
    Disclosure of Organizational Information by Employees on Facebook: Looking at the Potential for Information Security Risks

    Online social networking (OSN) is a global phenomenon, and its use by employees has been reported to be detrimental to organizations. Nevertheless, the impact of OSN on organizational information security is rarely discussed in the academic literature. This study investigates the use of OSN sites by employees and the work-related information disclosed on their personal pages that may jeopardize the security of organizational information. The paper characterizes the work-related information that can be disclosed on Facebook and that has the potential to open the doorway to information security threats. It also discusses the qualitative findings from four Malaysian-based organizations. Across these four organizations, 22 employees who were active Facebook users were interviewed about their OSN experience, the information they disclosed online and their underlying reasons for doing so. The findings inform our recommendations for organizations to minimize this issue by understanding the behavioural facets of information security

    Information Leakage through Online Social Networking: Opening the Doorway for Advanced Persistence Threats

    The explosion of online social networking (OSN) in recent years has caused damage to organisations through leakage of information by their employees. Employees' social networking behaviour, whether accidental or intentional, provides an opportunity for advanced persistent threat (APT) attackers to deliver their social engineering techniques and undetectable zero-day exploits. APT attackers use spear-phishing that targets key employees of victim organisations through social media in order to conduct reconnaissance and steal confidential proprietary information. This conceptual paper posits OSN as the most challenging channel of information leakage and explains the underlying factors behind employees leaking information via this channel through a theoretical lens from information systems. It also describes how OSN becomes an APT attack vector owing to employees' social networking behaviour, and finally recommends security education, training and awareness (SETA) for organisations to combat these threats

    Exploring The Use Of Online Social Networking By Employees: Looking At The Potential For Information Leakage

    The proliferation of online social networking (OSN) in recent years has exposed organizations to information security threats through the disclosure of information by their employees on these sites. The accessibility of OSN to anyone, at any time, from any device, causes confidential and sensitive organizational information to be disclosed to unauthorised individuals, whether accidentally or intentionally. This study explores this phenomenon by investigating the OSN use behaviour among employees that leads to information leakage, through the lens of the Decomposed Theory of Planned Behavior. It also investigates the strategies organizations use to control such use and proposes a control framework that effectively safeguards organizational information security from this threat

    Advanced persistent threats awareness and readiness: a case study in Malaysian financial institutions

    Advanced Persistent Threats (APT) have targeted financial institutions (FI) to gather intelligence on sensitive customer information and monetize the attack. APT could have a disastrous impact on the targeted FI and the country's economy if there is a lack of preparation to confront these challenges and attacks. A case study on local FIs was carried out to examine the factors influencing APT awareness among FI cybersecurity practitioners and to investigate the security strategies employed by FIs to protect themselves from APT attacks. Feedback from CyberSecurity Malaysia (CSM) was sought to validate the findings. The factors found to influence APT awareness in local FIs include the emphasis on informal learning about APT, attackers' financial motivation, the FI's reputational risk and the existence of financial regulatory requirements to combat cybersecurity risks. This awareness has led cybersecurity practitioners in local FIs to implement advanced security technologies and integrated security controls as their readiness to defend against APT attacks

    Persuasive technology from Islamic perspective

    The effective use of persuasive technology in health, computing, sales, education, the environment and other fields is rapidly expanding. Persuasive technology is efficient in changing the attitudes and behaviours of end users. This paper demonstrates how persuasive technology and the design factors proposed in the Fogg Behavior Model (FBM) are associated with the Islamic perspective drawn from the Quran and Hadith. The paper starts by explaining the ethics of persuasive technology and then discusses persuasive technology and its principal design factors from the Islamic perspective. It also discusses the extent to which Islamic principles enhance the concept of persuasive technology as an interactive computing system that can change attitudes and behaviours. In particular, it discusses how the practices and principles behind the design factors of persuasive technology were identified and applied in the early Islamic era. The conceptual findings assert that Islam is a universal and contemporary religion whose principles accommodate persuasive technology concepts

    A case analysis of securing organisations against information leakage through online social networking

    The inadvertent leakage of sensitive information through Online Social Networking (OSN) represents a significant source of security risk to organisations. Leakage of sensitive information such as trade secrets, intellectual property and personal details of employees can result in loss of competitive advantage, loss of reputation and erosion of client trust. We present four case studies that examine the drivers of employee leakage behaviour and the corresponding security management strategies. Drawing on these case studies, we present a maturity framework for organisational OSN Leakage Mitigation Capability (OSN-LMC) and the lessons learned from the case analysis

    Responsibility-value alignment in information security governance

    This paper contributes by mapping the responsibilities of top management in information security onto the four leadership characteristics in Islam as defined and demonstrated by the Prophet Muhammad (PBUH). Contemporary studies, mostly from the West, explore the responsibilities of top management in information security. However, without binding these responsibilities to a specific set of virtue ethics, they become merely a set of tasks rather than responsibilities. Therefore, based on a literature review, this paper introduces a conceptual model that maps management's responsibilities in information security governance onto the four Islamic leadership principles: Truthfulness, Trustworthiness, Advocacy and Wisdom. This model allows researchers and practitioners to understand and appreciate the accountability of top management in steering information security initiatives in their organizations from an Islamic perspective

    Persuasive technology in the Islamic perspective: the principles and strategies

    The employment of persuasive technology in education, computing, sales, health and the environment is increasing dramatically. Persuasive technology is powerful in changing the attitudes and behaviours of end users. This paper begins by presenting the ethics of persuasive technology that are relevant to Islamic values and beliefs, and how the concept of persuasion has been applied in Islamic practice to influence people. It explores how persuasive technology and the design factors presented in FBM relate to Islamic practices attested in the Quran and Hadith. Additionally, it discusses persuasive technology strategy tools and their activities from the Islamic perspective. The paper also examines in depth how Islamic concepts improve the perception of persuasive technology as an interactive computing system that is able to modify attitudes and behaviours. Essentially, it demonstrates how the practices and principles behind the design factors and strategy tools of persuasive technology were identified and utilized in the early Islamic age. Those principles and strategies are further analyzed against Quran verses and Hadith of particular relevance. The conceptual results claim that Islam is a contemporary and universal religion that takes care of the aspects of persuasive technology and recognizes its criticality to Muslim society

    Persuasive technology for improving information security awareness and behavior: literature review

    The use of Persuasive Technology in various fields is rapidly increasing. It can be applied in many fields, such as computing, marketing, sales, the environment, education and health. Persuasive Technology has been found effective in bringing about a required change in users' behaviours and attitudes. However, its use in the field of information security awareness is scarce. This paper presents an extensive literature review focused on how to create awareness of good information security practices among users by applying Persuasive Technology techniques and approaches. The conceptual findings suggest that Persuasive Technology has tremendous potential for persuading users to change their behaviour and perception of information security practices

    Risk assessment model for organizational information security

    Information security risk assessment (RA) plays an important role in an organization's future strategic planning. Generally there are two types of RA approach: quantitative RA and qualitative RA. Quantitative RA is an objective study of risk that uses numerical data. Qualitative RA, on the other hand, is a subjective evaluation based on judgment and experience that does not operate on numerical data. It is difficult to conduct a purely quantitative RA, because numerical data alone is hard to comprehend without a subjective explanation. Conversely, qualitative RA does not demand objectivity about the risks, although it is possible to conduct an RA that is purely qualitative in nature. If implemented in silos, the limitations of both the quantitative and the qualitative method may increase the likelihood of direct and indirect losses to an organization. This paper proposes a combined RA model, drawing on both quantitative and qualitative RA methods, for assessing information security risks. To interpret and apply the model, a prototype RA tool for information security risks will be developed and evaluated by information security risk management experts from industry. Feedback from the experts will be used to improve the proposed RA model. The implementation of an appropriate model ensures a successful RA method and protects the organization against the natural and causal risks related to securing information assets
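    The combination this abstract argues for can be illustrated with a small scoring routine. The following is an added example and not code from the paper or its prototype: it assumes the classic quantitative formulas SLE = asset value x exposure factor and ALE = SLE x ARO, an assumed five-point likelihood and impact scale for the qualitative side, and assumed banding thresholds. The three-entry risk register is constructed for the example. Each risk is scored both ways, the more severe of the two bands is kept, and a disagreement between the bands is flagged for expert review, which is the practical consequence of not running the two methods in silos.

```python
"""Combined quantitative + qualitative risk scoring (added example, not the paper's model).

Assumptions (not from the paper):
  - quantitative side: SLE = asset_value * exposure_factor, ALE = SLE * ARO
  - qualitative side: 5-point likelihood and impact scales, score = L * I
  - bands: assumed monetary thresholds for ALE and the usual 5x5 matrix cut-offs
"""
from dataclasses import dataclass

# Assumed ordinal scales for analyst ratings.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
BANDS = ("low", "medium", "high")  # ordered from least to most severe


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # monetary value of the asset at risk
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    aro: float              # annualized rate of occurrence (expected incidents per year)
    likelihood: str         # analyst rating, key of LIKELIHOOD
    impact: str             # analyst rating, key of IMPACT


def single_loss_expectancy(r: Risk) -> float:
    """SLE: money lost in one incident."""
    if not 0.0 <= r.exposure_factor <= 1.0:
        raise ValueError(f"{r.name}: exposure factor must be in [0, 1]")
    return r.asset_value * r.exposure_factor


def annualized_loss_expectancy(r: Risk) -> float:
    """ALE: expected yearly loss, the quantitative figure."""
    if r.aro < 0:
        raise ValueError(f"{r.name}: ARO cannot be negative")
    return single_loss_expectancy(r) * r.aro


def qualitative_score(r: Risk) -> int:
    """Likelihood x impact on the assumed 5x5 matrix; raises KeyError on an unknown rating."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def quantitative_band(ale: float, thresholds=(10_000.0, 100_000.0)) -> str:
    """Map ALE to a band using assumed monetary thresholds (low below the first, high at or above the second)."""
    low_max, medium_max = thresholds
    if ale < low_max:
        return "low"
    if ale < medium_max:
        return "medium"
    return "high"


def qualitative_band(score: int) -> str:
    """Usual 5x5 cut-offs: 1-4 low, 5-12 medium, 15-25 high."""
    if score <= 4:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def assess(r: Risk, thresholds=(10_000.0, 100_000.0)) -> dict:
    """Score one risk both ways, keep the more severe band, flag disagreement for review."""
    ale = annualized_loss_expectancy(r)
    score = qualitative_score(r)
    quant = quantitative_band(ale, thresholds)
    qual = qualitative_band(score)
    combined = max(quant, qual, key=BANDS.index)  # conservative: the worse band wins
    return {
        "name": r.name,
        "sle": single_loss_expectancy(r),
        "ale": ale,
        "score": score,
        "quantitative_band": quant,
        "qualitative_band": qual,
        "combined_band": combined,
        "needs_review": quant != qual,  # the two methods disagree: an expert should look
    }


def rank(risks, thresholds=(10_000.0, 100_000.0)) -> list:
    """Most severe first: by combined band, then ALE, then qualitative score."""
    rows = [assess(r, thresholds) for r in risks]
    rows.sort(key=lambda d: (BANDS.index(d["combined_band"]), d["ale"], d["score"]), reverse=True)
    return rows


# Constructed sample register for the example; the figures are illustrative only.
SAMPLE_RISKS = [
    Risk("Project details disclosed on OSN", 400_000.0, 0.25, 0.25, "likely", "moderate"),
    Risk("Spear-phishing of finance staff", 2_000_000.0, 0.25, 0.25, "possible", "severe"),
    Risk("Lost unencrypted laptop", 100_000.0, 0.5, 1.0, "almost certain", "moderate"),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_RISKS):
        flag = " (review: methods disagree)" if row["needs_review"] else ""
        print(f'{row["combined_band"]:6} ALE={row["ale"]:>10,.0f} score={row["score"]:2} {row["name"]}{flag}')
```

    The third entry is the reason for the combination: its expected yearly loss is modest, so a purely quantitative pass would rank it medium, while the analysts' ratings put it in the high band; reporting both and flagging the disagreement is what stops either method from hiding the other's blind spot.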