by Turkey and the challenges still ahead of Turkey.

    A Collaborative Process Based Risk Analysis for Information Security Management Systems

    Today, many organizations quote intent for ISO/IEC 27001:2005 certification. Also, some organizations are en route to certification or already certified. Certification process requires performing a risk analysis in the specified scope. Risk analysis is a challenging process especially when the topic is information security. Today, a number of methods and tools are available for information security risk analysis. The hard task is to use the best fit for the certification. In this work we have proposed a process based risk analysis method which is suitable for ISO/IEC 27001:2005 certifications. Our risk analysis method allows the participation of staff in the determination of the scope and provides a good fit for the certification process. The proposed method has been conducted for an organization and the results of the applications are shared with the audience. The proposed collaborative risk analysis method allows for the participation of staff and managers while still being manageable in a timely manner to uncover crucial information security risks.

    Collaborative risk method for information security management practices: A case context within Turkey

    In this case study, a collaborative risk method for information security management has been analyzed considering the common problems encountered during the implementation of ISO standards in eight Turkish public organizations. This proposed risk method has been applied within different public organizations and it has been demonstrated to be effective and problem-free. The fundamental issue is that there is no legislation that regulates the information security liabilities of the public organizations in Turkey. The findings and lessons learned presented in this case provide useful insights for practitioners when implementing information security management projects in other international public sector organizations.

    Assessing Hospital Information Systems Processes: A Validation of PRISE Information Systems Success Model in Healthcare

    Although there is limited research and evidence base, it is reasonable to expect that high quality information technology is an integral factor in the success of today’s health care sector. However, the health care sector is considered to be a low level investor in Information Technology (IT) when compared to other sectors. There are studies that look at the sums spent on health IT as a basis for determining how effective the IT systems are. We support the idea that the effectiveness of IT systems is not an exact measure and a more systematic approach needs to be taken when evaluating success of an IT system. In this study, we have evaluated an assessment method, “Process Based Information Systems (IS) Effectiveness (PRISE)”, which is based on a novel model of IS effectiveness in the health care sector. The results of our case series provide specific implications concerning the applicability of a general “IS assessment” approach in the medical context.

    Investigating Continuous Security Compliance Behavior: Insights from Information Systems Continuance Model

    Modern organizations have to utilize proper methods for ensuring the employees’ compliance with security policies. Investigating the employees’ compliance behavior is an important issue for IS security management success. Several researchers have studied the compliance behavior by using different conceptual models including technology acceptance model (TAM), theory of planned behavior (TPB), deterrence, neutralization, etc. However, there is no study investigating continuance of the security compliance. It is very important for organizations that employees comply with IS security policies and continue complying. This study aims to fill this gap in IS security research and to probe the important factors that lead employees to have continuous security compliance behavior by using IS continuance model. The analysis of data collected from 270 employees in banking organizations shows that employees’ perceived satisfaction, perceived usefulness, security awareness and normative beliefs directly influence continuance intention to comply with IS security policies.

    Regulatory approaches for cyber security of critical infrastructures: The case of Turkey

    Critical infrastructures are vital assets for public safety, economic welfare and/or national security of countries. Today, cyber systems are extensively used to control and monitor critical infrastructures. A considerable amount of the infrastructures are connected to the Internet over corporate networks. Therefore, cyber security is an important item for the national security agendas of several countries. The enforcement of security principles on the critical infrastructure operators through the regulations is a still-debated topic. There are several academic and governmental studies that analyze the possible regulatory approaches for the security of the critical infrastructures. Although most of them favor the market-oriented approaches, some argue the necessity of government interventions. This paper presents a three-phased research to identify the suitable regulatory approach for the critical infrastructures of Turkey. First of all, the data of the critical infrastructures of Turkey are qualitatively analyzed, by using grounded theory method, to extract the vulnerabilities associated with the critical infrastructures. Secondly, a Delphi survey is conducted with six experts to extract the required regulations to mitigate the vulnerabilities. Finally, a focus group interview is conducted with the employees of the critical infrastructures to specify the suitable regulatory approaches for the critical infrastructures of Turkey. The results of the research show that the critical infrastructure operators of Turkey, including privately held operators, are mainly in favor of regulations.

    A vulnerability-driven cyber security maturity model for measuring national critical infrastructure protection preparedness

    Critical infrastructures are vital assets for the public safety, economic welfare and national security of countries. Cyber systems are used extensively to monitor and control critical infrastructures. A number of infrastructures are connected to the Internet via corporate networks. Cyber security is, therefore, an important item of the national security agenda of a country. The intense interest in cyber security has initiated research focusing on national cyber security maturity assessments. However, little, if any, research is dedicated to maturity assessments of national critical infrastructure protection efforts. Instead, the vast majority of studies merely examine diverse national-level security best practices ranging from cyber crime response to privacy protection. This paper proposes a maturity model for measuring the readiness levels of national critical infrastructure protection efforts. The development of the model involves two steps. The first step analyzes data pertaining to national cyber security projects using grounded theory to extract the root causes of the susceptibility of critical infrastructures to cyber threats. The second step determines the maturity criteria by introducing the root causes to subject-matter experts polled in a Delphi survey. The resulting survey-based maturity model is applied to assess the critical infrastructure protection efforts in Turkey. The results are realistic and intuitively appealing, demonstrating that the maturity model is useful for evaluating the national critical infrastructure protection preparedness of developing countries such as Turkey.