Search results

As evident from the literature review, the research on cyber security performance is centered on security metrics, maturity models, etc. Essentially, all these are helpful for evaluating the efficiency of cyber security organization but what matters is how the factors of internal efficiency affect the business performance, i.e. the external effectiveness. The purpose of this research paper is to derive the factors of internal efficiency and external effectiveness of cyber security and develop impact model to identify the most and least preferred parameters of internal efficiency with respect to all the parameters of external effectiveness.

There are two objectives for this research: Deriving the factors of internal efficiency and external effectiveness of cyber security; Developing a model to identify the impact of internal efficiency factors on the external effectiveness of cyber security since there is not much evidence of research in defining the factors of internal efficiency and external effectiveness of cyber security, the authors have chosen grounded theory methodology (GTM) to derive the parameters. In this study emic approach of GTM is followed and an algorithm is developed for administering the grounded theory research process. For the second research objective survey methodology and rank order was used to formulate the impact model. Two different samples and questionnaires were designed for each of the objectives.

For the objective 1, 11 factors of efficiency and 10 factors of effectiveness were derived. These are used as independent and dependent variable respectively in the later part of the research for the second objective. For the objective 2 the impact models among independent and dependent variables were formulated to find out the following. Most and least preferred parameters lead to internal efficiency of cyber security organization to identify the most and least preferred parameters of internal efficiency with respect to all the parameters external effectiveness.

The factors of internal efficiency and external effectiveness constructed by using grounded theory cannot remain constant in the long run, because of dynamism of the domain itself. Over and above this, there are inherent limitations of the tools like grounded theory, used in the research. Few important limitations of GTM are as below in grounded theory, it is comparatively difficult to maintain and demonstrate the rigors of research discipline. The sheer volume of data makes the analysis and interpretation complex, and lengthy time consuming. The researchers’ presence during data gathering, which is often unavoidable and desirable too in qualitative research, may affect the subjects’ responses. The subjectivity of the data leads to difficulties in establishing reliability and validity of approaches and information. It is difficult to detect or to prevent researcher-induced bias.

The internal efficiency and external effectiveness factors of cyber security can be further correlated by the future researchers to understand the correlations among all the factors and predict cyber security performance. The grounded theory algorithm developed by us can be further used for qualitative research for deriving theory through abstractions in the areas where there is no sufficient availability of data. Practitioners of cyber security can use this research to focus on relevant areas depending on their respective business objective/requirements. The models developed by us can be used by the future researchers to for various sectoral validations and correlations.

Though the financial costs of a cyber-attack are steep, the social impact of cyber security failures is less readily apparent but can cause lasting damage to customers, employees and the company. Therefore, it is always important to be mindful of how the impact of cyber security affects society as well as the bottom line when they are calculating the potential impact of a breach. Underestimating either impact can destroy a brand. The factor of internal efficiency and external effectiveness derived by us will help stakeholder in focusing on relevant area depending on their business. The impact model developed in this research is very useful for focusing a particular business requirement and accordingly tune the efficiency factor.

During literature study the authors did not find any evidence of application of grounded theory approach in cyber security research. While the authors were exploring research literature to find out some insight into the factor of internal efficiency and external effectiveness of cyber security, the authors did not find concrete and objective research on this. This motivated us to use grounded theory to derive these factors. This, in the authors’ opinion is one of the pioneering and unique contribution to the research as to the authors’ knowledge no researchers have ever tried to use this methodology for the stated purpose and cyber security domain in general. In this process the authors have also developed an algorithm for administering GTM. Further developing impact models using factors of internal efficiency and external effectiveness has lots of managerial and practical implication.

This study aims to examine the relationship between blockchain technology (BCT) adoption and firm performance (FIP) mediated by cyber-security risk management (CSRM) in the context of Vietnam, a developing country. Besides, the mediating effect of risk-taking tendency (RTT) has been considered in the BCT–CSRM nexus.

Data is collected using a survey questionnaire of Vietnamese financial firms through strict screening steps to ensure the representativeness of the population. The ending pattern of 449 responses has been used for analysis.

The findings of partial least squares structural equation modeling demonstrated that CSRM has a positive effect on FIP and acts as a mediator in the BCT–FIP nexus. Furthermore, RTT moderates the relationship between BCT and CSRM significantly.

This study introduces the attractive attributes of applying BCT to CSRM. Accordingly, managers should rely on BCT and take advantage of it to improve investment resources, business activities and functional areas to enhance their firm's CSRM. Especially, managers should pay attention to enhancing their RTT, which improves FIP.

This study supplements the previous literature in the context of CSRM by indicating favorable effects of BCT and RTT. Additionally, this study identifies the effectiveness of RTT as well as its moderating role. Ultimately, this paper has been managed as a pioneering empirical study that integrates BCT, RTT and CSRM in the same model in a developing country, specifically Vietnam.

Although risks are present in any organisation and the importance of their study is obvious, the authors find that risk analysis is an area still in its infancy, as reflected in the small number of existing publications on this topic. Human resources tend to understand risk in an elementary way. The ability of human resources to perceive risk is the ability and competence to identify a potential threat that does not always appear.

Aim: The aim of the this chapter was to provide additional knowledge on human resource competencies, in order to avoid the emergence and spread of risks at the organisational and cyber level.

Methodology: The authors used the quantitative–comparative analysis, by presenting all the details regarding the competencies of the human resource in order to manage the risks at organisational and cybernetic level.

Findings: The findings of this chapter show that the compulsory competencies of the human resource influence both the general competencies and the special competencies: information technology and communications, security ethics and economic ones. These, in turn, can improve or diminish cyber security competencies by almost 50%.

Originality of the Study: This study is highlighted by results obtained from the analysis of the capacity of human resources, to integrate theoretical knowledge and practical competencies on the perception of cyber risk. Of particular importance for this research are the analysis of data and the interpretation of results on human resources competencies. In this sense, throughout the chapter are assessed the skills of human resources, necessary for the management of cyber risks at the organisational level. In terms of future research implications, it could be important research to identify a method of assessing the competencies acquired by human resources applied from the perspective of cyber risk.

This study aims to examine whether the cyber supply chain risk management (CSCRM) practices adopted by manufacturing firms contribute to achieving cyber supply chain (CSC) visibility. Studies have highlighted the necessity of having visibility across interconnected supply chains. Thus, this study examines the extent of CSCRM practices enabling CSC visibility to act as a mediator in achieving CSC performance.

A survey method was used to obtain data from the electrical and electronics manufacturing firms registered with the Federations of Malaysian Manufacturers directory. Data from 130 respondents were analysed using IBM SPSS and PLS-SEM.

This study empirically proves a dedicated governance team's integral role in setting the security tone within its CSC. The result also confirms the significant role that CSC visibility plays in achieving CSC performance. As theorised in the literature, there is also a strong direct relationship between CSC visibility and CSC performance, assuring manufacturing firms that investments and policies devised to improve CSC visibility are fruitful.

The significance of supply chain visibility in an integrated supply chain is recognised and studied using analytical models, behavioural techniques and case studies. Substantial empirical evidence on the CSCRM practices which contributes towards achieving supply chain visibility is still elusive. This study's major contribution lies in identifying CSCRM practices that can contribute towards achieving CSC visibility, and the mediating role CSC visibility plays in achieving CSC performance.

This paper seeks to empirically examine the existence and implementation of information security governance (ISG) in Saudi organizations.

An empirical survey, using a self‐administered questionnaire, is conducted to explore and evaluate the current status and the main features of ISG in the Saudi environment. The questionnaire is developed based on ISG guidelines for boards of directors and executive management issued by the Information Technology (IT) Governance Institute and other related materials available in the literature. A total of 167 valid questionnaires are collected and processed using the Statistical Package for Social Sciences, version 16.

The results of the study reveal that although the majority of Saudi organizations recognize the importance of ISG as an integrant factor for the success of IT and corporate governance, most of them have no clear information security strategies or written information security policy statements. The majority of Saudi organizations have no disaster recovery plans to deal with information security incidents and emergencies; information security roles and responsibilities are not clearly defined and communicated. The results also show that alignment between ISG and the organization's overall business strategy is relatively poor and not adequately implemented. The results also show that risk assessment procedures are not adequately and effectively implemented, ISG is not a regular item in the board's agenda, and there are no properly functioning ISG processes or performance‐measuring systems in the majority of Saudi organizations. Accordingly, appropriate actions should be taken to improve implementing and measuring the ISG performance in Saudi organizations.

From a practical standpoint, managers and practitioners alike stand to gain from the findings of this study. The results of the paper enable them to better understand and evaluate ISG and to champion IT development for business success in Saudi organizations.

This paper aims to explore the factors affecting cybersecurity implementation in organizations in various countries and develop a cybersecurity framework to improve cybersecurity practices within organizations for cybersecurity risk management through a systematic literature review (SLR) approach.

This SLR adhered to RepOrting Standards for Systematics Evidence Syntheses (ROSES) publication standards and used various research approaches. The study’s article selection process involved using Scopus, one of the most important scientific databases, to review articles published between 2014 and 2023.

This review identified the four main themes: individual factors, organizational factors, technological factors and governmental role. In addition, nine subthemes that relate to these primary topics were established.

This research sheds light on the multifaceted nature of cybersecurity by exploring factors influencing implementation and developing an improvement framework, offering valuable insights for researchers to advance theoretical developments, assisting industry practitioners in tailoring cybersecurity strategies to their needs and providing policymakers with a basis for creating more effective cybersecurity regulations and standards.

The identification of the main risk triggers is essential for the hospital’s survival and performance with direct effects on its patients’ health and well-being. For this reason, in this paper some of the most important risk categories have been determined. While in a previous research a qualitative analysis has been done for determining which are the most important risks felt by the patient that are believed to affect their health through the usage of a questionnaire and through conducting a confirmatory factor analysis, the purpose of this paper is to analyze the quantitative side of these risks’ presence in a hospital.

On this purpose, four main categories of risks have been considered (the same as in the qualitative research) and they have been analyzed from the hospital’s point of view – through the usage of the hospital financial and internal documents. Therefore, a series of indicators have been determined for each risk category. After that, a representative indicator has been selected and the grey incidence analysis has been conducted.

By comparing the results gathered form this study with the qualitative analysis conducted among the patients (Delcea et al., 2016) it can be said that there can be seen a difference among the way a hospital and a patient perceive the risks within a medical activity. While for the hospital, the most affecting risk is the technological and hospital conditions risk, for the patients the most affecting risk seems to be the human resources and clinical risk. The mismanagement risk and inability to treat patients is the second in intensity for both the hospital and patients, with a smaller value in the patients’ case.

From here, the research can be extended for capturing the risks that are considered to be important for the medical stuff, which will permit us to have a global image over the healthcare risks. After that, a comparative analysis among the hospitals with different financial performance can be conducted in order to see how these risks are affecting their performance and to determine which can be the decisions that can fostering the reduction of these risks.

The present paper offers a quantitative analysis from the hospital’s point of view using the advantages offered by the grey systems theory. Combining this analysis with a qualitative one conducted on the patients, the managers of the hospital can a have a more adequate view over the risks that they are facing with. In this context, grey systems theory offers the needed methods for dealing with such situations.

Despite ongoing reports of insider-driven leakage of confidential data, both academic scholars and practitioners tend to focus on external threats and favour information technology (IT)-centric solutions to secure and strengthen their information security ecosystem. Unfortunately, they pay little attention to human resource management (HRM) solutions. This paper aims to address this gap and proposes an actionable human resource (HR)-centric and artificial intelligence (AI)-driven framework.

The paper highlights the dangers posed by insider threats and presents key findings from a Leximancer-based analysis of a rapid literature review on the role, nature and contribution of HRM for information security, especially in addressing insider threats. The study also discusses the limitations of these solutions and proposes an HR-in-the-loop model, driven by AI and machine learning to mitigate these limitations.

The paper argues that AI promises to offer many HRM-centric opportunities to fortify the information security architecture if used strategically and intelligently. The HR-in-the-loop model can ensure that the human factors are considered when designing information security solutions. By combining AI and machine learning with human expertise, this model can provide an effective and comprehensive approach to addressing insider threats.

The paper fills the research gap on the critical role of HR in securing and strengthening information security. It makes further contribution in identifying the limitations of HRM solutions in info security and how AI and machine learning can be leveraged to address these limitations to some extent.

Cybersecurity attacks on critical infrastructures, businesses and nations are rising and have reached the interest of mainstream media and the public’s consciousness. Despite this increased awareness, humans are still considered the weakest link in the defense against an unknown attacker. Whatever the reason, naïve-, unintentional- or intentional behavior of a member of an organization, the result of an incident can have a considerable impact. A security policy with guidelines for best practices and rules should guide the behavior of the organization’s members. However, this is often not the case. This paper aims to provide answers to how cybersecurity-related behavior is assessed.

Research questions were formulated, and a systematic literature review (SLR) was performed by following the recommendations of the Preferred Reporting Items for Systematic Reviews and Meta-Analyses statement. The SLR initially identified 2,153 articles, and the paper reviews and reports on 26 articles.

The assessment of cybersecurity-related behavior can be classified into three components, namely, data collection, measurement scale and analysis. The findings show that subjective measurements from self-assessment questionnaires are the most frequently used method. Measurement scales are often composed based on existing literature and adapted by the researchers. Partial least square analysis is the most frequently used analysis technique. Even though useful insight and noteworthy findings regarding possible differences between manager and employee behavior have appeared in some publications, conclusive answers to whether such differences exist cannot be drawn.

Research gaps have been identified, that indicate areas of interest for future work. These include the development and employment of methods for reducing subjectivity in the assessment of cybersecurity-related behavior.

To the best of the authors’ knowledge, this is the first SLR on how cybersecurity-related behavior can be assessed. The SLR analyzes relevant publications and identifies current practices as well as their shortcomings, and outlines gaps that future research may bridge.

This chapter critically evaluates opportunities and challenges associated with developing diversity and embracing inclusion of cyber security talent in a multinational consultancy firm and offers recommendations on how to optimize inclusion of young talent in this sensitive business area within a multinational company. Drawing on one of the author's experience as a young cyber security professional with a non-technical background, entering the profession through a consultancy graduate development programme, this paper offers a unique perspective on how to enhance cohesion in diversity across linear and non-linear routes into cyber security.

While the scope is limited to cyber security talent in early careers, the competency-based approach means that recommendations around developing diversity and embracing inclusion can be applied to young talent in other business competence areas. Each recommendation can be used as a building block to influence and shape future equality, diversity and inclusion (ED&I) strategy in consultancy.