Article
Publication date: 10 July 2017

Erastus Karanja


Abstract

Purpose

The aim of this study is to advance research on the position of the CISO by investigating the role that CISOs play before and after an IT security breach. There is a dearth of academic research literature on the role of a chief information security officer (CISO) in the management of Information Technology (IT) security. The limited research literature exists despite the increasing number and complexity of IT security breaches that lead to significant erosions in business value.

Design/methodology/approach

The study makes use of content analysis and agency theory to explore a sample of US firms that experienced IT security breaches between 2009 and 2015 and how these firms reacted to the IT security breaches.

Findings

The results indicate that following the IT security breaches, a number of the impacted firms adopted a reactive plan that entailed a re-organization of the existing IT security strategy and the hiring of a CISO. Also, there is no consensus on the CISO reporting structure since most of the firms that hired a CISO for the first time had the CISO report either to the Chief Executive Officer or Chief Information Officer.

Research limitations/implications

The findings will inform researchers, IT educators and industry practitioners on the roles of CISOs as well as advance research on how to mitigate IT security vulnerabilities.

Originality/value

The need for research that advances an understanding of how to effectively manage the security of IT resources is timely and is driven by the growing frequency and sophistication of the IT security breaches as well as the significant direct and indirect costs incurred by both the affected firms and their stakeholders.

Details

Information & Computer Security, vol. 25 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 26 February 2019

Ali Daneshmandnia


Abstract

Purpose

This paper aims to explore the impact of organizational culture on information governance (IG) effectiveness at higher education institutions (HEIs). IT professionals, such as chief information officers, chief technology officers, chief information security officers and IT directors at HEIs were surveyed and interviewed to learn whether organizational culture influences IG effectiveness. Several IG activities (processes) were identified, including information security, the function of an IG council, the presence of a Records Information Management department, the role of a compliance officer and information stewards and the use of an automated system or software to identify and maintain information life-cycle management.

Design/methodology/approach

This study was conducted using Cameron and Quinn’s (Cameron and Quinn, 2011) competing values framework. To evaluate organizational culture using the competing values framework, four types of organizational culture profiles were used: collaboration, creation/innovation, controlling/hierarchy, and competition/result-oriented. The methodology included quantitative and qualitative techniques through the use of content analysis of data collected from participants. IT professionals, such as chief information officers, chief technology officers, chief information security officers and IT directors at HEIs were surveyed and interviewed to learn whether organizational culture influences IG effectiveness.

Findings

Findings revealed organizational culture may influence IG effectiveness positively, especially from cultures of competition/result-oriented and control/hierarchy. Qualitatively, it also emerged that competition/result-oriented and control characteristics of organizational culture were perceived by IG professionals to produce more accurate information. One of the characteristics of organizational culture that became evident in the current study, coming from more than one subject, was the challenge in IG due to the presence of information silos. Trust, on the other hand, has been highlighted as the glue which can enable and drive governance processes in an organization.

Research limitations/implications

The current study was conducted based on HEIs. While the current study serves as a baseline for studying IG in other institutions, its results cannot be generalized to other types of institutions. The results cannot be generalized to other types of not-for-profit or for-profit organizations. Many of the characteristics of the sample data were specific to HEIs. For instance, financial, manufacturing and health-care institutions present challenges inherent in those institutions.

Originality/value

Trust has been highlighted as the glue which can enable and drive governance processes in an organization. Respondents of the current study indicated that trust serves several different functions toward IG effectiveness, including freedom to speak openly in meetings about the impact of organizational culture on IG; willingness of executives of the administration, particularly the CIO, to communicate IG matters to the institution; sharing information and being transparent; entrusting help desk staff and technical supervisors so that users can communicate with them and share their concerns; and perceiving a “feeling of trust” in the organization, which would benefit the institution by allowing stakeholders to collaborate and work together to overcome issues when facing IG challenges.

Article
Publication date: 26 April 2023

Alireza Shojaifar and Samuel A. Fricker

Abstract

Purpose

This paper aims to present the evaluation of a self-paced tool, CyberSecurity Coach (CYSEC), and discuss the adoption of CYSEC for cybersecurity capability improvement in small- and medium-sized enterprises (SMEs). Cybersecurity is increasingly a concern for SMEs. Previous literature has explored the role of tools for awareness raising. However, few studies validated the effectiveness and usefulness of cybersecurity tools for SMEs in real-world practices.

Design/methodology/approach

This study is built on a qualitative approach to investigating how CYSEC is used in SMEs to support awareness raising and capability improvement. CYSEC was placed in operation in 12 SMEs. This study first conducted a survey study and then nine structured interviews with chief executive officers (CEOs) and chief information security officers (CISO).

Findings

The results emphasise that SMEs are heterogeneous. Thus, one cybersecurity solution may not suit all SMEs. The findings specify that the tool’s adoption varied quite widely. Four factors are primary determinants influencing the adoption of CYSEC: personalisation features, CEOs’ or CISOs’ awareness level, CEOs’ or CISOs’ cybersecurity and IT knowledge and skill and connection to cybersecurity expertise.

Originality/value

This empirical study provides new insights into how a self-paced tool has been used in SMEs. This study advances the understanding of cybersecurity activities in SMEs by studying the adoption of CYSEC. Moreover, this study proposes significant dimensions for future research.

Details

Information & Computer Security, vol. 31 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 11 February 2019

Masike Malatji, Sune Von Solms and Annlizé Marnewick


Abstract

Purpose

This paper aims to identify and appropriately respond to any socio-technical gaps within organisational information and cybersecurity practices. This culminates in equal emphasis on the social, technical and environmental factors affecting security practices.

Design/methodology/approach

The socio-technical systems theory was used to develop a conceptual process model for analysing organisational practices in terms of their social, technical and environmental influence. The conceptual process model was then applied to specifically analyse some selected information and cybersecurity frameworks. The outcome of this exercise culminated in the design of a socio-technical systems cybersecurity framework that can be applied to any new or existing information and cybersecurity solutions in the organisation. A framework parameter to help continuously monitor the mutual alignment of the social, technical and environmental dimensions of the socio-technical systems cybersecurity framework was also introduced.

Findings

The results indicate a positive application of the socio-technical systems theory to the information and cybersecurity domain. In particular, the application of the conceptual process model is able to successfully categorise the selected information and cybersecurity practices into either social, technical or environmental practices. However, the validation of the socio-technical systems cybersecurity framework requires time and continuous monitoring in a real-life environment.

Practical implications

This research is beneficial to chief security officers, risk managers, information technology managers, security professionals and academics. They will gain more knowledge and understanding about the need to highlight the equal importance of the social, technical and environmental dimensions of information and cybersecurity. Further, the less emphasised dimension is posited to open a security vulnerability gap equal to that of the more emphasised dimension. All dimensions must, therefore, be emphasised equally and jointly for optimal security performance in the organisation.

Originality/value

The application of socio-technical systems theory to the information and cybersecurity domain has not received much attention. In this regard, the research adds value to the information and cybersecurity studies where too much emphasis is placed on security software and hardware capabilities.

Details

Information & Computer Security, vol. 27 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 28 May 2020

Wafa Bouaynaya

Abstract

Purpose

The purpose of this paper is to contribute to a growing body of research on information systems security by studying open source alternatives for cloud computing. Several questions have been raised about the reliability of these promising but ambiguous offers, as the adoption of a cloud solution within an enterprise is generally accompanied by a change in the chief information officer’s (CIO’s) role and a loss of expertise.

Design/methodology/approach

The research uses a mixed research methodology: a first step is based on a questionnaire survey to investigate the security aspects of open source and understand the role of CIOs in the migration process. The investigation involved nearly 800 companies operating in the cloud computing sector in 16 European countries between November 2015 and January 2016. Then, this paper completes the research with a qualitative study by examining the activity of two sample companies.

Findings

The research confirms that open source cloud solutions offer a higher level of security than proprietary solutions. It is also noted that the role of the CIO is delegated to a third, external actor: a transition CIO. The transition CIO is the guarantor of the strategic and security choices of small and medium enterprises.

Research limitations/implications

These findings have important implications and great value to managers and cloud computing providers, in terms of formulating better cloud computing solutions. This study can also assist in increasing their understanding of the new role of CIO in the migration process to cloud computing.

Originality/value

This study contributes to the body of research on cloud computing. It is the first of its kind with its focus on open source alternatives. Another novelty of this research is that it suggests a new conception of the CIO’s role in the migration to cloud computing. Finally, the findings of this study would serve as a European market study for different companies interested in cloud computing.

Details

Information & Computer Security, vol. 28 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 13 May 2021

Stuart Barnes, Richard N. Rutter, Ariel I. La Paz and Eusebio Scornavacca

Abstract

Purpose

The role of emerging digital technologies is of growing strategic importance as it provides significant competitive advantage to organisations. The chief information officer (CIO) plays a pivotal role in facilitating the process of digital transformation. Whilst demand continues to increase, the supply of suitably qualified applicants is lacking, with many companies forced to choose information technology (IT) or marketing specialists instead. This research seeks to analyse the organisational capabilities required and the level of fit within the industry between CIO requirements and appointments via the resource-based view.

Design/methodology/approach

Job postings and CIO curriculum vitae were collected and analysed through the lens of organisational capability theory using the machine learning method of Latent Dirichlet Allocation (LDA).

Findings

This research identifies gaps between the capabilities demanded by organisations and supplied by CIOs. In particular, soft, general, non-specific capabilities are over-supplied, while rarer specific skills, qualifications and experience are under-supplied.

Practical implications

The research is useful for practitioners (e.g. potential CIO candidates) to understand current market requirements and for companies aiming to develop internal training that meets present and future skill gaps. It could also be useful for professional organisations (e.g. CIO Forum) to validate the need to develop mentoring schemes that help meet such high demand and the relative undersupply of qualified CIOs.

Originality/value

By applying LDA, the paper provides a new research method and process for identifying competence requirements and gaps as well as ascertaining job fit. This approach may be helpful to other domains of research in the process of identifying specific competences required by organisations for particular roles as well as to understand the level of fit between such requirements and a potential pool of applicants. Further, the study provides unique insight into the current supply and demand for the role of CIO through the lens of resource-based view (RBV). This provides a contribution to the stream of information systems (IS) research focused on understanding CIO archetypes and how individual capabilities provide value to companies.

Details

Industrial Management & Data Systems, vol. 121 no. 8
Type: Research Article
ISSN: 0263-5577

Article
Publication date: 11 May 2021

Erastus Karanja, Donna Grant and Jigish S. Zaveri

Abstract

Purpose

Grounded in the principal-agent theory, this study aims to develop and test hypotheses to investigate how the firm’s strategic orientations, namely, innovation, growth, differentiation and cost leadership, impact the chief information officer (CIO) reporting relationship and structure.

Design/methodology/approach

The study uses content analysis to analyze a data set of press releases collected from the LexisNexis Academic wire index. The press releases were issued by firms when they hired CIOs between 2003 and 2007, yielding 128 firms, which had specific information about the CIO reporting relationship and structure.

Findings

The results reveal that firms seeking an innovation, growth or differentiation strategy have their CIOs reporting to the chief executive officer.

Research limitations/implications

The current study is motivated by the desire to replicate and extend the works of previous researchers who have assessed various CIO issues. Replication takes several forms such as the use of similar or different data sets, different research environments or reinvestigating research concepts through a different theoretical lens. This study makes use of a multi-firm data set spanning five years and the principal-agent theory as the theoretical framework to explore the CIO reporting relationship and structure. Although this study focuses on the hiring trends and the strategic orientations of the firms, future studies should explore other characteristics associated with the CIOs that might have an impact on the reporting relationship such as the years of experience, age, educational background of CIOs and information technology budgets.

Practical implications

The existing literature has not settled the debate as to whom the CIO should be reporting to and understanding the reporting relationships is important because, in many firms, the organizational structures and the reporting relationships are indicative of the power dynamics and how the organizational resources are controlled and shared.

Originality/value

Replication studies are important because they confirm, reinforce, extend and provide reliability to the paradigms and knowledge in the discipline, as well as offer reliability of the results upon which scientific progress is based.

Details

Journal of Systems and Information Technology, vol. 23 no. 1
Type: Research Article
ISSN: 1328-7265

Article
Publication date: 10 July 2017

Temesgen Kitaw Damenu and Chris Beaumont


Abstract

Purpose

This paper aims to explore the use of soft systems methodology (SSM) to analyse the socio-technical information security issues in a major bank.

Design/methodology/approach

Case study research was conducted on a major bank. Semi-structured interviews were conducted with a purposive sample of key stakeholders in the business, comprising senior managers, security professionals and branch employees.

Findings

SSM was particularly useful for exploring the holistic information security issues, enabling models to be constructed which were valuable analytical tools and easily understood by stakeholders, which increased the receptiveness of the bank, and assisted with member validation. Significant risks were apparent from internal sources with weaknesses in aspects of governance and security culture.

Research limitations/implications

This research uses a single case study and whilst it cannot be generalised, it identifies potential security issues others may face and solutions they may apply.

Practical implications

Information security is complex and addresses technical, governance, management and cultural risks. Banking attacks are changing, with greater focus on employees and customers. A systemic approach is required for full consideration. SSM is a suitable approach for such analysis within large organisations.

Originality/value

This study demonstrates how important benefits can be obtained by using SSM alongside traditional risk assessment approaches to identify holistic security issues. A holistic approach is particularly important given the increasing complexity of the security threat surface. Banking was selected as a case study because it is both critical to society and a prime target for attack. Furthermore, developing economies are under-represented in information security research, and this paper adds to the evidence base. As global finance is highly interconnected, it is important that banks in such economies do not constitute a weak link, and hence results from this case have value for the industry as a whole.

Article
Publication date: 11 June 2018

Cindy Zhiling Tu, Yufei Yuan, Norm Archer and Catherine E. Connelly


Abstract

Purpose

Effective information security management is a strategic issue for organizations seeking to safeguard their information resources. Strategic value alignment is a proactive approach to managing value conflict in information security management. Applying a critical success factor (CSF) analysis approach, this paper aims to propose a CSF model based on a strategic alignment approach and to test a model of the main factors that contribute to the success of information security management.

Design/methodology/approach

A theoretical model was proposed and empirically tested with data collected from a survey of managers who were involved in decision-making regarding their companies’ information security (N = 219). The research model was validated using the partial least squares structural equation modeling approach.

Findings

Overall, the model was successful in capturing the main antecedents of information security management performance. The results suggest that with business alignment, top management support and organizational awareness of security risks and controls, effective information security controls can be developed, resulting in successful information security management.

Originality/value

Findings from this study provide several important contributions to both theory and practice. The theoretical model identifies and verifies key factors that impact the success of information security management at the organizational level from a strategic management perspective. It provides practical guidelines for organizations to make their information security management more effective.

Details

Information & Computer Security, vol. 26 no. 2
Type: Research Article
ISSN: 2056-4961

Book part
Publication date: 6 September 2021

Eileen M. Decker, Matthew Morin and Eric M. Rosner

Abstract

Cyber threats present constantly evolving and unique challenges to national security professionals at all levels of government. Public and private sector entities also face a constant stream of cyberattacks through varied methods by actors with myriad motivations. These threats are not expected to diminish in the near future. As a result, homeland security and national security professionals at all levels of government must understand the unique motivations and capabilities of malicious cyber actors in order to better protect against and respond to cyberattacks. This chapter outlines the most common cyberattacks; explains the motivations behind these attacks; and describes the federal, state, and local efforts to address these threats.

Details

The Role of Law Enforcement in Emergency Management and Homeland Security
Type: Book
ISBN: 978-1-78769-336-4
