Article
Publication date: 7 October 2014

Kathryn Parsons, Agata McCormac, Malcolm Pattinson, Marcus Butavicius and Cate Jerram


Abstract

Purpose

The purpose of this paper is to investigate the human-based information security (InfoSec) vulnerabilities in three Australian government organisations.

Design/methodology/approach

A Web-based survey was developed to test attitudes, knowledge and behaviour across eight policy-based focus areas. It was completed by 203 participants across the three organisations. This was complemented by interviews with senior management from these agencies.

Findings

Overall, management and employees had reasonable levels of InfoSec awareness. However, weaknesses were identified in the use of wireless technology, the reporting of security incidents and the use of social networking sites. These weaknesses were identified in the survey data of the employees and corroborated in the management interviews.

Research limitations/implications

As with all such surveys, responses to the questions on attitude and behaviour (but not knowledge) may have been influenced by the social desirability bias. Further research should establish more extensive baseline data for the survey and examine its effectiveness in assessing the impact of training and risk communication interventions.

Originality/value

A new survey tool is presented and tested which is of interest to academics as well as management and IT systems (security) auditors.

Details

Information Management & Computer Security, vol. 22 no. 4
Type: Research Article
ISSN: 0968-5227

Book part
Publication date: 11 June 2021

Forough Nasirpouri Shadbad and David Biros

Abstract

Since the emergence of the Internet in the twentieth century and the rapid growth of different types of information technologies (IT), our lives, both personal and professional, have become digitised. Adoption and diffusion of IT enhance individual and organisational performance, yet scholars have identified a dual nature of IT, in which IT usage may also have negative aspects. First, the inability to cope with IT in a healthy manner creates stress in users, termed technostress. Second, digitisation and the adoption of new technologies (e.g. IoT and multi-cloud environments) have increased vulnerabilities to information security (InfoSec) threats. Although organisations utilise counteraction strategies (e.g. security systems, security policies), end-users remain the top source of security incidents. Existing behavioural research has approached technostress and InfoSec independently, so it is not clear how technology stressors influence employees’ security-related behaviours. This chapter reviews the interaction effect of these concepts in detail by proposing a conceptual model in which technostress is the main reason for employees’ non-compliance with security policies: users who perceive high levels of technostress are more likely to violate InfoSec policies. Counteraction strategies to mitigate technostress and security threats are also discussed.

Details

Information Technology in Organisations and Societies: Multidisciplinary Perspectives from AI to Technostress
Type: Book
ISBN: 978-1-83909-812-3

Article
Publication date: 5 March 2018

Baidyanath Biswas and Arunabha Mukhopadhyay

Abstract

Purpose

Malicious attackers frequently breach information systems by exploiting disclosed software vulnerabilities. Knowledge of how these vulnerabilities evolve over time is essential for organisations deciding which software products to use. The purpose of this paper is to propose a novel G-RAM framework for business organisations to assess and mitigate risks arising out of software vulnerabilities.

Design/methodology/approach

The G-RAM risk assessment module uses GARCH to model vulnerability growth. Using 16 years of data (1999-2016) from the National Vulnerability Database, the authors estimate the model parameters and validate the prediction accuracy. Next, the G-RAM risk mitigation module designs an optimal software portfolio using Markowitz’s mean-variance optimisation for a given IT budget and preference.

Findings

Based on an empirical analysis, this study establishes that vulnerability growth follows a non-linear, time-dependent, heteroskedastic pattern. Further, efficient software combinations are proposed that optimise correlated risk. The study also reports empirical evidence of a shift in the efficient frontier of software configurations over time.

Research limitations/implications

The existing assumption of independent and identically distributed residuals after fitting a vulnerability growth function is incorrect. This study applies the GARCH technique to measure volatility clustering and mean reversion. The risk (or volatility) represented by the instantaneous variance depends on the immediately preceding one, as well as on the unconditional variance of the entire vulnerability growth process.

Practical implications

The volatility-based estimation of vulnerability growth is a risk assessment mechanism. Next, the portfolio analysis acts as a risk mitigation activity. Results from this study can determine the patch management cycle needed for each software product, whether individual or group patching. G-RAM also ranks products in a 2×2 risk-return matrix to ensure that the correlated risk is diversified. Finally, the paper helps business firms decide what to purchase and what to avoid.

Originality/value

Unlike existing techniques, which rely on either statistical distributions or linear econometric methods, this study establishes that vulnerability growth follows a non-linear, time-dependent, heteroskedastic pattern. The paper also links software risk assessment to IT governance and strategic business objectives. To the authors’ knowledge, this is the first study in IT security to examine and forecast volatility, and further to design risk-optimal software portfolios.

Details

Journal of Enterprise Information Management, vol. 31 no. 2
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 28 June 2021

Oluwafemi Oriola, Adesesan Barnabas Adeyemo, Maria Papadaki and Eduan Kotzé

Abstract

Purpose

Collaborative-based national cybersecurity incident management benefits from the large volume of incident information, large-scale information security devices and the aggregation of security skills. However, no existing collaborative approach has been able to cater for the multiple regulators, divergent incident views and incident reputation trust issues that national cybersecurity incident management presents. This paper aims to propose a collaborative approach that handles these issues cost-effectively.

Design/methodology/approach

A collaborative-based national cybersecurity incident management architecture based on ITU-T X.1056 security incident management framework is proposed. It is composed of the cooperative regulatory unit with cooperative and third-party management strategies and an execution unit, with incident handling and response strategies. Novel collaborative incident prioritization and mitigation planning models that are fit for incident handling in national cybersecurity incident management are proposed.

Findings

A use case depicting how the collaborative-based national cybersecurity incident management would function within a typical information and communication technology ecosystem is illustrated. The proposed collaborative approach is evaluated on the performance of an experimental cyber-incident management system against two multistage attack scenarios. Based on descriptive statistics, the results show that the proposed approach is more reliable than the existing ones.

Originality/value

The approach produces better incident impact scores and rankings than standard tools. The approach reduces the total response costs by 8.33% and false positive rate by 97.20% for the first attack scenario, while it reduces the total response costs by 26.67% and false positive rate by 78.83% for the second attack scenario.

Article
Publication date: 10 October 2023

Stefano De Paoli and Jason Johnstone

Abstract

Purpose

This paper presents a qualitative study of penetration testing, the practice of attacking information systems to find and fix security vulnerabilities. The purpose of this paper is to understand whether, and to what extent, penetration testing can reveal various socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by using Routine Activity Theory together with concepts from the phenomenology of information systems.

Design/methodology/approach

The articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consists of 24 qualitative interviews conducted with penetration testers, analysed with thematic analysis.

Findings

The starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how the vulnerabilities that make a target suitable often emerge from properties of the existing built digital environments. This includes systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although testing is often predicated on planned methodologies, testers often resort to serendipitous practices such as improvisation.

Originality/value

This paper contributes to theory, showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from considering that much research on information security focuses on the internal actions of organisations. The study of penetration testing as a proxy of real attacks allows novel insights into socio-organisational factors of information security in organisations.

Details

Information Technology & People, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 12 June 2020

Muhamad Khairulnizam Zaini, Mohamad Noorman Masrek and Mad Khir Johari Abdullah Sani


Abstract

Purpose

This study aims to determine the extent to which information security management (ISM) practices impact organisational agility by examining the relationship between the two concepts.

Design/methodology/approach

A quantitative research design was used in this study. The study was conducted throughout Malaysia, with a total of 250 valid questionnaires obtained from managers and executives of Multimedia Super Corridor (MSC)-status companies. Structural equation modelling (SEM) using partial least squares was used to analyse the data and to test all nine hypotheses developed in this study.

Findings

Findings from this study indicate that operational agility (OA) is significantly related to ISM practices in MSC-status companies. Validation of the structural model of nine hypotheses developed for this study demonstrated satisfactory results, exhibiting six significant direct relationships and three non-significant relationships.

Research limitations/implications

This study has addressed the need for a comprehensive, coherent and empirically tested framework of ISM practices and organisational agility. The theoretical framework used in this study emphasises the ISM–organisational agility dimensions that are most important for ascertaining a high level of ISM practices and perceived agility among information technology (IT) business companies in Malaysia. With the application of SEM for powerful analysis, the empirically based framework established in this study was validated by the empirical findings, thus contributing significantly to the field of information security (InfoSec).

Originality/value

This study has filled the research gap between the different constructs of ISM practices and OA. The model put forth in this study contributes in several ways to the InfoSec research community. Recognising the InfoSec practices that could facilitate organisational agility in the IT industry in Malaysia is vital and contributes to greater value creation for organisations.

Details

Information & Computer Security, vol. 28 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 12 June 2017

Malcolm Pattinson, Marcus Butavicius, Kathryn Parsons, Agata McCormac and Dragana Calic

Abstract

Purpose

The aim of this study was first to confirm that a specific bank’s employees were generally more information security-aware than employees in other Australian industries and second to identify the major factors that contributed to this bank’s high levels of information security awareness (ISA).

Design/methodology/approach

A Web-based questionnaire (the Human Aspects of Information Security Questionnaire – HAIS-Q) was used in two separate studies to assess the ISA of individuals who used computers at their workplace. The first study assessed 198 employees at an Australian bank and the second study assessed 500 working Australians from various industries. Both studies used a Qualtrics-based questionnaire that was distributed via an email link.

Findings

The results showed that the average level of ISA among bank employees was consistently 20 per cent higher than that among general workforce participants in all focus areas and overall. There were no significant differences between the ISA scores for those who received more frequent training compared to those who received less frequent training. This result suggests that the frequency of training is not a contributing factor to an employee’s level of ISA.

Research limitations/implications

This research did not investigate the information security (InfoSec) culture that prevailed within the bank in question, because the objective was to compare a bank’s employees with general workforce employees rather than to compare organisations. The research did not include questions relating to the type of training participants had received at work.

Originality/value

This study provided the bank’s InfoSec management with evidence that their multi-channelled InfoSec training regime was responsible for a substantially higher-than-average ISA for their employees. Future research of this nature should examine the effectiveness of various ISA programmes in light of individual differences and learning styles. This would form the basis of an adaptive control framework that would complement many of the current international standards, such as ISO’s 27000 series, NIST’s SP800 series and ISACA’s COBIT5.

Article
Publication date: 8 July 2014

Mario Silic and Andrea Back


Abstract

Purpose

The purpose of this literature review is to analyze current trends in information security and suggest future directions for research.

Design/methodology/approach

The authors used a literature review to analyze 1,588 papers from 23 journals and 5 conferences.

Findings

The authors identified 164 different theories used in 684 publications. The distribution of research methods showed that the subjective-argumentative category accounted for 81 per cent, whereas other methods received very little attention. This research offers implications for future research directions on information security. The authors also identified existing knowledge gaps and how the existing themes are studied in academia.

Research limitations/implications

The literature review did not include some dedicated security journals (i.e. Cryptography).

Practical implications

The study reveals future directions and trends that academia should consider.

Originality/value

Information security is a top concern for organizations, and this research analyzed how academia has dealt with the topic since 1977. The authors also suggest future research directions, including new research streams.

Details

Information Management & Computer Security, vol. 22 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 13 June 2016

Malcolm Pattinson, Kathryn Parsons, Marcus Butavicius, Agata McCormac and Dragana Calic

Abstract

Purpose

The purpose of this paper is to report on the use of two studies that assessed the attitudes of typical computer users. The aim of the research was to compare a self-reporting online survey with a set of one-on-one repertory grid technique interviews. More specifically, this research focussed on participant attitudes toward naive and accidental information security behaviours.

Design/methodology/approach

In the first study, 23 university students responded to an online survey within a university laboratory setting that captured their attitudes toward behaviours in each of seven focus areas. In the second study, the same students participated in a one-on-one repertory grid technique interview that elicited their attitudes toward the same seven behaviours. Results were analysed using Spearman correlations.

Findings

There were significant correlations for three of the seven behaviours, although attitudes relating to password management, use of social networking sites, information handling and reporting of security incidents were not significantly correlated.

Research limitations/implications

The small sample size (n = 23) and the fact that participants were not necessarily representative of typical employees may have affected the results.

Practical implications

This study contributes to the challenge of developing a reliable instrument that will assess individual InfoSec awareness. Senior management will be better placed to design intervention strategies, such as training and education of employees, if individual attitudes are known. This, in turn, will reduce risk-inclined behaviour and lead to a more secure organisation.

Originality/value

The literature review indicates that this study addresses a genuine gap in the research.

Details

Information & Computer Security, vol. 24 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 5 August 2019

Shoufeng Ma, Shixin Zhang, Geng Li and Yi Wu


Abstract

Purpose

Based on the literature on information security (InfoSec) education and uses and gratifications theory, the purpose of this paper is to propose and test a research model to examine the impact of InfoSec education on social media usage.

Design/methodology/approach

The authors employed structural equation modeling to test the research model, with a survey data set of 293 valid subjects drawn from a WeChat subscription account about InfoSec education named "secrecy view".

Findings

The results reveal significant impacts of perceived content quality, perceived social influence and perceived entertainment on user satisfaction in the context of security education and social media. User satisfaction is significantly associated with user stickiness and security knowledge improvement. Additionally, the authors found that users’ security awareness moderated the effect of perceived entertainment on user satisfaction.

Research limitations/implications

Using a single sample might constrain the contributions of this study.

Practical implications

The authors suggest practical guidelines for InfoSec education on social media by enhancing perceived content quality. Moreover, due to diverse user attributes, the social media operators should recommend targeted content to different users.

Originality/value

This study contributes to studies on InfoSec education of social media usage and identifies factors that affect user satisfaction with social media. Furthermore, the study enriches the security education practices by uncovering differences in security awareness with regard to user satisfaction.

Details

Aslib Journal of Information Management, vol. 71 no. 5
Type: Research Article
ISSN: 2050-3806
