Search results
1 – 10 of over 4000Issa Atoum, Ahmed Otoom and Amer Abu Ali
The purpose of this paper is to propose a holistic cyber security implementation framework (HCS-IF) that lays out the ground for a conceptual, coherent, systematic, overarching…
Abstract
Purpose
The purpose of this paper is to propose a holistic cyber security implementation framework (HCS-IF) that lays out the ground for a conceptual, coherent, systematic, overarching and consolidated approach to implement cyber security strategies (CSSs).
Design/methodology/approach
The HCS-IF is conceptually proposed to address the actual needs that are extracted from literature review. The HCS-IF uses and integrates a set of high-level conceptual security controls, solutions, processes, entities, tools, techniques or mechanisms that are already known in the domains of information security management, software engineering and project management to address the identified needs.
Findings
The HCS-IF components and controls collectively interact and cooperate to implement CSSs. The proposed framework is compared with other related frameworks, and the results show that the HCS-IF outperforms other frameworks on most of the suggested comparison criteria.
Originality/value
From a practical standpoint, governments and practitioners alike stand to gain from the findings of this research. Governments who want to implement CSSs on a national level will find the proposed framework useful in overseeing cyber security implementation. Practitioners will be prepared to address the anticipated cyber security implementation challenges and the required controls needed to facilitate cyber-security implementation in a holistic overarching manner.
Details
Keywords
Karen Renaud and Jacques Ophoff
There is widespread concern about the fact that small- and medium-sized enterprises (SMEs) seem to be particularly vulnerable to cyberattacks. This is perhaps because smaller…
Abstract
Purpose
There is widespread concern about the fact that small- and medium-sized enterprises (SMEs) seem to be particularly vulnerable to cyberattacks. This is perhaps because smaller businesses lack sufficient situational awareness to make informed decisions in this space, or because they lack the resources to implement security controls and precautions.
Design/methodology/approach
In this paper, Endsley’s theory of situation awareness was extended to propose a model of SMEs’ cyber situational awareness, and the extent to which this awareness triggers the implementation of cyber security measures. Empirical data were collected through an online survey of 361 UK-based SMEs; subsequently, the authors used partial least squares modeling to validate the model.
Findings
The results show that heightened situational awareness, as well as resource availability, significantly affects SMEs’ implementation of cyber precautions and controls.
Research limitations/implications
While resource limitations are undoubtedly a problem for SMEs, their lack of cyber situational awareness seems to be the area requiring most attention.
Practical implications
The findings of this study are reported and recommendations were made that can help to improve situational awareness, which will have the effect of encouraging the implementation of cyber security measures.
Originality/value
This is the first study to apply the situational awareness theory to understand why SMEs do not implement cyber security best practice measures.
Details
Keywords
The purpose of this paper is to highlight the potential of cyber-testing techniques in assessing the effectiveness of cyber-security controls and obtaining audit evidence.
Abstract
Purpose
The purpose of this paper is to highlight the potential of cyber-testing techniques in assessing the effectiveness of cyber-security controls and obtaining audit evidence.
Design/methodology/approach
The paper starts with an identification of the applicable cyber-testing techniques and evaluates their applicability to generally accepted assurance schemes and cyber-security guidelines.
Findings
Cyber-testing techniques are providing insight in the effectiveness of the actual implementation of cyber-security controls, which may significantly deviate from the conceptual designs of these controls. Furthermore, cyber-testing techniques could provide concise input for cyber-risk management and improvement recommendations.
Originality/value
The presented cyber-testing techniques could complement traditional process-oriented assurance techniques with specialized technical analyses of real-world implementations that focus on the adversaries’ viewpoint.
Details
Keywords
Călin Mihail Rangu, Leonardo Badea, Mircea Constantin Scheau, Larisa Găbudeanu, Iulian Panait and Valentin Radu
In recent years, the frequency and severity of cybersecurity incidents have prompted customers to seek out specialized insurance products. However, this has also presented…
Abstract
Purpose
In recent years, the frequency and severity of cybersecurity incidents have prompted customers to seek out specialized insurance products. However, this has also presented insurers with operational challenges and increased costs. The assessment of risks for health systems and cyber–physical systems (CPS) necessitates a heightened degree of attention. The significant values of potential damages and claims request a solid insurance system, part of cyber-resilience. This research paper focuses on the emerging cyber insurance market that is currently in the process of standardizing and improving its risk analysis concerning the potential insured entity.
Design/methodology/approach
The authors' approach involves a quantitative analysis utilizing a Likert-style questionnaire designed to survey cyber insurance professionals. The authors' aim is to identify the current methods used in gathering information from potential clients, as well as the manner in which this information is analyzed by the insurers. Additionally, the authors gather insights on potential improvements that could be made to this process.
Findings
The study the authors elaborated it has a particularly important cyber and risk components for insurance area, because it addresses a “niche” area not yet proper addressed in specialized literature – cyber insurance. Cyber risk management approaches are not uniform at the international level, nor at the insurer level. Also, not all insurers can perform solid assessments, especially since their companies should first prove that they are fully compliant with international cyber security standards.
Research limitations/implications
This research has concentrated on analyzing the current practices in terms of gathering information about the insured entity before issuing the cyber insurance policy, level of details concerning the cyber security posture of the insured entity and way such information should be analyzed in a standardized and useful manner. The novelty of this research resides in the analysis performed as detailed above and the proposals in terms of information gathered, depth of analysis and standardization of approach made. Future work on the topic can focus on the standardization process for analyzing cyber risk for insurance clients, to improve the proposal based also on historical elements and trends in the market. Thus, future research can further refine the standardization process to analyze in more depth the way this can be implemented and included in relevant legislation at the EU level.
Practical implications
Proposed improvements include proposals in terms of the level of detail and the usefulness of an independent centralized approach for information gathering and analysis, especially given the re-insurance and brokerage activities. The authors also propose a common practical procedural approach in risk management, with the involvement of insurance companies and certification institutions of cyber security auditors.
Originality/value
The study investigates the information gathered by insurers from potential clients of cyber insurance and the way this is analyzed and updated for issuance of the insurance policy.
Details
Keywords
Saurabh Kumar, Baidyanath Biswas, Manjot Singh Bhatia and Manoj Dora
The present study aims to identify and investigate the antecedents of enhanced level of cyber-security at the organisational level from both the technical and the human resource…
Abstract
Purpose
The present study aims to identify and investigate the antecedents of enhanced level of cyber-security at the organisational level from both the technical and the human resource perspective using human–organisation–technology (HOT) theory.
Design/methodology/approach
The study has been conducted on 151 professionals who have expertise in dealing with cyber-security in organisations in sectors such as retail, education, healthcare, etc. in India. The analysis of the data is carried out using partial least squares based structural equation modelling technique (PLS-SEM).
Findings
The results from the study suggest that “legal consequences” and “technical measures” adopted for securing cyber-security in organisations are the most important antecedents for enhanced cyber-security levels in the organisations. The other significant antecedents for enhanced cyber-security in organisations include “role of senior management” and “proactive information security”.
Research limitations/implications
This empirical study has significant implications for organisations as they can take pre-emptive measures by focussing on important antecedents and work towards enhancing the level of cyber-security.
Originality/value
The originality of this research is combining both technical and human resource perspective in identifying the determinants of enhanced level of cyber-security in the organisations.
Details
Keywords
Qais Saif Qassim, Norziana Jamil, Maslina Daud, Ahmed Patel and Norhamadi Ja’affar
The common implementation practices of modern industrial control systems (ICS) has left a window wide open to various security vulnerabilities. As the cyber-threat landscape…
Abstract
Purpose
The common implementation practices of modern industrial control systems (ICS) has left a window wide open to various security vulnerabilities. As the cyber-threat landscape continues to evolve, the ICS and their underlying architecture must be protected to withstand cyber-attacks. This study aims to review several ICS security assessment methodologies to identify an appropriate vulnerability assessment method for the ICS systems that examine both critical physical and cyber systems so as to protect the national critical infrastructure.
Design/methodology/approach
This paper reviews several ICS security assessment methodologies and explores whether the existing methodologies are indeed sufficient to meet the cyber security assessment exercise required to validate the security of electrical power control systems.
Findings
The study showed that most of the examined methodologies seem to concentrate on vulnerability identification and prioritisation techniques, whilst other security techniques received noticeably less attention. The study also showed that the least attention is devoted to patch management process due to the critical nature of the SCADA system. Additionally, this review portrayed that only two security assessment methodologies exhibited absolute fulfilment of all NERC-CIP security requirements, whilst the others only partially fulfilled the essential requirements.
Originality/value
This paper presents a review and a comparative analysis of several standard SCADA security assessment methodologies and guidelines published by internationally recognised bodies. In addition, it explores the adequacy of the existing methodologies in meeting cyber security assessment practices required for electrical power networks.
Details
Keywords
Hassan Jamil, Tanveer Zia, Tahmid Nayeem, Monica T. Whitty and Steven D'Alessandro
The current advancements in technologies and the internet industry provide users with many innovative digital devices for entertainment, communication and trade. However…
Abstract
Purpose
The current advancements in technologies and the internet industry provide users with many innovative digital devices for entertainment, communication and trade. However, simultaneous development and the rising sophistication of cybercrimes bring new challenges. Micro businesses use technology like how people use it at home, but face higher cyber risks during riskier transactions, with human error playing a significant role. Moreover, information security researchers have often studied individuals’ adherence to compliance behaviour in response to cyber threats. The study aims to examine the protection motivation theory (PMT)-based model to understand individuals’ tendency to adopt secure behaviours.
Design/methodology/approach
The study focuses on Australian micro businesses since they are more susceptible to cyberattacks due to the least security measures in place. Out of 877 questionnaires distributed online to Australian micro business owners through survey panel provider “Dynata,” 502 (N = 502) complete responses were included. Structural equational modelling was used to analyse the relationships among the variables.
Findings
The results indicate that all constructs of the protection motivation, except threat susceptibility, successfully predict the user protective behaviours. Also, increased cybersecurity costs negatively impact users’ safe cyber practices.
Originality/value
The study has critical implications for understanding micro business owners’ cyber security behaviours. The study contributes to the current knowledge of cyber security in micro businesses through the lens of PMT.
Details
Keywords
Kristiina Ahola, Marcus Butavicius, Agata McCormac and Daniel Sturman
Cyber security incidents pose a major threat to organisations. Reporting cyber security incidents and providing organisations with information about their true nature, type and…
Abstract
Purpose
Cyber security incidents pose a major threat to organisations. Reporting cyber security incidents and providing organisations with information about their true nature, type and volume, is crucial to inform risk-based decisions. Despite the importance of reporting cyber security incidents, little research has addressed employees’ motivations to do so. Therefore, the purpose of this study is to investigate the factors that influence employees to report cyber security incidents using the theory of planned behaviour as a theoretical framework.
Design/methodology/approach
Survey data were collected from a sample of 549 working Australian adults. Demographics were gathered, in addition to data using the Cyber Security Incident Reporting Inventory (CSIRI; pronounced, “Siri”).
Findings
Attitude towards reporting, subjective norms and perceived behavioural control each significantly predicted intention-to-report cyber security incidents. Perceived behavioural control also significantly predicted actual reporting behaviour.
Research limitations/implications
The results of this study validate the application of the theory of planned behaviour to the cyber security incident reporting context, also indicating that the relationship between intention to report a cyber security incident and actual reporting behaviour may be facilitated by perceived behavioural control.
Practical implications
These findings can be applied to inform the development of strategies that increase employees’ cyber security incident reporting behaviour.
Originality/value
This study outlines the development of a new tool to measure attitudes, subjective norms and perceived behavioural control in relation to the reporting of cyber security incidents. To the best of the authors’ knowledge, this is the first study of its kind to identify the relationship between these factors and intentions to report cyber security incidents.
Details
Keywords
Vivek Soni, Rashmi Anand, Prasanta Kumar Dey, Ambika Prasad Dash and Devinder Kumar Banwet
The purpose of this research paper is to assess efficacy of e-governance implementation, influenced under the Indian-EU (European Union – EU) strategic dialogue. For the same…
Abstract
Purpose
The purpose of this research paper is to assess efficacy of e-governance implementation, influenced under the Indian-EU (European Union – EU) strategic dialogue. For the same purpose, this study aims to analyse and measure penetration level of information and communication technology (ICT) applications across ten select gross domestic product-dependent sectors (gross domestic product – GDP) in Indian economy.
Design/methodology/approach
Multi-criteria decision-making (MCDM) approach of PROMETHEE, using its partial and complete versions in fuzzy environment, is applied. The approach assesses e-governance efficacy in various sectors, which is chosen based on their contribution to GDP, where criteria values are assigned by expert opinions, feedback is received and lessons are learnt from training and initiatives taken under the Digital India programme launched by the Government of India. These criteria related to IT policy implementation, cyber security breaches, IT infrastructure development initiatives in select sectors are identified. Later, sectors outranking results have been highlighted using both fuzzy set theory along with PROMETHEE (F-PROMETHEE) and its visual application.
Findings
On applying F-PROMETHEE, studies found that industrial, railways, health and finance and education sectors outrank in their high merit orders. Contrary, outranking shows that agriculture, defence and aerospace sectors should be more open and accessible to adopt ICT applications in order to promote e-governance processes and their implementation to make e-services available to common citizens. For better interpretation of results, graphical analysis for interactive aid is used to present the analyses.
Research limitations/implications
Research study was found useful in the assessment of ICT penetration level in to support Indo-EU relations, where PROMETHEE method is used to outrank sectors alternatives. Criteria are also weighted using fuzzy scale, and the impact of criteria on all alternatives has also been assessed. MCDM framework addresses that subjectivity lies in sectors to implement ICTs bases services. However, few other MCDM frameworks, methods such as COPRAS, GST, GRA, SAW and SWARA, can be used for the same purpose.
Practical implications
Sectors alternative involve high degree of complexity to adopt ICT applications for smooth e-governance and seek effective decision-making for investment prioritization and future development. This study also aims to address cyber security concerns of policymakers. Outranking methods of F-PROMETHEE are able to address the criteria-to-criteria impact and support decision-making in a more precise way.
Social implications
This study is inspired from the strategic implementation of the framework of the e-Government Action Plan 2016-2020 of the EU. The findings from the paper can provide referential support to the Indian Government and policymakers to support information delivery, implement cyber security policies and various sector developments.
Originality/value
This research study can act as a strong base in the decision-making process in conflicting situations of e-governance in India. This study not only can synergize conflicting ideas of various stakeholders, academicians in the Indian IT-sector but also can act as support to administrators and the policymakers to monitor the status of the India-EU Information Society Dialogue.
Details
Keywords
Ahmed Ali Otoom, Issa Atoum, Heba Al-Harahsheh, Mahmoud Aljawarneh, Mohammed N. Al Refai and Mahmoud Baklizi
The purpose of this paper is to present the educational computer emergency response team (EduCERT) framework, an integrated response mechanism to bolster national cybersecurity…
Abstract
Purpose
The purpose of this paper is to present the educational computer emergency response team (EduCERT) framework, an integrated response mechanism to bolster national cybersecurity through collaborative efforts in the higher education sector. The EduCERT framework addresses this gap by enhancing cyber security and mitigating cybercrime through collaborative incident management, knowledge sharing and university awareness campaigns.
Design/methodology/approach
The authors propose an EduCERT framework following the design science methodology. The framework is developed based on literature and input from focus group experts. Moreover, it is grounded in the principles of the technology-organization-environment framework, organizational learning and diffusion of innovations theory.
Findings
The EduCERT has eight components: infrastructure, governance, knowledge development, awareness, incident management, evaluation and continuous improvement. The framework reinforces national cybersecurity through cooperation between universities and the National Computer Emergency Response Team. The framework has been implemented in Jordan to generate a cybersecurity foundation for higher education. Evaluating the EduCERT framework’s influence on national cybersecurity highlights the importance of adopting comprehensive cyber-security policies and controls. The framework application shows its relevance, effectiveness, adaptability and alignment with best practices.
Research limitations/implications
Despite the impact of applying the framework in the Jordanian context, it is essential to acknowledge that the proposed EduCERT framework’s practical implementation may encounter challenges specific to diverse international educational environment sectors. However, framework customization for global applicability could address varied educational institutions in other countries.
Practical implications
Furthermore, the proposed EduCERT framework is designed with universal applicability that extends beyond the specific country’s context. The principles and components presented in the framework can serve as valuable design advice for establishing collaborative and resilient cybersecurity frameworks in educational settings worldwide. Therefore, the research enhances the proposed framework’s practical utility and positions it as an invaluable contribution to the broader discourse on global cybersecurity in academia.
Originality/value
This paper enhances national cybersecurity in the higher education sector, addressing the need for a more integrated response mechanism. The EduCERT framework demonstrates its effectiveness, adaptability and alignment with best practices, offering valuable guidance for global educational institutions.
Details