Search results
1 – 10 of over 3000
Hassan Jamil, Tanveer Zia, Tahmid Nayeem, Monica T. Whitty and Steven D'Alessandro
Abstract
Purpose
The current advancements in technologies and the internet industry provide users with many innovative digital devices for entertainment, communication and trade. However, simultaneous development and the rising sophistication of cybercrimes bring new challenges. Micro businesses use technology like how people use it at home, but face higher cyber risks during riskier transactions, with human error playing a significant role. Moreover, information security researchers have often studied individuals’ adherence to compliance behaviour in response to cyber threats. The study aims to examine the protection motivation theory (PMT)-based model to understand individuals’ tendency to adopt secure behaviours.
Design/methodology/approach
The study focuses on Australian micro businesses since they are more susceptible to cyberattacks due to the least security measures in place. Out of 877 questionnaires distributed online to Australian micro business owners through survey panel provider “Dynata,” 502 (N = 502) complete responses were included. Structural equation modelling was used to analyse the relationships among the variables.
Findings
The results indicate that all constructs of the protection motivation, except threat susceptibility, successfully predict the user protective behaviours. Also, increased cybersecurity costs negatively impact users’ safe cyber practices.
Originality/value
The study has critical implications for understanding micro business owners’ cyber security behaviours. The study contributes to the current knowledge of cyber security in micro businesses through the lens of PMT.
Eylem Thron, Shamal Faily, Huseyin Dogan and Martin Freer
Abstract
Purpose
Railways are a well-known example of complex critical infrastructure, incorporating socio-technical systems with humans such as drivers, signallers, maintainers and passengers at the core. The technological evolution, including interconnectedness and new ways of interaction, leads to new security and safety risks that can be realised, both in terms of human error, and malicious and non-malicious behaviour. This study aims to identify the human factors (HF) and cyber-security risks relating to the role of signallers on the railways and explores strategies for the improvement of “Digital Resilience” – for the concept of a resilient railway.
Design/methodology/approach
Overall, 26 interviews were conducted with 21 participants from industry and academia.
Findings
The results showed that due to increased automation, both cyber-related threats and human error can impact signallers’ day-to-day operations – directly or indirectly (e.g. workload and safety-critical communications) – which could disrupt the railway services and potentially lead to safety-related catastrophic consequences. This study identifies cyber-related problems, including external threats; engineers not considering the human element in designs when specifying security controls; lack of security awareness among the rail industry; training gaps; organisational issues; and many unknown “unknowns”.
Originality/value
The authors discuss socio-technical principles through a hexagonal socio-technical framework and training needs analysis to mitigate against cyber-security issues and identify the predictive training needs of the signallers. This is supported by a systematic approach which considers both safety and security factors, rather than waiting to learn from a cyber-attack retrospectively.
Yoel Raban and Aharon Hauptman
Abstract
Purpose
The cyber security industry emerged rapidly in recent years due to mounting cyber threats and increasing cyber hacking activities. Research on emerging technologies emphasizes the risks and sometimes neglects to address the potential positive contribution to cyber security. The purpose of this study is to conduct a relatively balanced long-term foresight study to elicit major significant threat drivers and to identify emerging technologies that are likely to have a significant impact on defense and attack capabilities in cyber security.
Design/methodology/approach
The main instruments used in this study were horizon scanning and an online survey among subject-matter experts that assessed emerging threats and the potential impact of several emerging technologies on cyber defense capabilities and cyber attack capabilities.
Findings
An expert survey shows that cyber resilience, homomorphic encryption and blockchain may be considered as technologies contributing mainly to defense capabilities. On the other hand, Internet of Things, biohacking and human machine interface (HMI) and autonomous technologies add mainly to attack capabilities. In the middle, we find autonomous technologies, quantum computing and artificial intelligence that contribute to defense, as well as to attack capabilities, with roughly similar impact on both.
Originality/value
This study adds to the current research a balanced long-term view and experts’ assessment of negative and positive impacts of emerging technologies, including their time to maturity and consensus levels. Two new Likert scale measures were applied to measure the potential impact of emerging technologies on cyber security, thus enabling the classification of the results into four groups (net positive, net negative, positive-positive and negative-negative).
Giddeon Njamngang Angafor, Iryna Yevseyeva and Leandros Maglaras
Abstract
Purpose
This paper aims to discuss the experiences designing and conducting an experiential learning virtual incident response tabletop exercise (VIRTTX) to review a business's security posture as it adapts to remote working because of the Coronavirus 2019 (COVID-19). The pandemic forced businesses to move operations from offices to remote working. Given that this happened quickly for many, some firms had little time to factor in appropriate cyber-hygiene and incident prevention measures, thereby exposing themselves to vulnerabilities such as phishing and other scams.
Design/methodology/approach
The exercise was designed and facilitated through Microsoft Teams. The approach used included a literature review and an experiential learning method that used scenario-based, active pedagogical strategies such as case studies, simulations, role-playing and discussion-focused techniques to develop and evaluate processes and procedures used in preventing, detecting, mitigating, responding and recovering from cyber incidents.
Findings
The exercise highlighted the value of using scenario-based exercises in cyber security training. It elaborated that scenario-based incident response (IR) exercises are beneficial because well-crafted and well-executed exercises raise cyber security awareness among managers and IT professionals. Such activities with integrated operational and decision-making components enable businesses to evaluate IR and disaster recovery (DR) procedures, including communication flows, to improve decision-making at strategic levels and enhance the technical skills of cyber security personnel.
Practical implications
It maintained that the primary implication for practice is that they enhance security awareness through practical experiential, hands-on exercises such as this VIRTTX. These exercises bring together staff from across a business to evaluate existing IR/DR processes to determine if they are fit for purpose, establish existing gaps and identify strategies to prevent future threats, including during challenging circumstances such as the COVID-19 outbreak. Furthermore, the use of TTXs or TTEs for scenario-based incident response exercises was extremely useful for cyber security practice because well-crafted and well-executed exercises have been found to serve as valuable and effective tools for raising cyber security awareness among senior leadership, managers and IT professionals (Ulmanová, 2020).
Originality/value
This paper underlines the importance of practical, scenario-based cyber-IR training and reports on the experience of conducting a virtual IR/DR tabletop exercise within a large organisation.
Abel Yeboah-Ofori, Cameron Swart, Francisca Afua Opoku-Boateng and Shareeful Islam
Abstract
Purpose
Cyber resilience in cyber supply chain (CSC) systems security has become inevitable as attacks, risks and vulnerabilities increase in real-time critical infrastructure systems with little time for system failures. Cyber resilience approaches ensure the ability of a supply chain system to prepare, absorb, recover and adapt to adverse effects in the complex CPS environment. However, threats within the CSC context can pose a severe disruption to the overall business continuity. The paper aims to use machine learning (ML) techniques to predict threats on cyber supply chain systems, improve cyber resilience that focuses on critical assets and reduce the attack surface.
Design/methodology/approach
The approach follows two main cyber resilience design principles that focus on common critical assets and reduce the attack surface for this purpose. ML techniques are applied to various classification algorithms to learn a dataset for performance accuracies and threats predictions based on the CSC resilience design principles. The critical assets include Cyber Digital, Cyber Physical and physical elements. We consider Logistic Regression, Decision Tree, Naïve Bayes and Random Forest classification algorithms in a Majority Voting to predict the results. Finally, we mapped the threats with known attacks for inferences to improve resilience on the critical assets.
Findings
The paper contributes to CSC system resilience based on the understanding and prediction of the threats. The result shows a 70% performance accuracy for the threat prediction with cyber resilience design principles that focus on critical assets and controls and reduce the threat.
Research limitations/implications
Therefore, there is a need to understand and predict the threat so that appropriate control actions can ensure system resilience. However, due to the invincibility and dynamic nature of cyber attacks, there are limited controls and attributions. This poses serious implications for cyber supply chain systems and its cascading impacts.
Practical implications
ML techniques are used on a dataset to analyse and predict the threats based on the CSC resilience design principles.
Social implications
There are no social implications; rather, it has serious implications for organizations and third-party vendors.
Originality/value
The originality of the paper lies in the fact that cyber resilience design principles that focus on common critical assets are used including Cyber Digital, Cyber Physical and physical elements to determine the attack surface. ML techniques are applied to various classification algorithms to learn a dataset for performance accuracies and threats predictions based on the CSC resilience design principles to reduce the attack surface for this purpose.
Magnus Osahon Igbinovia and Bolanle Clifford Ishola
Abstract
Purpose
Technological expansion and adoption in university libraries have precipitated cybercrimes and the need to equip library personnel with the required knowledge to combat this menace. Consequently, this study aims to examine cyber security in university libraries and its implication for Library and Information Science education.
Design/methodology/approach
The study adopted descriptive research design, while questionnaire and interview were used to elicit data from library personnel and heads of library schools, respectively. A total of 134 responses were elicited through structured questionnaire (administered online due to the closure of universities) while six heads of library schools were interviewed, one from each of the six geopolitical zones in Nigeria.
Findings
The data from the questionnaire, which were descriptively analysed, revealed that the perceived knowledge of cyber security among the librarians was moderately low. Also, the university libraries were exposed to various cyber threats, with cyber security/guideline being one of the critical measures to combat cybercrime. Also, the result showed that librarians displayed a high level of adherence to cyber ethics. However, the disposition of library management towards cyber security issues was revealed to be the main challenge to the deployment of cyber security in university libraries, followed by poor password management. The majority of the librarians possess basic knowledge of cyber security, though with serious interest to learn more about it. They were not taught cyber security in library school and they indicated enthusiasm to learn about it. The result of the interview with heads of library schools showed that the majority of these schools do not offer a cyber security course due to a dearth of skilled manpower.
Originality/value
The study presents cybercrime as a menace, if not tackled, would affect the university libraries’ sustainability as information institution, compromising their ability to deliver quality services.
Shipra Pandey, Rajesh Kumar Singh, Angappa Gunasekaran and Anjali Kaushik
Abstract
Purpose
The purpose of this study is to examine cyber security risks in globalized supply chains (SCs). It has been seen to have a greater impact on the performance of SCs. The information and communication technology of a firm, which enhances the efficiency and effectiveness in the SC, could simultaneously be the cause of vulnerabilities and exposure to security threats. Researchers have primarily focussed on the cyber-physical system (CPS) vulnerabilities impacting SC. This paper tries to categorize the cyber security risks occurring because of the SCs operating in CPS.
Design/methodology/approach
Based on the flow of information along the upstream and downstream SC, this paper tries to identify cyber security risks in the global SCs. It has further tried to categorize these cyber security risks from a strategic point of view.
Findings
This paper tries to identify the various cyber security risks and cyber-attacks in globalized SC for improving the performance. The 16 cyber security risks have been categorized into three categories, namely, supply risk, operational risk and demand risk. The paper proposes a framework consisting of different cyber-attacks across the information that flows in global SCs along with suitable mitigation strategies.
Research limitations/implications
The paper presents the conceptual model of cyber security risks and cyber-attacks in globalized SCs based on literature review and industry experts. Further validation and scale development of these risks can be done through empirical study.
Practical implications
This paper provides significant managerial insights by developing a framework for understanding the cyber security risks in terms of the drivers of these risks and how to deal with them. From a managerial perspective, this framework can be used as a decision-making process while considering different cyber security risks across the stages of globalized SCs.
Originality/value
The major contribution of this study is the identification and categorization of cyber security risks across the global SCs in the digital age. Thus, this paper introduces a new phenomenon to the field of management that has the potential to investigate new areas of future research. Based on the categorization, the paper provides insights on how cyber security risks impact the continuity of SC operations.
Abstract
Purpose
A research line has emerged that is concerned with investigating human factors in information systems and cyber-security in organizations using various behavioural and socio-cognitive theories. This study aims to explore human and contextual factors influencing cyber security behaviour in organizations while drawing implications for cyber-security in higher education institutions.
Design/methodology/approach
A systematic literature review has been implemented. The reviewed studies have revealed various human and contextual factors that influence cyber-security behaviour in organizations, notably higher education institutions.
Research limitations/implications
This review study offers practical implications for constructing and keeping a robust cyber-security organizational culture in higher education institutions for the sustainable development goals of cyber-security training and education.
Originality/value
The value of the current review arises in that it presents a comprehensive account of human factors affecting cyber-security in organizations, a topic that is rarely investigated in previous related literature. Furthermore, the current review sheds light on cyber-security in higher education from the weakest link perspective. Simultaneously, the study contributes to relevant literature by gaining insight into human factors and socio-technological controls related to cyber-security in higher education institutions.
Uchenna Daniel Ani, Hongmei He and Ashutosh Tiwari
Abstract
Purpose
As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued to react to security concerns that threaten their businesses within the current highly competitive environment. Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber intrusion events within the industrial control system (ICS) environment.
Design/methodology/approach
A quantitative approach (statistical analysis) is adopted to provide an approach to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least security-capable workforce in the operational domain with the greatest susceptibility likelihood to cyber-attacks (i.e. weakest link) and guide the enhancement of security assurance. To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques.
Findings
Using a test scenario, the approach demonstrates the capacity to proffer an efficient evaluation of workforce security knowledge and skills capabilities and the identification of weakest link in the workforce.
Practical implications
The approach can enable organisations to gain better workforce security perspectives like security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic means of appropriating security remediation outlines, scopes and resources without undue wastes or redundancies.
Originality/value
This paper demonstrates originality by providing a framework and computational approach for characterising and quantifying human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), some key security susceptibility areas and relevant control interventions. The model and validation results demonstrate the application of action research. This paper demonstrates originality by illustrating how action research can be applied within socio-technical dimensions to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations.
Abhijeet Ghadge, Maximilian Weiß, Nigel D. Caldwell and Richard Wilding
Abstract
Purpose
In spite of growing research interest in cyber security, inter-firm based cyber risk studies are rare. Therefore, this study aims to investigate cyber risk management in supply chain contexts.
Design/methodology/approach
Adapting a systematic literature review process, papers from interdisciplinary areas published between 1990 and 2017 were selected. Different typologies, developed for conducting descriptive and thematic analysis, were established using data mining techniques to conduct a comprehensive, replicable and transparent review.
Findings
The review identifies multiple future research directions for cyber security/resilience in supply chains. A conceptual model is developed, which indicates a strong link between information technology, organisational and supply chain security systems. The human/behavioural elements within cyber security risk are found to be critical; however, behavioural risks have attracted less attention because of a perceived bias towards technical (data, application and network) risks. There is a need for raising risk awareness, standardised policies, collaborative strategies and empirical models for creating supply chain cyber-resilience.
Research limitations/implications
Different types of cyber risks and their points of penetration, propagation levels, consequences and mitigation measures are identified. The conceptual model developed in this study drives an agenda for future research on supply chain cyber security/resilience.
Practical implications
A multi-perspective, systematic study provides a holistic guide for practitioners in understanding cyber-physical systems. The cyber risk challenges and the mitigation strategies identified support supply chain managers in making informed decisions.
Originality/value
To the best of the authors’ knowledge, this is the first systematic literature review on managing cyber risks in supply chains. The review defines supply chain cyber risk and develops a conceptual model for supply chain cyber security systems and an agenda for future studies.