Search results

1 – 10 of 957
Article

Noluxolo Gcaza, Rossouw von Solms, Marthie M. Grobler and Joey Jansen van Vuuren

Abstract

Purpose

The purpose of this paper is to define and delineate cyber security culture. Cyber security has been a concern for many years. In an effort to mitigate the cyber security risks, technology-centred measures were deemed to be the ultimate solution. Nowadays, however, it is accepted that the process of cyber security requires much more than mere technical controls. On the contrary, it now demands a human-centred approach, including a cyber security culture. Although the role of cultivating a culture in pursuing cyber security is well appreciated, research focusing intensely on cyber security culture is still in its infancy. Additionally, knowledge on the subject is not clearly bounded and defined.

Design/methodology/approach

General morphological analysis (GMA) is used to define, structure and analyse the cyber security environment culture.

Findings

This paper identifies the most important variables in cultivating a cyber security culture.

Research implications

The delineation of the national cyber security domain will contribute to the relatively new domain of cyber security culture. They contribute to the research community by means of promoting a shared and common understanding of terms. It is a step in the right direction towards eliminating the ambiguity of domain assumptions.

Practical implications

Practically, the study can assist developing nations in constructing strategies that address the key factors that need to be apparent in lieu to cultivating its envisaged national culture of cyber security. Additionally, the GMA will contribute to the development of solutions or means that do not overlook interrelations of such factors.

Originality/value

Delineating and defining the cyber security culture domain more precisely could greatly contribute to realizing the elements that collectively play a role in cultivating such a culture for a national perspective.

Details

Information & Computer Security, vol. 25 no. 3
Type: Research Article
ISSN: 2056-4961

Article

Manmohan Chaturvedi, Abhishek Narain Singh, Manmohan Prasad Gupta and Jaijit Bhattacharya

Abstract

Purpose

The purpose of this paper is to attempt to fill the need to identify critical information security issues at national level, both technical and social in the Indian context, and create a framework of these issues to provide interesting managerial insights about their hierarchy. Current literature advocates relevance of both technical and social issues in a potential framework to address national and organizational information security concerns. Such a framework can guide users in developing insight for strategy in the maze of important information security issues and their intricate interdependency.

Design/methodology/approach

Delphi methodology is used to identify a set of topical issues with help from members of a cyber security group. These issues are further analyzed using Interpretive Structural Modeling (ISM) to impose order and direction to the complex relationships among them.

Findings

The analysis using ISM creates a framework of these issues and provides interesting managerial insights about their hierarchy. These insights are used to recommend prioritized action for information security at national and organizational levels.

Research limitations/implications

The highlight of this research is ingenious deployment of two idea engineering methods in developing interpretable structural model of 25 information security issues. This model provides valuable insights and can guide the policy formulation. This is the key contribution of this paper. It needs hardly any emphasis on the need for continuous search of all technical and social issues and formulating policies and programs using experts’ judgment in a rigorous manner. Subsequent research may scale up to the global level for extension and validation by empanelling Delphi experts from nations belonging to different regions. Time-variant analysis can be attempted with the help of System Dynamics Modeling using causal-loop diagrams to account for the supportive and inhibiting influences of various issues. This approach has the potential to generate more realistic insights that can inform policy formulation.

Practical implications

It brings about key information security issues connected with its various facets, viz. national/organizational level initiatives, supportive processes, capabilities and objectives. These issues, identified by Indian experts in the Indian context, offer a method that one could apply in other national contexts and see whether substantial differences occur, and how other experts prioritize these issues. The analysis of social issues along with technical issues using the ISM tool provides us insights that are considered applicable to a larger context than India. The policy and program formulations in other nations can benefit from the insights generated by this research. The fast-paced proliferation of technology and its resultant vulnerabilities have given birth to an underground economy of malware trading by criminals, terrorists and hostile nation states. Secure cyber space for legitimate use by the globalized world can only be achieved by international cooperation.

Social implications

A “digital divide” in cyber defense cannot be afforded. As explained earlier, cyber security is a challenge for both developed and developing nations. Prioritization of resources in a sequence suggested by ISM analysis would help face the challenge of cyber security better. The methodology suggested in this paper would ensure adequate response to cyber threats and eliminate knee-jerk reaction.

Originality/value

This research emphasizes identification of hierarchical relationship among the identified topical issues of information security rather than using them as a flat checklist. It helps us segregate the end objectives from root issues and highlights the necessity of addressing these root issues to achieve those objectives.

Details

Transforming Government: People, Process and Policy, vol. 8 no. 3
Type: Research Article
ISSN: 1750-6166

Article

Muktesh Chander, Sudhir K. Jain and Ravi Shankar

Abstract

Purpose

The purpose of this paper is to identify various information security management parameters and develop a conceptual framework for it.

Design/methodology/approach

Interpretive Structural Modeling (ISM) and MICMAC approaches have been used to identify and classify the key factors of information security management based on the direct and indirect relationship of these factors.

Findings

The research presents a classification of key parameters according to their driving power and dependence which enable information security management in an organization. It also suggests parameters on which management should pay more attention.

Research limitations/implications

In the paper, 12 parameters were identified based on a literature study and expert help. It is possible to identify some more parameters for ISM development. The help of experts was also used to identify the contextual relationship among the variables for the ISM model. This may introduce some element of bias. Although a relationship model using ISM has been developed, it has not been validated statistically. For future research, it is suggested that the structural equation modelling (SEM) technique may be used to corroborate the findings of ISM. Some of the variables have been grouped together, being a part of a subset due to their similar nature; but it is possible to treat them as independent variables. Future researches may establish their interrelationships also.

Practical implications

The paper has tremendous practical utility for organizations which want to reap the benefits of information and communication technology for their growth but are struggling to find a right approach to deal with information security breach incidents.

Originality/value

Development of a framework for information security management in an organization is the major contribution of this paper. This would be of help to strategic managers in managing information security with emphasis on key parameters identified here.

Details

Journal of Modelling in Management, vol. 8 no. 2
Type: Research Article
ISSN: 1746-5664

Article

Malcolm Pattinson, Marcus Butavicius, Meredith Lillie, Beau Ciccarello, Kathryn Parsons, Dragana Calic and Agata McCormac

Abstract

Purpose

This paper aims to introduce the concept of a framework of cyber-security controls that are adaptable to different types of organisations and different types of employees. One of these adaptive controls, namely, the mode of training provided, is then empirically tested for its effectiveness.

Design/methodology/approach

In total, 1,048 working Australian adults completed the human aspects of the information security questionnaire (HAIS-Q) to determine their individual information security awareness (ISA). This included questions relating to the various modes of cyber-security training they had received and how often it was provided. Also, a set of questions called the cyber-security learning-styles inventory was used to identify their preferred learning styles for training.

Findings

The extent to which the training that an individual received matched their learning preferences was positively associated with their information security awareness (ISA) level. However, the frequency of such training did not directly predict ISA levels.

Research limitations/implications

Further research should examine the influence of matching cyber-security learning styles to training packages more directly by conducting a controlled trial where the training packages provided differ only in the mode of learning. Further research should also investigate how individual tailoring of aspects of an adaptive control framework (ACF), other than training, may improve ISA.

Practical implications

If cyber-security training is adapted to the preferred learning styles of individuals, their level of ISA will improve, and therefore, their non-malicious behaviour, whilst using a digital device to do their work, will be safer.

Originality/value

A review of the literature confirmed that ACFs for cyber-security do exist, but only in terms of hardware and software controls. There is no evidence of any literature on frameworks that include controls that are adaptable to human factors within the context of information security. In addition, this is the first study to show that ISA is improved when cyber-security training is provided in line with an individual’s preferred learning style. Similar improvement was not evident when the training frequency was increased, suggesting real-world improvements in ISA may be possible without increasing training budgets but by simply matching individuals to their desired mode of training.

Article

Georgios I. Zekos

Abstract

The aim of the present monograph is the economic analysis of the role of MNEs regarding globalisation and digital economy and in parallel there is a reference and examination of some legal aspects concerning MNEs, cyberspace and e‐commerce as the means of expression of the digital economy. The whole effort of the author is focused on the examination of various aspects of MNEs and their impact upon globalisation and vice versa and how and if we are moving towards a global digital economy.

Details

Managerial Law, vol. 45 no. 1/2
Type: Research Article
ISSN: 0309-0558

Article

Kenneth Albert Saban, Stephen Rau and Charles A. Wood

Abstract

Purpose

Information security has increasingly been in the headlines as data breaches continue to occur at alarming rates. This paper aims to propose an Information Security Preparedness Model that was developed to examine how SME executives’ perceptions of security importance, implementation challenges and external influences impact their awareness and commitment to security preparedness.

Design/methodology/approach

Funded by the Department of Justice, a national survey of SME executives’ perceptions of information security preparedness was conducted. Using PLS-SEM, the survey responses were used to test the proposed Information Security Preparedness Model.

Findings

The results indicate that as perceptions of security importance and external influences increase, SME executives’ awareness and commitment to information security also increases. In addition, as implementation challenges increase, awareness and commitment to information security decreases. Finally, as security importance and awareness and commitment to information security increases, executives’ perception of security preparedness also increases.

Research limitations/implications

Executive perceptions of information security were measured and not the actual level of security. Further research that examines the agreement between executive perceptions and the true state of information security within the organization is warranted.

Originality/value

Prior information security studies using Rogers’ (1975, 1983) Protection Motivation Theory have produced mixed results. This paper develops and tests the Information Security Preparedness Model to more fully explain SME executives’ perceptions of information security.

Article

Andrew R. Gillam and Alina M. Waite

Abstract

Purpose

The purpose of this paper is to examine gender differences in predictors of technology threat avoidance motivation and behavior among working US adults. Implications were considered in regard to cybersecurity awareness training motivation and perceptions of need for protective cybersecurity behavior in the workplace.

Design/methodology/approach

A single-shot regression-based study used ordinal regression supported by K-means clustering to evaluate the moderating effects of gender on predictors of technology threat avoidance motivation and behavior on a sample of n = 206 US adult workers.

Findings

The regression model explained 47.5% of variance in avoidance motivation and 39% of avoidance behavior variance. Gender moderated predictive associations between several independent variables and avoidance motivation: perceived susceptibility, perceived effectiveness, perceived cost and self-efficacy. Gender also moderated the association between avoidance motivation and avoidance behavior.

Research limitations/implications

The predictive impact of gender extends beyond the main effects in technology threat avoidance. Data frequency distributions and inter-variable relationships should be routinely considered in threat avoidance studies, especially if sample variables exhibit non-normal frequency distributions and nonlinear associations.

Practical implications

Gender was significantly associated with threat avoidance motivation and avoidance behavior and exhibited notable associations with antecedents of avoidance motivation. Related insights can inform the design and delivery of training content relating to technology threat avoidance as organizations strive to more effectively leverage information technology end-users as protective assets for the enterprise.

Originality/value

The uniqueness of this study derives from its focus and findings regarding the moderating effects of gender on technology threat avoidance factors and techniques used to measure and evaluate the associations between them.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Article

Md. Shariful Islam, Nusrat Farah and Thomas F. Stafford

Abstract

Purpose

The purpose of the study is to explore the factors associated with the extent of security/cybersecurity audit by the internal audit function (IAF) of the firm. Specifically, the authors focused on whether IAF/CAE (certified audit executive [CAE]) characteristics, board involvement related to governance, role of the audit committee (or equivalent) and the chief risk officer (CRO) and IAF tasked with enterprise risk management (ERM) are associated with the extent to which the firm engages in security/cybersecurity audit.

Design/methodology/approach

For analysis, the paper uses responses of 970 CAEs as compiled in the Common Body of Knowledge database (CBOK, 2015) developed by the Institute of Internal Auditors Research Foundation (IIARF).

Findings

The results of the study suggest that the extent of security/cybersecurity audit by IAF is significantly and positively associated with IAF competence related to governance, risk and control. Board support regarding governance is also significant and positive. However, the Audit Committee (AC) or equivalent and the CRO role are not significant across the regions studied. Comprehensive risk assessment done by IAF and IAF quality have a significant and positive effect on security/cybersecurity audit. Unexpectedly, CAEs with security certification and IAFs tasked with ERM do not have a significant effect on security/cybersecurity audit; however, other certifications such as CISA or CPA have a marginal or mixed effect on the extent of security/cybersecurity audit.

Originality/value

This study is the first to describe IAF involvement in security/cybersecurity audit. It provides insights into the specific IAF/CAE characteristics and corporate governance characteristics that can lead IAF to contribute significantly to security/cybersecurity audit. The findings add to the results of prior studies on the IAF involvement in different IT-related aspects such as IT audit and XBRL implementation and on the role of the board and the audit committee (or its equivalent) in ERM and the detection and correction of security breaches.

Details

Managerial Auditing Journal, vol. 33 no. 4
Type: Research Article
ISSN: 0268-6902

Article

Uchenna Daniel Ani, Hongmei He and Ashutosh Tiwari

Abstract

Purpose

As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued to react to security concerns that threaten their businesses within the current highly competitive environment. Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber intrusion events within the industrial control system (ICS) environment.

Design/methodology/approach

A quantitative approach (statistical analysis) is adopted to provide an approach to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least security-capable workforce in the operational domain with the greatest susceptibility likelihood to cyber-attacks (i.e. weakest link) and guide the enhancement of security assurance. To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques.

Findings

Using a test scenario, the approach demonstrates the capacity to proffer an efficient evaluation of workforce security knowledge and skills capabilities and the identification of weakest link in the workforce.

Practical implications

The approach can enable organisations to gain better workforce security perspectives like security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic means of appropriating security remediation outlines, scopes and resources without undue wastes or redundancies.

Originality/value

This paper demonstrates originality by providing a framework and computational approach for characterising and quantifying human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), some key security susceptibility areas and relevant control interventions. The model and validation results demonstrate the application of action research. This paper demonstrates originality by illustrating how action research can be applied within socio-technical dimensions to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations.

Details

Journal of Systems and Information Technology, vol. 21 no. 1
Type: Research Article
ISSN: 1328-7265

Book part

Chun Kit Lok

Abstract

Smart card-based E-payment systems are receiving increasing attention as the number of implementations is witnessed on the rise globally. Understanding of user adoption behavior of E-payment systems that employ smart card technology becomes a research area that is of particular value and interest to both IS researchers and professionals. However, research interest focuses mostly on why a smart card-based E-payment system results in a failure or how the system could have grown into a success. This signals the fact that researchers have not had much opportunity to critically review a smart card-based E-payment system that has gained wide support and overcome the hurdle of critical mass adoption. The Octopus in Hong Kong has provided a rare opportunity for investigating smart card-based E-payment system because of its unprecedented success. This research seeks to thoroughly analyze the Octopus from technology adoption behavior perspectives.

Cultural impacts on adoption behavior are one of the key areas that this research posits to investigate. Since the present research is conducted in Hong Kong, where a majority of the population is of Chinese ethnicity and yet is westernized in a number of aspects, assuming that users in Hong Kong are characterized by eastern or western culture is less useful. Explicit cultural characteristics at individual level are tapped into here instead of applying generalization of cultural beliefs to users to more accurately reflect cultural bias. In this vein, the technology acceptance model (TAM) is adapted, extended, and tested for its applicability cross-culturally in Hong Kong on the Octopus. Four cultural dimensions developed by Hofstede are included in this study, namely uncertainty avoidance, masculinity, individualism, and Confucian Dynamism (long-term orientation), to explore their influence on usage behavior through the mediation of perceived usefulness.

TAM is also integrated with the innovation diffusion theory (IDT) to borrow two constructs in relation to innovative characteristics, namely relative advantage and compatibility, in order to enhance the explanatory power of the proposed research model. Besides, the normative accountability of the research model is strengthened by embracing two social influences, namely subjective norm and image. As the last antecedent to perceived usefulness, prior experience serves to bring in the time variation factor to allow level of prior experience to exert both direct and moderating effects on perceived usefulness.

The resulting research model is analyzed by partial least squares (PLS)-based Structural Equation Modeling (SEM) approach. The research findings reveal that all cultural dimensions demonstrate direct effect on perceived usefulness though the influence of uncertainty avoidance is found marginally significant. Other constructs on innovative characteristics and social influences are validated to be significant as hypothesized. Prior experience does indeed significantly moderate the two influences that perceived usefulness receives from relative advantage and compatibility, respectively. The research model has demonstrated convincing explanatory power and so may be employed for further studies in other contexts. In particular, cultural effects play a key role in contributing to the uniqueness of the model, enabling it to be an effective tool to help critically understand increasingly internationalized IS system development and implementation efforts. This research also suggests several practical implications in view of the findings that could better inform managerial decisions for designing, implementing, or promoting smart card-based E-payment system.

Details

E-services Adoption: Processes by Firms in Developing Nations
Type: Book
ISBN: 978-1-78560-709-7
