Hennie Kruger, Lynette Drevin and Tjaart Steyn
Abstract
Purpose
The dependence on human involvement and human behavior to protect information assets necessitates an information security awareness program to make people aware of their roles and responsibilities towards information security. The purpose of this paper is to examine the feasibility of an information security vocabulary test as an aid to assess awareness levels and to assist with the identification of suitable areas or topics to be included in an information security awareness program.
Design/methodology/approach
A questionnaire has been designed to test and illustrate the feasibility of a vocabulary test. The questionnaire consists of two sections – a first section to perform a vocabulary test and a second one to evaluate respondents' behavior. Two different class groups of students at a university were used as a sample.
Findings
The research findings confirmed that the use of a vocabulary test to assess security awareness levels will be beneficial. A significant relationship between knowledge of concepts (vocabulary) and behavior was observed.
Originality/value
The paper introduces a new approach to evaluate people's information security awareness levels by employing an information security vocabulary test. This new approach can assist management to plan and evaluate interventions and to facilitate best practice in information security. Aspects of cognitive psychology and language were taken into account in this research project, indicating the interaction and influence between apparently different disciplines.
Abstract
Introduces a series of contributions on computer security. Begins by pointing out that information is an organizational asset which needs to be protected. Policies are the primary building blocks for every information security effort. In order to be successful with information security, every organization must have a set of policies which establishes both direction and management support. Discusses the role and function of the information security management specialist within the organization. Finally outlines possible exceptions to information security policies.
Kwo‐Shing Hong, Yen‐Ping Chi, Louis R. Chao and Jih‐Hsing Tang
Abstract
With the popularity of electronic commerce, many organizations are facing unprecedented security challenges. Security techniques and management tools have attracted a great deal of attention from both academia and practitioners. However, a theoretical framework for information security management is lacking. This paper attempts to integrate security policy theory, risk management theory, control and auditing theory, management system theory and contingency theory in order to build a comprehensive theory of information security management (ISM). This paper suggests that an integrated system theory is useful for understanding information security management, explaining information security management strategies, and predicting management outcomes. This theory may lay a solid theoretical foundation for further empirical research and application.
Abstract
Purpose
In today's digital economy, information secrecy is one of the essential concerns for businesses. Because of uncertainty and multiple interpretations, most of the reviewed literature regarding business decision‐making revealed that decisions tend to be more fluid, inaccurate, and informal. Recently, the number of organizations that have disclosed their information has risen. The aim of this research is to theorize and empirically measure the effects of information disclosure on the accuracy of business decision‐making.
Design/methodology/approach
This study presents a proposed conceptual framework, which assists businesses in evaluating the extent to which information secrecy has a substantial effect on decision‐making accuracy. The primary research purpose is explanatory and the conceptual framework was empirically tested to measure the effects of the proposed five independent variables: information security rules and regulations, secured internal and external business communication, security consciousness management support, business security culture, and superior deterrent efforts on efficient information security, the consequences of which on accurate decision‐making processes are considered a dependent variable.
Findings
The results of this study, which are based on the use of the proposed conceptual framework, indicate that information security has a substantial effect on generating accurate, effective and efficient business decisions. Information security could undermine decision accuracy when information collected has little effect on the purpose and time of decisions.
Originality/value
The findings of this study present some insights into the strategic choices of any organization: to improve the efficiency of the decisions taken, it must improve the level and efficiency of information secrecy.
Clive Vermeulen and Rossouw Von Solms
Abstract
Because of changes that have taken place in the way that IT is used in organisations, as well as the purposes for which it is used, traditional forms of computer security are no longer adequate. Today, information is more important than the IT systems which house it and effective information security management is required to adequately protect this information. The implementation of information security management is, however, a complex process and a methodology for its implementation provided in the form of an interactive software tool, featuring automation of certain steps, would prove valuable to modern organisations.
Mariana Gerber, Rossouw von Solms and Paul Overbeek
Abstract
Risk analysis, concentrating on assets, threats and vulnerabilities, used to play a major role in helping to identify the most effective set of security controls to protect information technology resources. To successfully protect information, the security controls must not only protect the infrastructure, but also instill and enforce certain security properties in the information resources. To accomplish this, a more modern top‐down approach is called for today, where security requirements driven by business needs dictate the level of protection required.
Lynn Futcher, Cheryl Schroder and Rossouw von Solms
Abstract
Purpose
The purpose of this paper is to argue that information security should be regarded as a critical cross‐field outcome (CCFO). This could assist in narrowing the evident “information security gap” that currently exists in undergraduate information technology/information systems/computer science (IT/IS/CS) curricula at South African universities.
Design/methodology/approach
This paper briefly reviews existing literature relating to outcomes‐based education in South Africa with a specific focus on CCFOs. A literature review was also carried out to determine existing approaches to education in information security. A survey was carried out to establish the extent to which information security is currently incorporated into the IT/IS/CS curricula at South African universities and a discussion group was used to provide insight into the current situation at undergraduate level.
Findings
Education in information security has matured much more rapidly in postgraduate than in undergraduate programmes at South African universities. In addition, the extent to which information security is addressed at undergraduate level is on an ad hoc basis, with isolated attention being paid to a few information security aspects. An integrated approach to information security education is therefore proposed by considering information security as a CCFO.
Research limitations/implications
Further research is required to determine how appropriate information security aspects can be seamlessly integrated into the various learning programmes at undergraduate level.
Practical implications
The proposed integrated approach to information security education will require that IT/IS/CS educators develop strategies to incorporate relevant information security aspects into their learning programmes.
Originality/value
This paper proposes an integrated approach to information security education by considering information security as a CCFO.
Abstract
Purpose
The protection of organisational information assets is a human problem. It is widely acknowledged that an organisation's employees are the weakest link in the protection of the organisation's information assets. Most current approaches towards addressing this human problem focus on awareness and educational activities and do not necessarily view the problem from a holistic viewpoint. Combating employee apathy and motivating employees to see information security as their problem is often not adequately addressed by “isolated” awareness activities. The purpose of this paper is to show how employee apathy towards information security can be addressed through the use of existing theory from the social sciences.
Design/methodology/approach
By means of a literature study, three key organizational environments that could exist are identified and explored. Goal‐setting theory is then investigated. Finally, arguments are presented to show how goal‐setting theory could be used to actively foster an organizational environment in which employees will view their roles and responsibilities towards information security as prosocial behaviour.
Findings
The work in the paper is primarily of a conceptual nature. However, the authors believe that encouraging such prosocial behaviour could contribute towards an organizational culture of information security.
Originality/value
The paper examines the motivation of employees to actively contribute towards information security from an organisational science perspective.
Marcus Nohlberg and Johannes Bäckström
Abstract
Purpose
This paper aims to use user‐centred security development of a prototype graphical interface for a management information system dealing with information security with upper‐level management as the intended users.
Design/methodology/approach
The intended users were studied in order to understand their needs. An iterative design process was used where the designs were first made on paper, then as a prototype interface and later as a final interface design. All was tested by subjects within the target user group.
Findings
The interface was perceived as successful by the test subjects and the sponsoring organization, Siguru. The major conclusion of the study is that managers use knowledge of information security mainly for financial and strategic matters, which focus more on risk issues than on security issues. To meet the needs of managers, the study presents three heuristics for the design of management information security system interfaces.
Research limitations/implications
This interface was tested on a limited set of users and further tests could be done, especially of users with other cultural/professional backgrounds.
Practical implications
This paper presents a useful set of heuristics that can be used in development of management information systems as well as other practical tips for similar projects.
Originality/value
This paper gives an example of a successful user‐centred security development process. The lessons learned could be beneficial in software development in general and security products in particular.
Kwo‐Shing Hong, Yen‐Ping Chi, Louis R. Chao and Jih‐Hsing Tang
Abstract
Purpose
With the popularity of e‐commerce, information security is vital to most organizations. For managers, building and implementing an information security policy (ISP) has long been assumed to be an effective managerial measure to elevate an organization's security level. This paper attempts to investigate the dominant factors that lead an organization to build an ISP, and whether an ISP may elevate an organization's security level.
Design/methodology/approach
A survey was designed and the data were collected from 165 chief information officers in Taiwan.
Findings
The empirical results show that some organizational characteristics (business type and MIS/IS department size) might be good predictors for the ISP adoption and that the functions, contents, implementation and procedures of an ISP may significantly contribute to managers' perceived elevation of information security.
Practical implications
Building or adopting an ISP is shown empirically to be an effective managerial measure for elevating an organization's security level in Taiwan, and the building of an ISP should focus on the comprehensiveness of its contents, procedures and implementation items, rather than on the documents only.
Originality/value
Few empirical studies have been conducted so far to examine the effectiveness of an ISP, thus the value of this paper is high.