Betsy Uchendu,Jason R.C. Nurse,Maria Bada,Steven Furnell

DOI: https://doi.org/10.1016/j.cose.2021.102387

2021-10-01

Abstract:<p>While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge faced is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study into organisational cyber security culture research. This work investigates four questions, including how cyber security culture is defined, what factors are essential to building and maintaining such a culture, the frameworks proposed to cultivate a security culture and the metrics suggested to assess it. Through the application of the PRISMA systematic literature review technique, we identify and analyse 58 research articles from the last 10 years (2010-2020). Our findings demonstrate that while there have been notable changes in the use of terms (e.g., information security culture and cyber security culture), many of the most influential factors across papers are similar. Top management support, policy and procedures, and awareness for instance, are critical in engendering cyber security culture. Many of the frameworks reviewed revealed common foundations, with organisational culture playing a substantial role in crafting appropriate cyber security culture models. Questionnaires and surveys are the most used tool to measure cyber security culture, but there are also concerns as to whether more dynamic measures are needed. For practitioners, this article highlights factors and models essential to the creation and management of a robust security culture. For research, we produce an up-to-date characterisation of the field and also define open issues deserving of further attention such as the role of change management processes and national culture in an enterprise's cyber security culture.</p>

computer science, information systems

Amy Ertan,Georgia Crossland,Claude Heath,David Denny,Rikke Jensen

DOI: https://doi.org/10.48550/arXiv.2004.11768

2020-04-24

Abstract:This review explores the academic and policy literature in the context of everyday cyber security in organisations. In so doing, it identifies four behavioural sets that influences how people practice cyber security. These are compliance with security policy, intergroup coordination and communication, phishing/email behaviour, and password behaviour. However, it is important to note that these are not exhaustive and they do not exist in isolation. In addition, the review explores the notion of security culture as an overarching theme that overlaps and frames the four behavioural sets. The aim of this review is therefore to provide a summary of the existing literature in the area of everyday cyber security within the social sciences, with a particular focus on organisational contexts. In doing so, it develops a series of suggestions for future research directions based on existing gaps in the literature. The review also includes a theoretical lens that will aid the understanding of existing studies and wider literatures. Where possible, the review makes recommendations for organisations in relation to everyday cyber security.

Computers and Society

Sunil Chaudhary

DOI: https://doi.org/10.1016/j.cose.2024.103858

IF: 5.105

2024-04-27

Computers & Security

Abstract:Organisations implementing cybersecurity awareness (CSA) should strive to positively change employees' attitudes and behaviours. In practice, though, most of such initiatives only manage to increase employees' knowledge. In cybersecurity, knowledge on its own will have no significant value unless it is used to guide decisions and inspire actions. This study, therefore, has investigated the attributes that could influence and contribute to positive changes in employees' cybersecurity behaviours. The study used a literature review for questionnaire design and then employed the Delphi method with 22 experts, which consequently identified seven such attributes. These attributes are as follows: i) obtain senior management support and participation in CSA activities; ii) consider CSA as a continuous process that needs to be updated and improved on a regular basis; iii) cultivate and spread 'cybersecurity' as a norm in the organisation; iv) encourage cybersecurity activities and behaviours through incentives; v) craft and use persuasive CSA messages; vi) employ innovative and effective approaches to disseminate CSA messages; and vii) recommend security activities that are achievable and pertinent for the audience.

computer science, information systems

Aristotle Onumo,Irfan Ullah-Awan,Andrea Cullen

DOI: https://doi.org/10.1145/3424282

2021-06-01

ACM Transactions on Management Information Systems

Abstract:The increase in cybersecurity threats and the challenges for organisations to protect their information technology assets has made adherence to organisational security control processes and procedures a critical issue that needs to be adequately addressed. Drawing insight from organisational theory literature, we develop a multi-theory model, combining the elements of the theory of planned behaviour, competing value framework, and technology—organisational and environmental theory to examine how the organisational mechanisms interact with espoused cultural values and employee cognitive belief to influence cybersecurity control procedures. Using a structured questionnaire, we deployed structural equation modelling (SEM) to analyse the survey data obtained from public sector information technology organisations in Nigeria to test the hypothesis on the relationship of socio-organisational mechanisms and techno-cultural factors with other key determinants of employee security behaviour. The results showed that knowledge of cybersecurity and employee cognitive belief significantly influence the employees’ intentions to comply with organisational cybersecurity control mechanisms. The research further noted that the influence of organisational elements such as leadership on employee security behaviour is mediated by espoused cultural values while the impact of employee cognitive belief is moderated by security technologies. For effective cybersecurity compliance, leaders and policymakers are therefore to promote organisational security initiatives that ensure incorporation of cybersecurity principles and practices into job descriptions, routines, and processes. This study contributes to behavioural security research by highlighting the critical role of leadership and cultural values in fostering organisational adherence to prescribed security control mechanisms.

Marten de Bruin,Konstantinos Mersinas

2024-05-29

Abstract:Cyber security incidents are increasing and humans play an important role in reducing their likelihood and impact. We identify a skewed focus towards technical aspects of cyber security in the literature, whereas factors influencing the secure behaviour of individuals require additional research. These factors span across both the individual level and the contextual level in which the people are situated. We analyse two datasets of a total of 37,075 records from a) self-reported security behaviours across the EU, and b) observed phishing-related behaviours from the industry security awareness training programmes. We identify that national culture, industry type, and organisational security culture play are influential Variables (antecedents) of individuals' security behaviour at contextual level. Whereas, demographics (age, gender, and level or urbanisation) and security-specific factors (security awareness, security knowledge, and prior experience with security incidents) are found to be influential variables of security behaviour at individual level. Our findings have implications for both research and practice as they fill a gap in the literature and provide concrete statistical evidence on the variables which influence security behaviour. Moreover, findings provides practical insights for organisations regarding the susceptibility of groups of people to insecure behaviour. Consequently, organisations can tailor their security training and awareness efforts (e.g., through behaviour change interventions and/or appropriate employee group profiles), adapt their communications (e.g., of information security policies), and customise their interventions according to national culture characteristics to improve security behaviour.

Cryptography and Security

Maria Bada,Angela M. Sasse,Jason R. C. Nurse

DOI: https://doi.org/10.48550/arXiv.1901.02672

2019-01-09

Abstract:The present paper focuses on Cyber Security Awareness Campaigns, and aims to identify key factors regarding security which may lead them to failing to appropriately change people's behaviour. Past and current efforts to improve information-security practices and promote a sustainable society have not had the desired impact. It is important therefore to critically reflect on the challenges involved in improving information-security behaviours for citizens, consumers and employees. In particular, our work considers these challenges from a Psychology perspective, as we believe that understanding how people perceive risks is critical to creating effective awareness campaigns. Changing behaviour requires more than providing information about risks and reactive behaviours - firstly, people must be able to understand and apply the advice, and secondly, they must be motivated and willing to do so - and the latter requires changes to attitudes and intentions. These antecedents of behaviour change are identified in several psychological models of behaviour. We review the suitability of persuasion techniques, including the widely used 'fear appeals'. From this range of literature, we extract essential components for an awareness campaign as well as factors which can lead to a campaign's success or failure. Finally, we present examples of existing awareness campaigns in different cultures (the UK and Africa) and reflect on these.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Temitayo Oluwaseun Abrahams,Oluwatoyin Ajoke Farayola,Simon Kaggwa,Prisca Ugomma Uwaoma,Azeez Olanipekun Hassan,Samuel Onimisi Dawodu

DOI: https://doi.org/10.51594/csitrj.v5i1.708

2024-01-11

Computer Science & IT Research Journal

Abstract:As organizations continue to grapple with the escalating threat landscape of cyber-attacks, the imperative to fortify their cybersecurity defenses becomes increasingly paramount. This review delves into the critical realm of cybersecurity awareness and education programs, focusing on the pivotal factors of employee engagement and accountability. The effectiveness of these programs in cultivating a cyber-resilient workforce is scrutinized through an extensive examination of existing literature, empirical studies, and industry practices. The review begins by exploring the foundational elements of cybersecurity awareness programs, elucidating the significance of imparting knowledge and instilling a culture of vigilance among employees. It examines the diverse methodologies employed in these programs, ranging from interactive workshops and simulated phishing exercises to online modules and gamified learning platforms. A comparative analysis of these approaches sheds light on their respective strengths and limitations. A central theme of this review revolves around the nexus between employee engagement and cybersecurity resilience. It delves into the psychological and behavioral aspects of engagement, assessing how motivational factors and tailored learning experiences contribute to heightened cybersecurity awareness. The impact of organizational culture and leadership support on fostering a sense of responsibility among employees is also explored, emphasizing the need for a holistic approach that transcends mere compliance. Furthermore, the review investigates the role of accountability in sustaining the efficacy of cybersecurity initiatives. It examines the mechanisms employed by organizations to enforce adherence to security policies and protocols, emphasizing the role of robust monitoring systems, clear communication channels, and consequence management. Case studies and real-world examples are integrated to illustrate instances of successful accountability frameworks and their influence on overall cybersecurity posture. This review synthesizes key findings and identifies emerging trends in cybersecurity awareness and education programs, with a particular focus on optimizing employee engagement and fostering a culture of accountability. The insights gleaned from this analysis provide a roadmap for organizations seeking to fortify their defenses against evolving cyber threats by cultivating a vigilant and proactive workforce. Keywords: Cybersecurity, Education, Cyber threat, Employee engagement, Accountability.

Noor Suhani Sulaiman,Muhammad Ashraf Fauzi,Walton Wider,Jegatheesan Rajadurai,Suhaidah Hussain,Siti Aminah Harun

DOI: https://doi.org/10.3390/socsci11090386

2022-08-30

Social Sciences

Abstract:Cyber and information security (CIS) is an issue of national and international interest. Despite sophisticated security systems and extensive physical countermeasures to combat cyber-attacks, organisations are vulnerable due to the involvement of the human factor. Humans are regarded as the weakest link in cybersecurity systems as development in digital technology advances. The area of cybersecurity is an extension of the previously studied fields of information and internet security. The need to understand the underlying human behavioural factors associated with CIS policy warrants further study, mainly from theoretical perspectives. Based on these underlying theoretical perspectives, this study reviews literature focusing on CIS compliance and violations by personnel within organisations. Sixty studies from the years 2008 to 2020 were reviewed. Findings suggest that several prominent theories were used extensively and integrated with another specific theory. Protection Motivation Theory (PMT), the Theory of Planned Behaviour (TPB), and General Deterrence Theory (GDT) were identified as among the most referred-to theories in this area. The use of current theories is discussed based on their emerging importance and their suitability in future CIS studies. This review lays the foundation for future researchers by determining gaps and areas within the CIS context and encompassing employee compliance and violations within an organisation.

English Else

Rohani Rohan,Debajyoti Pal,Jari Hautamäki,Suree Funilkul,Wichian Chutimaskul,Himanshu Thapliyal

DOI: https://doi.org/10.1016/j.heliyon.2023.e14234

IF: 3.776

2023-03-01

Heliyon

Abstract:Information Security Awareness (ISA) is a significant concept that got considerable attention recently and can assist in minimizing the risks associated with information security breaches. Several measurement scales have been developed in this regard, as measuring users&#x27; ISA is paramount. Although ISA specific scales are very important, yet what methodological rigor they use in terms of initial conceptualization of ISA, data collection and analysis during the development, and scale validation of such scales are some unknown aspects. Therefore, we provide a comprehensive review of the existing ISA specific scales to address all the above concerns. A popular method, PRISMA, is utilized, and a total of 24 articles that match with criteria of this research are included for the final in-depth analysis. Also, a holistic evaluation framework is developed containing three phases and 19 criteria. Findings revealed that most studies treat ISA as a multi-dimensional construct, and ISA researchers rarely conduct both pilot testing and pre-text evaluation while validating and refining the initial scales. Additionally, several articles did not report some of the essential elements used for checking the rigor of factor analysis, and evidence for validities of the identified scales is inadequate. Consequently, existing ISA specific scales must be improved both in terms of the methodological thoroughness of the scale development procedure and their validities. Moreover, not only justifying why the development of a new scale is necessary, but also improving the quality of the existing scales by doing multiple iterations is significant in the future. Likewise, the inclusion of all the dimensions of ISA, while generating the initial items pool is an important aspect to be considered. A thorough discussion, recommendations for future research, conclusions, and study limitations are provided.

Kelsey R. Ciagala,Sydney L. Reichin,Katherine Parsons,Samuel T. Hunter

DOI: https://doi.org/10.1016/j.ssci.2024.106518

IF: 6.392

2024-03-25

Safety Science

Abstract:Those tasked with protecting soft targets, including organizations, have tried to counteract threats against them by increasing security, yet the effectiveness of these measures remains largely unknown. Organizations, researchers, and practitioners can gain a more holistic understanding of how, when, why, and where security measures are effective (or ineffective) by examining organizational culture. The purpose of this paper more specifically is to build upon the current security culture models (i.e., Security Culture: Hofreiter et al., 2020: Nuclear Security Culture, IAEA, 2017) to propose a more comprehensive framework and nomological network of physical security culture that can be applied to organizations and soft targets. This article reviews the current understanding of physical security culture. Further, this article looks to the more developed information security culture and safety culture literatures to better understand how physical security culture may impact security outcomes in soft targets. This article also explores multiple avenues for future research that is needed to understand how physical security culture develops and how to best promote it for the health, safety, and security of employees.

engineering, industrial,operations research & management science

Anna Georgiadou,Spiros Mouzakitis,Dimitris Askounis

DOI: https://doi.org/10.3390/s21093267

IF: 3.9

2021-05-09

Sensors

Abstract:The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework provides a rich and actionable repository of adversarial tactics, techniques, and procedures. Its innovative approach has been broadly welcomed by both vendors and enterprise customers in the industry. Its usage extends from adversary emulation, red teaming, behavioral analytics development to a defensive gap and SOC (Security Operations Center) maturity assessment. While extensive research has been done on analyzing specific attacks or specific organizational culture and human behavior factors leading to such attacks, a holistic view on the association of both is currently missing. In this paper, we present our research results on associating a comprehensive set of organizational and individual culture factors (as described on our developed cyber-security culture framework) with security vulnerabilities mapped to specific adversary behavior and patterns utilizing the MITRE ATT&CK framework. Thus, exploiting MITRE ATT&CK’s possibilities towards a scientific direction that has not yet been explored: security assessment and defensive design, a step prior to its current application domain. The suggested cyber-security culture framework was originally designed to aim at critical infrastructures and, more specifically, the energy sector. Organizations of these domains exhibit a co-existence and strong interaction of the IT (Information Technology) and OT (Operational Technology) networks. As a result, we emphasize our scientific effort on the hybrid MITRE ATT&CK for Enterprise and ICS (Industrial Control Systems) model as a broader and more holistic approach. The results of our research can be utilized in an extensive set of applications, including the efficient organization of security procedures as well as enhancing security readiness evaluation results by providing more insights into imminent threats and security risks.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Richard Knight,Jason R.C. Nurse

DOI: https://doi.org/10.1016/j.cose.2020.102036

2020-12-01

Abstract:<p>A major cyber security incident can represent a cyber crisis for an organisation, in particular because of the associated risk of substantial reputational damage. As the likelihood of falling victim to a cyberattack has increased over time, so too has the need to understand exactly what is effective corporate communication after an attack, and how best to engage the concerns of customers, partners and other stakeholders. This research seeks to tackle this problem through a critical, multi-faceted investigation into the efficacy of crisis communication and public relations following a data breach. It does so by drawing on academic literature, obtained through a systematic literature review, and real-world case studies. Qualitative data analysis is used to interpret and structure the results, allowing for the development of a new, comprehensive framework for corporate communication to support companies in their preparation and response to such events. The validity of this framework is demonstrated by its evaluation through interviews with senior industry professionals, as well as a critical assessment against relevant practice and research. The framework is further refined based on these evaluations, and an updated version defined. This research represents the first grounded, comprehensive and evaluated proposal for characterising effective corporate communication after cyber security incidents.</p>

computer science, information systems

Cyril Onwubiko,Karim Ouazzane

DOI: https://doi.org/10.48550/arXiv.2202.02537

2022-02-05

Cryptography and Security

Abstract:Cybersecurity is now at the forefront of most organisational digital transformative agendas and National economic, social and political programmes. Hence its impact to society can no longer be seen to be one dimensional. The rise in National cybersecurity laws and regulations is a good indicator of its perceived importance to nations. And the recent awakening for social and ethical transparency in society and coupled with sustainability issues demonstrate the need for a paradigm shift in how cybersecurity discourses can now happen. In response to this shift, a multidimensional cybersecurity framework for strategic foresight underpinned on situational awareness is proposed. The conceptual cybersecurity framework comprising six domains such as Physical, Cultural, Economic, Social, Political and Cyber, is discussed. The guiding principles underpinning the framework are outlined, followed by in-depth reflection on the Business, Operational, Technological and Human (BOTH) factors and their implications for strategic foresight for cybersecurity.

Angelo Corallo,Mariangela Lazoi,Marianna Lezzi,Angela Luperto

DOI: https://doi.org/10.1016/j.compind.2022.103614

IF: 10

2022-05-01

Computers in Industry

Abstract:Cybersecurity is one of the main challenges faced by companies in the context of the Industrial Internet of Things (IIoT), in which a number of smart devices associated with machines, computers and people are networked and communicate with each other. In this connected industrial scenario, personnel need to be aware of cybersecurity issues in order to prevent or minimise the occurrence of cybersecurity incidents and corporate data breaches, and thus to make companies resilient to cyber-attacks. In addition, the recent increase in smart working due to the COVID-19 pandemic means that the need for cybersecurity awareness is more relevant than ever. In this study, we carry out a systematic literature review in order to analyse how the existing state of the art deals with cybersecurity awareness in the context of IIoT, and to provide a comprehensive overview of this topic. Four areas of analysis are considered: (i) definitions of the concepts of cybersecurity awareness and information security awareness, with keyword extrapolation (e.g. cybersecurity control level, information and responsibility); (ii) the industrial context of the analysed studies (e.g. manufacturing, critical infrastructure); (iii) the techniques adopted to raise company awareness of cybersecurity (e.g. serious games, online questionnaires); and (iv) the main benefits of a large-scale campaign of cybersecurity awareness (e.g. the effectiveness of employees in terms of managing cybersecurity issues, identification of cyber-attacks). Practitioners and researchers can benefit from our analysis of the features of each area in their future research and applications.

computer science, interdisciplinary applications

Temitayo Oluwaseun Abrahams,Sarah Kuzankah Ewuga,Samuel Onimisi Dawodu,Abimbola Oluwatoyin Adegbite,Azeez Olanipekun Hassan

DOI: https://doi.org/10.51594/csitrj.v5i1.699

2024-01-09

Computer Science & IT Research Journal

Abstract:In an era where digital threats are increasingly pervasive, understanding the evolution and efficacy of cybersecurity strategies in modern organizations is paramount. This study provides a comprehensive analysis of the dynamic landscape of cybersecurity, exploring its progression from traditional methods to innovative, technology-driven approaches. The digital age has ushered in complex cyber threats, necessitating robust cybersecurity measures. This study examines cybersecurity strategies' historical development, current trends, and future directions across different organizational contexts and industries. The primary aim is to assess the evolution and effectiveness of cybersecurity measures, identify existing gaps, and understand the interplay between human behavior, technology, and policy in cybersecurity. The paper encompasses a comprehensive methodological framework for cybersecurity analysis, exploring the effectiveness of traditional versus modern approaches, the role of AI and ML, and the impact of international policies. It also presents case studies to illustrate successes and failures in cybersecurity implementation. Key findings reveal a significant shift towards advanced technologies like AI and ML in cybersecurity, the critical role of human factors in shaping cybersecurity outcomes, and the influence of international policies in standardizing cybersecurity practices. The study concludes that effective cybersecurity strategies require a balanced approach, combining technological advancements with understanding human factors and adherence to international standards. Recommendations include continuous education and training, adopting holistic cybersecurity strategies, and aligning with international policies. Keywords: Cybersecurity, Artificial Intelligence, Machine Learning, International Policies, Human Factors, Cyber Threats.

Bilgin Metin,Fatma Gül Özhan,Martin Wynn

DOI: https://doi.org/10.3390/electronics13214226

IF: 2.9

2024-10-29

Electronics

Abstract:As businesses increasingly adopt digital processes and solutions to enhance efficiency and productivity, they face heightened cybersecurity threats. Through a systematic literature review and concept development, this article examines the intersection of digitalisation and cybersecurity. It identifies the methodologies and tools used for cybersecurity assessments, factors influencing the adoption of cybersecurity measures, and the critical success factors for implementing these measures. The article also puts forward the concept of cybersecurity governance process categories, which are used to classify the factors uncovered in the research. Findings suggest that current information security standards tend to be too broad and not adequately tailored to the specific needs of small and medium-sized enterprises (SMEs) when implementing emerging technologies, like Internet of Things (IoT), blockchain, and artificial intelligence (AI). Additionally, these standards often employ a top-down approach, which makes it challenging for SMEs to effectively implement them, as they require more scalable solutions tailored to their specific risks and limited resources. The study thus proposes a new framework based on the Plan-Do-Check model, built around the cybersecurity governance process categories and the three core pillars of governance, culture and standards. This is essentially a bottom-up approach that complements current top-down methods, and will be of value to both information technology (IT) professionals as an operational guide, and to researchers as a basis for future research in this field.

engineering, electrical & electronic,computer science, information systems,physics, applied

Franz T. Lohrke,Cynthia Frownfelter-Lohrke

DOI: https://doi.org/10.1177/03063070231200512

2023-09-08

Journal of General Management

Abstract:Journal of General Management, Ahead of Print. Firms continue to face increasing threats of financial and reputational damage from cybersecurity events. Despite increasing scholarly attention, our 25-year review of studies published in leading academic business journals demonstrates that extant research has generally examined antecedents (e.g., technological defenses), with more limited research focusing on managerial responses to or long-term performance outcomes from these events. Accordingly, we chronicle the current state of knowledge of these threats from a management (rather than from an information systems) perspective. We then highlight important future research opportunities for management scholars interested in developing or testing theory related to critical cybersecurity issues.

Areej Alyami,David Sammon,Karen Neville,Carolanne Mahony

DOI: https://doi.org/10.1108/ics-08-2022-0133

2023-07-30

Information and Computer Security

Abstract:Purpose Cyber security has never been more important than it is today in an ever more connected and pervasive digital world. However, frequently reported shortages of suitably skilled and trained information system (IS)/cyber security professionals elevate the importance of delivering effective Security Education,Training and Awareness (SETA) programmes within organisations. Therefore, the purpose of this study is the questionable effectiveness of SETA programmes at changing employee behaviour and an absence of empirical studies on the critical success factors (CSFs) for SETA programme effectiveness. Design/methodology/approach This exploratory study follows a three-stage research design to give voice to practitioners with SETA programme expertise. Data is gathered in Stage 1 using semi-structured interviews with 20 key informants (the emergence of the CSFs), in Stage 2 from 65 respondents to a short online survey (the ranking of the CSFs) and in Stage 3 using semi-structured interviews with nine IS/cyber security practitioners (the emergence of the guiding principles). Using a multi-stage research design allows the authors to propose and evaluate the 11 CSFs for SETA programme effectiveness. Findings This study conducted a mean score analysis to evaluate the level of importance of each CSF within two independent groups of IS/cyber security professionals. This multi-stage analysis produces a ranked list of 11 CSFs for SETA programme effectiveness, while the difference in the rankings leads to the emergence of five CSF-specific guiding principles (to increase the likelihood of delivering an effective SETA programme within an organisational context). This analysis also reveals that most of the contradictions/differences in CSF rankings between IS/cyber security practitioners are linked to the design phase of the SETA programme life cycle. While two CSFs, "maintain quarterly evaluation of employee performance" (CSF-DS6) and "build security awareness campaigns" (CSF-EV1), represent the most significant contradiction in this study. Originality/value The 11 CSFs for SETA programme effectiveness, along with the five CSF-specific guiding principles, provide a greater depth of knowledge contributing to both theory and practice and lays the foundation for future studies. Therefore, the outputs of this study provide valuable insights on the areas that practice needs to get right to deliver effective SETA programmes.

Mark Evans,Leandros A. Maglaras,Ying He,Helge Janicke

DOI: https://doi.org/10.48550/arXiv.1601.03921

2016-01-15

Cryptography and Security

Abstract:There continue to be numerous breaches publicised pertaining to cyber security despite security practices being applied within industry for many years. This article is intended to be the first in a number of articles as research into cyber security assurance processes. This article is compiled based on current research related to cyber security assurance and the impact of the human element on it. The objective of this work is to identify elements of cyber security that would benefit from further research and development based on the literature review findings. The results outlined in this article present a need for the cyber security field to look in to established industry areas to benefit from effective practices such as human reliability assessment, along with improved methods of validation such as statistical quality control in order to obtain true assurance. The article proposes the development of a framework that will be based upon defined and repeatable quantification, specifically relating to the range of human aspect tasks that provide, or are intended not to negatively affect cyber security posture.

W. Alec Cram,Jeffrey G. Proudfoot,John D’Arcy

DOI: https://doi.org/10.1057/s41303-017-0059-9

2017-11-01

European Journal of Information Systems

Abstract:A major stream of research within the field of information systems security examines the use of organizational policies that specify how users of information and technology resources should behave in order to prevent, detect, and respond to security incidents. However, this growing (and at times, conflicting) body of research has made it challenging for researchers and practitioners to comprehend the current state of knowledge on the formation, implementation, and effectiveness of security policies in organizations. Accordingly, the purpose of this paper is to synthesize what we know and what remains to be learned about organizational information security policies, with an eye toward a holistic understanding of this research stream and the identification of promising paths for future study. We review 114 influential security policy-related journal articles and identify five core relationships examined in the literature. Based on these relationships, we outline a research framework that synthesizes the construct linkages within the current literature. Building on our analysis of these results, we identify a series of gaps and draw on additional theoretical perspectives to propose a revised framework that can be used as a basis for future research.

information science & library science,management,computer science, information systems