Kitsios,Chatzidimitriou,Kamariotou

DOI: https://doi.org/10.3390/su15075828

IF: 3.9

2023-03-28

Sustainability

Abstract:In order to handle their regulatory and legal responsibilities and to retain trustworthy strategic partnerships, enterprises need to be dedicated to guaranteeing the privacy, accessibility, and authenticity of the data at their disposal. Companies can become more resilient in the face of information security threats and cyberattacks by effectively integrating security strategies. The goal of this article is to describe a plan that a corporation has implemented in the information technology industry in order to ensure compliance with International Organization for Standardization (ISO) 27001. This research demonstrates an examination of the reasons that force enterprises to make a investment in ISO 27001 in addition to the incentives that might be acquired from having undergone this process. In addition, the research examines the reasons that push firms to make an investment in ISO 27001. More particularly, the research investigates an international IT consulting services institution that is responsible for the implementation of large-scale business assistance insertion and projects. It demonstrates the risk management framework and the administrative structure of the appropriate situations so that its procedures are adequate and also in line with the guidelines founded by ISO 27001. In conclusion, it discusses the problems and difficulties that were experienced.

environmental sciences,environmental studies,green & sustainable science & technology

Samuel Cris Ayo,Bonaventure Ngala,Olasunkanmi Amzat,Robin Lal Khoshi,Samarappulige Isuru Madusanka

DOI: https://doi.org/10.48550/arXiv.1812.04659

2018-12-12

Abstract:Owing to recorded incidents of Information technology inclined organisations failing to respond effectively to threat incidents, this project outlines the benefits of conducting a comprehensive risk assessment which would aid proficiency in responding to potential threats. The ultimate goal is primarily to identify, quantify and control the key threats that are detrimental to achieving business objectives. This project carries out a detailed risk assessment for a case study organisation. It includes a comprehensive literature review analysing several professional views on pressing issues in Information security. In the risk register, five prominent assets were identified in respect to their owners. The work is followed by a qualitative analysis methodology to determine the magnitude of the potential threats and vulnerabilities. Collating these parameters enabled the valuation of individual risk per asset, per threat and vulnerability. Evaluating a risk appetite aided in prioritising and determining acceptable risks. From the analysis, it was deduced that human being posed the greatest Information security risk through intentional/ unintentional human error. In conclusion, effective control techniques based on defence in-depth were devised to mitigate the impact of the identified risks from risk register.

Computers and Society,Cryptography and Security

Abdullah Al Hayajneh,Hasnain Nizam Thakur,Kutub Thakur

DOI: https://doi.org/10.5539/cis.v16n4p1

2023-11-20

Computer and Information Science

Abstract:In the contemporary era marked by the extensive utilization of data, information systems have been extensively embraced by global organizations and also hold a pivotal position in national defense and various other domains. The growing interconnectedness between individuals and diverse information systems has resulted in an intensified emphasis on the evaluation of potential risks. The mitigation of these dangers extends beyond simple technological solutions and includes established standards, legal structures, and policies, adopting a complete approach based on safety engineering concepts. This study aims to develop a robust framework for the harmonization of Information Technology Security Standards. It will explore prevalent techniques for conducting risk assessments and differentiate between quantitative and qualitative approaches to evaluation. Moreover, this study illustrates the combination of quantitative and qualitative evaluation methodologies, providing a comprehensive framework for the analysis and design of risk assessment. In addition, this study advances our understanding of INFOSEC risk assessment and contributes to the advancement of more efficient information security strategies by sharing global perspectives, addressing challenges in classification, clarifying the incorporation of Information Security Management Systems (ISMS), and highlighting the significance of Artificial Intelligence in the domain of Information Security (INFOSEC).

Knut Haufe,Ricardo Colomo-Palacios,Srdan Dzombeta,Knud Brandis,Vladimir Stantchev

DOI: https://doi.org/10.12821/ijispm040402

2022-02-02

International Journal of Information Systems and Project Management

Abstract:Securing sensitive organizational data has become increasingly vital to organizations. An Information Security Management System (ISMS) is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security. Key elements of the operation of an ISMS are ISMS processes. However, and in spite of its importance, an ISMS process framework with a description of ISMS processes and their interaction as well as the interaction with other management processes is not available in the literature. Cost benefit analysis of information security investments regarding single measures protecting information and ISMS processes are not in the focus of current research, mostly focused on economics. This article aims to fill this research gap by proposing such an ISMS process framework as the main contribution. It is based on a set of agreed upon ISMS processes in existing standards like ISO 27000 series, COBIT and ITIL. Within the framework, identified processes are described and their interaction and interfaces are specified. This framework helps to focus on the operation of the ISMS, instead of focusing on measures and controls. By this, as a main finding, the systemic character of the ISMS consisting of processes and the perception of relevant roles of the ISMS is strengthened.

Gliner Dias Alencar,Hermano Perrelli de Moura,Ivaldir Honório de Farias Júnior,José Gilson de Almeida Teixeira Filho

DOI: https://doi.org/10.48550/arXiv.1807.06184

2018-07-17

Cryptography and Security

Abstract:The lack of security in information systems has caused numerous financial and moral losses to several organizations. The organizations have a series of information security measures recommended by literature and international standards. However, the implementation of policies, actions, and adjustment to such standards is not simple and must be addressed by specific needs identified by the Information Security Governance in each organization. There are many challenges in effectively establishing, maintaining, and measuring information security in a way that adds value. Those challenges demonstrate a need for further investigations which address the problem. This paper presents a strategy to measure the maturity in information security aiming, also, to assist in the application and prioritization of information security actions in the corporate environment. For this, a survey was used as the main methodological instrument, reaching 157 distinct companies. As a result, it was possible to classify the ISO/IEC 27001 and 27002 controls in four stages according to the importance given by the companies. The COBIT maturity levels and a risk analysis matrix were also used. Finally, the adaptable strategy was successfully tested in a company

Mir Mehedi Rahman,Naresh Kshetri,Sayed Abu Sayeed,Md Masud Rana

2024-10-03

Abstract:In today's digitally driven landscape, robust Information Technology (IT) risk assessment practices are essential for safeguarding systems, digital communication, and data. This paper introduces 'AssessITS', an actionable method designed to provide organizations with comprehensive guidelines for conducting IT and cybersecurity risk assessments. Drawing extensively from NIST 800-30 Rev 1, COBIT 5, and ISO 31000, 'AssessITS' bridges the gap between high-level theoretical standards and practical implementation challenges. The paper outlines a step-by-step methodology that organizations can simply adopt to systematically identify, analyze, and mitigate IT risks. By simplifying complex principles into actionable procedures, this framework equips practitioners with the tools needed to perform risk assessments independently, without too much reliance on external vendors. The guidelines are developed to be straightforward, integrating practical evaluation metrics that allow for the precise quantification of asset values, threat levels, vulnerabilities, and impacts on confidentiality, integrity, and availability. This approach ensures that the risk assessment process is not only comprehensive but also accessible, enabling decision-makers to implement effective risk mitigation strategies customized to their unique operational contexts. 'AssessITS' aims to enable organizations to enhance their IT security strength through practical, actionable guidance based on internationally recognized standards.

Cryptography and Security

Sayed Amir Reza Mortazavi,Faramarz Safi-Esfahani

DOI: https://doi.org/10.1007/s41870-019-00302-0

2019-04-22

International Journal of Information Technology

Abstract:Today, information is rapidly increasing. For most of this information, data security and protection from unauthorized access are of great importance. Maybe information is created by an individual or a few people, but creating security for the information should be done by all assets of hardware, software and people. This entails organizing all elements of the system, and training and monitoring the performance of the people. One of the standards provided for the creation of security is ISMS. This standard is intended to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a system in terms of security. ISMS receives several parameters from users, assesses the risks and offers some controls (guidelines) to improve them. Collecting primary parameters is also very important in ISMS. Usually these parameters are collected personally, which result in getting inaccurate outcomes. The most important parameters include confidentiality, integrity, availability, threat and vulnerability. This paper tries to provide a method based on checklists so that by assessing the users’ responses to these checklists, one can more accurately insert the vulnerability parameter value as a standard input of ISMS, in order to gain better outcomes, and more accurately perform choice of controls. In the assessment, the standard deviation method is calculated, and comparison between the common mode of ISMS and the proposed method shows that the latter works 30% better than the conventional method. People may refuse to respond sincerely due to different reasons, and the percentage of the results may differ, since the results are obtained as cross-sectional at a certain time.

Michael Matthias Naumann,Stelian Mircea Olaru,Georg Sven Lampe,Fabian Pitz

DOI: https://doi.org/10.2478/picbe-2024-0043

2024-06-01

Proceedings of the International Conference on Business Excellence

Abstract:Abstract In the current global context, companies need a defined minimum level of information security to recognize and deal with related threats and risks. Due to market, customer or legal requirements, specifications and requirements for information security are implemented uniformly according to standards such as the information security management standard ISO/IEC 27001 or industry-specific standards such as Trusted Information Security Assessment Exchange - TISAX, ISO IEC 27019 Energy Utility Information Security Standard. The conformity to these standard requirements within the established management system is checked during periodically required audits. However, there are various reasons for which, even after many years of audits in companies, there are still insufficient process implementations for information security requirements. The aim of the paper is to analyze the status of conformity and thus also the process maturity in selected samples of companies that have already had information security management systems (ISMS) implemented for several years. In detail, the reasons for deviations from the minimum requirements with associated risks for the security of information in companies were analyzed, which allow conclusions to be drawn about possible process improvements. The paper also analyzes why, despite established measures and existing expertise, only a limited level of process maturity is achieved on average. Other possible approaches to the implementation procedure for dealing with non-conformities in information security are also considered. The results of this research show that there is a need for an adjusted continuous improvement process, which makes risks resulting from insufficient process maturity more visible. Proposals for such improvements are listed.

Sabine Goldes,Ralf Schneider,Christian M. Schweda,Jawed Zamani

DOI: https://doi.org/10.1109/cybconf.2017.7985763

2017-06-01

Abstract:Information Security is a topic of increasing importance for organizations today. The triad of professionalization and industrialization of cyber-crime, globalization and digitalization of business models, and increasing regulatory focus on data protection exerts pressure on organizations and enterprises to implement sophisticated Information Security Management Systems (ISMS). Best-practices for implementing such systems are given by multiple de-facto standards, whereas blueprints for ISMS are relatively scarce. In this paper we discuss design requirements for a modern Information Security Management System, derive a blueprint for such a system based on the viable system approach, and exemplify constituents of the blueprint from the environment of an insurance enterprise.

Khalifa AL-Dosari,Noora Fetais

DOI: https://doi.org/10.3390/electronics12173629

IF: 2.9

2023-08-29

Electronics

Abstract:Information-technology (IT) security standards are regularly updated in a rapidly changing technological world to maintain pace with advanced technologies. This study was motivated by the realization that established IT risk-management frameworks might provide an adequate defence for small- and medium-sized enterprises (SMEs), especially those actively adopting new technologies. We reviewed that a dynamic IT risk-management framework, updated to reflect emerging technological changes, would offer improved security and privacy for SMEs. To evaluate this, we conducted a systematic literature review spanning 2016 to 2021, focusing on IT risk-management research in various application areas. This study revealed that, while established frameworks like NIST have their benefits, they need to be better suited to the unique needs of SMEs due to their high degree of abstractness, vague guidelines, and lack of adaptability to technological advancements. The findings suggest a pressing need to evolve IT risk-management frameworks, particularly by incorporating advanced methods such as system dynamics, machine learning, and technoeconomic and sociotechnological models. These innovative approaches provide a more dynamic, responsive, and holistic approach to risk management, thereby significantly improving the IT security of SMEs. The study's implications underscore the urgency of developing flexible, dynamic, and technology-informed IT risk-management strategies, offering novel insights into a more practical approach to IT risk management.

engineering, electrical & electronic,computer science, information systems,physics, applied

Fitri Wijayanti,Dana Indra Sensuse,Arief Anthadi Putera,Andy Syahrizal

DOI: https://doi.org/10.1109/ic2ie50715.2020.9274574

2020-09-15

Abstract:The DRC of the Ministry XYZ has suffered from a system breach. The DRC's problem will lead to a lack of system information security, availability, and an increasing threat to the whole system of Ministry XYZ. In 2019, the KAMI Index assessment of the Ministry XYZ stated that the level of maturity and completeness of the application of ISO 27001 standards of the XYZ Ministry were at the level of fulfillment of the basic framework. There is a gap between the assessment result and the operational problem within the DRC of Ministry XYZ due to the lack of an information security management system. Therefore, this study conducts the same KAMI Index assessment within the scope of the DRC only and aims to offer a recommendation based on ISO 27001 as the basis of the KAMI Index assessment. This study used discussion, observation, and KAMI Index assessment tools for collecting data and analyze the result. The assessment result of the DRC showed that the maturity level of the ISO 27001 standard on the DRC is on the application of the basic framework. The suggested recommendations to improve the information security management system of the DRC were mostly in the aspect of the information security framework and assets management.

Ellena Ike

DOI: https://doi.org/10.47941/ejikm.2063

2024-07-12

Abstract:Purpose: The general objective of the study was to analyze information security and knowledge management. Methodology: The study adopted a desktop research methodology. Desk research refers to secondary data or that which can be collected without fieldwork. Desk research is basically involved in collecting data from existing resources hence it is often considered a low cost technique as compared to field research, as the main cost is involved in executive’s time, telephone charges and directories. Thus, the study relied on already published studies, reports and statistics. This secondary data was easily accessed through the online journals and library. Findings: The findings reveal that there exists a contextual and methodological gap relating to information security and knowledge management. Preliminary empirical review revealed that integrating IS and KM was crucial for enhancing organizational performance, protecting intellectual assets, and fostering innovation. It emphasized the need for a holistic approach combining technological solutions, robust policies, and a culture of security awareness. The research found that this integration led to significant improvements in operational efficiency and innovation, with continuous evaluation and adaptation being essential. The study highlighted the importance of advanced security technologies, regular updates, and employee training to maintain effective IS and KM practices, ultimately ensuring the secure and effective utilization of knowledge assets for sustainable growth. Unique Contribution to Theory, Practice and Policy: The Socio-Technical Systems Theory, Knowledge-Based View of the Firm and Information Systems Success Model may be used to anchor future studies on information security and knowledge management. The study provided significant contributions to theory, practice, and policy by integrating various theoretical frameworks and emphasizing the need for a multi-layered approach to IS that includes advanced technology, strong policies, and employee training. It recommended the development of regulatory standards to enforce robust IS practices, the alignment of IS and KM with organizational strategies, and the implementation of continuous improvement programs. Additionally, it highlighted the importance of comprehensive training for employees and fostering a collaborative environment that balances security with innovation.

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan,Mehmet Sabih Aksoy,Wahyudin P. Syam

DOI: https://doi.org/10.48550/arXiv.1203.6214

2012-03-28

Abstract:Actually Information security becomes a very important part for the organization's intangible assets, so level of confidence and stakeholder trusted are performance indicator as successes organization. Since information security has a very important role in supporting the activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter and more structured. The case study illustrated provided to the reader with a set of guidelines, that aims easy understood and applicable as measuring tools for ISMS standards (ISO27001) compliance.

Cryptography and Security

Mohammed El-Hajj,Zuhayr Aamir Mirza

DOI: https://doi.org/10.3390/electronics13193910

IF: 2.9

2024-10-03

Electronics

Abstract:As the number of Small and Medium Enterprises (SMEs) rises in the world, the amount of sensitive data used also increases, making them targets for cyberattacks. SMEs face a host of issues such as a lack of resources and poor cybersecurity talent, resulting in multiple vulnerabilities that increase overall risk. Cybersecurity risk assessment frameworks have been developed by multiple organizations such as the National Institute of Science and Technology (NIST) and the International Organization for Standardization (ISO), but they are complicated to understand and challenging to implement. This research aimed to create an effective cybersecurity risk assessment framework specifically for SMEs while considering their limitations. This was achieved by first identifying common threats and vulnerabilities and categorizing them according to their importance and risk. Secondly, popular frameworks like the NIST CSF and ISO 27001/2 were analyzed for their proficiencies and deficiencies while identifying relevant areas for SMEs. Finally, novel techniques catered to SMEs were explored and incorporated to create an effective framework for SMEs. This framework was also developed in the form of a tool, providing an interactive and dynamic environment. The tool was effective, and the framework is a promising start but requires more quantitative analysis.

engineering, electrical & electronic,computer science, information systems,physics, applied

June Wei,Yuan Liu,June Lu,Milos Slaninka,Kristie Abston

DOI: https://doi.org/10.1504/ijmc.2021.114313

2021-01-01

International Journal of Mobile Communications

Abstract:This paper proposed an indexed matrix to assess information security risks' impacts on mobile social media to help organisations address security risks effectively and efficiently. It developed and integrated a static social media information security risk model and a dynamic social media information flow model in the mobile environment to investigate the potential security risks in social networks. The pattern of security risks with three levels was identified using cluster analysis. An indexed matrix is also proposed to assess the information security impacts on social media via the relative-weigh quantitative method. The results can help to develop an effective and safe way to transmit information through social media. This research is the first attempt to integrate static information security threats into the dynamic social media information flow processes to assess the information security risk levels by developing a new indexed method. The theoretical and practical implications are presented.

Charlette Donalds,Corlane Barclay

DOI: https://doi.org/10.1080/0960085X.2021.1978344

2021-09-23

European Journal of Information Systems

Abstract:The evolving sophistication of threats and the impact of security breaches have caused managers to continually grapple with strategies to reduce these risks. One common security control is the adoption of information security policies (ISPs) geared at improving employees' compliance behaviour. However, there is mounting empirical evidence that shows that ISP compliance is a challenging undertaking with less than satisfactory outcomes. Further, little attention is placed on developing economies in the study of this phenomenon. This research adopts a values-based methodology to determine fundamental and means objectives in maximising employees' compliance with ISPs in a developing economy context. The research identifies 30 objectives and demonstrates that risk mitigation, people, technical and organisational factors are essential to improving compliance. The results contribute objectives, contextualised to the people for whom the results are relevant, thus promoting deeper understanding. The research offers utility to managers in the design and implementation of InfoSec strategies and policies. The findings can also inform investment decisions regarding compliance tools, methods and technologies. Recognising that security (information and cyber) threats are a global dilemma, we contend that investigating forms of security risks and potential solutions can mitigate the social and economic costs of security incidents.

information science & library science,management,computer science, information systems

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan,Mehmet Sabih Aksoy,Wahyudin P Syam

DOI: https://doi.org/10.48550/arXiv.1204.0240

2012-04-02

Abstract:Actually Information security becomes a very important part for the organization's intangible assets, so level of confidence and stakeholder trusted are performance indicator as successes organization. Since information security has a very important role in supporting the activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter and more structured. The case study illustrated provided to the reader with a set of guidelines, that aims easy understood and applicable as measuring tools for ISMS standards (ISO27001) compliance.

Cryptography and Security,Software Engineering

Amar Y. El-Bably,Amar Yasser El-Bably

DOI: https://doi.org/10.26735/wlpw6121

2021-06-01

Journal of Information Security and Cybercrimes Research

Abstract:Information security is the practice of protecting information by mitigating the risk of cyber-attack, and typically includes preventing or reducing the possibility of unauthorized/inappropriate access to data, unlawful use, disclosure, disruption. This concept of information security covers as well various procedures aiming at minimizing the negative effects of such incidents and threats. These threats might be originated from the human behavior which may lead to a wide damage of the organization data assets. Thus, the primary focus of information security is on the balanced protection of confidentiality, integrity and availability of data while maintaining an effective use of the organizations' systems. International standards related to information security such as ISO/IEC 27001 emphasis on effective implementation of the information security policies and applications without hampering the productivity of the organization. This research seeks to draw a set of practical rules to be established within an organization to preserve cybersecurity objectives and protect dada specifically from human errors incidents. The drawn rules are based on ISO/IEC 27001 and its application within organizations will rise the employee’s awareness about their behavior to reduce the impact of such incidents on the organization' systems and data.

Athena Roumboutsos,Nikitas Nikitakos,Stefanos Gritzalis

DOI: https://doi.org/10.1080/03088830500301501

2005-10-01

Abstract:Shipping companies are high-vulnerability information handling organizations (HIHOs). In the past, such companies used exclusively HIHO private communication networks and own satellite resources in order to share and transport sensitive information. In recent years, the ability for the HIHO network users to exploit the advantages of the low-vulnerability information handling organizations’ (LIHOs) value added networks, has led to the need for augmentation of the HIHO networks. In the maritime sector, a push-and-pull effect on the need and demand to transfer information onboard and ashore has led many companies to experiment with interconnected HIHO and LIHO open distributed systems and networks, for their ship-to-shore communications. Security then becomes an issue in a domain, onboard–ashore data transmissions, where little information on the level of risk is available. This paper proposes a risk assessment and management framework to assist in countermeasure selection and level of LIHO network use definition. The model is ultimately applicable where information on potential risks and their impact is minimum and simultaneously changeable. The model is connected to a security profile for interconnected HIHO and LIHO open distributed systems and networks.

transportation

Harrison Stewart,Jan Jürjens

DOI: https://doi.org/10.1108/ics-07-2016-0054

2017-11-13

Information and Computer Security

Abstract:Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset. Design/methodology/approach Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B. Findings Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own. Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings. Practical implications In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed. Social implications The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps. Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.