Dynamic Information Security Management Capability: Strategising for Organisational Performance
The increasing frequency, impact, consequence and sophistication of cybersecurity attacks are becoming a strategic concern for boards and executive management of organisations. Consequently, in addition to focusing on productivity and performance, organisations are prioritising Information Security Management (ISM). However, research has revealed little or no conceptualisation of a dynamic ISM capability and its link to organisational performance. In this research, we set out to 1) define and describe an organisational-level dynamic ISM capability, 2) develop a strategic model that links resources with this dynamic capability, and then 3) empirically demonstrate how dynamic ISM capability contributes to firm performance. By drawing on Resource-Based Theory (RBT) and the Dynamic Capabilities View (DCV), we have developed the Dynamic ISM Capability model to address the identified gap. As we develop this research, we will empirically test this model to demonstrate causality between ISM capability and organisational performance.
Evaluating the Utility of Research Articles for Teaching Information Security Management
Research articles can support teaching by introducing the latest expert thinking on relevant topics and trends and by describing practical real-world case studies that encourage discussion and analysis. However, from the point of view of the instructor, a common challenge is identifying the most suitable papers for classroom teaching amongst a very large pool of potential candidates that are not typically written for teaching purposes. Further, even in practice-oriented disciplines such as Information Security Management (ISM), high-quality journals emphasise theoretical contribution and research method rather than relevance to practice. Our review of the relevant literature did not find a comprehensive set of criteria to assist instructors in evaluating the suitability of research articles for teaching. Therefore, this research-in-progress paper presents a framework to support academics in evaluating the suitability of research articles for their teaching programs.
A Comparison of Information Security Curricula in China and the USA
Information Security (InfoSec) education varies in its content, focus and level of technicality across the world. In this paper we investigate the differences between graduate InfoSec programs in top universities in China and in the United States of America (USA). In China, the curriculum emphasises Telecommunication, Computer Science and InfoSec Technology, whilst in the USA, in addition to Computer Science and InfoSec Technology, the curriculum also emphasises Enterprise-level Security Strategy and Policy, InfoSec Management, and Cyber Law. The differences are significant and will have a profound impact both on the perceptions and capabilities of future generations of information security professionals and on the management of information security in public and private organisations in the respective countries.
Factors influencing the organizational decision to outsource IT security
IT security outsourcing is the process of contracting a third-party security service provider to perform the full or partial IT security functions of an organization. Little is known about the factors influencing organizational decisions to outsource such a critical function. Our review of the research and practice literature identified several managerial factors (e.g., cost-benefit, inability to cope with the threat environment) and legal factors (e.g., regulatory/legal compliance). We found research in IT security outsourcing to be immature, with its focus areas not addressing the critical issues facing industry practice. We therefore present a research agenda consisting of fifteen questions that address five key gaps in knowledge of IT security outsourcing: the effectiveness of the outcome, the lived experience of the practice, the temporal dimension, multi-stakeholder perspectives, and the impact on IT security practices, particularly agility in incident response.
A Framework for Mitigating Leakage of Competitively Sensitive Knowledge in Start-ups
The current wave of digitalization has important implications for many organizations. In this article, we study how manufacturing companies can apply value co-creation as a comprehensive approach to embrace the potential of digitalization trends. By means of two case examples, we show the potential of better integrating shopfloor workers in the shaping of digital solutions and managerial actions. The improved consideration of cognitive needs and the provision of opportunities for social connection to a community of workers make them feel more valued, confident, empowered and integrated. This can balance other forms of frustration and negative emotion, leading to a better perception of the overall relationship experience on the shopfloor.
The Dark Web Phenomenon: A Review and Research Agenda
The internet can be broadly divided into three parts: surface, deep and dark. The dark web has become notorious in the media as a hidden part of the web where all manner of illegal activities take place. This review investigates how the dark web is being utilised, with an emphasis on cybercrime, and how law enforcement plays the role of its adversary. The review describes these hidden spaces, sheds light on their history, the activities they harbour (including cybercrime), the nature of the attention they receive, and the methodologies employed by law enforcement in an attempt to defeat their purpose. More importantly, it is argued that these spaces should be considered a phenomenon and not an isolated occurrence to be taken as merely a natural consequence of technology. This paper contributes to the area of dark web research by serving as a reference document and by proposing a research agenda.
Towards Governance of Information Security Incident Response
Organizations are increasingly digitizing their business models to complement or even replace physical contact with customers and suppliers. With this shift online comes an increase in information security attacks, which are occurring more frequently due to the increased attack surface, vulnerabilities in security controls, and a target-rich environment. Organizations work to prevent attacks; however, some attacks are still successful and result in security incidents that degrade operations. When an organization is successfully breached, it must respond to the incident as quickly as possible to ensure continued operations and business resilience. However, guidance is lacking for governance of the response function. In a thematic review, we find that good governance plays a key role in smooth and efficient incident response. This paper extends knowledge about governance of information security incident response by identifying key governance concepts that improve incident response efforts within organizations.
Information Security Management: Factors that Influence Security Investments in SMES
In the modern information economy, the security of information is critically important to organizations. Information security risk assessments (ISRAs) allow organizations to identify key information assets and security risks so that security expenditure can be directed cost-effectively. Unfortunately, conducting ISRAs requires special expertise and tends to be complex and costly for small to medium-sized enterprises (SMEs). Therefore, it remains unclear in practice, and unknown in the literature, how SMEs address information security imperatives without the benefit of an ISRA process. This research contributes to theory in security management by identifying the factors that influence key decision-makers in SMEs to address information security risks. The study identified three key motivating factors from a series of case studies. Firstly, the need for sufficient information security to maintain reputation with external clients whilst conforming to the level of information security practice typical of the industry culture. Secondly, (mis)perceptions of the existing state of information security and the level of exposure to security threats in the organization. Thirdly, the perceived need to focus on higher corporate business priorities rather than on information security.
A Theory on Information Security
This paper proposes a theory on information security. We argue that information security is imperfectly understood and aim to bring about an altered understanding of why efforts are made to engage in information security. The goal of information security is widely recognised as the confidentiality, integrity and availability of information; however, we argue that the goal is actually to simply create resources. This paper responds to calls for more theory in information systems, places the discussion in philosophical context and compares various definitions. It then identifies the key concepts of information security and describes the relationships between these concepts, as well as scope and causal explanations. The paper provides the theoretical base for understanding why information is protected, in addition to theoretical and practical implications and suggestions for future research.
Mitigating BYOD Information Security Risks
Organisations that allow employees to Bring Your Own Device (BYOD) in the workplace trade off the convenience of letting employees use their own device against higher risks to the confidentiality, integrity, and availability of organisational information assets. While BYOD is a well-defined and accepted trend in some organisations, there is little research on how policies can address the information security risks posed by BYOD. This paper reviews the extant literature and develops a comprehensive list of information security risks associated with allowing BYOD in organisations. This list is then used to evaluate five BYOD policy documents to determine how comprehensively they address BYOD information security risks. The outcome of this research shows that of the 13 identified BYOD risks, only 8 were adequately addressed by most of the organisations.