Search results

1 – 10 of 571
To view the access options for this content please click here
Article

Adenekan Dedeke and Katherine Masterson

This paper aims to explore the evolution of a trend in which countries are developing or adopting cybersecurity implementation frameworks that are intended to be used…

Abstract

Purpose

This paper aims to explore the evolution of a trend in which countries are developing or adopting cybersecurity implementation frameworks that are intended to be used nationally. This paper contrasts the cybersecurity frameworks that have been developed in three countries, namely, Australia, UK and USA.

Design/methodology/approach

The paper uses literature review and qualitative document analysis for the study. The paper developed and used an assessment matrix as its coding protocol. The contents of the three cybersecurity frameworks were then scored to capture the degree to which they covered the themes/items of the cybersecurity assessment matrix.

Findings

The analysis found that the three cybersecurity frameworks are oriented toward the risk management approach. However, the frameworks also had notable differences with regard to the security domains that they cover. For example, one of the frameworks did not offer guidelines with regard to what to do to respond to attacks or to plan for recovery.

Originality/value

The results of this study are beneficial to policymakers in the three countries targeted, as they are able to gain insights about how their cybersecurity frameworks compares to those of the other two countries. Such knowledge would be useful as decision-makers take steps to improve their existing frameworks. The results of this study are also beneficial to executives who have branches in all three countries. In such cases, security professionals could deploy the most comprehensive framework across all three countries and then extend the deployment in each location to meet country-specific requirements.

To view the access options for this content please click here
Article

Tara Kissoon

This purpose of this paper is to provide insight through analysis of the data collected from a pilot study, into the decision-making process used by organizations in…

Abstract

Purpose

This purpose of this paper is to provide insight through analysis of the data collected from a pilot study, into the decision-making process used by organizations in cybersecurity investments. Leveraging the review of literature, this paper aims to explore the strategic decisions made by organizations when implementing cybersecurity controls, and identifies economic models and theories from the economics of information security, and information security investment decision-making process. Using a survey study method, this paper explores the feasibility for development of a strategic decision-making framework that may be used when evaluating and implementing cybersecurity measures.

Design/methodology/approach

A pilot study was conducted to evaluate the ways in which decisions are made as it relates to cybersecurity spending. The purpose of the pilot study was to determine the feasibility for developing a strategic framework to minimize cybersecurity risks. Phase 1 – Interview Study: The qualitative approach focused on seven participants who provided input to refine the survey study questionnaire. Phase 2 – Survey Study: The qualitative approach focused on information gathered through an online descriptive survey study using a five-point Likert scale.

Findings

The literature review identified that there is limited research in the area of information security decision making. One paper was identified within this area, focusing on the research completed by Dor and Elovici [22]. This exploratory research demonstrates that although organizations have actively implemented cybersecurity frameworks, there is a need to enhance the decision-making process to reduce the number and type of breaches, along with strengthening the cybersecurity framework to facilitate a preventative approach.

Research limitations/implications

The partnership research design could be expanded to facilitate quantitative and qualitative techniques in parallel with equal weight, leveraging qualitative techniques, an interview study, case study and grounded theory. In-depth data collection and analysis can be completed to facilitate a broader data collection which will provide a representative sample and achieve saturation to ensure that adequate and quality data are collected to support the study. Quantitative analysis through statistical techniques (i.e. regression analysis) taking into account, the effectiveness of cybersecurity frameworks, and the effectiveness of decisions made by stakeholders on implementing cybersecurity measures.

Practical implications

This exploratory research demonstrates that organizations have actively implemented cybersecurity measure; however, there is a need to reduce the number and type of breaches, along with strengthening the cybersecurity framework to facilitate a preventative approach. In addition, factors that are used by an organization when investing in cybersecurity controls are heavily focused on compliance with government and industry regulations along with opportunity cost. Lastly, the decision-making process used when evaluating, implementing and investing in cybersecurity controls is weighted towards the technology organization and, therefore, may be biased based on competing priorities.

Social implications

The outcome of this study provides greater insight into how an organization makes decisions when implementing cybersecurity controls. This exploratory research shows that most organizations are diligently implementing security measures to effectively monitor and detect cyber security attacks. The pilot study revealed that the importance given to the decisions made by the CIO and Head of the Business Line have similar priorities with regard to funding the investment cost, implementing information security measures and reviewing the risk appetite statement. This parallel decision-making process may potentially have an adverse impact on the decision to fund cybersecurity measures, especially in circumstances where the viewpoints are vastly different .

Originality/value

Cybersecurity spend is discussed across the literature, and various approaches, methodologies and models are used. The aim of this paper is to explore the strategic decision-making approach that is used by organizations when evaluating and implementing cybersecurity measures. Using a survey study method, this paper explores the feasibility for development of a strategic decision-making framework that may be used when evaluating and implementing cybersecurity measures.

Details

Transforming Government: People, Process and Policy, vol. 14 no. 3
Type: Research Article
ISSN: 1750-6166

Keywords

To view the access options for this content please click here
Article

Filip Caron

The purpose of this paper is to highlight the potential of cyber-testing techniques in assessing the effectiveness of cyber-security controls and obtaining audit evidence.

Abstract

Purpose

The purpose of this paper is to highlight the potential of cyber-testing techniques in assessing the effectiveness of cyber-security controls and obtaining audit evidence.

Design/methodology/approach

The paper starts with an identification of the applicable cyber-testing techniques and evaluates their applicability to generally accepted assurance schemes and cyber-security guidelines.

Findings

Cyber-testing techniques are providing insight in the effectiveness of the actual implementation of cyber-security controls, which may significantly deviate from the conceptual designs of these controls. Furthermore, cyber-testing techniques could provide concise input for cyber-risk management and improvement recommendations.

Originality/value

The presented cyber-testing techniques could complement traditional process-oriented assurance techniques with specialized technical analyses of real-world implementations that focus on the adversaries’ viewpoint.

Details

Managerial Auditing Journal, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0268-6902

Keywords

To view the access options for this content please click here
Article

Rajni Goel, Anupam Kumar and James Haddow

This study aims to develop a framework for cybersecurity risk assessment in an organization. Existing cybersecurity frameworks are complex and implementation oriented. The…

Abstract

Purpose

This study aims to develop a framework for cybersecurity risk assessment in an organization. Existing cybersecurity frameworks are complex and implementation oriented. The framework can be systematically used to assess the strategic orientation of a firm with respect to its cybersecurity posture. The goal is to assist top-management-team with tailoring their decision-making about security investments while managing cyber risk at their organization.

Design/methodology/approach

A thematic analysis of existing publications using content analysis techniques generates the initial set of keywords of significance. Additional factor analysis using the keywords provides us with a framework comprising of five pillars comprising prioritize, resource, implement, standardize and monitor (PRISM) for assessing a firm’s strategic cybersecurity orientation.

Findings

The primary contribution is the development of a novel PRISM framework, which enables cyber decision-makers to identify and operationalize a tailored approach to address risk management and cybersecurity problems. PRISM framework evaluation will help organizations identify and implement the most tailored risk management and cybersecurity approach applicable to their problem(s).

Originality/value

The new norm is for companies to realize that data stratification in cyberspace extends throughout their organizations, intertwining their need for cybersecurity within business operations. This paper fulfills an identified need improve the ability of company leaders, as CIOs and others, to address the growing problem of how organizations can better handle cyber threats by using an approach that is a methodology for cross-organization cybersecurity risk management.

Details

Information & Computer Security, vol. 28 no. 4
Type: Research Article
ISSN: 2056-4961

Keywords

To view the access options for this content please click here
Article

Masike Malatji, Sune Von Solms and Annlizé Marnewick

This paper aims to identify and appropriately respond to any socio-technical gaps within organisational information and cybersecurity practices. This culminates in the…

Abstract

Purpose

This paper aims to identify and appropriately respond to any socio-technical gaps within organisational information and cybersecurity practices. This culminates in the equal emphasis of both the social, technical and environmental factors affecting security practices.

Design/methodology/approach

The socio-technical systems theory was used to develop a conceptual process model for analysing organisational practices in terms of their social, technical and environmental influence. The conceptual process model was then applied to specifically analyse some selected information and cybersecurity frameworks. The outcome of this exercise culminated in the design of a socio-technical systems cybersecurity framework that can be applied to any new or existing information and cybersecurity solutions in the organisation. A framework parameter to help continuously monitor the mutual alignment of the social, technical and environmental dimensions of the socio-technical systems cybersecurity framework was also introduced.

Findings

The results indicate a positive application of the socio-technical systems theory to the information and cybersecurity domain. In particular, the application of the conceptual process model is able to successfully categorise the selected information and cybersecurity practices into either social, technical or environmental practices. However, the validation of the socio-technical systems cybersecurity framework requires time and continuous monitoring in a real-life environment.

Practical implications

This research is beneficial to chief security officers, risk managers, information technology managers, security professionals and academics. They will gain more knowledge and understanding about the need to highlight the equal importance of both the social, technical and environmental dimensions of information and cybersecurity. Further, the less emphasised dimension is posited to open an equal but mutual security vulnerability gap as the more emphasised dimension. Both dimensions must, therefore, equally and jointly be emphasised for optimal security performance in the organisation.

Originality/value

The application of socio-technical systems theory to the information and cybersecurity domain has not received much attention. In this regard, the research adds value to the information and cybersecurity studies where too much emphasis is placed on security software and hardware capabilities.

Details

Information & Computer Security, vol. 27 no. 2
Type: Research Article
ISSN: 2056-4961

Keywords

To view the access options for this content please click here
Article

Sezer Bozkus Kahyaoglu and Kiymet Caliyurt

The purpose of this study is to analyze the cybersecurity assurance approaches to determine the key issues and weaknesses within the internal audit and risk management…

Abstract

Purpose

The purpose of this study is to analyze the cybersecurity assurance approaches to determine the key issues and weaknesses within the internal audit and risk management perspective. Organizations increasingly rely on digital data to drive their growth and they are interconnected in a complex web to a multitude of stakeholders.

Design/methodology/approach

In this paper, cybersecurity is defined, and cybersecurity assurance model is explained based on the relevant literature. In addition, the role of internal auditing is introduced within this new business landscape. Finally, recommendations are made to provide best practices for stakeholders.

Findings

There are four major cyber-focused standards and frameworks in the current literature, namely, Control Objectives for Information and Related Technology, International Organization for Standardization, The American Institute of Certified Public Accountants and National Institute of Standards and Technology. In addition, there are many mechanisms in existence and operation currently which support cybersecurity assurance to prevent major threats. These include risk assessment, risk treatment, risk management, security assurance and auditing.

Research limitations/implications

Cyber risk is not something that can be avoided; instead, it must be managed. Hence, it is very important to maintain formal documentation on related cyber controls. Internal audit should be an integral part of cybersecurity assurance process, as internal audit have a unique position to look across organizations. The contribution of internal audit also provides comfort to the Board and Audit Committee.

Practical implications

A model is introduced how the internal audit and information security functions could work together to support organizations accomplish a cost-effective level of information security. The key issues and approaches are explained for how to become a trusted cybersecurity advisor and a sample cybersecurity awareness program checklist is provided at Appendix 1.

Social implications

Considering cybersecurity threats grow with speed, complexity, and impact, organizations are no longer satisfied with an answer to a question like “are we secure?” instead, they need the answer for such a question like “how to give a reasonable assurance that our business will be secure enough?”. In that respect, the role of internal audit is discussed based on the relevant literature and the current condition of the business environment.

Originality/value

A model is introduced how the internal audit and information security functions could work together to support organizations accomplish a cost-effective level of information security. The key issues and approaches are explained for how to become a trusted cybersecurity advisor and a sample cybersecurity awareness program checklist is provided at Appendix 1.

Details

Managerial Auditing Journal, vol. 33 no. 4
Type: Research Article
ISSN: 0268-6902

Keywords

To view the access options for this content please click here
Article

Zuopeng (Justin) Zhang, Wu He, Wenzhuo Li and M'Hammed Abdous

Employees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks…

Abstract

Purpose

Employees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses.

Design/methodology/approach

To help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost–benefit analysis of those CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. Also, we investigate the impact of CSAT programs with different costs and the benefits on a company's optimal degree of security.

Findings

Our findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level.

Originality/value

Our model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.

Details

Industrial Management & Data Systems, vol. 121 no. 3
Type: Research Article
ISSN: 0263-5577

Keywords

To view the access options for this content please click here
Article

Md. Shariful Islam, Nusrat Farah and Thomas F. Stafford

The purpose of the study is to explore the factors associated with the extent of security/cybersecurity audit by the internal audit function (IAF) of the firm…

Abstract

Purpose

The purpose of the study is to explore the factors associated with the extent of security/cybersecurity audit by the internal audit function (IAF) of the firm. Specifically, the authors focused on whether IAF/CAE (certified audit executive [CAE]) characteristics, board involvement related to governance, role of the audit committee (or equivalent) and the chief risk officer (CRO) and IAF tasked with enterprise risk management (ERM) are associated with the extent to which the firm engages in security/cybersecurity audit.

Design/methodology/approach

For analysis, the paper uses responses of 970 CAEs as compiled in the Common Body of Knowledge database (CBOK, 2015) developed by the Institute of Internal Auditors Research Foundation (IIARF).

Findings

The results of the study suggest that the extent of security/cybersecurity audit by IAF is significantly and positively associated with IAF competence related to governance, risk and control. Board support regarding governance is also significant and positive. However, the Audit Committee (AC) or equivalent and the CRO role are not significant across the regions studied. Comprehensive risk assessment done by IAF and IAF quality have a significant and positive effect on security/cybersecurity audit. Unexpectedly, CAEs with security certification and IAFs tasked with ERM do not have a significant effect on security/cybersecurity audit; however, other certifications such as CISA or CPA have a marginal or mixed effect on the extent of security/cybersecurity audit.

Originality/value

This study is the first to describe IAF involvement in security/cybersecurity audit. It provides insights into the specific IAF/CAE characteristics and corporate governance characteristics that can lead IAF to contribute significantly to security/cybersecurity audit. The findings add to the results of prior studies on the IAF involvement in different IT-related aspects such as IT audit and XBRL implementation and on the role of the board and the audit committee (or its equivalent) in ERM and the detection and correction of security breaches.

Details

Managerial Auditing Journal, vol. 33 no. 4
Type: Research Article
ISSN: 0268-6902

Keywords

To view the access options for this content please click here
Article

Kane J. Smith and Gurpreet Dhillon

Blockchain holds promise as a potential solution to the problem of cybersecurity in financial transactions. However, difficulty exists for both the industry and…

Abstract

Purpose

Blockchain holds promise as a potential solution to the problem of cybersecurity in financial transactions. However, difficulty exists for both the industry and organizations in assessing this potential solution. Hence, it is important to understand how organizations in the financial sector can address these concerns by exploring blockchain implementation for financial transactions in the context of cybersecurity. To do this, the problem question is threefold: first, what objectives are important based on the strategic values of an organization for evaluating cybersecurity to improve the security of financial transactions? Second, how can they be used to ensure the cybersecurity of financial transactions in a financial organization? Third, how can these objectives be used to evaluate blockchain as a potential solution for enhancing the cybersecurity of organizations in the financial sector relative to existing cybersecurity methods? The paper aims to discuss this issue.

Design/methodology/approach

To accomplish this goal we utilize Keeney’s (1992) multi-objective decision analytics technique, termed value-focused thinking (VFT), to demonstrate how organizations can assess a blockchain solution’s value to maximize value-add within financial organization.

Findings

The presented model clearly demonstrates the viability of using Keeney’s (1992) VFT technique as a multi-criteria decision analysis tool for assessing blockchain technology. Further, a clear explanation of how this model can be extended and adapted for individual organizational use is provided.

Originality/value

This paper engages both the academic literature as well as an expert panel to develop an assessment model for blockchain technology related to financial transactions by providing a useful method for structuring the decision-making process of organizations around blockchain technology.

Details

Managerial Finance, vol. 46 no. 6
Type: Research Article
ISSN: 0307-4358

Keywords

To view the access options for this content please click here
Article

Christine Sund

The purpose of this paper is to show that the full potential of the internet has not yet been realised. One of the key reasons for this is users' declining trust in the…

Abstract

Purpose

The purpose of this paper is to show that the full potential of the internet has not yet been realised. One of the key reasons for this is users' declining trust in the internet. Over the past two decades, the internet has transformed many aspects of modern life. With an estimated four million users worldwide at the end of 2006, the use of the internet continues to grow. Building trust and confidence is one of the main enablers for the future growth and use of the internet. The paper aims to review some of the reasons behind the declining trust, the changing nature of cyber‐threats, and aims to look at cybersecurity in the context of developing countries and the specific problems these countries are facing when dealing with growing number of cyber‐threats.

Design/methodology/approach

This contribution gives an overview of some of the evolving cyber‐threats and their potential impact in order to determine whether the growth of the information society is really at risk. It further considers what the different stakeholders can do to build a safer and more secure information society. The paper poses questions, outlines possible options for a way forward and based on this gives the readers a better understanding of the issues and challenges involved in building confidence and security in the use of ICTs. The paper proposes a framework with increased co‐operation, collaboration, and information sharing, to connect the individual cybersecurity communities and single initiatives, in order to allow stakeholders to build together a roadmap for cybersecurity.

Findings

During the discussions leading up to and during the two phases of the World Summit on the information society, country representative participants re‐affirmed their commitment to deal effectively with the significant and growing problems posed by spam and other cyber‐threats. As no single country or entity can alone create trust, confidence and security in the use of ICTs, it is clear that increased international action is needed to address the issues involved.

Practical implications

This paper tries to provide readers with a simple overview of the state of cybersecurity, and with a framework for further considering how new technologies and the growing use of the internet will impact upon stakeholders' trust in the use of ICTs.

Originality/value

Along with increasing dependency on ICTs, new threats to network and information security have emerged. These include growing misuse of electronic networks for criminal purposes or for objectives that can furthermore adversely affect the integrity of critical infrastructures within states. This paper puts forward some concrete suggestions on how countries could look at the issues related to cybersecurity.

Details

Online Information Review, vol. 31 no. 5
Type: Research Article
ISSN: 1468-4527

Keywords

1 – 10 of 571