Search results

1 – 10 of 238
Open Access
Article
Publication date: 1 August 2023

Areej Alyami, David Sammon, Karen Neville and Carolanne Mahony

Abstract

Purpose

Cyber security has never been more important than it is today in an ever more connected and pervasive digital world. However, frequently reported shortages of suitably skilled and trained information system (IS)/cyber security professionals elevate the importance of delivering effective Security Education, Training and Awareness (SETA) programmes within organisations. Therefore, the purpose of this study is the questionable effectiveness of SETA programmes at changing employee behaviour and an absence of empirical studies on the critical success factors (CSFs) for SETA programme effectiveness.

Design/methodology/approach

This exploratory study follows a three-stage research design to give voice to practitioners with SETA programme expertise. Data is gathered in Stage 1 using semi-structured interviews with 20 key informants (the emergence of the CSFs), in Stage 2 from 65 respondents to a short online survey (the ranking of the CSFs) and in Stage 3 using semi-structured interviews with nine IS/cyber security practitioners (the emergence of the guiding principles). Using a multi-stage research design allows the authors to propose and evaluate the 11 CSFs for SETA programme effectiveness.

Findings

This study conducted a mean score analysis to evaluate the level of importance of each CSF within two independent groups of IS/cyber security professionals. This multi-stage analysis produces a ranked list of 11 CSFs for SETA programme effectiveness, while the difference in the rankings leads to the emergence of five CSF-specific guiding principles (to increase the likelihood of delivering an effective SETA programme within an organisational context). This analysis also reveals that most of the contradictions/differences in CSF rankings between IS/cyber security practitioners are linked to the design phase of the SETA programme life cycle. While two CSFs, “maintain quarterly evaluation of employee performance” (CSF-DS6) and “build security awareness campaigns” (CSF-EV1), represent the most significant contradiction in this study.

Originality/value

The 11 CSFs for SETA programme effectiveness, along with the five CSF-specific guiding principles, provide a greater depth of knowledge contributing to both theory and practice and lay the foundation for future studies. Therefore, the outputs of this study provide valuable insights on the areas that practice needs to get right to deliver effective SETA programmes.

Details

Information & Computer Security, vol. 32 no. 1
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 2 January 2024

Eylem Thron, Shamal Faily, Huseyin Dogan and Martin Freer

Abstract

Purpose

Railways are a well-known example of complex critical infrastructure, incorporating socio-technical systems with humans such as drivers, signallers, maintainers and passengers at the core. The technological evolution, including interconnectedness and new ways of interaction, leads to new security and safety risks that can be realised, both in terms of human error, and malicious and non-malicious behaviour. This study aims to identify the human factors (HF) and cyber-security risks relating to the role of signallers on the railways and explores strategies for the improvement of “Digital Resilience” – for the concept of a resilient railway.

Design/methodology/approach

Overall, 26 interviews were conducted with 21 participants from industry and academia.

Findings

The results showed that due to increased automation, both cyber-related threats and human error can impact signallers’ day-to-day operations – directly or indirectly (e.g. workload and safety-critical communications) – which could disrupt the railway services and potentially lead to safety-related catastrophic consequences. This study identifies cyber-related problems, including external threats; engineers not considering the human element in designs when specifying security controls; lack of security awareness among the rail industry; training gaps; organisational issues; and many unknown “unknowns”.

Originality/value

The authors discuss socio-technical principles through a hexagonal socio-technical framework and training needs analysis to mitigate against cyber-security issues and identify the predictive training needs of the signallers. This is supported by a systematic approach which considers both safety and security factors, rather than waiting to learn from a cyber-attack retrospectively.

Details

Information & Computer Security, vol. 32 no. 2
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 20 July 2023

Martina Neri, Federico Niccolini and Luigi Martino

Abstract

Purpose

Cyberattacks are becoming increasingly widespread, and cybersecurity is therefore increasingly important. Although the technological aspects of cybersecurity are its best-known characteristics, the cybersecurity phenomenon goes beyond the detection of technological impacts, and encompasses all the dimensions of an organization. This study thus focusses on an additional set of organizational elements. The key elements of cybersecurity organizational readiness depicted here are cybersecurity awareness, cybersecurity culture and cybersecurity organizational resilience (OR). This study aims to qualitatively assess small and medium enterprises’ (SMEs) overall level of organizational cybersecurity readiness.

Design/methodology/approach

This study focused on conducting a cybersecurity organizational readiness assessment using a sample of 53 Italian SMEs from the information and communication technology sector. Informed mixed method research, this study was conducted consistent with the principles of the explanatory sequential mixed method design, and adopting a quanti-qualitative methodology. The quantitative data were collected through a questionnaire. Qualitative data were subsequently collected through semi-structured interviews.

Findings

Although many elements of the technical aspects of cybersecurity OR have yielded very encouraging results, there are still some areas that require improvement. These include those facets that constitute the foundation of cybersecurity awareness, and, thus, a cybersecurity culture. This result highlights that the areas in need of improvement are exactly those that are most important in fighting against cyber threats via organizational cybersecurity readiness.

Originality/value

Although the importance of SMEs is obvious, evidence of such organizations’ attitudes to cybersecurity is still limited. This research is an attempt to depict the organizational issue related to cybersecurity, i.e. overall cybersecurity organizational readiness.

Open Access
Article
Publication date: 5 October 2023

Peter Dornheim and Ruediger Zarnekow

Abstract

Purpose

The human factor is the most important defense asset against cyberattacks. To ensure that the human factor stays strong, a cybersecurity culture must be established and cultivated in a company to guide the attitudes and behaviors of employees. Many cybersecurity culture frameworks exist; however, their practical application is difficult. This paper aims to demonstrate how an established framework can be applied to determine and improve the cybersecurity culture of a company.

Design/methodology/approach

Two surveys were conducted within eight months in the internal IT department of a global software company to analyze the cybersecurity culture and the applied improvement measures. Both surveys comprised the same 23 questions to measure cybersecurity culture according to six dimensions: cybersecurity accountability, cybersecurity commitment, cybersecurity necessity and importance, cybersecurity policy effectiveness, information usage perception and management buy-in.

Findings

Results demonstrate that cybersecurity culture maturity can be determined and improved if accurate measures are derived from the results of the survey. The first survey showed potential for improving the dimensions of cybersecurity accountability, cybersecurity commitment and cybersecurity policy effectiveness, while the second survey proved that these dimensions have been improved.

Originality/value

This paper proves that practical application of cybersecurity culture frameworks is possible if they are appropriately tailored to a given organization. In this regard, scientific research and practical application combine to offer real value to researchers and cybersecurity executives.

Details

Information & Computer Security, vol. 32 no. 2
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 16 April 2024

Natile Nonhlanhla Cele and Sheila Kwenda

Abstract

Purpose

The purpose of the study is to identify cybersecurity threats that hinder the adoption of digital banking and provide sustainable strategies to combat cybersecurity risks in the banking industry.

Design/methodology/approach

Systematic literature review guidelines were used to conduct a quantitative synthesis of empirical evidence regarding the impact of cybersecurity threats and risks on the adoption of digital banking.

Findings

A total of 84 studies were initially examined, and after applying the selection and eligibility criteria for this systematic review, 58 studies were included. These selected articles consistently identified identity theft, malware attacks, phishing and vishing as significant cybersecurity threats that hinder the adoption of digital banking.

Originality/value

With the country’s banking sector being new in this area, this study contributes to the scant literature on cyber security, which is mostly in need due to the myriad breaches that the industry has already suffered thus far.

Details

Journal of Financial Crime, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 1359-0790

Open Access
Article
Publication date: 15 January 2024

Christine Prince, Nessrine Omrani and Francesco Schiavone

Abstract

Purpose

Research on online user privacy shows that empirical evidence on how privacy literacy relates to users' information privacy empowerment is missing. To fill this gap, this paper investigated the respective influence of two primary dimensions of online privacy literacy – namely declarative and procedural knowledge – on online users' information privacy empowerment.

Design/methodology/approach

An empirical analysis is conducted using a dataset collected in Europe. This survey was conducted in 2019 among 27,524 representative respondents of the European population.

Findings

The main results show that users' procedural knowledge is positively linked to users' privacy empowerment. The relationship between users' declarative knowledge and users' privacy empowerment is partially supported. While greater awareness about firms' and organizations' practices in terms of data collections and further uses conditions was found to be significantly associated with increased users' privacy empowerment, unpredictably, results revealed that the awareness about the GDPR and users' privacy empowerment are negatively associated. The empirical findings reveal also that greater online privacy literacy is associated with heightened users' information privacy empowerment.

Originality/value

While few advanced studies made systematic efforts to measure changes that occurred on websites since the GDPR enforcement, it remains unclear, however, how individuals perceive, understand and apply the GDPR rights/guarantees and their likelihood to strengthen users' information privacy control. Therefore, this paper contributes empirically to understanding how online users' privacy literacy shaped by both users' declarative and procedural knowledge is likely to affect users' information privacy empowerment. The study empirically investigates the effectiveness of the GDPR in raising users' information privacy empowerment from a user-based perspective. Results stress the importance of greater transparency of data tracking and processing decisions made by online businesses and services to strengthen users' control over information privacy. Study findings also put emphasis on the crucial need for more educational efforts to raise users' awareness about the GDPR rights/guarantees related to data protection. Empirical findings also show that users who are more likely to adopt self-protective approaches to reinforce personal data privacy are more likely to perceive greater control over personal data. A broad implication of this finding for practitioners and E-businesses stresses the need for empowering users with adequate privacy protection tools to ensure more confidential transactions.

Details

Information Technology & People, vol. 37 no. 8
Type: Research Article
ISSN: 0959-3845

Open Access
Article
Publication date: 18 March 2024

Noura Aleisa

Abstract

Purpose

This study aimed to identify and analyse the key factors influencing the adoption of e-government services and to discern their implications for various stakeholders, from policymakers to platform developers.

Design/methodology/approach

Through a comprehensive review of existing literature and detailed analysis of multiple studies, this research organised the influential factors based on their effect: highest, direct and indirect. The study also integrated findings to present a consolidated view of e-government adoption drivers.

Findings

The research found that users' behaviour, attitude, optimism bias and subjective norms significantly shape their approach to e-government platforms. Trust in e-Government (TEG) emerged as a critical determinant, with security perceptions being of paramount importance. Additionally, non-technical factors, such as cultural, religious and social influences, play a substantial role in e-government adoption decisions. The study also highlighted the importance of performance expectancy, effect expectancy and other determinants influencing e-government adoption.

Originality/value

While numerous studies have explored e-government adoption, this research offers a novel classification based on the relative effects of each determinant. Integrating findings from diverse studies and emphasising non-technical factors introduce an interdisciplinary approach, bridging the gap between information technology and fields like sociology, anthropology and behavioural sciences. This integrative lens provides a fresh perspective on the topic, encouraging more holistic strategies for enhancing e-government adoption globally.

Details

Journal of Innovative Digital Transformation, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2976-9051

Open Access
Article
Publication date: 4 April 2023

Ana Isabel Polo-Peña, Hazel Andrews and Javier Torrico-Jódar

Abstract

Purpose

This paper examines whether following a health crisis the use of health and safety protocols and hotel brand awareness influences hotel perceived value and intention to visit.

Design/methodology/approach

Using an experimental design, the study evaluates the effectiveness of the use of health and safety protocols and the moderating effect of brand awareness on perceived value and intention to visit.

Findings

The results show that the hotels using health and safety protocols (compared to those that do not use them) will achieve a higher perceived value and intention to visit. In addition, the awareness of brand does not moderate the effect of the health and safety protocols on perceived value and intention to visit.

Practical implications

This research identifies mechanisms for future consideration by hotel companies to promote the recovery of their activity after a health crisis. Specifically, using health and safety protocols will result in the market evaluating the brand more highly and produce a greater intention to visit. At the same time, the research indicates that regardless of whether the brand is well-known or not, the use of a health and safety protocol is advantageous.

Originality/value

This study offers new insights that can be useful for developing a resilient hotel sector in the face of future health crises. Specifically, the results show progress in understanding the effects that the use of health and safety protocols and brand awareness have on key consumer variables for the recovery of the sector in a post-pandemic context.

Details

Journal of Hospitality and Tourism Insights, vol. 7 no. 1
Type: Research Article
ISSN: 2514-9792

Open Access
Article
Publication date: 1 April 2024

Basmah Almekhled and Helen Petrie

Abstract

Purpose

This study investigated the attitudes and concerns of Saudi higher educational institution (HEI) academics about privacy and security in online teaching during the COVID-19 pandemic.

Design/methodology/approach

An online questionnaire was designed to explore Saudi HEI academics’ attitudes and concerns about privacy and security issues in online teaching. The questionnaire asked about attitudes and concerns held before the pandemic and since the pandemic. The questionnaire included four sections. At the beginning of the questionnaire, participants were asked what the phrase “online privacy and security” meant to them, to gain an initial understanding of what it meant to academics. A definition for what we intended for the survey was then provided: “that a person’s data, including their identity, is not accessible to anyone other than themselves and others whom they have authorised and that their computing devices work properly and are free from unauthorised interference” (based on my reading of a range of sources, e.g. Schatz et al., 2017; Steinberg, 2019; NCS; Windley, 2005). This was to ensure that participants did understand what I was asking about in subsequent sections.

Findings

This study investigated the attitudes and concerns of Saudi HEI academics about privacy and security in online teaching during the COVID-19 pandemic. The findings provide several key insights:

Key aspects of online privacy and security for Saudi HEI academics: Saudi HEI academics’ notion of online privacy and security is about the protection of personal data, preventing unauthorized access to data and ensuring the confidentiality and integrity of data. This underscores the significance of robust measures to safeguard sensitive information in online teaching, but also the need to make academics aware of the other aspects of online privacy and security.

Potential to improve policies and training about online privacy and security in Saudi HEIs: Although many participants were aware of the online privacy and security policies of their HEI, only a small percentage had received training in this area. Thus, there is a need to improve the development and dissemination of policies and to provide academics with appropriate training in this area and encourage them to take available training.

Use of videoconferencing and chat technologies and cultural sensitivities: The study highlighted moderate levels of concern among Saudi HEI academics regarding the use of videoconferencing and online chat technologies, and their concerns about cultural factors around the use of these technologies. This emphasizes the need for online teaching and the growing use of technologies in such teaching to respect cultural norms and preferences, highlighting the importance of fostering a culturally sensitive approach to technology deployment and use.

Surprisingly low webcam use: An unexpected finding is the low use of webcams by both academics and students during online teaching sessions, prompting a need for a deeper understanding of the dynamics surrounding webcam engagement in such sessions. This calls for a reevaluation of the effectiveness of webcam use in the teaching process and underscores the importance of exploring methods for enhancing engagement and interaction in online teaching.

In summary, this paper investigated the attitudes and concerns about privacy and security in the online teaching of Saudi HEI academics during the coronavirus pandemic. The study reveals areas where further research and policy development can enhance the online teaching experience. As the education landscape continues to evolve, institutions must remain proactive in addressing the concerns of their academics while fostering a culturally sensitive approach to technology deployment.

Research limitations/implications

One limitation of this study is the relatively small qualitative data sample, despite the adequate size of the sample including 36 academics from various Saudi Arabian HEIs for quantitative analysis. It was necessary to make the most of the open-ended questions optional – participants did not have to answer about concerns if they did not want to, as we did not want to make the questionnaire too long and onerous to complete. Consequently, the number of academics responding to the open-ended questions was limited, emphasizing the need for additional data and alternative research methods to further these issues. The study was focused on investigating the concerns of HEI Saudi academics, recognizing that the attitudes and concerns of academics in other countries may differ. Furthermore, the research also includes an exploration of the changes in academic attitudes and concerns before and since the COVID-19 pandemic, which will be the subject of further data analysis.

Originality/value

This research delves into Saudi HEI academics' perceptions and concerns regarding privacy and security in online education during the COVID-19 pandemic. Notably, it highlights the moderate priority placed on online privacy and security, the unexpectedly low usage of webcams and the potential for enhancing policies and training. The study emphasizes the necessity for comprehensive measures to protect sensitive data and the importance of tailored policies for educators. It also underscores the need for a more nuanced understanding of webcam usage dynamics, offering valuable insights for institutions aiming to improve online education and address educators' concerns amidst evolving educational landscapes.

Open Access
Article
Publication date: 9 October 2023

Aya Khaled Youssef Sayed Mohamed, Dagmar Auer, Daniel Hofer and Josef Küng

Abstract

Purpose

Data protection requirements heavily increased due to the rising awareness of data security, legal requirements and technological developments. Today, NoSQL databases are increasingly used in security-critical domains. Current survey works on databases and data security only consider authorization and access control in a very general way and do not regard most of today’s sophisticated requirements. Accordingly, the purpose of this paper is to discuss authorization and access control for relational and NoSQL database models in detail with respect to requirements and current state of the art.

Design/methodology/approach

This paper follows a systematic literature review approach to study authorization and access control for different database models. Starting with a research on survey works on authorization and access control in databases, the study continues with the identification and definition of advanced authorization and access control requirements, which are generally applicable to any database model. This paper then discusses and compares current database models based on these requirements.

Findings

As no survey works consider requirements for authorization and access control in different database models so far, the authors define their requirements. Furthermore, the authors discuss the current state of the art for the relational, key-value, column-oriented, document-based and graph database models in comparison to the defined requirements.

Originality/value

This paper focuses on authorization and access control for various database models, not concrete products. This paper identifies today’s sophisticated – yet general – requirements from the literature and compares them with research results and access control features of current products for the relational and NoSQL database models.

Details

International Journal of Web Information Systems, vol. 20 no. 1
Type: Research Article
ISSN: 1744-0084
