35 research outputs found

    A process model for implementing information systems security governance

    Purpose: Frequent and increasingly potent cyber-attacks, caused by the lack of an optimal mix of technical and non-technical IT controls, have led to increased adoption of security governance controls by organizations. The purpose of this paper, thus, is to construct and empirically validate an information security governance (ISG) process model through the plan-do-check-act (PDCA) cycle model of Deming.
    Design/methodology/approach: This descriptive research using an interpretive paradigm follows a qualitative methodology using expert interviews of five respondents working in the ISG domain in the United Arab Emirates (UAE) to validate the theoretical model.
    Findings: The findings of this paper suggest the primacy of the PDCA Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework, with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27K/NIST IT controls to relevant IT controls selected from ISG frameworks from a horizontal and vertical perspective. Respondents asserted that the measurement and control mechanism should be automated to assist in the feedback loop of the PDCA cycle.
    Originality/value: The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research, where experts detail the success factors, the sequential steps and the justification of these factors in the ISG implementation process.

    An Optimized Dynamic Process Model of IS Security Governance Implementation

    The year 2011 has witnessed a lot of high-profile data breaches despite the availability of IS security and governance controls, frameworks, standards and models for organisations to choose from, and the technical advances made in intrusion prevention and detection. Taking this issue into account, the objective of this paper is to identify and analyse the weaknesses in the IS security defences of organisations from a holistic perspective, and to propose a dynamic IS security governance process model for the implementation of appropriate controls and mechanisms for optimised IS security. Optimization is achieved through the strategic overlap of security and governance frameworks implemented in a prioritized, phased manner for efficiency and effectiveness in cost, time and effort. The paper starts with the analysis of data breaches to identify the weaknesses in the organisational information system. This is followed by the analysis of recommended requirements and dimensions of effective IS security architecture, IS governance, concepts and models to identify relevant frameworks used in IS security and governance. Thereafter, the best practices for implementing the model are evaluated, and finally the frameworks and IS entities are integrated into an optimized Information Systems Security and Governance (ISSG) process model.

    Information technology audit: systems alignment and effectiveness measures

    Information technology audit has proven to be a relatively new, less researched and rapidly expanding field among large, medium and even small businesses (commercial and non-commercial organisations). The implementation rate has grown rapidly and presents a huge growth market for audit consultants due to the need for transparency and compliance with regulation (for example, the Sarbanes-Oxley Act) and the need to be competitive in the marketplace. The audit process is conducted mainly by consultants following a traditional process but using different proprietary approaches, and is mostly done manually. The purpose of this study is to present a scientific method that attaches a purely measurement focus to the auditing process, so as to provide an audit as well as a quantitative outcome of the performance of the various IS entities that are audited, using a novel automated method that can save organisations considerable resources in terms of time, cost and effort. The nature of the topic directed the researcher to three domains of information systems (IS), namely studies on IS measurement, IT governance and software engineering. These areas provided information on the nature of IS measurement and the models used; the process of auditing/measurement and the corresponding frameworks used; the principles and methodology of measurement of IS entities; and measurement models used in both the software engineering and information systems domains. The review of the literature gave rise to the research question and the COBIT-GQM (Control Objectives for Information Technology Audit – Goal Question Metrics) model.
    The research question that had emerged out of the four propositions, "How can an IT audit or governance framework be used to measure the effectiveness of IS entities in a scientific manner using customised and goal-oriented metrics?", along with the nature of the data sought (positivist), guided the researcher to qualitative research using multiple case studies to test the theoretical model (grounded theory) that had emerged out of the literature review. The theoretical model was automated (with a front-end interface and a back-end database) and initially tested for usability issues. Then the common COBIT control objective that was obtained through an initial survey was entered into the database along with a set of questions and metrics (developed by the researcher by following the given GQM guidelines). This application, which was demonstrated and given for evaluation in four organisations, gave rise to expected and surprising results. While the respondents expressed their desire to incorporate a customised and goal-oriented measurement perspective into their IT audit/performance functions, which would save them time, effort and cost, numerous suggestions were provided that need to be incorporated into the model to make it fully functional. Notable among them are the need to embed a multiple contextual qualifying layer, to incorporate a benchmarking feature into the model, and to link this with the maturity model. These were incorporated into the model, and a comprehensive model incorporating all the suggestions was created. The qualitative case study method, being used here more to evaluate a theory, provided a sound base for future studies to generate hypotheses that can be evaluated using quantitative survey methods for the model to be generalised.
    IT auditing being a relatively new, less researched, conventional and high-growth field, the use of an innovative, comprehensive, automated and scientific method of audit and measurement will satisfy the implied need for organisations to incorporate the diverse audit/measurement/control standards into one comprehensive method, and this research is a major step in this direction. Since the new model is comprehensive and can be automated, organisations can economise in terms of time, cost and effort. Irrespective of the nature of the economic cycle, the need to economise in terms of cost, time and effort is universal for all organisations.

    Bypassing Multiple Security Layers Using Malicious USB Human Interface Device

    Universal Serial Bus (USB) enabled devices act as a trusted tool for data interchange, interface, and storage for computer systems through Human Interface Devices (HID), namely the keyboard, mouse, headphone, storage media and peripherals that use the USB port. However, with billions of USB-enabled devices currently in use today, the attacker's potential to seamlessly leverage such a device to perform malicious activities by bypassing security layers presents a serious risk to systems administrators. The paper thus presents a comprehensive review of the multiple attacks that can be leveraged using USB devices and the corresponding vulnerabilities, including countermeasures. This is followed by the demonstration of five attacks to validate the threat and the associated vulnerabilities by bypassing four security layers, namely (1) two server operating system (OS) controls, (2) one group policy control, and (3) antivirus. The attack was performed by plugging in a USB device connected to an Arduino Micro board to install three differently crafted malware samples onto the victim machine (Windows Server 2012). As a result, the Arduino device, which had been programmed to act like a Human Interface Device (HID), was able to bypass all four layers successfully, with execution on the first three layers. The attack-vulnerability theoretical model, the demonstration of the five attacks, and the subsequent analysis of the attacks provide academics with multiple domains (countermeasures) for further research, and practitioners with critical IT controls to focus on.

    Evaluating Machine Learning Methods for Intrusion Detection in IoT

    Cyber-attacks on IoT-enabled devices have grown at an alarming rate since the start of the Covid-19 pandemic due to the cyber-physical digital transformation enabled through widespread deployment of low-cost, sensor-embedded IoT devices in consumer and industrial IoT, as well as the increase in computing power. Consequently, this adoption trend has led to 1.51 billion breaches on IoT devices during the first half of 2021 alone. This highlights the critical importance of being prepared for IoT vulnerabilities (IoT manufacturing and deployment sector) and attacks (malicious actors). In this respect, machine learning (ML) and especially deep learning (DL) strategies have emerged as the preferred methods to secure IoT devices from attacks. In this paper, we propose three deep learning algorithms for IoT intrusion detection based on a mapping of IoT attacks to ML/DL methods. Our paper thus provides two contributions. First, we present a model that maps extant research on the application of ML/DL to specific IoT attacks. Second, through an optimal selection from the mapping, we present three algorithms (naïve Bayes, convolutional neural network and autoencoder) for detection of intrusions in IoT attacks. This provides a review of research opportunities and research gaps in the IoT IDS domain.

    Systems Dynamics Modeling for Evaluating Socio-Technical Vulnerabilities in Advanced Persistent Threats

    The paper focuses on the application of Systems Dynamics Modelling (SDM) for simulating socio-technical vulnerabilities of Advanced Persistent Threats (APT) to unravel Human Computer Interaction (HCI) for strategic visibility of threat actors. SDM has been widely applied to analyze nonlinear, complex, and dynamic systems in the social sciences and technology. However, its application in the cyber security domain, especially to APTs that involve complex and dynamic human-computer interaction, is a promising but scant research domain. While HCI deals with the interaction between one or more humans and one or more computers for greater usability, this same interactive process is exploited by the APT actor. In this respect, using a data breach case study, we applied the socio-technical vulnerabilities classification as a theoretical lens to model social and technical vulnerabilities with systems dynamics using Vensim software. The variables leading to the breach were identified, entered into Vensim, and simulated to obtain the results. The results demonstrated an optimal interactive mix of one or more of the six social variables and three technical variables leading to the data breach. The SDM approach thus provides insights into the dynamics of the threat as well as throwing light on the strategies to undertake for minimizing APT risks. This can assist in the reduction of the attack surface and reinforce mitigation efforts (prior to exfiltration) should an APT attack occur. In this paper, we thus propose and validate the application of the system dynamics approach for designing a dynamic threat assessment framework for socio-technical vulnerabilities of APTs.

    Human and organizational factors of healthcare data breaches: The swiss cheese model of data breach causation and prevention

    © 2016 by IGI Global. All rights reserved. Over the past few years, concerns related to healthcare data privacy have been mounting as healthcare information has become more digitized, distributed and mobile. However, very little is known about the root causes of data breach incidents, making it difficult for healthcare organizations to establish proper security controls and defenses. Through a systematic review and synthesis of the data breach literature, and using databases of earlier reported healthcare data breaches, the authors re-examine and analyze the causal factors behind healthcare data breaches. The authors then use the Swiss Cheese Model (SCM) to shed light on the technical, organizational and human factors of these breaches. The authors' research suggests that incorporating the SCM concepts into healthcare security policies and procedures can assist healthcare providers in assessing the vulnerabilities and risks associated with the maintenance and transmission of protected health information.

    IT governance practices in the Gulf Cooperation Council region

    © 2019, IGI Global. The adoption of IT governance (ITG) frameworks in organizations worldwide, along with the subsequent need to comply with regulations and standards, has placed ITG implementation decisions firmly with the boards and executives of organizations. With diverse board- and executive-level cultures evident in various parts of the world, the adoption of ITG frameworks depends on the ITG practices followed in each cultural context. Through an online survey, this study thus examines the existing ITG practices followed by senior management in the GCC region through the structures, processes and relational mechanisms (SPR) practices model. In this respect, this study evaluates effective baseline ITG practices at the board and executive levels and suggests ITG structures, processes, and relational mechanisms that ITG consultants in the Gulf Cooperation Council region can follow for effective ITG implementation.