Samuel Cris Ayo,Bonaventure Ngala,Olasunkanmi Amzat,Robin Lal Khoshi,Samarappulige Isuru Madusanka

DOI: https://doi.org/10.48550/arXiv.1812.04659

2018-12-12

Abstract:Owing to recorded incidents of Information technology inclined organisations failing to respond effectively to threat incidents, this project outlines the benefits of conducting a comprehensive risk assessment which would aid proficiency in responding to potential threats. The ultimate goal is primarily to identify, quantify and control the key threats that are detrimental to achieving business objectives. This project carries out a detailed risk assessment for a case study organisation. It includes a comprehensive literature review analysing several professional views on pressing issues in Information security. In the risk register, five prominent assets were identified in respect to their owners. The work is followed by a qualitative analysis methodology to determine the magnitude of the potential threats and vulnerabilities. Collating these parameters enabled the valuation of individual risk per asset, per threat and vulnerability. Evaluating a risk appetite aided in prioritising and determining acceptable risks. From the analysis, it was deduced that human being posed the greatest Information security risk through intentional/ unintentional human error. In conclusion, effective control techniques based on defence in-depth were devised to mitigate the impact of the identified risks from risk register.

Computers and Society,Cryptography and Security

Ziniya Zahedi,Faisal Mahmud,Cesar Pinto

DOI: https://doi.org/10.3233/SHTI200016

2023-12-11

Abstract:Electronic patient data use and handling are critical issues in terms of privacy, confidentiality, security, and the Health Insurance Portability and Accountability Act (HIPAA) regulations. The risks associated with electronic patient data are not limited to identity theft but rather include a person's social, economic, and psychological well-being. However, there have not been many studies that have focused on the associated risk factors that could lead to these situations. This paper identifies those risks related to electronic patient data breaches by means of a grounded theory approach and develops a systemic risk management plan that enables engineering managers and risk managers to more effectively and efficiently overcome risks associated with electronic patient data. Purpose: The purpose of this paper is to identify the risks associated with electronic patient data breach using a grounded theory approach and also to recommend a set of guidelines to support a better, effective, and efficient system and thereby overcome these risks. Patients and methods: No patients were involved either to participate in this study or any of their opinions are reflected with this research.

Yudie Aprianto

DOI: https://doi.org/10.24258/jba.v17i3.927

2021-12-28

Jurnal Borneo Administrator

Abstract:Public information is one of the government's efforts to provide public information regarding their performance and activities. However, even some regulations guide them, practice in public information management has not been optimal considering the information risks and threats, such as disclosing inappropriate information. For this reason, the literature study seeks to explore some efforts that can be made in information management, especially in Indonesia. This qualitative study tries to categorize and describe the management of public information in risk management and public information security in terms of technological management, process management, and human resource management. Technological management is expected to have an information system capable of providing a sense of security from threats, both malware and in building an effective system. Process management includes procedures, auditing, and a holistic approach to realizing effective public information management. Finally, human resource management emphasizes the importance of improving the quality of agents through training and leadership to act not only as a leader but also as a navigator and a translator of public information management. This study proposes a conceptual model based on those themes to minimize the effects of risks and threats on public information. Limitations and suggestions for future research are also discussed.

Harrison Stewart,Jan Jürjens

DOI: https://doi.org/10.1108/ics-07-2016-0054

2017-11-13

Information and Computer Security

Abstract:Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset. Design/methodology/approach Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B. Findings Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own. Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings. Practical implications In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed. Social implications The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps. Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Joshua Nterful,Ibrahim Osman Adam,Muftawu Dzang Alhassan,Abdallah Abdul-Salam,Abubakar Gbambegu Umar

DOI: https://doi.org/10.1108/ics-11-2022-0174

2024-03-01

Information and Computer Security

Abstract:Purpose This paper aims to identify the critical success factors in improving information security in Ghanaian firms. Design/methodology/approach Through an exploratory study of both public and private Ghanaian organizations. The study relied on a research model based on the technology–organization–environment (TOE) framework and a survey instrument to collect data from 525 employees. The data was analyzed using partial least squares-structural equation modeling (PLS-SEM). Findings The findings confirm the role of the technological, organizational and environmental contexts as significant determinants in the implementation of information security in Ghanaian organizations. Results from PLS-SEM analysis demonstrated a positive correlation between the technology component of information security initiative, organization's internal efforts toward its acceptance and a successful implementation of information security in Ghanaian firms. Top management support and fund allocation among others will result in positive information security initiatives and positive attitudes toward securing the organization's information assets. Research limitations/implications The authors discussed the implications of the authors' findings for research, practice and policy. Social implications The results of this study will be useful for both governmental and non-governmental organizations in terms of best practices for increasing information security. Results from this study will aid organizations in developing countries to better understand their information security needs and identify the necessary procedures to address them. Originality/value This study contributes to filling the knowledge gap in organizational information security research and the TOE framework. Despite the TOE framework being one of the most influential theories in contemporary research of information system domains in an organizational context, there is not enough research linking the domains of information security and the TOE model.

Lam‐for Kwok,Dennis Longley

DOI: https://doi.org/10.1108/09685229910255179

1999-03-01

Abstract:Information security management has been placed on a firmer footing with the publication of standards by national bodies. These standards provide an opportunity for security managers to gain senior management recognition of the importance of procedures and mechanisms to enhance information security. They may also place demands on security managers to provide convincing demonstration of conformance to the standards. The risk data repository (RDR) computer model described in this paper was developed to manage organisational information security data and facilitate risk analysis studies. The RDR provides a form of computer documentation that can assist the security officer to maintain a continuous record of the organisational information security scenario and facilitate system security development, business continuity planning and standards conformance audits.

Peter Kennedy Otieno Mutula,Pamela Engairo,Doreen Kimathi

DOI: https://doi.org/10.61108/ijiir.v2i1.78

2024-02-19

Abstract:Projects are marred with various challenges and uncertainties from the onset of their inception to implementation and completion phases. These uncertainties if not mitigated properly affect subsequent delivery of project objectives thereby causing delays, cost overruns and sometimes may lead to project failures. Therefore, risk response planning are major features in project management that project managers, project teams and related stakeholders must effectively employ to deal with the risks and uncertainties that may interfere with the projects in order to realize the project success. This study therefore sought to analyze the effect of risk response planning on project implementation among faith-based organizations in Kenya. The study focused on the projects in the Catholic Diocese of Ngong. Contingency theories informed the foundation upon which the study variables were reviewed to establish their relationships. The study adopted a descriptive case design to analyze how risk management practices affect the implementation of projects in Catholic Diocese of Ngong. The target population involved 240 members that were drawn from the PPC and PEC. The sample size was 72 members whom were selected by simple random sampling and purposive sampling techniques to give each member in the population a chance of selection and ensure that only those with relevant information are involved in the study. A structured questionnaire aided in gathering primary data for the study. The questionnaires were issued to the respondents through a drop and pick method and data collected were analyzed with the help of statistical packages for social sciences (SPSS) version 23. Quantitative data were analyzed using descriptive analysis while qualitative data were analyzed through content analysis and data presented in frequency tables, pie charts and graphs. The study found a strong significant positive relationship between risk response planning and project implementation.. The study recommended that organizations should formulate and put in place elaborate risk response plans to enable them succeed in their project implementation. The researcher further recommends for more studies to be conducted on risk response plans other than the ones the study concentrated as they only accounted for 57.8%.

DOI: https://doi.org/10.47191/jefms/v5-i9-03

2022-09-03

Abstract:All public and private sector organizations are vulnerable to internal and external integrity risks, such as fraud and corruption and others. In the absence of mechanisms to identify, analyze and manage these risks, they can have negative consequences such as economic losses, security applications and reputational applications. In turn, these impacts can erode citizens' trust in public services and trust in government. In order to preserve the integrity of public sector organizations, effective risk management systems are essential, especially in high-risk areas, such as financial management, information technology, fraud and corruption among others. in a context characterized by an uncertain organizational environment. By adopting a risk-based approach, public sector organizations can apply laudable controls that strengthen oversight, without unduly burdening the organization or impairing efficiency. At the same time, it can reduce the perception of excessive control burden among staff and thus reinforce their full commitment to integrity. The objective of our article is to define new concepts relating to the study of risk and risk management in the public sector.

Jhon Arista Alarcon

DOI: https://doi.org/10.47909/dtr.05

2023-05-16

Abstract:A risk management model makes it possible to explore the organizational factors and risk management practices that affect or delay the achievement of the objectives that are considered strategic. The purpose of managing risks is to develop a detailed analysis of the organization, its operations, assets, processes and their existing interrelationships in order to establish a complete list of risks, which implies identifying, analyzing and providing alternative treatment to risks. actual and potential. Therefore, a risk management model obtains too much importance when focusing on the needs of the organization in a specific way, since it is not only about copying norms or policies of one organization to mitigate the risks of another, but each of these has different scenarios or contexts.

,Rinaldi Rinaldi,Sutrisno T,,Yeney Widya Prihatiningtias,

DOI: https://doi.org/10.32535/jcda.v7i3.3406

2024-09-20

Journal of The Community Development in Asia

Abstract:Risk management is essential in both private and public sectors to ensure financial stability and maximize stakeholder value. Despite Indonesia's National Medium-Term Development Plan mandating risk management in public organizations like the Ministry of Public Works and Housing (Ministry of PUPR), its implementation has faced challenges, including bribery and incomplete projects. This study examines the effects of human resources, budget allocation, and regulations on risk management effectiveness, with organizational culture as a moderating variable. Using a survey-based quantitative approach, data from employees in Echelon II Work Units at the Ministry of PUPR was analyzed through Structural Equation Modeling (SEM) with Partial Least Square (PLS). The findings reveal that human resources, budget, and regulations positively impact risk management effectiveness. However, organizational culture plays a mixed role, enhancing the impact of regulations while weakening the budget's effect and not significantly amplifying human resources on risk management. The study concludes that optimizing risk management requires focusing on human resources, aligning organizational culture with regulations, and managing budget impacts carefully

Gloria Atete,Eugenia Irechukwu,Osiemo Kengere

DOI: https://doi.org/10.47672/ajf.733

2021-06-19

American Journal of Finance

Abstract:Purpose: This research study generally assessed the relationship between Investment risk management and financial performance of Rwanda Social Security Board. It equally important assessed the effect of risk environment, analyzed the effect of risk control, and assessed the effect of risk monitoring on the financial performance of the Rwanda Social Security Board (RSSB). Materials and Methods: The used research design in this study was descriptive. A sample size of 125 respondents was drawn from 180 employees working in RSSB Headquarters. The study used a purposive sampling technique to select respondents. Information was collected using a structured questionnaire administered to respondents and statistically analysed using means, standard deviation and regression analysis via SPSS version 25.0. Results: Results from the first objective shown by a mean M=5.87 and standard deviation SD=2.77 strongly agreed with the statement that a formal risk management system is in place and overall investment objectives are defined and communicated to staff. The study agreed that RSSB Board of Directors approves all investment policies and ensures management takes necessary action. As shown by the mean M =5.45, S.D=1.96. The study concurred that guidelines governing investments are in place and RSSB stands on it, demonstrated by M= 5.67, S. D=0.499. From the results, the second objective demonstrated that the respondents strongly agreed that RSSB ensures that principles and procedures relating to investment and risk response is followed consistently. By M =5.87, S.D=2.77, duties are separated at different levels of management and the Board strongly agreed by M=5.58, SD=2.037, and testing, auditing, assessments of RSSB investment procedures are performed by independent personnel strongly agreed by M =5.85, S.D =2.07. A proactive way to deal with risk administration includes designating risk spending plans and setting risk resilience. Portfolio managers should practice vigilance inside plainly characterized boundaries as a component of their investment strategy. The result from the third objective revealed that there is a strong monitor of investment threshold and rating of sound investments by M =5.58, S.D =2.77. When the risks have been characterized and controls have been set around these risks, a methodical procedure of ordinary observing and detailing of these risks by a independent group guarantees approval and consistency of the approach. Regression analysis, a unit increment in risk environment may bring to increment in productivity by 2.008. A unit enhancement in risk control might bring an increase in productivity by 0.887. Recommendations: From the research findings presented, the study recommended the need to dissect the risk of administrations and consumptions. There is a requirement for the management to completely comprehend their commitments and take fundamental activities in guaranteeing money back, train workers to change their center convictions and help to guarantee the effective achievement of firm objectives. Management should work to improve cost and expenses risk management, even if the current ratio was better, management will need to significantly reduce expenses.

Enrico Bracci,Tallaki Mouhcine,Tarek Rana,Danture Wickramasinghe

DOI: https://doi.org/10.1080/09540962.2021.1963071

2021-08-23

Abstract:While it is becoming pervasive and unavoidable in every organization, risk management (RM) interacts with control systems in public sector organizations (PSOs). This article presents a literature review showing that PSOs design and implement risk-based control systems arbitrarily. This leads to the issue of appropriate integration of RM in management accounting and control systems (MACS). Despite the importance of integrated RM, the existing literature shows that issues of RM are not well integrated at the MACS level, and that a radical cultural shift is still required in PSOs. Future RM studies must provide empirical data about integration in practice.

public administration

Fitri Wijayanti,Dana Indra Sensuse,Arief Anthadi Putera,Andy Syahrizal

DOI: https://doi.org/10.1109/ic2ie50715.2020.9274574

2020-09-15

Abstract:The DRC of the Ministry XYZ has suffered from a system breach. The DRC's problem will lead to a lack of system information security, availability, and an increasing threat to the whole system of Ministry XYZ. In 2019, the KAMI Index assessment of the Ministry XYZ stated that the level of maturity and completeness of the application of ISO 27001 standards of the XYZ Ministry were at the level of fulfillment of the basic framework. There is a gap between the assessment result and the operational problem within the DRC of Ministry XYZ due to the lack of an information security management system. Therefore, this study conducts the same KAMI Index assessment within the scope of the DRC only and aims to offer a recommendation based on ISO 27001 as the basis of the KAMI Index assessment. This study used discussion, observation, and KAMI Index assessment tools for collecting data and analyze the result. The assessment result of the DRC showed that the maturity level of the ISO 27001 standard on the DRC is on the application of the basic framework. The suggested recommendations to improve the information security management system of the DRC were mostly in the aspect of the information security framework and assets management.

Ejiofor Oluomachi,Akinsola Ahmed,Wahab Ahmed,Edozie Samson

DOI: https://doi.org/10.29322/IJSRP.14.02.2023.p14610

2024-04-17

Abstract:This article assesses the effectiveness of current cybersecurity regulations and policies in the United States amidst the escalating frequency and sophistication of cyber threats. The focus is on the comprehensive framework established by the U.S. government, with a spotlight on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and key regulations such as HIPAA, GLBA, FISMA, CISA, CCPA, and the DOD Cybersecurity Maturity Model Certification. The study evaluates the impact of these regulations on different sectors and analyzes trends in cybercrime data from 2000 to 2022. The findings highlight the challenges, successes, and the need for continuous adaptation in the face of evolving cyber threats

Cryptography and Security,Computers and Society

Malaya Nayak,

DOI: https://doi.org/10.35940/ijeat.c5629.029320

2020-02-28

International Journal of Engineering and Advanced Technology

Abstract:In this paper we introduce a project risk control strategy that is developed regarding IT organizations, requiring them to operate their projects having further securities along with regular procedures. Successful completion of these projects is essential for their advancements, like process improvement, market adaptation and new regulation, including the integration of information and control systems, etc. Often, project managers are not real strategic planning experts, however, the projects will have to still be driven by limited paperwork with sufficient opportunity to be autonomous. This paper attempts to build a method with a comprehensive investigation throughout a large proportion of IT companies regarding the project risk reduction strategy described herein. This approach is focused on risk evaluation and management of IT projects within the organizations, which, provides easy, suggested steps as well as recommended methods, models and threat check-lists. Results were evaluated by5 successful IT project managers dealing in categories of IT business including software engineering firms from different attributes (creativity, software solutions as well as ICT frameworks).

Jeb Webb,Atif Ahmad,Sean B. Maynard,Graeme Shanks

DOI: https://doi.org/10.1016/j.cose.2014.04.005

2014-07-01

Abstract:Information security risk management (ISRM) is the primary means by which organizations preserve the confidentiality, integrity and availability of information resources. A review of ISRM literature identified deficiencies in the practice of information security risk assessment that inevitably lead to poor decision-making and inadequate or inappropriate security strategies. In this conceptual paper, we propose a situation aware ISRM (SA-ISRM) process model to complement the information security risk management process. Our argument is that the model addresses the aforementioned deficiencies through an enterprise-wide collection, analysis and reporting of risk-related information. The SA-ISRM model is adapted from Endsley's situation awareness model and has been refined using our findings from a case study of the US national security intelligence enterprise.

computer science, information systems

Ananda E S Setyadji,Arief R R Putrananda,Daffa H Permadi,Rais I Nustara,Reyhan B Pratama,Tegar A Masyhuda,Eva Hariyanti

DOI: https://doi.org/10.33387/jiko.v6i2.6182

2023-08-06

JIKO (Jurnal Informatika dan Komputer)

Abstract:Information Technology Governance is currently widely implemented in companies. One of the domains that can be of concern is risk management. The application of TKTI in this domain can help companies identify, evaluate, reduce, and manage risks related to their business to achieve company goals better. In this case, three frameworks can be considered, including NIST, ISO 27001, and Octave, but implementing these frameworks only sometimes goes as planned. This study aims to identify the factors that cause the ineffectiveness of implementing Information Technology Governance (ITG) in the risk management domain using the NIST, ISO 27001, and Octave frameworks. Through an analysis of existing literature and data processing, this study found that factors such as lack of understanding of the framework, lack of adequate resources, and implementation challenges play an essential role in ineffectiveness. This study concludes by providing valuable insights for organizations seeking to strengthen their risk management capabilities.

Tanvir Rahman Akash,Jafrin Reza,MD Ashraful Alam

DOI: https://doi.org/10.30574/wjarr.2024.23.1.2206

2024-07-30

World Journal of Advanced Research and Reviews

Abstract:Systemic risks are relevant to most segments of financial and economic activity, which creates the threat of financial instability of enterprises. Financial security, in this case, implies the state of financial soundness; it is expressed through various parameters including the level of solvency, financial stability, business activity, and efficiency of management. These questions are specific to each indicator, and this paper aims to understand their relations and how changes in them can result in risks. It elaborates the risk analysis and assessment procedure that uses a set of common financial analysis tools and determines key financial coefficients. Liquidity ratios, solvency ratios, profitability ratios, and the risk exposure metrics are the key areas that the research is based on. Correlating the financial indicators from a rich dataset from Yahoo’s Stock market data, regression analysis is used to determine these relationships between these indicators and risk management factors. A positive relationship between liquidity ratios and profitability is detected points to the fact that, firms with high liquidity levels are more capable of attaining good financial health and returns. It establishes the need for the development of a credible risk management structure that would lower threats to fiscal and economic activities. In light of this, the research shows that the liquidity and solvency management lowers financial risk and improves return for companies. The regression analysis was conducted to ascertain the degree of predictability of each independent variable to the dependent variable and the findings revealed that approximately 94 percent of each independent variable is predictable of the dependent variable that able to establish as much as 5% of the total variability in profitability, with the PE ratios being an indication of this aspect, was attributed to stock prices, as a result, the firm must be keen on its financials. This paper explores the employability of the proposed methods and models to assess the risks with high accuracy and supports optimum decision making in regard with the needed security of the enterprises. By adopting these methodologies, the businesses can observe and estimate risks which exist in the future which would help them to avoid certain issues or dangers and also pave the way for the improvements of the financial stability of the businesses. On this note, the study establishes the fact that incorporating the notion of total risk management into the framework of analyzing business and making financial decisions is inevitable in maintaining corporate financial stability and realizing perpetual economic solidity. This research enriches the literature on financial risk management, as it outlines viable strategies for the protection of enterprise financial sustainability.

Stanley Chege,Gregory Wanyembi,Constantine Nyamboga

DOI: https://doi.org/10.18775/jibrm.1849-8558.2015.81.3002

2023-04-01

Journal of International Business Research and Marketing

Abstract:Enterprise Risk Management (ERM) is a structured and coordinated approach for identifying, assessing, and managing risks faced by an organization. Implementing ERM standards and frameworks has several benefits, including improving focus and perspective on risk. ERM aids in developing leading indicators to detect potential risk events and provide early warning signals. ERM also incorporates key metrics and measurements of risk to improve reporting value and analysis and monitor possible changes in risk vulnerabilities or likelihood. An ERM facilitates an efficient risk management (RM) process, allowing businesses to manage risks efficiently across various departments through a robust risk management framework. This framework includes the related department’s team, working rules, and operational tools, covering all types of risks, including financial, strategic, operational, and accidental losses. The primary advantage of ERM is its ability to create a systematic and intentional process for identifying and addressing risks, treating risk management as a structured exercise where liabilities are addressed as part of a comprehensive framework rather than ad-hoc problem-solving. ISO 31000, NIST risk management framework, and COSO ERM framework are widely used frameworks for managing enterprise risks. Implementing a robust enterprise risk management standard has a positive relationship with business performance.

Craig A. Horne,Atif Ahmad,Sean B. Maynard

DOI: https://doi.org/10.48550/arXiv.1606.03528

2016-06-11

Abstract:Dependence on information, including for some of the world's largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these information-based activities. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we (1) analyse the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.

Computers and Society,Cryptography and Security