Ahmed I. Al-Darwish,Pilsung Choe

DOI: https://doi.org/10.1007/978-3-030-22351-9_15

2019-01-01

Abstract: Information systems support organizations to achieve strategic competitiveness over other organizations and assist senior management in the decision-making process. In addition, they help organizations in timely implementation of projects and effective risk management. A reliable and coherent Information System requires a solid security framework that ensures Confidentiality, Integrity, Availability, Authenticity and Auditability of the critical information assets; therefore, managing security is essential for organizations doing business in a globally networked and competitive environment whilst seeking to achieve their objectives and goals and ensuring the continuity of business. This paper provides an integrated framework that classifies and holistic view of challenges in Information Security Systems, and their interrelationships. The framework is expected to provide a basis that can be used to evaluate individual organizational members’ behavior and the adequateness of existing security measures.

Ahmed Alkalbani,Hepu Deng,Booi Kam

DOI: https://doi.org/10.48550/arXiv.1606.00875

2016-05-28

Computers and Society

Abstract:The increase reliance on information systems has created unprecedented challenges for organizations to protect their critical information from different security threats that have direct consequences on the corporate liability, loss of credibility, and monetary damage. As a result, the security of information has become a top priority in many organizations. This study investigates the role of socio-organizational factors by drawing the insights from the organizational theory literature in the adoption of information security compliance in organizations. Based on the analysis of the survey data collected from 294 employees from different organizations, the study indicates management commitment, awareness and training, accountability, technology capability, technology compatibility, processes integration, and audit and monitoring have a significant positive impact on the adoption of information security compliance in organizations. The study contributes to the information security compliance research by exploring the criticality of socio-organizational factors at the organizational level for information security compliance.

Abdullah Al Hayajneh,Hasnain Nizam Thakur,Kutub Thakur

DOI: https://doi.org/10.5539/cis.v16n4p1

2023-11-20

Computer and Information Science

Abstract:In the contemporary era marked by the extensive utilization of data, information systems have been extensively embraced by global organizations and also hold a pivotal position in national defense and various other domains. The growing interconnectedness between individuals and diverse information systems has resulted in an intensified emphasis on the evaluation of potential risks. The mitigation of these dangers extends beyond simple technological solutions and includes established standards, legal structures, and policies, adopting a complete approach based on safety engineering concepts. This study aims to develop a robust framework for the harmonization of Information Technology Security Standards. It will explore prevalent techniques for conducting risk assessments and differentiate between quantitative and qualitative approaches to evaluation. Moreover, this study illustrates the combination of quantitative and qualitative evaluation methodologies, providing a comprehensive framework for the analysis and design of risk assessment. In addition, this study advances our understanding of INFOSEC risk assessment and contributes to the advancement of more efficient information security strategies by sharing global perspectives, addressing challenges in classification, clarifying the incorporation of Information Security Management Systems (ISMS), and highlighting the significance of Artificial Intelligence in the domain of Information Security (INFOSEC).

Harrison Stewart,Jan Jürjens

DOI: https://doi.org/10.1108/ics-07-2016-0054

2017-11-13

Information and Computer Security

Abstract:Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset. Design/methodology/approach Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B. Findings Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own. Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings. Practical implications In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed. Social implications The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps. Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Abdullah M. Albarrak

DOI: https://doi.org/10.3390/su16188144

IF: 3.9

2024-09-19

Sustainability

Abstract:The energy sector is a critical contributor to the growth and development of any country's economy. However, ensuring robust cybersecurity within the context of smart energy services presents persistent usability challenges in an increasingly digital environment. This study explores the intersection of human-computer interaction (HCI), cybersecurity, and usability to identify and address issues that impact the overall security of smart energy management systems. By analyzing the complex relationships between users and security protocols, this research aims to enhance the security framework, promote better user adherence, and improve system usability. The study focuses on three primary objectives: (1) identifying the most prevalent usability issues in current cybersecurity practices; (2) examining the relationship between HCI and user compliance with security measures; and (3) proposing strategies to improve cybersecurity usability by leveraging HCI principles. Hybrid approaches utilizing artificial intelligence facilitate empirical analysis and framework evaluation. Additionally, a comparative study with six existing models has been conducted. By envisioning a future where security measures not only ensure enhanced protection but also integrate seamlessly into user experiences, this approach seeks to provide valuable insights into ongoing cybersecurity discussions and contribute to a more resilient security landscape against evolving digital threats.

environmental sciences,environmental studies,green & sustainable science & technology

Haider Abbas,Christer Magnusson,Louise Yngstrom,Ahmed Hemani

DOI: https://doi.org/10.1108/09685221111115836

2011-03-22

Abstract:Purpose The purpose of this paper is to address three main problems resulting from uncertainty in information security management: dynamically changing security requirements of an organization; externalities caused by a security system; and obsolete evaluation of security concerns. Design/methodology/approach In order to address these critical concerns, a framework based on options reasoning borrowed from corporate finance is proposed and adapted to evaluation of security architecture and decision making for handling these issues at organizational level. The adaptation as a methodology is demonstrated by a large case study validating its efficacy. Findings The paper shows through three examples that it is possible to have a coherent methodology, building on options theory to deal with uncertainty issues in information security at an organizational level. Practical implications To validate the efficacy of the methodology proposed in this paper, it was applied to the Spridnings‐och Hämtningssystem (SHS: dissemination and retrieval system) system. The paper introduces the methodology, presents its application to the SHS system in detail and compares it to the current practice. Originality/value This research is relevant to information security management in organizations, particularly issues on changing requirements and evaluation in uncertain circumstances created by progress in technology.

Joshua Nterful,Ibrahim Osman Adam,Muftawu Dzang Alhassan,Abdallah Abdul-Salam,Abubakar Gbambegu Umar

DOI: https://doi.org/10.1108/ics-11-2022-0174

2024-03-01

Information and Computer Security

Abstract:Purpose This paper aims to identify the critical success factors in improving information security in Ghanaian firms. Design/methodology/approach Through an exploratory study of both public and private Ghanaian organizations. The study relied on a research model based on the technology–organization–environment (TOE) framework and a survey instrument to collect data from 525 employees. The data was analyzed using partial least squares-structural equation modeling (PLS-SEM). Findings The findings confirm the role of the technological, organizational and environmental contexts as significant determinants in the implementation of information security in Ghanaian organizations. Results from PLS-SEM analysis demonstrated a positive correlation between the technology component of information security initiative, organization's internal efforts toward its acceptance and a successful implementation of information security in Ghanaian firms. Top management support and fund allocation among others will result in positive information security initiatives and positive attitudes toward securing the organization's information assets. Research limitations/implications The authors discussed the implications of the authors' findings for research, practice and policy. Social implications The results of this study will be useful for both governmental and non-governmental organizations in terms of best practices for increasing information security. Results from this study will aid organizations in developing countries to better understand their information security needs and identify the necessary procedures to address them. Originality/value This study contributes to filling the knowledge gap in organizational information security research and the TOE framework. Despite the TOE framework being one of the most influential theories in contemporary research of information system domains in an organizational context, there is not enough research linking the domains of information security and the TOE model.

Rao Faizan Ali,PDD Dominic

DOI: https://doi.org/10.1177/01655515221087680

2022-04-06

Journal of Information Science

Abstract:Information security is one of the most crucial considerations in digitising Oil and Gas (O&G) organisations. For ensuring information security policy compliance, O&G organisations enforce heavy security requirements. The purpose of this article is to assess how O&G employees cope with stressful information security tasks and how security-related stress (SRS) is related to information security policy violations among O&G employees in developing countries. Based on the coping theory, this article develops a theoretical framework to examine O&G employees’ intention to violate information security policies. The framework is tested using a survey of 270 managers/executives from 150 Malaysian O&G organisations. The results indicated that O&G employees perceive security requirements as stressful to follow and adopt avoidance coping strategies that lead them to violate organisational information security policies. For practitioners, the study findings demonstrate the prevalence of technostress in O&G organisations and suggest alternative mechanisms to address the stressful effects of information security requirements. This article contributes to the information system security literature by testing procrastination and psychological detachment with SRS in the context of developing countries' O&G organisations’ employees and provides an understanding of how O&G employees adopt avoidance coping.

computer science, information systems,information science & library science

Kwo‐Shing Hong,Yen‐Ping Chi,Louis R. Chao,Jih‐Hsing Tang

DOI: https://doi.org/10.1108/09685220310500153

2003-12-01

Abstract:With the popularity of electronic commerce, many organizations are facing unprecedented security challenges. Security techniques and management tools have caught a lot of attention from both academia and practitioners. However, there is lacking a theoretical framework for information security management. This paper attempts to integrate security policy theory, risk management theory, control and auditing theory, management system theory and contingency theory in order to build a comprehensive theory of information security management (ISM). This paper suggests that an integrated system theory is useful for understanding information security management, explaining information security management strategies, and predicting management outcomes. This theory may lay a solid theoretical foundation for further empirical research and application.

Yongho Kim,Boyoung Kim

DOI: https://doi.org/10.3390/info12110446

2021-10-27

Information

Abstract:In the Fourth Industrial Revolution era, data-based business management activities among enterprises proliferated are mainly based on digital transformation. In this change, the information security system and its operation are emphasized as essential business activities of enterprises the research aims to verify the relationship among the influence factors of corporate information security management based on the TOE framework. This study analyzes the effects of technical, organizational, and environmental factors on the intention, strengthening, and continuity of information security management. To this, a survey was conducted on professional individuals who are working in areas related to information security in organizations, and 107 questionnaires were collected and analyzed. According to major results of the analysis on adopted hypotheses. In results, as to the intention of information security management, organization and environment factors were influential. In the other side, technology and environment factors were affected to the strengthening of information security management. Hence this study pointed out that the environmental factors are most significant for the information security administration of an organization. In addition, it turned out that the strengthening of information security management was influential on the continuity of information security management more significantly than the intention of information security management.

Samuel Cris Ayo,Bonaventure Ngala,Olasunkanmi Amzat,Robin Lal Khoshi,Samarappulige Isuru Madusanka

DOI: https://doi.org/10.48550/arXiv.1812.04659

2018-12-12

Abstract:Owing to recorded incidents of Information technology inclined organisations failing to respond effectively to threat incidents, this project outlines the benefits of conducting a comprehensive risk assessment which would aid proficiency in responding to potential threats. The ultimate goal is primarily to identify, quantify and control the key threats that are detrimental to achieving business objectives. This project carries out a detailed risk assessment for a case study organisation. It includes a comprehensive literature review analysing several professional views on pressing issues in Information security. In the risk register, five prominent assets were identified in respect to their owners. The work is followed by a qualitative analysis methodology to determine the magnitude of the potential threats and vulnerabilities. Collating these parameters enabled the valuation of individual risk per asset, per threat and vulnerability. Evaluating a risk appetite aided in prioritising and determining acceptable risks. From the analysis, it was deduced that human being posed the greatest Information security risk through intentional/ unintentional human error. In conclusion, effective control techniques based on defence in-depth were devised to mitigate the impact of the identified risks from risk register.

Computers and Society,Cryptography and Security

Irfan Syamsuddin,Junseok Hwang

DOI: https://doi.org/10.48550/arXiv.1007.0302

2010-07-02

Computers and Society

Abstract:Changes in technology have resulted in new ways for bankers to deliver their services to costumers. Electronic banking systems in various forms are the evidence of such advancement. However, information security threats also evolving along this trend. This paper proposes the application of Analytic Hierarchy Process (AHP) methodology to guide decision makers in banking industries to deal with information security policy. The model is structured according aspects of information security policy in conjunction with information security elements. We found that cultural aspect is valued on the top priority among other security aspects, while confidentiality is considered as the most important factor in terms of information security elements.

Ellena Ike

DOI: https://doi.org/10.47941/ejikm.2063

2024-07-12

Abstract:Purpose: The general objective of the study was to analyze information security and knowledge management. Methodology: The study adopted a desktop research methodology. Desk research refers to secondary data or that which can be collected without fieldwork. Desk research is basically involved in collecting data from existing resources hence it is often considered a low cost technique as compared to field research, as the main cost is involved in executive’s time, telephone charges and directories. Thus, the study relied on already published studies, reports and statistics. This secondary data was easily accessed through the online journals and library. Findings: The findings reveal that there exists a contextual and methodological gap relating to information security and knowledge management. Preliminary empirical review revealed that integrating IS and KM was crucial for enhancing organizational performance, protecting intellectual assets, and fostering innovation. It emphasized the need for a holistic approach combining technological solutions, robust policies, and a culture of security awareness. The research found that this integration led to significant improvements in operational efficiency and innovation, with continuous evaluation and adaptation being essential. The study highlighted the importance of advanced security technologies, regular updates, and employee training to maintain effective IS and KM practices, ultimately ensuring the secure and effective utilization of knowledge assets for sustainable growth. Unique Contribution to Theory, Practice and Policy: The Socio-Technical Systems Theory, Knowledge-Based View of the Firm and Information Systems Success Model may be used to anchor future studies on information security and knowledge management. The study provided significant contributions to theory, practice, and policy by integrating various theoretical frameworks and emphasizing the need for a multi-layered approach to IS that includes advanced technology, strong policies, and employee training. It recommended the development of regulatory standards to enforce robust IS practices, the alignment of IS and KM with organizational strategies, and the implementation of continuous improvement programs. Additionally, it highlighted the importance of comprehensive training for employees and fostering a collaborative environment that balances security with innovation.

Amar Y. El-Bably,Amar Yasser El-Bably

DOI: https://doi.org/10.26735/wlpw6121

2021-06-01

Journal of Information Security and Cybercrimes Research

Abstract:Information security is the practice of protecting information by mitigating the risk of cyber-attack, and typically includes preventing or reducing the possibility of unauthorized/inappropriate access to data, unlawful use, disclosure, disruption. This concept of information security covers as well various procedures aiming at minimizing the negative effects of such incidents and threats. These threats might be originated from the human behavior which may lead to a wide damage of the organization data assets. Thus, the primary focus of information security is on the balanced protection of confidentiality, integrity and availability of data while maintaining an effective use of the organizations' systems. International standards related to information security such as ISO/IEC 27001 emphasis on effective implementation of the information security policies and applications without hampering the productivity of the organization. This research seeks to draw a set of practical rules to be established within an organization to preserve cybersecurity objectives and protect dada specifically from human errors incidents. The drawn rules are based on ISO/IEC 27001 and its application within organizations will rise the employee’s awareness about their behavior to reduce the impact of such incidents on the organization' systems and data.

Oyelami Julius Olusegun,Norafida Binti Ithnin

DOI: https://doi.org/10.48550/arXiv.1309.0189

2013-09-01

Computers and Society

Abstract:Information sharing in organization has been considered as an important approach in increasing organizational efficiency, performance and decision making. With the present and advances in information and communication technology, sharing information and exchanging of data across organizations has become more feasible in organization. However, information sharing has been a complex task over the years and identifying factors that influence information sharing across organization has becomes crucial and critical. Researchers have taken several methods and approaches to resolve problems in information sharing at all levels without a lasting solution, as sharing is best understood as a practice that reflects behavior, social, economic, legal and technological influences. Due to the limitation of the conventional ISM3 standards to address culture, social, legislation and human behavior, the findings in this paper suggest that, a centralized information structure without human practice, distribution of information and coordination is not effective. This paper reviews the previous information sharing research, outlines the factors affecting information sharing and the different practices needed to improve the management of information security by recommending several combinations of information security and coordination mechanism for reducing uncertainty during sharing of information .This thesis proposes information security management protocol (ISMP) as an enhancement towards ISM3 to resolve the above problems. This protocol provides a means for practitioners to identify key factors involved in successful information sharing.....

W. Alec Cram,Jeffrey G. Proudfoot,John D’Arcy

DOI: https://doi.org/10.1057/s41303-017-0059-9

2017-11-01

European Journal of Information Systems

Abstract:A major stream of research within the field of information systems security examines the use of organizational policies that specify how users of information and technology resources should behave in order to prevent, detect, and respond to security incidents. However, this growing (and at times, conflicting) body of research has made it challenging for researchers and practitioners to comprehend the current state of knowledge on the formation, implementation, and effectiveness of security policies in organizations. Accordingly, the purpose of this paper is to synthesize what we know and what remains to be learned about organizational information security policies, with an eye toward a holistic understanding of this research stream and the identification of promising paths for future study. We review 114 influential security policy-related journal articles and identify five core relationships examined in the literature. Based on these relationships, we outline a research framework that synthesizes the construct linkages within the current literature. Building on our analysis of these results, we identify a series of gaps and draw on additional theoretical perspectives to propose a revised framework that can be used as a basis for future research.

information science & library science,management,computer science, information systems

Fotis Kitsios,Elpiniki Chatzidimitriou,Maria Kamariotou

DOI: https://doi.org/10.3390/su14031269

IF: 3.9

2022-01-24

Sustainability

Abstract:Organizations must be committed to ensuring the confidentiality, availability, and integrity of the information in their possession to manage legal and regulatory obligations and to maintain trusted business relationships. Information security management systems (ISMSs) support companies to better deal with information security risks and cyber-attacks. Although there are many different approaches to successfully implementing an ISMS in a company, the most important and time-consuming part of establishing an ISMS is a risk assessment. The purpose of this paper was to develop a risk assessment framework that a company followed in the information technology sector to conduct the risk assessment process to comply with International Organization for Standardization (ISO) 27001. The findings analyze the conditions that force organizations to invest in protecting information and the benefits they can derive from this process. In particular, the paper delves into a multinational IT consulting services company that undertakes and implements large business support installation and customization projects. It explains the risk assessment process and the management of the necessary configurations so that its functions are acceptable and in line with information security standards. Finally, it presents the difficulties and challenges encountered.

environmental sciences,environmental studies,green & sustainable science & technology

Knut Haufe,Ricardo Colomo-Palacios,Srdan Dzombeta,Knud Brandis,Vladimir Stantchev

DOI: https://doi.org/10.12821/ijispm040402

2022-02-02

International Journal of Information Systems and Project Management

Abstract:Securing sensitive organizational data has become increasingly vital to organizations. An Information Security Management System (ISMS) is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security. Key elements of the operation of an ISMS are ISMS processes. However, and in spite of its importance, an ISMS process framework with a description of ISMS processes and their interaction as well as the interaction with other management processes is not available in the literature. Cost benefit analysis of information security investments regarding single measures protecting information and ISMS processes are not in the focus of current research, mostly focused on economics. This article aims to fill this research gap by proposing such an ISMS process framework as the main contribution. It is based on a set of agreed upon ISMS processes in existing standards like ISO 27000 series, COBIT and ITIL. Within the framework, identified processes are described and their interaction and interfaces are specified. This framework helps to focus on the operation of the ISMS, instead of focusing on measures and controls. By this, as a main finding, the systemic character of the ISMS consisting of processes and the perception of relevant roles of the ISMS is strengthened.

Yiyang Jia,Hanyan Wu,Dongxing Jiang

DOI: https://doi.org/10.1109/CyberC.2015.47

2015-01-01

Abstract:Security situation assessment is an effective way to analyze the situation of an information system, which helps administrator understand the current system risk status and make policy to response in time. However, the existing researches for security situation assessment mostly focus on network. The proposed methods for network are not so suitable for information systems. This paper proposes a hierarchical security situation analysis framework for information system, based on a classical NSSA [1] (network security situation analysis) model. The framework provides a standard flow for analyzing the security situation of information system. It consists a security situation analysis model of information system, an index system used in the model proposed, and a quantitative index fusion method to calculate a security situational value. We divided information system into 3 levels: sub-system level, composition level and index level. The collected information from the index level can be combined with grey model to determine the correlation degree between each major index and secondary index. Finally we calculate the whole system security situational value level by level. We use data from Tsinghua University information system to verify the proposed model and method. The result shows that this model can reflect the current security situation of information system comprehensively.