Search results

In recent years, the frequency and severity of cybersecurity incidents have prompted customers to seek out specialized insurance products. However, this has also presented insurers with operational challenges and increased costs. The assessment of risks for health systems and cyber–physical systems (CPS) necessitates a heightened degree of attention. The significant values of potential damages and claims request a solid insurance system, part of cyber-resilience. This research paper focuses on the emerging cyber insurance market that is currently in the process of standardizing and improving its risk analysis concerning the potential insured entity.

The authors' approach involves a quantitative analysis utilizing a Likert-style questionnaire designed to survey cyber insurance professionals. The authors' aim is to identify the current methods used in gathering information from potential clients, as well as the manner in which this information is analyzed by the insurers. Additionally, the authors gather insights on potential improvements that could be made to this process.

The study the authors elaborated it has a particularly important cyber and risk components for insurance area, because it addresses a “niche” area not yet proper addressed in specialized literature – cyber insurance. Cyber risk management approaches are not uniform at the international level, nor at the insurer level. Also, not all insurers can perform solid assessments, especially since their companies should first prove that they are fully compliant with international cyber security standards.

This research has concentrated on analyzing the current practices in terms of gathering information about the insured entity before issuing the cyber insurance policy, level of details concerning the cyber security posture of the insured entity and way such information should be analyzed in a standardized and useful manner. The novelty of this research resides in the analysis performed as detailed above and the proposals in terms of information gathered, depth of analysis and standardization of approach made. Future work on the topic can focus on the standardization process for analyzing cyber risk for insurance clients, to improve the proposal based also on historical elements and trends in the market. Thus, future research can further refine the standardization process to analyze in more depth the way this can be implemented and included in relevant legislation at the EU level.

Proposed improvements include proposals in terms of the level of detail and the usefulness of an independent centralized approach for information gathering and analysis, especially given the re-insurance and brokerage activities. The authors also propose a common practical procedural approach in risk management, with the involvement of insurance companies and certification institutions of cyber security auditors.

The study investigates the information gathered by insurers from potential clients of cyber insurance and the way this is analyzed and updated for issuance of the insurance policy.

This article surveys why libraries are vulnerable to social engineering attacks and how to manage risks of human-caused cyber threats on organizational level; investigates Estonian library staff awareness of information security and shares recommendations concerning focus areas that should be given more attention in the future.

The data used in this paper is based on an overview of relevant literature highlighting the theoretical points and giving the reasons why human factor is considered the weakest link in information security and cyber security and studying how to mitigate the related risks in the organisation. To perform the survey, a web questionnaire was designed which included 63 sentences and was developed based on the knowledge-attitude-behaviour (KAB) model supported by Kruger and Kearney and Human Aspects of Information Security Questionnaire (HAIS-Q) designed by Parsons et al.

The research results show that the information security awareness of library employees is at a good level; however, awareness in two focus areas needs special attention and should be improved. The output of this study is the mapping of seven focus areas of information security policy in libraries based on the HAIS-Q framework and the KAB model.

The cyber awareness of library employees has not been studied in the world using HAIS-Q and KAB model, and to the best of the authors’ knowledge, no research has been previously carried out in the Estonian library context into cyber security awareness.

This paper aims to explore key management actions for implementing security on the cloud, which is a critical issue as many organizations are moving business processes and data on it. The cloud is a flexible, low cost and highly available technology, but it comes with increased complexity in maintaining the cloud consumer’s security. In this research, a model was built to assist strategic decision-makers in choosing from a diverse range of actions that can be taken to manage cloud security.

Published research from 2010 to 2022 was reviewed to identify alternatives to management actions pertaining to cloud security. Analytical hierarchical process (AHP) was applied to rate the most important action(s). For this, the alternatives, along with selection criteria, were summarized through thematic analysis. To gauge the relative importance of the alternatives, a questionnaire was distributed among cloud security practitioners to poll their opinion. AHP was then applied to the aggregated survey responses.

It was found that the respondents gave the highest importance to aligning information security with business needs. Building a cloud-specific risk management framework was rated second, while the actions: enforce and monitor contractual obligations, and update organizational structure, were rated third and fourth, respectively.

The research takes a general view without catering to specialized industry-based scenarios.

This paper highlights the role of management actions when implementing cloud security. It presents an AHP-based multi-criteria decision-making model that can be used by strategic decision-makers in selecting the optimum mode of action. Finally, the criteria used in the AHP model highlight how each alternative contributes to cloud security.

This paper aims to provide a maturity model for information security awareness (MMISA), based on the literature, expert interviews and feedback. In addition to developing the MMISA, the authors investigate the role of the three decisive factors that affect ISA maturity level: risk management mechanism, organizational structure and ISA.

The research methodology is a combined one; qualitative and quantitative methods were applied, including surveying the literature, interviews and developing a survey to collect quantitative data about decisive factors that affect ISA maturity level. The authors perform a variance-based partial least squares-structural equation modeling (PLS-SEM) investigation of the relationships between these factors.

The investigation of decisive factors of ISA maturity levels revealed that if the authors identify a strong risk assessment mechanism (through a documented methodology and reliable results), the authors can expect a high level of ISA. If there is a well-defined organizational structure with clear responsibilities, this supports the linking of a risk management mechanism with the level of ISA. The connection between organizational structure and ISA maturity level is supported by ISA activities: an increased level of awareness actions strengthens an organizational structure via the best practices learned by the staff.

The main contribution of the proposed MMISA model is that the model offers controls and audit evidence for maturity levels. Beyond that, the authors distinguish in the MMISA model controls supporting knowledge and controls supporting attitude, emphasizing that this is not enough to know what to do, but the proper attitude is required too. The authors didn't find any other ISA maturity model which has a similar feature. The contribution of the authors' work is that the authors provide a method for solving this complex measurement problem via the MMISA, which also offers direct guidance for the daily practices of organizations.

Security assurance evaluation (SAE) is a well-established approach for assessing the effectiveness of security measures in systems. However, one aspect that is often overlooked in these evaluations is the assurance context in which they are conducted. This paper aims to explore the role of assurance context in system SAEs and proposes a conceptual model to integrate the assurance context into the evaluation process.

The conceptual model highlights the interrelationships between the various elements of the assurance context, including system boundaries, stakeholders, security concerns, regulatory compliance and assurance assumptions and regulatory compliance.

By introducing the proposed conceptual model, this research provides a framework for incorporating the assurance context into SAEs and offers insights into how it can influence the evaluation outcomes.

By delving into the concept of assurance context, this research seeks to shed light on how it influences the scope, methodologies and outcomes of assurance evaluations, ultimately enabling organizations to strengthen their system security postures and mitigate risks effectively.

This study explores the critical success factors (CSFs) for Security Education, Training and Awareness (SETA) program effectiveness. The questionable effectiveness of SETA programs at changing employee behavior and an absence of empirical studies on the CSFs for SETA program effectiveness is the key motivation for this study.

This exploratory study follows a systematic inductive approach to concept development. The methodology adopts the “key informant” approach to give voice to practitioners with SETA program expertise. Data are gathered using semi-structured interviews with 20 key informants from various geographic locations including the Gulf nations, Middle East, USA, UK and Ireland.

In this study, the analysis of these key informant interviews, following an inductive open, axial and selective coding approach, produces 11 CSFs for SETA program effectiveness. These CSFs are mapped along the phases of a SETA program lifecycle (design, development, implementation and evaluation) and nine relationships identified between the CSFs (within and across the lifecycle phases) are highlighted. The CSFs and CSFs' relationships are visualized in a Lifecycle Model of CSFs for SETA program effectiveness.

This research advances the first comprehensive conceptualization of the CSFs for SETA program effectiveness. The Lifecycle Model of CSFs for SETA program effectiveness provides valuable insights into the process of introducing and sustaining an effective SETA program in practice. The Lifecycle Model contributes to both theory and practice and lays the foundation for future studies.

The Cloud of Things (IoT) that refers to the integration of the Cloud Computing (CC) and the Internet of Things (IoT), has dramatically changed the way treatments are done in the ubiquitous computing world. This integration has become imperative because the important amount of data generated by IoT devices needs the CC as a storage and processing infrastructure. Unfortunately, security issues in CoT remain more critical since users and IoT devices continue to share computing as well as networking resources remotely. Moreover, preserving data privacy in such an environment is also a critical concern. Therefore, the CoT is continuously growing up security and privacy issues. This paper focused on security and privacy considerations by analyzing some potential challenges and risks that need to be resolved. To achieve that, the CoT architecture and existing applications have been investigated. Furthermore, a number of security as well as privacy concerns and issues as well as open challenges, are discussed in this work.

The purpose of this paper is to explore the current practices in security convergence among and between corporate security and cybersecurity processes in commercial enterprises.

This paper is the first phase in a planned multiphase project to better understand current practices in security optimization efforts being implemented by commercial organizations exploring means and methods to operate securely while reducing operating costs. The research questions being examined are: What are the general levels of interest in cybersecurity and corporate security convergence? How well do the perspectives on convergence align between organizations? To what extent are organizations pursuing convergence? and How are organizations achieving the anticipated outcomes from convergence?

In organizations, the evolution to a more optimized security structure, either merged or partnered, was traditionally due to unplanned or unforeseen events; e.g. a spin-off/acquisition, new security leadership or a negative security incident was the initiator. This is in contrast to a proactive management decision or formal plan to change or enhance the security structure for reasons that include reducing costs of operations and/or improving outcomes to reduce operational risks. The dominant exception was in response to regulatory requirements. Preliminary findings suggest that outcomes from converged organizations are not necessarily more optimized in situations that are organizationally merged under a single leader. Optimization may ultimately depend on the strength of relationships and openness to collaboration between management, cybersecurity and corporate security personnel.

This report and the number of respondents to its survey do not support generalizable findings. There are too few in each category to make reliable predictions and in analysis, there was an insufficient quantity of responses in most categories to allow supportable conclusions to be drawn.

Practitioners may find useful contextual clues to their needs for convergence or in response to directives for convergence from this report on what is found in some other organizations.

Improved effectiveness and/or reduced costs for organizational cybersecurity would be a useful social outcome as organizations become more efficient in the face of increasing levels of cyber security threats.

Convergence as a concept has been around for some time now in both the practice and research communities. It was initially promoted formally by ASIS International and ISACA in 2005. Yet there is no universally agreed-upon definition for the term or the practices undertaken to achieve it. In addition, the business drivers and practices undertaken to achieve it are still not fully understood. If convergence or optimization of converged operations offers a superior operational construct compared to other structures, it is incumbent to discover if there are measurable benefits. This research hopes to define the concept of security collaboration optimization more fully. The eventual goal is to develop and promote a tool useful for organizations to measure where they are on such a continuum.

This paper aims to measure the trade price impact of a recent regulatory disclosure intervention in municipal securities secondary markets, which required broker-dealers to disclose securities trading information on a near-real-time and continuing basis.

The author analyzes trade price outcomes in the preintervention and postintervention regimes using a suite of time series estimations that give heteroskedasticity-robust standard errors (Prais–Winsten and Cochrain–Orcutt), accommodate higher-order lag structure in the error term (autoregressive integrated moving average) and account for volatility clustering in the time series (generalized autoregressive conditional heteroskedasticity).

Results show that regulatory disclosure intervention significantly improved trade price efficiency in municipal securities secondary markets as daily trade price differential and volatility both declined market-wide after the disclosure intervention.

The sample consists of trades in State of California general obligation bonds; therefore, empirical findings may not be generalizable to other states, local governments and different types of bonds.

The findings highlight voluntary information disclosure as a practical and effective mechanism in disclosure regulation of municipal securities secondary markets.

Only a small body of work exists that examines information disclosure regulation in municipal securities secondary markets; therefore, this paper expands knowledge on the topic and should provide renewed impetus for regulatory efforts aimed at improving the efficiency of municipal capital markets.

The frequency and sophistication of cybercrimes are increasing. These cybercrimes are impacting government and private organizations as well as individuals. One of the countermeasures is to improve the cyber hygiene of the end-users. Serious games or game-based learning has emerged as a promising approach for implementing security education, training and awareness program. In this paper, the researchers propose a tabletop card game called Cyber Suraksha to increase threat awareness and motivate users to adopt recommended security controls for smartphone users. Cyber Suraksha provides an active learning environment for the players. This paper aims to provide the details of the design and evaluation of the game using a between-subjects design.

The researchers have used constructive learning theory and the Fogg behaviour model (FBM) to design a tabletop card game called Cyber Suraksha. The researchers evaluated the game using a between-subjects design. The participants' responses in the control and intervention groups were collected using the risk behaviour diagnosis scale. Pearson’s Chi-Square test with a 5% significance level was used to test the hypotheses.

The results indicate that the game is enjoyable and fun. Cyber Suraksha game effectively motivates users to adopt the recommended security control for the targeted behaviour. The results indicate that the participants in the intervention group are 2.65 times more likely to adopt recommended behaviour. The findings of this study provide evidence for the effectiveness of hope and fear appeals in improving cybersecurity awareness.

The generalizability of the study is limited because the sample size is small compared to the total number of smartphone users in India, and only students from computer/IT UG programs in India are used as participants in this study.

This study uses hope and a fear appeal to design an effective serious game. It also demonstrates using the FBM and constructive learning principles for effective serious game design. Cyber Suraksha is effective for the student group and may be tested with other age groups.

To the researchers' knowledge, there are no serious games for cybersecurity awareness focusing on the threats faced by smartphone users based on FBM and constructive learning theory. This research used hope along with a fear appeal to motivate smartphone users to adopt recommended security controls.