Search results

1 – 10 of over 4000
Article
Publication date: 8 July 2014

Issa Atoum, Ahmed Otoom and Amer Abu Ali


Abstract

Purpose

The purpose of this paper is to propose a holistic cyber security implementation framework (HCS-IF) that lays out the ground for a conceptual, coherent, systematic, overarching and consolidated approach to implement cyber security strategies (CSSs).

Design/methodology/approach

The HCS-IF is conceptually proposed to address the actual needs that are extracted from literature review. The HCS-IF uses and integrates a set of high-level conceptual security controls, solutions, processes, entities, tools, techniques or mechanisms that are already known in the domains of information security management, software engineering and project management to address the identified needs.

Findings

The HCS-IF components and controls collectively interact and cooperate to implement CSSs. The proposed framework is compared with other related frameworks, and the results show that the HCS-IF outperforms other frameworks on most of the suggested comparison criteria.

Originality/value

From a practical standpoint, governments and practitioners alike stand to gain from the findings of this research. Governments who want to implement CSSs on a national level will find the proposed framework useful in overseeing cyber security implementation. Practitioners will be prepared to address the anticipated cyber security implementation challenges and the required controls needed to facilitate cyber-security implementation in a holistic overarching manner.

Details

Information Management & Computer Security, vol. 22 no. 3
Type: Research Article
ISSN: 0968-5227

Open Access
Article
Publication date: 16 July 2021

Karen Renaud and Jacques Ophoff


Abstract

Purpose

There is widespread concern about the fact that small- and medium-sized enterprises (SMEs) seem to be particularly vulnerable to cyberattacks. This is perhaps because smaller businesses lack sufficient situational awareness to make informed decisions in this space, or because they lack the resources to implement security controls and precautions.

Design/methodology/approach

In this paper, Endsley’s theory of situation awareness was extended to propose a model of SMEs’ cyber situational awareness, and the extent to which this awareness triggers the implementation of cyber security measures. Empirical data were collected through an online survey of 361 UK-based SMEs; subsequently, the authors used partial least squares modeling to validate the model.

Findings

The results show that heightened situational awareness, as well as resource availability, significantly affects SMEs’ implementation of cyber precautions and controls.

Research limitations/implications

While resource limitations are undoubtedly a problem for SMEs, their lack of cyber situational awareness seems to be the area requiring most attention.

Practical implications

The findings of this study are reported and recommendations were made that can help to improve situational awareness, which will have the effect of encouraging the implementation of cyber security measures.

Originality/value

This is the first study to apply the situational awareness theory to understand why SMEs do not implement cyber security best practice measures.

Details

Organizational Cybersecurity Journal: Practice, Process and People, vol. 1 no. 1
Type: Research Article
ISSN: 2635-0270

Article
Publication date: 7 January 2019

Filip Caron


Abstract

Purpose

The purpose of this paper is to highlight the potential of cyber-testing techniques in assessing the effectiveness of cyber-security controls and obtaining audit evidence.

Design/methodology/approach

The paper starts with an identification of the applicable cyber-testing techniques and evaluates their applicability to generally accepted assurance schemes and cyber-security guidelines.

Findings

Cyber-testing techniques are providing insight into the effectiveness of the actual implementation of cyber-security controls, which may significantly deviate from the conceptual designs of these controls. Furthermore, cyber-testing techniques could provide concise input for cyber-risk management and improvement recommendations.

Originality/value

The presented cyber-testing techniques could complement traditional process-oriented assurance techniques with specialized technical analyses of real-world implementations that focus on the adversaries’ viewpoint.

Details

Managerial Auditing Journal, vol. 36 no. 2
Type: Research Article
ISSN: 0268-6902

Article
Publication date: 16 January 2024

Călin Mihail Rangu, Leonardo Badea, Mircea Constantin Scheau, Larisa Găbudeanu, Iulian Panait and Valentin Radu

Abstract

Purpose

In recent years, the frequency and severity of cybersecurity incidents have prompted customers to seek out specialized insurance products. However, this has also presented insurers with operational challenges and increased costs. The assessment of risks for health systems and cyber–physical systems (CPS) necessitates a heightened degree of attention. The significant values of potential damages and claims request a solid insurance system, part of cyber-resilience. This research paper focuses on the emerging cyber insurance market that is currently in the process of standardizing and improving its risk analysis concerning the potential insured entity.

Design/methodology/approach

The authors' approach involves a quantitative analysis utilizing a Likert-style questionnaire designed to survey cyber insurance professionals. The authors' aim is to identify the current methods used in gathering information from potential clients, as well as the manner in which this information is analyzed by the insurers. Additionally, the authors gather insights on potential improvements that could be made to this process.

Findings

The study the authors elaborated has particularly important cyber and risk components for the insurance area, because it addresses a “niche” area not yet properly addressed in specialized literature – cyber insurance. Cyber risk management approaches are not uniform at the international level, nor at the insurer level. Also, not all insurers can perform solid assessments, especially since their companies should first prove that they are fully compliant with international cyber security standards.

Research limitations/implications

This research has concentrated on analyzing the current practices in terms of gathering information about the insured entity before issuing the cyber insurance policy, level of details concerning the cyber security posture of the insured entity and way such information should be analyzed in a standardized and useful manner. The novelty of this research resides in the analysis performed as detailed above and the proposals in terms of information gathered, depth of analysis and standardization of approach made. Future work on the topic can focus on the standardization process for analyzing cyber risk for insurance clients, to improve the proposal based also on historical elements and trends in the market. Thus, future research can further refine the standardization process to analyze in more depth the way this can be implemented and included in relevant legislation at the EU level.

Practical implications

Proposed improvements include proposals in terms of the level of detail and the usefulness of an independent centralized approach for information gathering and analysis, especially given the re-insurance and brokerage activities. The authors also propose a common practical procedural approach in risk management, with the involvement of insurance companies and certification institutions of cyber security auditors.

Originality/value

The study investigates the information gathered by insurers from potential clients of cyber insurance and the way this is analyzed and updated for issuance of the insurance policy.

Details

The Journal of Risk Finance, vol. 25 no. 2
Type: Research Article
ISSN: 1526-5943

Article
Publication date: 14 October 2020

Saurabh Kumar, Baidyanath Biswas, Manjot Singh Bhatia and Manoj Dora


Abstract

Purpose

The present study aims to identify and investigate the antecedents of enhanced level of cyber-security at the organisational level from both the technical and the human resource perspective using human–organisation–technology (HOT) theory.

Design/methodology/approach

The study has been conducted on 151 professionals who have expertise in dealing with cyber-security in organisations in sectors such as retail, education, healthcare, etc. in India. The analysis of the data is carried out using partial least squares based structural equation modelling technique (PLS-SEM).

Findings

The results from the study suggest that “legal consequences” and “technical measures” adopted for securing cyber-security in organisations are the most important antecedents for enhanced cyber-security levels in the organisations. The other significant antecedents for enhanced cyber-security in organisations include “role of senior management” and “proactive information security”.

Research limitations/implications

This empirical study has significant implications for organisations as they can take pre-emptive measures by focussing on important antecedents and work towards enhancing the level of cyber-security.

Originality/value

The originality of this research is combining both technical and human resource perspective in identifying the determinants of enhanced level of cyber-security in the organisations.

Details

Journal of Enterprise Information Management, vol. 34 no. 6
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 7 February 2019

Qais Saif Qassim, Norziana Jamil, Maslina Daud, Ahmed Patel and Norhamadi Ja’affar


Abstract

Purpose

The common implementation practices of modern industrial control systems (ICS) have left a window wide open to various security vulnerabilities. As the cyber-threat landscape continues to evolve, the ICS and their underlying architecture must be protected to withstand cyber-attacks. This study aims to review several ICS security assessment methodologies to identify an appropriate vulnerability assessment method for the ICS systems that examine both critical physical and cyber systems so as to protect the national critical infrastructure.

Design/methodology/approach

This paper reviews several ICS security assessment methodologies and explores whether the existing methodologies are indeed sufficient to meet the cyber security assessment exercise required to validate the security of electrical power control systems.

Findings

The study showed that most of the examined methodologies seem to concentrate on vulnerability identification and prioritisation techniques, whilst other security techniques received noticeably less attention. The study also showed that the least attention is devoted to patch management process due to the critical nature of the SCADA system. Additionally, this review portrayed that only two security assessment methodologies exhibited absolute fulfilment of all NERC-CIP security requirements, whilst the others only partially fulfilled the essential requirements.

Originality/value

This paper presents a review and a comparative analysis of several standard SCADA security assessment methodologies and guidelines published by internationally recognised bodies. In addition, it explores the adequacy of the existing methodologies in meeting cyber security assessment practices required for electrical power networks.

Details

Information & Computer Security, vol. 27 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 17 April 2024

Hassan Jamil, Tanveer Zia, Tahmid Nayeem, Monica T. Whitty and Steven D'Alessandro

Abstract

Purpose

The current advancements in technologies and the internet industry provide users with many innovative digital devices for entertainment, communication and trade. However, simultaneous development and the rising sophistication of cybercrimes bring new challenges. Micro businesses use technology like how people use it at home, but face higher cyber risks during riskier transactions, with human error playing a significant role. Moreover, information security researchers have often studied individuals’ adherence to compliance behaviour in response to cyber threats. The study aims to examine the protection motivation theory (PMT)-based model to understand individuals’ tendency to adopt secure behaviours.

Design/methodology/approach

The study focuses on Australian micro businesses since they are more susceptible to cyberattacks due to the least security measures in place. Out of 877 questionnaires distributed online to Australian micro business owners through survey panel provider “Dynata,” 502 (N = 502) complete responses were included. Structural equational modelling was used to analyse the relationships among the variables.

Findings

The results indicate that all constructs of the protection motivation, except threat susceptibility, successfully predict the user protective behaviours. Also, increased cybersecurity costs negatively impact users’ safe cyber practices.

Originality/value

The study has critical implications for understanding micro business owners’ cyber security behaviours. The study contributes to the current knowledge of cyber security in micro businesses through the lens of PMT.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 16 August 2024

Kristiina Ahola, Marcus Butavicius, Agata McCormac and Daniel Sturman

Abstract

Purpose

Cyber security incidents pose a major threat to organisations. Reporting cyber security incidents and providing organisations with information about their true nature, type and volume, is crucial to inform risk-based decisions. Despite the importance of reporting cyber security incidents, little research has addressed employees’ motivations to do so. Therefore, the purpose of this study is to investigate the factors that influence employees to report cyber security incidents using the theory of planned behaviour as a theoretical framework.

Design/methodology/approach

Survey data were collected from a sample of 549 working Australian adults. Demographics were gathered, in addition to data using the Cyber Security Incident Reporting Inventory (CSIRI; pronounced, “Siri”).

Findings

Attitude towards reporting, subjective norms and perceived behavioural control each significantly predicted intention-to-report cyber security incidents. Perceived behavioural control also significantly predicted actual reporting behaviour.

Research limitations/implications

The results of this study validate the application of the theory of planned behaviour to the cyber security incident reporting context, also indicating that the relationship between intention to report a cyber security incident and actual reporting behaviour may be facilitated by perceived behavioural control.

Practical implications

These findings can be applied to inform the development of strategies that increase employees’ cyber security incident reporting behaviour.

Originality/value

This study outlines the development of a new tool to measure attitudes, subjective norms and perceived behavioural control in relation to the reporting of cyber security incidents. To the best of the authors’ knowledge, this is the first study of its kind to identify the relationship between these factors and intentions to report cyber security incidents.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 16 October 2017

Vivek Soni, Rashmi Anand, Prasanta Kumar Dey, Ambika Prasad Dash and Devinder Kumar Banwet

Abstract

Purpose

The purpose of this research paper is to assess efficacy of e-governance implementation, influenced under the Indian-EU (European Union – EU) strategic dialogue. For the same purpose, this study aims to analyse and measure penetration level of information and communication technology (ICT) applications across ten select gross domestic product-dependent sectors (gross domestic product – GDP) in Indian economy.

Design/methodology/approach

Multi-criteria decision-making (MCDM) approach of PROMETHEE, using its partial and complete versions in fuzzy environment, is applied. The approach assesses e-governance efficacy in various sectors, which is chosen based on their contribution to GDP, where criteria values are assigned by expert opinions, feedback is received and lessons are learnt from training and initiatives taken under the Digital India programme launched by the Government of India. These criteria related to IT policy implementation, cyber security breaches, IT infrastructure development initiatives in select sectors are identified. Later, sectors outranking results have been highlighted using both fuzzy set theory along with PROMETHEE (F-PROMETHEE) and its visual application.

Findings

On applying F-PROMETHEE, studies found that industrial, railways, health and finance and education sectors outrank in their high merit orders. On the contrary, outranking shows that agriculture, defence and aerospace sectors should be more open and accessible to adopt ICT applications in order to promote e-governance processes and their implementation to make e-services available to common citizens. For better interpretation of results, graphical analysis for interactive aid is used to present the analyses.

Research limitations/implications

Research study was found useful in the assessment of ICT penetration level to support Indo-EU relations, where PROMETHEE method is used to outrank sectors alternatives. Criteria are also weighted using fuzzy scale, and the impact of criteria on all alternatives has also been assessed. MCDM framework addresses that subjectivity lies in sectors to implement ICT-based services. However, few other MCDM frameworks, methods such as COPRAS, GST, GRA, SAW and SWARA, can be used for the same purpose.

Practical implications

Sector alternatives involve a high degree of complexity to adopt ICT applications for smooth e-governance and seek effective decision-making for investment prioritization and future development. This study also aims to address cyber security concerns of policymakers. Outranking methods of F-PROMETHEE are able to address the criteria-to-criteria impact and support decision-making in a more precise way.

Social implications

This study is inspired from the strategic implementation of the framework of the e-Government Action Plan 2016-2020 of the EU. The findings from the paper can provide referential support to the Indian Government and policymakers to support information delivery, implement cyber security policies and various sector developments.

Originality/value

This research study can act as a strong base in the decision-making process in conflicting situations of e-governance in India. This study not only can synergize conflicting ideas of various stakeholders, academicians in the Indian IT-sector but also can act as support to administrators and the policymakers to monitor the status of the India-EU Information Society Dialogue.

Details

Transforming Government: People, Process and Policy, vol. 11 no. 4
Type: Research Article
ISSN: 1750-6166

Article
Publication date: 12 September 2024

Ahmed Ali Otoom, Issa Atoum, Heba Al-Harahsheh, Mahmoud Aljawarneh, Mohammed N. Al Refai and Mahmoud Baklizi

Abstract

Purpose

The purpose of this paper is to present the educational computer emergency response team (EduCERT) framework, an integrated response mechanism to bolster national cybersecurity through collaborative efforts in the higher education sector. The EduCERT framework addresses this gap by enhancing cyber security and mitigating cybercrime through collaborative incident management, knowledge sharing and university awareness campaigns.

Design/methodology/approach

The authors propose an EduCERT framework following the design science methodology. The framework is developed based on literature and input from focus group experts. Moreover, it is grounded in the principles of the technology-organization-environment framework, organizational learning and diffusion of innovations theory.

Findings

The EduCERT has eight components: infrastructure, governance, knowledge development, awareness, incident management, evaluation and continuous improvement. The framework reinforces national cybersecurity through cooperation between universities and the National Computer Emergency Response Team. The framework has been implemented in Jordan to generate a cybersecurity foundation for higher education. Evaluating the EduCERT framework’s influence on national cybersecurity highlights the importance of adopting comprehensive cyber-security policies and controls. The framework application shows its relevance, effectiveness, adaptability and alignment with best practices.

Research limitations/implications

Despite the impact of applying the framework in the Jordanian context, it is essential to acknowledge that the proposed EduCERT framework’s practical implementation may encounter challenges specific to diverse international educational environment sectors. However, framework customization for global applicability could address varied educational institutions in other countries.

Practical implications

Furthermore, the proposed EduCERT framework is designed with universal applicability that extends beyond the specific country’s context. The principles and components presented in the framework can serve as valuable design advice for establishing collaborative and resilient cybersecurity frameworks in educational settings worldwide. Therefore, the research enhances the proposed framework’s practical utility and positions it as an invaluable contribution to the broader discourse on global cybersecurity in academia.

Originality/value

This paper enhances national cybersecurity in the higher education sector, addressing the need for a more integrated response mechanism. The EduCERT framework demonstrates its effectiveness, adaptability and alignment with best practices, offering valuable guidance for global educational institutions.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961
