Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Sadaf Hina,P. Dhanapal Durai Dominic

DOI: https://doi.org/10.1080/08874417.2018.1432996

2018-03-30

Journal of Computer Information Systems

Abstract:This paper provides a systematic literature review in the information security policies’ compliance (ISPC) field, with respect to information security culture, information security awareness, and information security management exploring in various settings the research designs, methodologies, and frameworks that have evolved over the last decade. Studies conducted from 2006 to 2016 reporting results from data collected through diverse means have been explored; however, only a few studies have focused primarily on a sensitive infrastructure under risk, as is the case with higher education institutions (HEIs). This study reports that ISPC in HEIs remains scarce, as is the realization of security threats and dissemination of information security policies to end users (employees). This research makes a novel contribution to the body of knowledge as a unique study that has reviewed the influence of institutional governance in HEIs on protection motivation leading towards ISPC.

computer science, information systems

Huifang Li

DOI: https://doi.org/10.61360/bonicetr232014840904

2023-09-25

Contemporary Education and Teaching Research

Abstract:In the context of information technology and the digital era, people's life has been inseparable from the support of information technology, contemporary college students are using cell phones and the Internet every moment. However, information technology is a double-edged sword, in bringing convenience to our study, life, and work, there are also information security risks, especially college students have a low sense of precaution, and they may face all kinds of information security threats in the process of surfing the Internet. In the face of information technology security risks and threats, the Teaching Department of universities must take active measures to strengthen information technology security education and training to protect the privacy and rights of teachers and students, enhance the competitiveness of students' future careers, and safeguard the reputation of colleges and universities and the quality of teaching. The article first introduces the significance of information technology security education and training in the teaching department of colleges and universities and then gives effective strategies for information technology security education and training in the teaching department of colleges and universities.

Muhammed Sabo,,Zake Muwanga,Manjula V.S.,Saleh Auwal,,,

DOI: https://doi.org/10.59568/jasic-2023-4-1-06

2023-07-10

Abstract:The security of information technology, specifically web applications, has become an area of concern today. Computer cybercrime is now a significant problem that affects more than just businesses and organizations. Higher education institutions also began to experience computer threats that revealed their information assets. Universities, polytechnics, colleges of education, research centers, and other postsecondary institutions are probably the most vulnerable because they house sensitive data on their faculty, staff, and students, as well as academic records of scientific and technological advancements and research. The first step in an information system security strategy is risk analysis management It helps in assessing the risk of information assets to know their security level or status, and assist in define a security control measures and implementation of technical plan to avoid threats that exploit some vulnerability that could cause severe damage to an asset or infrastructure of institutions higher education (IHEs). This article presents some recommendations to perform a risk analysis management in IHEs to accessed threats and vulnerability that helps to lower the risk of their information assets. This article presents existing educational threat and vulnerability on their web applications. Ensuring security is a goal of every organization regardless of its size or purpose and also proposed a risk management model. With the information technology, an organization may be considered secure when it ensures the confidentiality, integrity, and availability of information and IT assets. Confidentiality may be broken due to theft of sensitive information such as trade secrets, clients’ personal information.

Harrison Stewart,Jan Jürjens

DOI: https://doi.org/10.1108/ics-07-2016-0054

2017-11-13

Information and Computer Security

Abstract:Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset. Design/methodology/approach Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B. Findings Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own. Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings. Practical implications In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed. Social implications The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps. Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Regner Sabillon,Juan Ramon Bermejo Higuera,Jeimy Cano,Javier Bermejo Higuera,Juan Antonio Sicilia Montalvo

DOI: https://doi.org/10.3390/electronics13163257

IF: 2.9

2024-08-18

Electronics

Abstract:This study validates a comprehensive cybersecurity audit model through empirical analysis in three higher education institutions in Canada. The research aims to enhance cybersecurity resilience by assessing the effectiveness of cybersecurity controls across diverse educational environments. Given the increasing frequency and sophistication of cyberattacks targeting educational institutions, this research is essential to ensure the protection of sensitive academic and personal data. Data were collected through detailed audits involving system vulnerabilities, compliance with security policies, and incident response management at each institution. The findings underscore the importance of tailored cybersecurity strategies and continuous auditing to mitigate cyber risks in the Canadian higher education sector. This study contributes to the field by validating a versatile audit tool that can be adapted to various institutional contexts, promoting enhanced cybersecurity practices and evaluating the effectiveness of cybersecurity safeguards across the higher education sector in Canada. The results of the audit model validations provide the cybersecurity maturity rating of each institution. Further research is recommended to refine the model and explore its application in other industries and sectors.

engineering, electrical & electronic,computer science, information systems,physics, applied

Maria Schuett,Syed,M. Rahman

DOI: https://doi.org/10.5121/ijnsa.2011.3501

2011-11-08

Abstract:Information assurance is at the core of every initiative that an organization executes. For online universities, a common and complex initiative is maintaining user lifecycle and providing seamless access using one identity in a large virtual infrastructure. To achieve information assurance the management of user privileges affected by events in the user's identity lifecycle needs to be the determining factor for access control. While the implementation of identity and access management systems makes this initiative feasible, it is the construction and maintenance of the infrastructure that makes it complex and challenging. The objective of this paper1 is to describe the complexities, propose a practical approach to building a foundation for consistent user experience and realizing security synthesis in online universities.

Cryptography and Security,Computers and Society,Social and Information Networks

Craig A. Horne,Atif Ahmad,Sean B. Maynard

DOI: https://doi.org/10.48550/arXiv.1606.03528

2016-06-11

Abstract:Dependence on information, including for some of the world's largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these information-based activities. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we (1) analyse the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.

Computers and Society,Cryptography and Security

Elissa Mollakuqe,Vesna Dimitrova

DOI: https://doi.org/10.12688/openreseurope.16634.2

2024-07-29

Abstract:Background: This research delves into the critical aspects of identity management, access control, and authorization practices within the domains of public and private universities. Identity management involves the meticulous management and control of user identities, encompassing the establishment and maintenance of user profiles, role assignments, and access privileges. Access control is the practice of defining and enforcing policies that govern who can access an IT system or application and which resources they can interact with. Authorization, meanwhile, determines the specific actions and privileges granted to users based on their roles and permissions. Methods: To understand the variances in identity management and access control approaches, we conducted a comparative analysis between public and private universities. Our investigation scrutinized the user populations with access to university systems, the enforcement of access limitations, authentication methods, and password policies. Additionally, we examined the nuances of authorization processes, levels of authorization, access approval authorities, user status and role changes, unique user account management, account deletion procedures, user authentication methods, password complexity and expiration policies, password storage methods, and session termination policies. Results: This study revealed that both public and private universities prioritize these security measures, with a common categorization of these processes. Nevertheless, there exist disparities, such as the inclusion of contractors and vendors in the user population at private universities, the manual deletion of user accounts in private institutions, and variations in password policies and storage methods. Private universities tend to enforce stricter password policies, employ more secure password storage methods, and implement automatic session termination features. Conclusions: This research provides valuable insights into the practices and approaches adopted by public and private universities to safeguard their digital environments. The findings serve as a valuable resource for enhancing identity management, access control, and authorization protocols, enabling institutions to fortify their cybersecurity defenses in an ever-evolving threat landscape.

Mansour Naser Alraja,Usman Javed Butt,Maysam Abbod

DOI: https://doi.org/10.1016/j.cose.2023.103208

IF: 5.105

2023-06-01

Computers & Security

Abstract:Information security threats have a severe negative impact on enterprises. Organizations rely on employee compliance with information security policies to eliminate or reduce these hazards. The Unified Model of Information Security Policies Compliance (UMISPC) is employed to identify the factors that may affect employees' intention towards compliance with information systems security policy and reactance in a global setting. The study was assessed in two phases. The model's validity and measurement reliability were evaluated in the first phase, while in the second phase, all preliminary model relationships were appraised. This was achieved utilizing structural equation modelling to establish whether the proposed constructs, i.e. neutralization, response efficacy, fear, threat, habit and role values were good predictors for intention or reactance towards compliance with information systems security policy. Participants included 348 employees from 7 nations, i.e. the USA, the UK, Oman, India, Pakistan, Malaysia, and the Philippines. SmartPLS v. 3.3.9 was used for data analysis. The models' measurement reliability and validity were affirmed. Fear and role values have a significant influence on intention toward ISPC. RE significantly predicted threat which in turn significantly predicted fear, and the latter demonstrated a significant effect on reactance as well as Neutralization predicted reactance. In contrast, habit failed to reach a significant influence on intention towards ISPC. The implications are presented, together with proposals for further studies. Our findings are helpful for ISS literature and application by supporting the crucial functions of role values in encouraging employees to behave in a compliant manner. Additionally, it is regarded as the first empirical attempt to estimate intended compliance concerning ISPs in higher education from a worldwide viewpoint.

computer science, information systems

Easton Kelso,Ananta Soneji,Sazzadur Rahaman,Yan Soshitaishvili,Rakibul Hasan

2024-09-05

Abstract:The education technology (EdTech) landscape is expanding rapidly in higher education institutes (HEIs). This growth brings enormous complexity. Protecting the extensive data collected by these tools is crucial for HEIs as data breaches and misuses can have dire security and privacy consequences on the data subjects, particularly students, who are often compelled to use these tools. This urges an in-depth understanding of HEI and EdTech vendor dynamics, which is largely understudied. To address this gap, we conducted a semi-structured interview study with 13 participants who are in EdTech leadership roles at seven HEIs. Our study uncovers the EdTech acquisition process in the HEI context, the consideration of security and privacy issues throughout that process, the pain points of HEI personnel in establishing adequate protection mechanisms in service contracts, and their struggle in holding vendors accountable due to a lack of visibility into their system and power-asymmetry, among other reasons. We discuss certain observations about the status quo and conclude with recommendations for HEIs, researchers, and regulatory bodies to improve the situation.

Computers and Society

Alexei Arina

DOI: https://doi.org/10.24989/ocg.v341.24

2022-03-17

Central and Eastern European eDem and eGov Days

Abstract:The Covid-19 pandemic has significantly changed the way higher education institutions (HEIs) operate around the world. Distance learning has become the unique opportunity that the process further education in conditions where most economic activities were put on hold. To ensure the quality of distance learning have been implemented and used extensively online learning platforms, applications, video conferencing and cloud computing facilities in HEIs. However, this has increased the threats to information security, so that in 2020, in the field of education in general, and HEIs in particular, the number of cyber-attacks has increased, which has led to significant financial losses but also to activity interruption and theft of personal data or intellectual property. In order to identify the biggest threats of the 2020 year, for HEIs, several security reports and scientific articles related to the studied field were analyzed, in order to identify the most common security threats. As a result, of the research conducted, the top Cyber threats of HEIs are: malware attacks, DoS / DDos attacks and phishing attacks. Securing university networks in 2020 was a challenge for specialists in this field.

Viktor Sarancha,Viktoriia Shabunina,Oksana Tur

DOI: https://doi.org/10.32461/2409-9805.3.2023.290991

2023-11-15

Abstract:The purpose of the article is a comprehensive analysis of the American concept of threats to information security and determination of priority areas of the US’s activity in creating a secure national cyberspace. The methodological basis of the study is general scientific and special methods of cognition, in particular, systemic approach, analysis, synthesis, and logical method. Methods of content analysis, comparative and analytical monitoring of Internet resources of US government bodies responsible for information security are also used. The scientific novelty of the study consists in the expansion of ideas about theoretical aspects in the field of information security and the systematic analysis of instrumental, conceptual foundations and practical aspects of information security in the United States. Conclusions. The globalisation of information systems has created a completely new situation in the security field. In cyberspace the main threat to the US national security comes from states and intermediaries acting in their interests. They have the necessary skills and technologies to carry out destructive cyberattacks for military and political purposes, and also effectively use cyberespionage methods, which not only entails economic losses, but also causes great damage to strategically important industries for the US. The American concept covers such three key levels of cyber security as the state, private business and individual users. There are such defence priorities for the United States as ensuring the protection of critical infrastructure, information networks and systems; quality control of used IT equipment; formation of effective mechanisms of interlevel communication and raising awareness at all levels. An important component of the US National Cyber Strategy is international cooperation on information security issues. In this regard, at the international level the United States seeks to implement such opportunities as to encourage countries to increase responsibility for ensuring the security of information systems and networks at the national and global level; to create the legal regime necessary to ensure cross-border access to information; to form a regime of collective cyber defence within the framework of NATO and other bilateral and multilateral agreements with strategic partners; to preserve the maximum possible freedom of action in cyberspace in order to conduct all types of information operations both during military conflicts and in peacetime. Keywords: cyberspace, information threat, information war, information security, information management, informatisation, ICT.

Wu Haiyan,Miao Chunyu,Jiang Dongxing

DOI: https://doi.org/10.3969/j.issn.1002-4956.2009.05.055

2009-01-01

Abstract:Information security is an important guarantee for sustainable development.The information security has experienced in three phases,such as the technology wave,the management wave,and the institutional wave.Gaining information security by means of architectural ways has been recognized by industry.The name,organization,management,content and technical measures of some well-known U. S. university's information security management department are introduced,and several special features,which China's colleges and universities information security managers can use for reference,are summarized.

W. Alec Cram,Jeffrey G. Proudfoot,John D’Arcy

DOI: https://doi.org/10.1057/s41303-017-0059-9

2017-11-01

European Journal of Information Systems

Abstract:A major stream of research within the field of information systems security examines the use of organizational policies that specify how users of information and technology resources should behave in order to prevent, detect, and respond to security incidents. However, this growing (and at times, conflicting) body of research has made it challenging for researchers and practitioners to comprehend the current state of knowledge on the formation, implementation, and effectiveness of security policies in organizations. Accordingly, the purpose of this paper is to synthesize what we know and what remains to be learned about organizational information security policies, with an eye toward a holistic understanding of this research stream and the identification of promising paths for future study. We review 114 influential security policy-related journal articles and identify five core relationships examined in the literature. Based on these relationships, we outline a research framework that synthesizes the construct linkages within the current literature. Building on our analysis of these results, we identify a series of gaps and draw on additional theoretical perspectives to propose a revised framework that can be used as a basis for future research.

information science & library science,management,computer science, information systems

Ahmed Alkalbani,Hepu Deng,Booi Kam

DOI: https://doi.org/10.48550/arXiv.1606.00875

2016-05-28

Computers and Society

Abstract:The increase reliance on information systems has created unprecedented challenges for organizations to protect their critical information from different security threats that have direct consequences on the corporate liability, loss of credibility, and monetary damage. As a result, the security of information has become a top priority in many organizations. This study investigates the role of socio-organizational factors by drawing the insights from the organizational theory literature in the adoption of information security compliance in organizations. Based on the analysis of the survey data collected from 294 employees from different organizations, the study indicates management commitment, awareness and training, accountability, technology capability, technology compatibility, processes integration, and audit and monitoring have a significant positive impact on the adoption of information security compliance in organizations. The study contributes to the information security compliance research by exploring the criticality of socio-organizational factors at the organizational level for information security compliance.

Huahui Lv,Zhe Ming,Aidong Xu,Hang Yang

DOI: https://doi.org/10.1109/CISCE.2019.00100

2019-07-05

Abstract:Social development has driven the rapid development of computer technology and networks and computers and networks have become "universal" from "rare". But the security instability that followed has also become a major problem in testing individuals and society. Therefore, in the fast and stable establishment of the computer system, how to improve the computer security defense capability has become a difficult problem that we urgently need to study and explore. This paper first analyzes the basic concepts of information security, refines related issues and puts forward suggestions on how to prevent and measure methods based on actual conditions, hoping to help the governance business.

Computer Science

Khairunnisak Nur Isnaini,Siti Alvi Solikhatin

DOI: https://doi.org/10.26555/jifo.v14i2.a14434

2020-05-09

Jurnal Informatika

Abstract:The threat of physical security can be from human factors, natural disasters, and information technology itself. Therefore, to prevent threats, we need the right tools to control current activities, evaluate potential impacts, and make appropriate plans so that business processes at X University will not be affected. This research starts by analyzing the problems that arise, followed by collecting the data needed, discussing the results, and making conclusions and recommendations that can be given. The method uses quantitative descriptive research. The research instrument uses interviews and questionnaire techniques. COBIT 5 is used as a framework for measuring the performance that is being implemented and will be achieved. Maturity models are used to measure current and future activities. The goal to be achieved is that the organization can create a physical security environment by the CIA principle (confidentiality, integrity, & availability). Positioning results are at level 3, meaning that the process is currently running in two main standard operating procedures. However, this evaluation specifically on the DSS5.5.5 subdomain (Providing Service Support-Managing physical security for IT Assets) in COBIT 5, and the results are still below the level 3 standard (Established Process), at 2.9 points. So, the right suggestion is to keep activities safe, one of which is to improve facilities and infrastructure, one of which is the use of biometric control in data center management rooms or other rooms with limited access.

Atif Ahmad,Sean Maynard

DOI: https://doi.org/10.1108/imcs-08-2013-0058

2014-11-10

Abstract:Purpose – The purpose of this paper is to describe the development, design, delivery and evaluation of a postgraduate information security subject that focuses on a managerial, rather than the more frequently reported technical perspective. The authors aimed to create an atmosphere of intellectual excitement and discovery so that students felt empowered by new ideas, tools and techniques and realized the potential value of what they were learning in the industry. Design/methodology/approach – The paper develops fundamental principles and arguments that inform the design and development of the teaching curriculum. The curriculum is aimed at security management professionals in general and consultants in particular. The paper explains the teaching method in detail including the specific topics of lectures, representative reading material, assessment tasks and feedback mechanisms. Finally, lessons learned by the authors and their conclusions are presented as a form of reflection. Findings – The instructors recognized four key factors that played a role in the atmosphere of intellectual excitement and motivation. These were new concepts and ideas, an increased level of engagement, opportunities for students to make their own discoveries and knowledge presented in a practical context. Maintaining a high quality of teaching resources, catering for diverse student needs and incorporating learning cycles of assessment in a short period of time were additional challenges. Originality/value – Most “information security” curricula described in research literature take a technology-oriented perspective. This paper presents a much-needed management point of view. The teaching curriculum (including assessment tasks) and experiences will be useful to existing and future teaching and research academics in “information security management”. Those interested in developing their own teaching material will benefit from the discussion on potential topic areas, choice of assessment tasks and selection of recommended reading material.

Noah Apthorpe,Boen Beavers,Yan Shvartzshnaider,Brett Frischmann

2024-09-01

Abstract:We examine the authentication practices of a diverse set of 101 colleges and universities in the United States and Canada to determine compliance with five standards in NIST Special Publication 800-63-3 Digital Identity Guidelines. We find widespread noncompliance with standards for password expiration, password composition rules, and knowledge-based authentication. Many institutions still require or recommend noncompliant practices despite years of expert advice and standards to the contrary. Furthermore, we observe that regional and liberal arts colleges have generally lower documented compliance rates than national and global universities, motivating further investment in authentication security at these institutions. These results are a wake-up call that expert cybersecurity recommendations are not sufficiently influencing the policies of higher education institutions, leaving the sector vulnerable to increasingly prevalent ransomware and other cyberattacks.

Cryptography and Security,Computers and Society