Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan,Mehmet Sabih Aksoy,Wahyudin P Syam

DOI: https://doi.org/10.48550/arXiv.1204.0240

2012-04-02

Abstract:Actually Information security becomes a very important part for the organization's intangible assets, so level of confidence and stakeholder trusted are performance indicator as successes organization. Since information security has a very important role in supporting the activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter and more structured. The case study illustrated provided to the reader with a set of guidelines, that aims easy understood and applicable as measuring tools for ISMS standards (ISO27001) compliance.

Cryptography and Security,Software Engineering

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan,Mehmet Sabih Aksoy,Wahyudin P. Syam

DOI: https://doi.org/10.48550/arXiv.1203.6214

2012-03-28

Abstract:Actually Information security becomes a very important part for the organization's intangible assets, so level of confidence and stakeholder trusted are performance indicator as successes organization. Since information security has a very important role in supporting the activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter and more structured. The case study illustrated provided to the reader with a set of guidelines, that aims easy understood and applicable as measuring tools for ISMS standards (ISO27001) compliance.

Cryptography and Security

Gliner Dias Alencar,Hermano Perrelli de Moura,Ivaldir Honório de Farias Júnior,José Gilson de Almeida Teixeira Filho

DOI: https://doi.org/10.48550/arXiv.1807.06184

2018-07-17

Cryptography and Security

Abstract:The lack of security in information systems has caused numerous financial and moral losses to several organizations. The organizations have a series of information security measures recommended by literature and international standards. However, the implementation of policies, actions, and adjustment to such standards is not simple and must be addressed by specific needs identified by the Information Security Governance in each organization. There are many challenges in effectively establishing, maintaining, and measuring information security in a way that adds value. Those challenges demonstrate a need for further investigations which address the problem. This paper presents a strategy to measure the maturity in information security aiming, also, to assist in the application and prioritization of information security actions in the corporate environment. For this, a survey was used as the main methodological instrument, reaching 157 distinct companies. As a result, it was possible to classify the ISO/IEC 27001 and 27002 controls in four stages according to the importance given by the companies. The COBIT maturity levels and a risk analysis matrix were also used. Finally, the adaptable strategy was successfully tested in a company

Oluwatoyin Esther Akinbowale,Heinz Eckart Klingelhöfer,Mulatu Fekadu Zerihun

DOI: https://doi.org/10.1016/j.heliyon.2022.e12054

IF: 3.776

2022-12-05

Heliyon

Abstract:The main objective of this study is to employ the four perspectives of the Balanced Scorecard (BSC) for the analysis of cyberfraud in the South African Banking industry. In addition, this study develops a BSC strategic management control framework for mitigating the effect of cyberfraud in the South African Banking industry. To achieve these objectives, a qualitative approach involving the use of a structured questionnaire for data collection was used. The structured questionnaire made available to the staff of 17 licensed banks in South Africa in charge of management, administration and operations sections. Then the four perspectives of BSC i.e., the financial, internal business processes, customer as well as learning and growth perspectives were captured. The analysis of the responses obtained from primary data was carried out using a bar chart, and this led to the development of a BSC strategic management control framework for mitigating the effects of cyberfraud. The findings from this study show that the customer perspective, has 90.47% percent response from the indicators followed by learning and growth which relates to the employees (85.71%). The internal business processes are ranked in the third position with 57.26% while the financial perspective has the least with a percent response of 39.97%. This implies that the South African banking sector pays more attention to the non-financial than the financial measures. The implementation of the proposed BSC framework may help to promote cyberfraud reduction, improve management control systems, performance measurements, as well as customers' and shareholders' satisfaction.

M.M Eloff,S.H von Solms

DOI: https://doi.org/10.1016/s0167-4048(00)88613-7

2000-03-01

Abstract:The present article is aimed at clarifying the oft-times confusing terminology and at elucidating the various approaches obtaining to the realm of Information Security (IS) management. The IS management approaches selected for discussion in this article will specifically address those rudiments and concepts that play a key role in the assessment of the IS status of an organization. Following, a hierarchical framework will be developed in terms of which to elucidate ill-defined terms and concepts. By so doing, issues such as certification, benchmarking, guidelines and codes of practice will come under consideration. IS management approaches widely accepted in the international arena will also be mapped onto the said hierarchical framework.

computer science, information systems

Jitender Kumar,Neha Prince,H. Kent Baker

DOI: https://doi.org/10.1177/23197145211049625

2021-11-07

FIIB Business Review

Abstract:This study provides a systematic literature review on the balanced scorecard (BSC), highlights gaps in the literature and identifies areas for further research. We review a sample of 114 BSC articles published in 14 accounting and 56 management journals between 1992 and 2021. Each article must either be in the Australian Business Deans Council (ABDC), Scopus-indexed or Academic Journal Guide (AJG) list, or receive at least 100 citations, as reported by Google Scholar. We separate the BSC literature into 11 major themes, examine the research methods, statistical tools used and identify the country affiliated with the authors. Companies typically use the BSC as a performance measurement system instead of a management control system. The BSC is more compatible with private versus public sector organizations. Successful implementation of the BSC requires support from the top management and effective communication and coordination. Additionally, a cause-and-effect relationship should exist among its four perspectives—customers, internal business, innovation and learning, and financial. BSC’s critics question its superiority over other performance measurement tools. But the number of supporters is much higher than the opponents. Articles mainly focus on developed, not developing, countries and tend to be conceptual papers rather than data-based empirical studies. The most commonly used statistical tool used is regression analysis. Our review of BSC articles provides insights about BSC strategy, implementation, execution and control that should be of interest to researchers and managers. However, this qualitative study uses judgment to identify BSC themes.

Ankur Shukla,Basel Katt,Livinus Obiora Nweke,Prosper Kandabongee Yeng,Goitom Kahsay Weldehawaryat

DOI: https://doi.org/10.1016/j.cosrev.2022.100496

2022-07-29

Abstract:System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.

Cryptography and Security,Software Engineering

Mohamed Hegazy,Karim Hegazy,Mohamed Eldeeb

DOI: https://doi.org/10.1177/0148558X20962915

2020-10-17

Journal of Accounting, Auditing and Finance

Abstract:The purpose of this article is to establish a framework with its related measures for the development of a balanced scorecard (BSC) for auditing firms. A BSC was developed providing the detailed measures for performance evaluation comprising five key elements: learning and growth, clients, internal business processes, financials, and audit-related perspectives of corporate ethics. A survey was undertaken along with descriptive statistics and confirmatory factor analysis in four auditing firms, to assess the external auditors' opinions for the proposed BSC measures. The results suggest that the development and use of the proposed BSC measures will enhance audit firms' performance. Audit firms would have a better understanding of the various drivers of performance and strategies thereby creating a competitive advantage. The results are valuable to not only audit firms but also auditing oversight boards who could direct the design of their monitoring process by understanding performance systems in different size audit firms.

Sabine Goldes,Ralf Schneider,Christian M. Schweda,Jawed Zamani

DOI: https://doi.org/10.1109/cybconf.2017.7985763

2017-06-01

Abstract:Information Security is a topic of increasing importance for organizations today. The triad of professionalization and industrialization of cyber-crime, globalization and digitalization of business models, and increasing regulatory focus on data protection exerts pressure on organizations and enterprises to implement sophisticated Information Security Management Systems (ISMS). Best-practices for implementing such systems are given by multiple de-facto standards, whereas blueprints for ISMS are relatively scarce. In this paper we discuss design requirements for a modern Information Security Management System, derive a blueprint for such a system based on the viable system approach, and exemplify constituents of the blueprint from the environment of an insurance enterprise.

Knut Haufe,Ricardo Colomo-Palacios,Srdan Dzombeta,Knud Brandis,Vladimir Stantchev

DOI: https://doi.org/10.12821/ijispm040402

2022-02-02

International Journal of Information Systems and Project Management

Abstract:Securing sensitive organizational data has become increasingly vital to organizations. An Information Security Management System (ISMS) is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security. Key elements of the operation of an ISMS are ISMS processes. However, and in spite of its importance, an ISMS process framework with a description of ISMS processes and their interaction as well as the interaction with other management processes is not available in the literature. Cost benefit analysis of information security investments regarding single measures protecting information and ISMS processes are not in the focus of current research, mostly focused on economics. This article aims to fill this research gap by proposing such an ISMS process framework as the main contribution. It is based on a set of agreed upon ISMS processes in existing standards like ISO 27000 series, COBIT and ITIL. Within the framework, identified processes are described and their interaction and interfaces are specified. This framework helps to focus on the operation of the ISMS, instead of focusing on measures and controls. By this, as a main finding, the systemic character of the ISMS consisting of processes and the perception of relevant roles of the ISMS is strengthened.

Yassine Rdiouat,Samir Bahsani,Mouhsine Lakhdissi,Alami Semma

DOI: https://doi.org/10.48550/arXiv.2109.07281

2021-09-13

Software Engineering

Abstract:Facing an environment increasingly complex, uncertain and changing, even in crisis, organizations are driven to be agile in order to survive. Agility, at the core heart of business strategy, represents the ability to grow in a competitive environment of continuous and unpredictable changes with information systems perceived as one of its main enablers. In other words, to be agile, organizations must be able to rely on agile enterprise information systems/information technology (IT/IS). Since, the agility needs are not the same among stakeholders, the objective of this research is to develop a conceptual model for the achievement and assessment of IT/IS agility from balanced perspectives to support agile organizations. Several researches have indicated that the IT balanced scorecard (BSC) approach is an appropriate technique for evaluating IT performance. This paper provides a balanced-scorecard based framework to evaluate the IS agility through four perspectives: business contribution, user orientation, operation excellence and innovation and competitiveness. The proposed framework, called IS Agility BSC, propose a three layer structure for each of the four perspectives: mission, key success factors, and agility evaluation criteria. According to this conceptual model, enterprise information systems agility is measured according to 14 agility key success factors, over the four BSC Perspectives, using 42 agility evaluation criteria that are identified based on literature survey methodology. This paper explores agility in the broader context of the enterprise information systems. The findings will provide, for both researchers and practitioners, a practical approach for achieving and measuring IS agility performance to support organizations in attempt to become agile as a new condition of surviving in the new business world.

Mikko Siponen,Robert Willison

DOI: https://doi.org/10.1016/j.im.2008.12.007

2009-06-01

Abstract:International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

information science & library science,management,computer science, information systems

Charlette Donalds,Corlane Barclay

DOI: https://doi.org/10.1080/0960085X.2021.1978344

2021-09-23

European Journal of Information Systems

Abstract:The evolving sophistication of threats and the impact of security breaches have caused managers to continually grapple with strategies to reduce these risks. One common security control is the adoption of information security policies (ISPs) geared at improving employees' compliance behaviour. However, there is mounting empirical evidence that shows that ISP compliance is a challenging undertaking with less than satisfactory outcomes. Further, little attention is placed on developing economies in the study of this phenomenon. This research adopts a values-based methodology to determine fundamental and means objectives in maximising employees' compliance with ISPs in a developing economy context. The research identifies 30 objectives and demonstrates that risk mitigation, people, technical and organisational factors are essential to improving compliance. The results contribute objectives, contextualised to the people for whom the results are relevant, thus promoting deeper understanding. The research offers utility to managers in the design and implementation of InfoSec strategies and policies. The findings can also inform investment decisions regarding compliance tools, methods and technologies. Recognising that security (information and cyber) threats are a global dilemma, we contend that investigating forms of security risks and potential solutions can mitigate the social and economic costs of security incidents.

information science & library science,management,computer science, information systems

Punto Widharto,Zaldy Suhatman,Rizal Fathoni Aji

DOI: https://doi.org/10.12928/telkomnika.v20i2.21668

2022-04-01

TELKOMNIKA (Telecommunication Computing Electronics and Control)

Abstract:The very close involvement of technology in the banking industry makes almost all banking activities and products currently dependent on information technology (IT). PT BPRS Bhakti Sumekar (PT BBS Bank) is one of the banks that realizes the importance of IT in the digital era and has included IT as part of the company's strategic plan. The company states that compliance with regulations, best practices, and standards is key to a successful IT implementation. In this study, the measurement of the capability level of corporate IT governance was conducted to determine what IT priorities were based on the company's strategic objectives and what recommendations could be given based on best practices to improve IT services in support of the company's strategic goals. The framework to be used is control objective for information and related technology (COBIT); the most widely used framework suitable for service-oriented organizations. The results of research using COBIT 2019 show how IT governance is needed by the company and what should be prioritized. The measurement results found that there is still a gap between management's expectations and the current level of capability and provide recommendations on what companies need to improve performance in order to meet expectations.

Hossein Moinzad,Mohammad H Akbarzadeh

DOI: https://doi.org/10.1002/hsr2.926

2022-11-18

Abstract:Background and aims: Although many health strategic plans have been developed by scholars and organizations, they still suffer from a limited view. Since most health-related strategies in the future will depend on information technology (IT), as the main driver of today's industry, technology, and society, IT merits attention in health strategic plans. While the majority of the health strategic plan developed based on the interviews and questioner and these plans didn't consider the role of IT in their actions, this research will develop a framework to integrate risk and maturity analysis with the strategic planning process in health information technology strategic plan. Methods: The present research introduces an integrated framework based on a balanced scorecard (BSC) and control objectives for information and related technologies (COBIT). Also, The American Productivity & Quality Centre framework and COBIT were employed in this model to define the processes and activities of health IT (HIT) organizations. The organization's maturity and risk are analyzed in terms of information and management criteria using BSC, COBIT, and the analytical hierarchy process. Results: Later this model was implemented in a Remote Health care System to improve the strategic management process for this technology. Using this framework, 17 business goals have been developed and presented for the case. Also, the total related risk was 48% and the maturity level was at 1/18. The results are presented as decision-making parameters and strategies for successful IT implementation. Conclusion: The presented framework provides deeper insight for the decision-maker through integrating risk and maturity analysis in the HIT strategic planning process. The results are presented as decision-making parameters and strategies for successful IT implementation. These strategies help investors decide about resource allocation based on the risk-taking capability, certainty, and uncertainty results of the plan.

Raibagkar, Shirish S.

DOI: https://doi.org/10.1007/s11115-022-00646-5

2022-06-29

Public Organization Review

Abstract:This paper, presents the case of the South African Revenue Service (SARS), whose strategic planning reflects features of the balanced scorecard (BSC) approach. The strategic plan documents of the SARS were examined. Applying manifest and latent content analysis it is highlighted how the mission, vision, and strategy have been translated into objectives that have key performance indicators, targets, and initiatives. Some of its recent performance achievements are proof of the potential that a tool like BSC holds. The SARS strategic plan is a motivating case and a learning input for government organizations dealing with the intricacies of the BSC systematically. Other revenue collecting and government agencies can consider adopting of a similar approach.

Rishi Dwivedi,,Kanika Prasad,Nabankur Mandal,Shweta Singh,Mayank Vardhan,Dragan Pamucar,,,,,

DOI: https://doi.org/10.31181/dmame2104033d

2020-12-13

Abstract:Recent economy and financial business environment is undergoing a quick and accelerating revolution and paradigm shift, resulting in growing uncertainty and complexity. Therefore, the need for an all-inclusive and far-reaching performance measurement model is universally felt as it can provide management-oriented information and act as a supporting tool in developing, inspecting, and interpreting policy-making strategies of an enterprise to achieve competitive advantages. Hence, this paper proposes an application of the balanced scorecard (BSC) model in an insurance organization for coordinating and regulating its corporate vision, mission, and strategy with organizational performance through the interrelation of different layers of business perspectives. In the next stage, a framework to unify both BSC and best-worst method (BWM) models is implemented for the very first time in the insurance domain to assess its performance over two-time periods. The integrated BSC-BWM model can help managers and decision-makers to figure out and interpret competing strength of the said enterprise and consecutively expedite inefficient and compelling decision making. Nevertheless, this integrated model is embraced and selected for a certain categorical business and there is enough future scope for its application to distinct industries.

Kaja Prislan,Anže Mihelič,Igor Bernik

DOI: https://doi.org/10.1371/journal.pone.0238739

IF: 3.7

2020-09-08

PLoS ONE

Abstract:Measuring the performance of information security is an essential part of the information security management system within organisations. Studies in the past mainly focused on establishing qualitative measurement approaches. Since these can lead to ambiguous conclusions, quantitative metrics are being increasingly proposed as a useful alternative. Nevertheless, the literature on quantitative approaches remains scarce. Thus, studies on the evaluation of information security performance are challenging, especially since many approaches are not tested in organisational settings. The paper aims to validate the model used for evaluating the performance of information security management system through a multidimensional socio-technical approach, in a real-world settings among medium-sized enterprises in Slovenia. The results indicate that information security is strategically defined and compliant, however, measures are primarily implemented at technical and operational levels, while its strategic management remains underdeveloped. We found that the biggest issues are related to information resources and risk management, where information security measurement-related activities proved to be particularly problematic. Even though enterprises do possess certain information security capabilities and are aware of the importance of information security, their current practices make it difficult for them to keep up with the fast-paced technological and security trends.

Harrison Stewart,Jan Jürjens

DOI: https://doi.org/10.1108/ics-07-2016-0054

2017-11-13

Information and Computer Security

Abstract:Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset. Design/methodology/approach Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B. Findings Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own. Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings. Practical implications In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed. Social implications The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps. Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Šarūnas Grigaliūnas,Rasa Brūzgienė,Michael Schmidt,Panayiota Smyrli,Stephanos Andreou,Audrius Lopata

DOI: https://doi.org/10.3390/electronics13193955

IF: 2.9

2024-10-09

Electronics

Abstract:The growing complexity of cybersecurity threats demands a robust framework that integrates various security domains, addressing the issue of disjointed security practices that fail to comply with evolving regulations. This paper introduces a novel information security management and compliance framework that integrates operational, technical, human, and physical security domains. The aim of this framework is to enable organizations to identify the requisite information security controls and legislative compliance needs effectively. Unlike traditional approaches, this framework systematically aligns with both current and emerging security legislation, including GDPR, NIS2 Directive, and the Artificial Intelligence Act, offering a unified approach to comprehensive security management. The experimental methodology involves evaluating the framework against five distinct risk scenarios to test its effectiveness and adaptability. Each scenario assesses the framework's capability to manage and ensure compliance with specific security controls and regulations. The results demonstrate that the proposed framework not only meets compliance requirements across multiple security domains but also provides a scalable solution for adapting to new threats and regulations efficiently. These findings represent a significant step forward in holisticsecurity management, indicating that organizations can enhance their security posture and legislative compliance simultaneously through this integrated framework.

engineering, electrical & electronic,computer science, information systems,physics, applied