Search results

1 – 10 of 31
Open Access
Article
Publication date: 4 April 2023

Matteo Podrecca and Marco Sartor

Abstract

Purpose

The aim of this paper is to present the first diffusion analysis of ISO/IEC 27001, the fourth most popular ISO certification at global level and the most important standard for information security.

Design/methodology/approach

To achieve these purposes, the authors applied Grey Models (GM) – Even GM (1,1), Even GM (1,1,α,θ), Discrete GM (1,1), Discrete GM (1,1,α) – complemented by the relative growth rate and doubling time indexes, to the six most important countries in terms of issued certificates.

Findings

Results show that a growing trend is likely to be expected in the years to come and that China will lead at country level.

Originality/value

The study contributes to the scientific debate by presenting the first diffusive analysis of ISO/IEC 27001 and by proposing a forecasting approach that to date has found little application in the field of international standards.

Open Access
Article
Publication date: 5 January 2023

Tadele Shimels and Lemma Lessa

Abstract

Purpose

Information systems' security is more critical than ever before since security threats are rapidly growing. Before putting in place information systems' security measures, organizations are required to determine the maturity level of their information security governance. A literature review reveals that there is no recent study on the information systems' security maturity level of banks in Ethiopia. This study thus seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in the Ethiopian private banking industry's information system security maturity indicators.

Design/methodology/approach

Four private banks are selected as a representative sample. The system security engineering capability maturity model (SSE-CMM) is used as the maturity measurement criteria, and the measurement was based on ISO/IEC 27001 information security control areas. The data for the study were gathered using a questionnaire.

Findings

A total of 93 valid questionnaires were gathered from 110 participants in the study. Based on the SSE-CMM maturity model assessment criteria, the private banking industry's current maturity level is level 2 (repeatable but intuitive). Institutions have a pattern that is repeated when completing information security operations, but its existence was not thoroughly proven and institutional inconsistency still exists.

Originality/value

This study seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in the Ethiopian private banking industry's information system security maturity indicators. This topic has not been attempted previously in the context of the Ethiopian financial sector.

Details

International Journal of Industrial Engineering and Operations Management, vol. 5 no. 2
Type: Research Article
ISSN: 2690-6090

Article
Publication date: 17 May 2022

María Belén Ortiz and Stanislav Karapetrovic

Abstract

Purpose

Augmentation of an ISO 10001 code system for healthcare worker (HW) satisfaction with ISO/IEC 27701 and ISO/IEC 29184 privacy-related subsystems is shown. Four specific codes regarding the privacy of HWs using electronic devices for hand hygiene (HH) monitoring and the related activities are presented.

Design/methodology/approach

HWs’ concerns involving automated hand hygiene monitoring technologies were identified through a literature review and classified. Privacy codes (PCs) that deal with such concerns were developed. ISO/IEC 27701 requirements for privacy information were mapped to the elements of these codes, labelled as “Healthcare Workers’ Hand Hygiene Privacy Codes (HW-HH-PCs)”. Both ISO/IEC 27701 and ISO/IEC 29184 guidelines for Privacy Notices and consent were linked with the activities for preparing the code resources.

Findings

Components of an ISO/IEC 27701 system, the guidance of ISO/IEC 29184 and the definitions provided in ISO/IEC 29100 can assist the preparation of HW-HH-PCs and the required resources. An ISO/IEC 29184 Privacy Notice can be used as input for developing an Informed Consent Form, which can be implemented to suit two of the four developed HW-HH-PCs.

Practical implications

HW-HH-PCs and the supporting resources, which healthcare organizations could implement to potentially increase quality assurance of an automated HH monitoring service, are illustrated.

Originality/value

Integrative augmentation of ISO 10001:2018, ISO/IEC 27701:2019 and ISO/IEC 29184:2020 within an underlying framework from ISO/IEC 20000-1:2018 for information technology service, together with the related examples of privacy-related customer satisfaction codes and the corresponding resources, is introduced.

Details

The TQM Journal, vol. 35 no. 5
Type: Research Article
ISSN: 1754-2731

Article
Publication date: 7 September 2023

Zainab Batool Rizvi, Chaudry Bilal Ahmad Khan and Michael O’Sullivan

Abstract

Purpose

This paper aims to explore key management actions for implementing security on the cloud, which is a critical issue as many organizations are moving business processes and data onto it. The cloud is a flexible, low-cost and highly available technology, but it comes with increased complexity in maintaining the cloud consumer's security. In this research, a model was built to assist strategic decision-makers in choosing from a diverse range of actions that can be taken to manage cloud security.

Design/methodology/approach

Published research from 2010 to 2022 was reviewed to identify alternatives to management actions pertaining to cloud security. Analytical hierarchical process (AHP) was applied to rate the most important action(s). For this, the alternatives, along with selection criteria, were summarized through thematic analysis. To gauge the relative importance of the alternatives, a questionnaire was distributed among cloud security practitioners to poll their opinion. AHP was then applied to the aggregated survey responses.

Findings

It was found that the respondents gave the highest importance to aligning information security with business needs. Building a cloud-specific risk management framework was rated second, while the actions "enforce and monitor contractual obligations" and "update organizational structure" were rated third and fourth, respectively.

Research limitations/implications

The research takes a general view without catering to specialized industry-based scenarios.

Originality/value

This paper highlights the role of management actions when implementing cloud security. It presents an AHP-based multi-criteria decision-making model that can be used by strategic decision-makers in selecting the optimum mode of action. Finally, the criteria used in the AHP model highlight how each alternative contributes to cloud security.

Open Access
Article
Publication date: 2 June 2023

Louis Maximilian Ronalter, Camila Fabrício Poltronieri and Mateus Cecilio Gerolamo

Abstract

Purpose

This work aims to present existing management system standards (MSSs) published by the International Organization for Standardization (ISO) through a bibliometric analysis, thereby outlining their academic research status and highlighting their relation to the Sustainable Development Goals (SDGs) as well as to environmental, social and governance (ESG) themes.

Design/methodology/approach

The study firstly retrieves a preliminary set of MSSs from ISO and filters it in accordance with certain exclusion/inclusion criteria. Secondly, a bibliometric search is performed in the Scopus database. Thirdly, performance analysis is conducted to quantitatively measure the scientific output in academia, and science mapping of keyword co-occurrences is applied to identify related topics. Thereby, the standards' relationships to sustainability are outlined. Eventually, the work discusses future research opportunities.

Findings

The findings reveal that whereas research on MSSs focuses predominantly on only a few standards by now, there are actually numerous further standards that address sustainability-relevant topics, which are getting increasing attention among scholars as measured by the number of publications. Therefore, an action plan for future research is derived. Moreover, the findings support the argument of integrating MSSs to cover a broad range of corporate sustainability issues.

Originality/value

The paper connects the concepts of MSSs and sustainability, an upcoming research branch yet characterized by shortage of academic studies (given that research continues to focus on a few standards such as ISO 9001, ISO 14001 and ISO 45001). The work therefore opens up the line for more in-detail research on less known but nevertheless sustainability-relevant ISO MSSs.

Article
Publication date: 23 January 2024

Ranjit Roy Ghatak and Jose Arturo Garza-Reyes

Abstract

Purpose

The research explores the shift to Quality 4.0, examining the move towards a data-focussed transformation within organizational frameworks. This transition is characterized by incorporating Industry 4.0 technological innovations into existing quality management frameworks, signifying a significant evolution in quality control systems. Despite the evident advantages, the practical deployment in the Indian manufacturing sector encounters various obstacles. This research is dedicated to a thorough examination of these impediments. It is structured around a set of pivotal research questions: First, it seeks to identify the key barriers that impede the adoption of Quality 4.0. Second, it aims to elucidate these barriers' interrelations and mutual dependencies. Thirdly, the research prioritizes these barriers in terms of their significance to the adoption process. Finally, it contemplates the ramifications of these priorities for the strategic advancement of manufacturing practices and the development of informed policies. By answering these questions, the research provides a detailed understanding of the challenges faced. It offers actionable insights for practitioners and policymakers implementing Quality 4.0 in the Indian manufacturing sector.

Design/methodology/approach

Employing Interpretive Structural Modelling and Matrix Impact of Cross Multiplication Applied to Classification, the authors probe the interdependencies amongst fourteen identified barriers inhibiting Quality 4.0 adoption. These barriers were categorized according to their driving power and dependence, providing a richer understanding of the dynamic obstacles within the Technology–Organization–Environment (TOE) framework.

Findings

The study results highlight the lack of Quality 4.0 standards and Big Data Analytics (BDA) tools as fundamental obstacles to integrating Quality 4.0 within the Indian manufacturing sector. Additionally, the study results contravene dominant academic narratives, suggesting that the cumulative impact of organizational barriers is marginal, contrary to theoretical postulations emphasizing their central significance in Quality 4.0 assimilation.

Practical implications

This research provides concrete strategies, such as developing a collaborative platform for sharing best practices in Quality 4.0 standards, which fosters a synergistic relationship between organizations and policymakers, for instance, by creating a joint task force, comprised of industry leaders and regulatory bodies, dedicated to formulating and disseminating comprehensive guidelines for Quality 4.0 adoption. This initiative could lead to establishing industry-wide standards, benefiting from the pooled expertise of diverse stakeholders. Additionally, the study underscores the necessity for robust, standardized Big Data Analytics tools specifically designed to meet the Quality 4.0 criteria, which can be developed through public-private partnerships. These tools would facilitate the seamless integration of Quality 4.0 processes, demonstrating a direct route for overcoming the barriers of inadequate standards.

Originality/value

This research delineates specific obstacles to Quality 4.0 adoption by applying the TOE framework, detailing how these barriers interact with and influence each other, particularly highlighting the previously overlooked environmental factors. The analysis reveals a critical interdependence between “lack of standards for Quality 4.0” and “lack of standardized BDA tools and solutions,” providing nuanced insights into their conjoined effect on stalling progress in this field. Moreover, the study contributes to the theoretical body of knowledge by mapping out these novel impediments, offering a more comprehensive understanding of the challenges faced in adopting Quality 4.0.

Details

International Journal of Quality & Reliability Management, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0265-671X

Article
Publication date: 17 August 2021

Abir Al-Harrasi, Abdul Khalique Shaikh and Ali Al-Badi

Abstract

Purpose

One of the most important Information Security (IS) concerns nowadays is data theft or data leakage. To mitigate this type of risk, organisations use a solid infrastructure and deploy multiple layers of security protection technology and protocols such as firewalls, VPNs and IPsec VPN. However, these technologies do not guarantee data protection, and especially from insiders. Insider threat is a critical risk that can cause harm to the organisation through data theft. The main purpose of this study was to investigate and identify the threats related to data theft caused by insiders in organisations and explore the efforts made by them to control data leakage.

Design/methodology/approach

The study proposed a conceptual model to protect organisations’ data by preventing data theft by malicious insiders. The researchers conducted a comprehensive literature review to achieve the objectives of this study. The collection of the data for this study is based on earlier studies conducted by several researchers from January 2011 to December 2020. All the selected literature is from journal articles, conference articles and conference proceedings using various databases.

Findings

The study revealed three main findings: first, the main risks inherent in data theft are financial fraud, intellectual property theft, and sabotage of IT infrastructure. Second, there are still some organisations that are not considering data theft by insiders as being a severe risk that should be well controlled. Lastly, the main factors motivating the insiders to perform data leakage activities are financial gain, lack of fairness and justice in the workplace, the psychology or characteristics of the insiders, new technologies, lack of education and awareness and lack of management tools for understanding insider threats.

Originality/value

The study provides a holistic view of data theft by insiders, focusing on the problem from an organisational point of view. Organisations can therefore take into consideration our recommendations to reduce the risks of data leakage by their employees.

Details

International Journal of Organizational Analysis, vol. 31 no. 3
Type: Research Article
ISSN: 1934-8835

Article
Publication date: 16 October 2023

Miguel Calvo and Marta Beltrán

Abstract

Purpose

This paper aims to propose a new method to derive custom dynamic cyber risk metrics based on the well-known Goal, Question, Metric (GQM) approach. A framework that complements it and makes it much easier to use has been proposed too. Both the method and the framework have been validated within two challenging application domains: continuous risk assessment within a smart farm and risk-based adaptive security to reconfigure a Web application firewall.

Design/methodology/approach

The authors have identified a problem and provided motivation. They have developed their theory and engineered a new method and a framework to complement it. They have demonstrated that the proposed method and framework work, validating them in two real use cases.

Findings

The GQM method, often applied within the software quality field, is a good basis for proposing a method to define new tailored cyber risk metrics that meet the requirements of current application domains. A comprehensive framework that formalises possible goals and questions translated to potential measurements can greatly facilitate the use of this method.

Originality/value

The proposed method enables the application of the GQM approach to cyber risk measurement. The proposed framework allows new cyber risk metrics to be inferred by choosing between suggested goals and questions and measuring the relevant elements of probability and impact. The authors' approach proves to be generic and flexible enough to allow very different organisations with heterogeneous requirements to derive tailored metrics useful for their particular risk management processes.

Details

Information & Computer Security, vol. 32 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 3 April 2023

Efrosini Siougle, Sophia Dimelis and Nikolaos Malevris

Abstract

Purpose

This study explores the link between ISO 9001 certification, personal data protection and firm performance using financial balance sheet and survey data. The security aspect of data protection is analyzed based on the major requirements of the General Data Protection Regulation and mapped to the relevant controls of the ISO/IEC 27001/27002 standards.

Design/methodology/approach

The research analysis is based on 96 ISO 9001-certified and non-certified publicly traded manufacturing and service firms that responded to a structured questionnaire. The authors develop and empirically test their theoretical model using the structural equation modeling technique and follow a difference-in-differences econometric modeling approach to estimate financial performance differences between certified and non-certified firms, accounting for the level of data protection.

Findings

The estimates indicate three core dimensions in the areas of “policies, procedures and responsibilities,” “access control management” and “risk-reduction techniques” as desirable components in establishing the concept of data security. The estimates also suggest that the data protection level has significantly impacted the performance of certified firms relative to the non-certified. Controlling for the effect of industry-level factors reveals a positive relationship between data security and high-technological intensity.

Practical implications

The results imply that improving the level of compliance to data protection enhances the link between certification and firm performance.

Originality/value

This study fills a gap in the literature by empirically testing the influence of data protection on the relationship between quality certification and firm performance.

Details

International Journal of Productivity and Performance Management, vol. 73 no. 3
Type: Research Article
ISSN: 1741-0401

Book part
Publication date: 29 May 2023

Shekhar Ashok Pawar and Hemant Palivela

Abstract

Purpose: Small and medium enterprises (SMEs) are the most significant contributors to employment generation, the gross domestic product (GDP) of many countries, and the overall global economy. It is also evident that cyber threats are becoming a big challenge for SMEs, which is directly impacting the global economy.

Methodology: Existing research inputs were accessed to understand current cyber threats for SMEs and their cybersecurity posture. Additionally, this research has collected the latest insights by taking direct inputs from SMEs and conducting a well-designed research survey. It has provided a few direct inputs to designing solutions for the SME segment. For analysis and recommendations, cybersecurity best practices and core cybersecurity concepts are considered at the centre of the solution.

Findings: Implementing existing cybersecurity standards or frameworks is not easy for SMEs, as they generally have limited resources and different priorities for their business when it comes to the implementation of any cybersecurity controls. Currently, many cybersecurity standards are not able to support the implementation of business domain-specific controls.

Practical implications: Along with the research findings shared in this chapter, as a resolution to the problems faced by SMEs, the authors will propose a new framework as a solution. This framework is designed using core concepts of cybersecurity such as confidentiality, integrity, and availability (the CIA triad) as well as defence in depth (DiD) mechanisms in each layer of the organisation. The authors will also share a high-level idea about how reliable artificial intelligence-based software can help identify recommended controls for particular SMEs.

Details

Smart Analytics, Artificial Intelligence and Sustainable Performance Management in a Global Digitalised Economy
Type: Book
ISBN: 978-1-83753-416-6
