Search results
21 – 30 of 168Felicitas Hoppe, Nadine Gatzert and Petra Gruner
This article aims to gain insights on the current state of small- and medium-sized enterprises’ (SMEs’) cyber risk management process and to derive future research directions.
Abstract
Purpose
This article aims to gain insights on the current state of small- and medium-sized enterprises’ (SMEs’) cyber risk management process and to derive future research directions.
Design/methodology/approach
This is done by collecting market insights from 37 recent industry surveys and structuring them based on the steps of the risk management process. From this analysis, major challenges are derived and future fields of research identified.
Findings
The results indicate that deficiencies in risk culture as well as the strained market for IT experts are the major obstacles with respect to the implementation of cyber risk management in SMEs, and that these challenges are similar across countries. The findings suggest that especially the relationship between cyber security culture and cyber risk management should be investigated further, and that a stronger link between the research streams on enterprise risk management and cyber risk management would be desirable.
Originality/value
This paper contributes to the literature by providing a systematic overview on the current state of SMEs' cyber risk management from a market perspective. The findings provide support for the existing academic literature by emphasizing the central role of cyber security culture (perception, knowledge, attitude) for a successful cyber risk management, which however should be addressed in more depth in future (empirical) research.
Details
Keywords
Hayretdin Bahşi, Ulrik Franke and Even Langfeldt Friberg
This paper aims to describe the cyber-insurance market in Norway but offers conclusions that are interesting to a wider audience.
Abstract
Purpose
This paper aims to describe the cyber-insurance market in Norway but offers conclusions that are interesting to a wider audience.
Design/methodology/approach
The study is based on semi-structured interviews with supply-side actors: six general insurance companies, one marine insurance company and two insurance intermediaries.
Findings
The Norwegian cyber-insurance market supply-side has grown significantly in the past two years. The General Data Protection Regulation (GDPR) is found to have had a modest effect on the market so far but has been used by the supply-side as an icebreaker to discuss cyber-insurance with customers. The NIS Directive has had little or no impact on the Norwegian cyber-insurance market until now. Informants also indicate that Norway is still the least mature of the four Nordic markets.
Practical implications
Some policy lessons for different stakeholders are identified.
Originality/value
Empirical investigation of cyber-insurance is still rare, and the paper offers original insights on market composition and actor motivations, ambiguity of coverage, the NIS Directive and GDPR.
Details
Keywords
Patrick Sven Ulrich, Alice Timmermann and Vanessa Frank
The starting point for the considerations the authors make in this paper are the special features of family businesses in the area of management discussed in the literature. It…
Abstract
Purpose
The starting point for the considerations the authors make in this paper are the special features of family businesses in the area of management discussed in the literature. It has been established here that family businesses sometimes choose different organizational setups than nonfamily businesses. This has not yet been investigated for cybersecurity. In the context of cybersecurity, there has been little theoretical or empirical work addressing the question of whether the qualitative characteristics of family businesses have an impact on the understanding of cybersecurity and the organization of cyber risk defense in the companies. Based on theoretically founded hypotheses, a quantitative empirical study was conducted in German companies.
Design/methodology/approach
The article is based on a quantitative-empirical survey of 184 companies, the results of which were analyzed using statistical-empirical methods.
Findings
The article asked – based on the subjective perception of cybersecurity and cyber risks – to what extent family businesses are sensitized to the topic and what conclusions they draw from it. An interesting tension emerges: family businesses see their employees more as a security risk, but do less than nonfamily businesses in terms of both training and organizational establishment. Whether this is due to a lack of technical or managerial expertise, or whether family businesses simply think they can prevent cybersecurity with less formal methods such as trust, is open to conjecture, but cannot be demonstrated with the research approach taken here. Qualitative follow-up studies are needed here.
Originality/value
This paper represents the first quantitative survey on cybersecurity with a specific focus on family businesses. It shows tension between awareness, especially of risks emanating from employees, and organizational routines that have not been implemented or established.
Details
Keywords
Caner Asbaş and Şule Tuzlukaya
A cyberattack is an attempt by cybercriminals as individuals or organizations with unauthorized access using one or more computers and computer systems to steal, expose, change…
Abstract
A cyberattack is an attempt by cybercriminals as individuals or organizations with unauthorized access using one or more computers and computer systems to steal, expose, change, disable or eliminate information, or to breach computer information systems, computer networks, and computer infrastructures. Cyberattackers gain a benefit from victims, which may be criminal such as stealing data or money, or political or personal such as revenge. In cyberattacks, various targets are possible. Some potential targets for businesses include business and customer financial data, customer lists, trade secrets, and login credentials.
Cyberattackers use a variety of methods to gain access to data, including malware such as viruses, worms, and spyware and phishing methods, man-in-the-middle attacks, denial-of-service attacks, SQL injection, zero-day exploit, and DNS tunneling.
Related to cyberattack, the term cyberwarfare is gaining popularity nowadays. Cyberwarfare is the use of cyberattacks by a state or an organization to cause harm as in warfare against another state's or organization's computer information systems, networks, and infrastructures.
Military, civil, and ideological motivations, or hacktivism can be used to launch a cyberwarfare. For these reasons, cyberwarfare may be used to conduct espionage, sabotage, propaganda, and economic disruption.
Considering highly digitalized business processes such as e-mails, digital banking, online conference, and digital manufacturing methods, damage of cyberwarfare to businesses and countries are unavoidable. As a result, developing strategies for defending against cyberattacks and cyberwarfare is critical for businesses. The concepts of cyberattack and cyberwarfare, as well as business strategies to be protected against them will be discussed in this chapter.
Details
Keywords
The WannaCry malware spread worldwide, affecting the healthcare, manufacturing, telecommunications, utilities, transportation and education sectors. On June 27, another ransomware…
Details
DOI: 10.1108/OXAN-DB223720
ISSN: 2633-304X
Keywords
Geographic
Topical
Saurabh Kumar, Baidyanath Biswas, Manjot Singh Bhatia and Manoj Dora
The present study aims to identify and investigate the antecedents of enhanced level of cyber-security at the organisational level from both the technical and the human resource…
Abstract
Purpose
The present study aims to identify and investigate the antecedents of enhanced level of cyber-security at the organisational level from both the technical and the human resource perspective using human–organisation–technology (HOT) theory.
Design/methodology/approach
The study has been conducted on 151 professionals who have expertise in dealing with cyber-security in organisations in sectors such as retail, education, healthcare, etc. in India. The analysis of the data is carried out using partial least squares based structural equation modelling technique (PLS-SEM).
Findings
The results from the study suggest that “legal consequences” and “technical measures” adopted for securing cyber-security in organisations are the most important antecedents for enhanced cyber-security levels in the organisations. The other significant antecedents for enhanced cyber-security in organisations include “role of senior management” and “proactive information security”.
Research limitations/implications
This empirical study has significant implications for organisations as they can take pre-emptive measures by focussing on important antecedents and work towards enhancing the level of cyber-security.
Originality/value
The originality of this research is combining both technical and human resource perspective in identifying the determinants of enhanced level of cyber-security in the organisations.
Details
Keywords
Eylem Thron, Shamal Faily, Huseyin Dogan and Martin Freer
Railways are a well-known example of complex critical infrastructure, incorporating socio-technical systems with humans such as drivers, signallers, maintainers and passengers at…
Abstract
Purpose
Railways are a well-known example of complex critical infrastructure, incorporating socio-technical systems with humans such as drivers, signallers, maintainers and passengers at the core. The technological evolution including interconnectedness and new ways of interaction lead to new security and safety risks that can be realised, both in terms of human error, and malicious and non-malicious behaviour. This study aims to identify the human factors (HF) and cyber-security risks relating to the role of signallers on the railways and explores strategies for the improvement of “Digital Resilience” – for the concept of a resilient railway.
Design/methodology/approach
Overall, 26 interviews were conducted with 21 participants from industry and academia.
Findings
The results showed that due to increased automation, both cyber-related threats and human error can impact signallers’ day-to-day operations – directly or indirectly (e.g. workload and safety-critical communications) – which could disrupt the railway services and potentially lead to safety-related catastrophic consequences. This study identifies cyber-related problems, including external threats; engineers not considering the human element in designs when specifying security controls; lack of security awareness among the rail industry; training gaps; organisational issues; and many unknown “unknowns”.
Originality/value
The authors discuss socio-technical principles through a hexagonal socio-technical framework and training needs analysis to mitigate against cyber-security issues and identify the predictive training needs of the signallers. This is supported by a systematic approach which considers both, safety and security factors, rather than waiting to learn from a cyber-attack retrospectively.
Details
Keywords
Lloyd Waller, Stephen Christopher Johnson, Nicola Satchell, Damion Gordon, Gavin Leon Kirkpatrick Daley, Howard Reid, Kimberly Fender, Paula Llewellyn, Leah Smyle and Patrick Linton
This paper aims to investigate the potential challenges that governments in the Commonwealth Caribbean are likely to face combating crimes facilitated by the dark Web.
Abstract
Purpose
This paper aims to investigate the potential challenges that governments in the Commonwealth Caribbean are likely to face combating crimes facilitated by the dark Web.
Design/methodology/approach
The “lived experience” methodology guided by a contextual systematic literature review was used to ground the investigation of the research phenomena in the researchers’ collective experiences working in, living in and engaging in research with governments in the Commonwealth Caribbean.
Findings
The two major findings emerging from the analysis are that jurisdictional and technical challenges are producing major hindrances to the creation of an efficient and authoritative legislative framework and the building of the capacity of governments in the Commonwealth Caribbean to confront the technicalities that affect systematic efforts to manage problems created by the dark Web.
Practical implications
The findings indicate the urgency that authorities in the Caribbean region must place on reevaluating their administrative, legislative and investment priorities to emphasize cyber-risk management strategies that will enable their seamless and wholesome integration into this digital world.
Originality/value
The research aids in developing and extending theory and praxis related to the problematization of the dark Web for governments by situating the experiences of Small Island Developing States into the ongoing discourse.
Details
Keywords
This article surveys why libraries are vulnerable to social engineering attacks and how to manage risks of human-caused cyber threats on organizational level; investigates…
Abstract
Purpose
This article surveys why libraries are vulnerable to social engineering attacks and how to manage risks of human-caused cyber threats on organizational level; investigates Estonian library staff awareness of information security and shares recommendations concerning focus areas that should be given more attention in the future.
Design/methodology/approach
The data used in this paper is based on an overview of relevant literature highlighting the theoretical points and giving the reasons why human factor is considered the weakest link in information security and cyber security and studying how to mitigate the related risks in the organisation. To perform the survey, a web questionnaire was designed which included 63 sentences and was developed based on the knowledge-attitude-behaviour (KAB) model supported by Kruger and Kearney and Human Aspects of Information Security Questionnaire (HAIS-Q) designed by Parsons et al.
Findings
The research results show that the information security awareness of library employees is at a good level; however, awareness in two focus areas needs special attention and should be improved. The output of this study is the mapping of seven focus areas of information security policy in libraries based on the HAIS-Q framework and the KAB model.
Originality/value
The cyber awareness of library employees has not been studied in the world using HAIS-Q and KAB model, and to the best of the authors’ knowledge, no research has been previously carried out in the Estonian library context into cyber security awareness.
Details
Keywords
It empowers the Cybersecurity and Infrastructure Security Agency (CISA) to develop detailed regulations about when and how cybersecurity incidents must be reported to the…