Search results

1 – 10 of 704
Article

Adenekan Dedeke and Katherine Masterson

Abstract

Purpose

This paper aims to explore the evolution of a trend in which countries are developing or adopting cybersecurity implementation frameworks that are intended to be used nationally. This paper contrasts the cybersecurity frameworks that have been developed in three countries, namely, Australia, UK and USA.

Design/methodology/approach

The paper uses literature review and qualitative document analysis for the study. The paper developed and used an assessment matrix as its coding protocol. The contents of the three cybersecurity frameworks were then scored to capture the degree to which they covered the themes/items of the cybersecurity assessment matrix.

Findings

The analysis found that the three cybersecurity frameworks are oriented toward the risk management approach. However, the frameworks also had notable differences with regard to the security domains that they cover. For example, one of the frameworks did not offer guidelines with regard to what to do to respond to attacks or to plan for recovery.

Originality/value

The results of this study are beneficial to policymakers in the three countries targeted, as they are able to gain insights about how their cybersecurity frameworks compare to those of the other two countries. Such knowledge would be useful as decision-makers take steps to improve their existing frameworks. The results of this study are also beneficial to executives who have branches in all three countries. In such cases, security professionals could deploy the most comprehensive framework across all three countries and then extend the deployment in each location to meet country-specific requirements.

Article

Rajni Goel, Anupam Kumar and James Haddow

Abstract

Purpose

This study aims to develop a framework for cybersecurity risk assessment in an organization. Existing cybersecurity frameworks are complex and implementation oriented. The framework can be systematically used to assess the strategic orientation of a firm with respect to its cybersecurity posture. The goal is to assist top-management-team with tailoring their decision-making about security investments while managing cyber risk at their organization.

Design/methodology/approach

A thematic analysis of existing publications using content analysis techniques generates the initial set of keywords of significance. Additional factor analysis using the keywords provides us with a framework comprising five pillars, namely prioritize, resource, implement, standardize and monitor (PRISM), for assessing a firm's strategic cybersecurity orientation.

Findings

The primary contribution is the development of a novel PRISM framework, which enables cyber decision-makers to identify and operationalize a tailored approach to address risk management and cybersecurity problems. PRISM framework evaluation will help organizations identify and implement the most tailored risk management and cybersecurity approach applicable to their problem(s).

Originality/value

The new norm is for companies to realize that data stratification in cyberspace extends throughout their organizations, intertwining their need for cybersecurity within business operations. This paper fulfills an identified need to improve the ability of company leaders, such as CIOs and others, to address the growing problem of how organizations can better handle cyber threats by using an approach that is a methodology for cross-organization cybersecurity risk management.

Details

Information & Computer Security, vol. 28 no. 4
Type: Research Article
ISSN: 2056-4961

Article

Masike Malatji, Sune Von Solms and Annlizé Marnewick

Abstract

Purpose

This paper aims to identify and appropriately respond to any socio-technical gaps within organisational information and cybersecurity practices. This culminates in equal emphasis on the social, technical and environmental factors affecting security practices.

Design/methodology/approach

The socio-technical systems theory was used to develop a conceptual process model for analysing organisational practices in terms of their social, technical and environmental influence. The conceptual process model was then applied to specifically analyse some selected information and cybersecurity frameworks. The outcome of this exercise culminated in the design of a socio-technical systems cybersecurity framework that can be applied to any new or existing information and cybersecurity solutions in the organisation. A framework parameter to help continuously monitor the mutual alignment of the social, technical and environmental dimensions of the socio-technical systems cybersecurity framework was also introduced.

Findings

The results indicate a positive application of the socio-technical systems theory to the information and cybersecurity domain. In particular, the application of the conceptual process model is able to successfully categorise the selected information and cybersecurity practices into either social, technical or environmental practices. However, the validation of the socio-technical systems cybersecurity framework requires time and continuous monitoring in a real-life environment.

Practical implications

This research is beneficial to chief security officers, risk managers, information technology managers, security professionals and academics. They will gain more knowledge and understanding about the need to highlight the equal importance of the social, technical and environmental dimensions of information and cybersecurity. Further, the less emphasised dimension is posited to open an equal but mutual security vulnerability gap as the more emphasised dimension. Both dimensions must, therefore, equally and jointly be emphasised for optimal security performance in the organisation.

Originality/value

The application of socio-technical systems theory to the information and cybersecurity domain has not received much attention. In this regard, the research adds value to the information and cybersecurity studies where too much emphasis is placed on security software and hardware capabilities.

Details

Information & Computer Security, vol. 27 no. 2
Type: Research Article
ISSN: 2056-4961

Article

Christine Sund

Abstract

Purpose

The purpose of this paper is to show that the full potential of the internet has not yet been realised. One of the key reasons for this is users' declining trust in the internet. Over the past two decades, the internet has transformed many aspects of modern life. With an estimated four million users worldwide at the end of 2006, the use of the internet continues to grow. Building trust and confidence is one of the main enablers for the future growth and use of the internet. The paper aims to review some of the reasons behind the declining trust and the changing nature of cyber-threats, and to look at cybersecurity in the context of developing countries and the specific problems these countries are facing when dealing with a growing number of cyber-threats.

Design/methodology/approach

This contribution gives an overview of some of the evolving cyber-threats and their potential impact in order to determine whether the growth of the information society is really at risk. It further considers what the different stakeholders can do to build a safer and more secure information society. The paper poses questions, outlines possible options for a way forward and, based on this, gives the readers a better understanding of the issues and challenges involved in building confidence and security in the use of ICTs. The paper proposes a framework with increased co-operation, collaboration and information sharing, to connect the individual cybersecurity communities and single initiatives, in order to allow stakeholders to build together a roadmap for cybersecurity.

Findings

During the discussions leading up to and during the two phases of the World Summit on the Information Society, country representative participants re-affirmed their commitment to deal effectively with the significant and growing problems posed by spam and other cyber-threats. As no single country or entity can alone create trust, confidence and security in the use of ICTs, it is clear that increased international action is needed to address the issues involved.

Practical implications

This paper tries to provide readers with a simple overview of the state of cybersecurity, and with a framework for further considering how new technologies and the growing use of the internet will impact upon stakeholders' trust in the use of ICTs.

Originality/value

Along with increasing dependency on ICTs, new threats to network and information security have emerged. These include growing misuse of electronic networks for criminal purposes or for objectives that can furthermore adversely affect the integrity of critical infrastructures within states. This paper puts forward some concrete suggestions on how countries could look at the issues related to cybersecurity.

Details

Online Information Review, vol. 31 no. 5
Type: Research Article
ISSN: 1468-4527

Article

Zuopeng (Justin) Zhang, Wu He, Wenzhuo Li and M'Hammed Abdous

Abstract

Purpose

Employees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses.

Design/methodology/approach

To help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost–benefit analysis of those CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. Also, we investigate the impact of CSAT programs with different costs and benefits on a company's optimal degree of security.

Findings

Our findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level.

Originality/value

Our model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.

Details

Industrial Management & Data Systems, vol. 121 no. 3
Type: Research Article
ISSN: 0263-5577

Article

Hassan Younies and Tareq Na'el Al-Tawil

Abstract

Purpose

The purpose of this paper is to explore the extent to which cybercrime laws protect citizens and businesses in the United Arab Emirates (UAE). Pertinent questions over the lax regulatory environment and incomprehensible cybersecurity policies have influenced the discussions.

Design/methodology/approach

This paper will first offer a global outlook of cybersecurity laws and legislation. The global outlook will present the basis for examining best practices that the UAE could emulate. The paper will then examine the legislative landscape of cyber laws in the UAE, including cross-country comparisons. The comparisons are critical, as the country’s cybercrime laws are in their infancy phase.

Findings

The UAE has taken decisive and proactive measures to deter the threat of cybercrimes and cyberattacks. The UAE's comprehensive strategy has been effective in protecting the economy and population from the adverse effects of cybercrimes. The success lies in the enactment of comprehensive and streamlined laws and regulations with harsher penalties. The stringent legal measures, including longer jail terms, stiffer fines and deportation of foreigners, have ensured robust deterrence to cybercriminals.

Originality/value

The analysis has shown that the UAE has a higher score of preparedness against cybercrimes and cyberattacks. The UAE has specifically crafted a broader and more effective legislative framework of cybercrime laws. Although the UAE has comprehensive cybercrime laws, the remarkable level of technological advances in the country makes citizens and businesses lucrative targets. The UAE now has the burden of doubling down on its legal efforts to deter emerging cybersecurity risks.

Details

Journal of Financial Crime, vol. 27 no. 4
Type: Research Article
ISSN: 1359-0790

Article

Sezer Bozkus Kahyaoglu and Kiymet Caliyurt

Abstract

Purpose

The purpose of this study is to analyze the cybersecurity assurance approaches to determine the key issues and weaknesses within the internal audit and risk management perspective. Organizations increasingly rely on digital data to drive their growth and they are interconnected in a complex web to a multitude of stakeholders.

Design/methodology/approach

In this paper, cybersecurity is defined, and a cybersecurity assurance model is explained based on the relevant literature. In addition, the role of internal auditing is introduced within this new business landscape. Finally, recommendations are made to provide best practices for stakeholders.

Findings

There are four major cyber-focused standards and frameworks in the current literature, namely, Control Objectives for Information and Related Technology, International Organization for Standardization, The American Institute of Certified Public Accountants and National Institute of Standards and Technology. In addition, there are many mechanisms in existence and operation currently which support cybersecurity assurance to prevent major threats. These include risk assessment, risk treatment, risk management, security assurance and auditing.

Research limitations/implications

Cyber risk is not something that can be avoided; instead, it must be managed. Hence, it is very important to maintain formal documentation on related cyber controls. Internal audit should be an integral part of the cybersecurity assurance process, as internal audit has a unique position to look across the organization. The contribution of internal audit also provides comfort to the Board and Audit Committee.

Practical implications

A model is introduced for how the internal audit and information security functions could work together to help organizations accomplish a cost-effective level of information security. The key issues and approaches are explained for how to become a trusted cybersecurity advisor, and a sample cybersecurity awareness program checklist is provided in Appendix 1.

Social implications

Considering that cybersecurity threats grow in speed, complexity and impact, organizations are no longer satisfied with an answer to a question like "are we secure?"; instead, they need the answer to a question like "how do we give reasonable assurance that our business will be secure enough?". In that respect, the role of internal audit is discussed based on the relevant literature and the current condition of the business environment.

Originality/value

A model is introduced for how the internal audit and information security functions could work together to help organizations accomplish a cost-effective level of information security. The key issues and approaches are explained for how to become a trusted cybersecurity advisor, and a sample cybersecurity awareness program checklist is provided in Appendix 1.

Details

Managerial Auditing Journal, vol. 33 no. 4
Type: Research Article
ISSN: 0268-6902

Article

Hiep Cong Pham, Linda Brennan, Lukas Parker, Nhat Tram Phan-Le, Irfan Ulhaq, Mathews Zanda Nkhoma and Minh Nhat Nguyen

Abstract

Purpose

Understanding the behavioral change process of system users to adopt safe security practices is important to the success of an organization’s cybersecurity program. This study aims to explore how the 7Ps (product, price, promotion, place, physical evidence, process and people) marketing mix, as part of an internal social marketing approach, can be used to gain an understanding of employees’ interactions within an organization’s cybersecurity environment. This understanding could inform the design of servicescapes and behavioral infrastructure to promote and maintain cybersecurity compliance.

Design/methodology/approach

This study adopted an inductive qualitative approach using in-depth interviews with employees in several Vietnamese organizations. Discussions were centered on employee experiences and their perceptions of cybersecurity initiatives, as well as the impact of initiatives on compliance behavior. Responses were then categorized under the 7Ps marketing mix framework.

Findings

The study shows that assessing a cybersecurity program using the 7P mix enables the systematic capture of users' security compliance and acceptance of IT systems. Additionally, understanding the interactions between system elements permits the design of behavioral infrastructure to enhance security efforts. Results also show that user engagement is essential in developing secure systems. User engagement requires developing shared objectives, localized communications, co-designing of efficient processes and understanding the "pain points" of security compliance. The knowledge developed from this research provides a framework for those managing cybersecurity systems and enables the design of human-centered systems conducive to compliance.

Originality/value

The study is one of the first to use a cross-disciplinary social marketing approach to examine how employees experience and comply with security initiatives. Previous studies have mostly focused on determinants of compliance behavior without providing a clear platform for management action. Internal social marketing using 7Ps provides a simple but innovative approach to reexamine existing compliance approaches. Findings from the study could leverage proven successful marketing techniques to promote security compliance.

Details

Information & Computer Security, vol. 28 no. 2
Type: Research Article
ISSN: 2056-4961

Book part

Saeed J. Roohani and Xiaochuan Zheng

Abstract

With recent increases in cybersecurity incidents, it is imperative to supplement the current accounting curriculum, equip accounting graduates with sufficient knowledge and skills to assess cybersecurity risk, and teach them about controls to mitigate such risks. In this chapter, the authors describe 10 teaching modules, supported by a series of 10 professionally produced videos. The authors developed these videos for educating students on cybersecurity, and the videos are available free to instructors from other institutions who wish to use them. The videos are filled with insights and advice from our two experts, one a former hacker and the other an experienced cybersecurity professional. This dialogue between two different sides provides a rich discussion that leads to answering many questions that people often have about cybersecurity. Further, in Exhibit 1, this chapter offers a framework for characterizing and analyzing some recent publicized data-breach cases, which can supplement discussion in the cybersecurity modules. Instructors can add more cases to this source over time. Finally, the authors share the analysis of feedback from students who went through the series. The results suggest that the students show interest in the topic, and the videos helped them better understand the complexity of cybersecurity risk and controls.

Details

Advances in Accounting Education: Teaching and Curriculum Innovations
Type: Book
ISBN: 978-1-78973-394-5

Article

Dejan Kosutic and Federico Pigni

Abstract

Purpose

The purpose of this paper is to help companies address the problem of ever-increasing cybersecurity investment that does not produce tangible business value – this is achieved by explaining the relationship between cybersecurity and competitive advantage.

Design/methodology/approach

The impact of cybersecurity on competitive advantage was explored through a qualitative research study: the authors conducted an extensive literature review and two rounds of semi-structured interviews with executives and security professionals from companies in four countries, from the financial, IT and security industries.

Findings

The analysis of the findings enabled the conceptualization of the Cybersecurity Competitive Advantage Model that explains how to build up cybersecurity dynamic capabilities to achieve long-term competitive advantage.

Research limitations/implications

The research presents the theorization of the model based on an extensive literature review, gathered information, insight from qualified respondents and the authors’ experience in the field. While we controlled for saturation and rigorously collected and analyzed the data, the inductive approach followed may limit the generalizability of the findings.

Practical implications

The proposed model helps explain to executives how to differentiate their company in a novel way and how to retain that competitive advantage; security professionals can use the model to organize cybersecurity and communicate to their superiors more effectively.

Originality/value

The presented model differs from the existing literature, cybersecurity frameworks and industry standards by presenting a method for avoiding technological bias and for achieving competitive advantage.

Details

Journal of Business Strategy, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0275-6668
