Search results

The purpose of this research is to study how compliance evaluation becomes performed in practice. Compliance evaluation is a common practice among organizations that need to evaluate their posture against a set of criteria (e.g. a standard, legislative framework and “best practices”). The results of these evaluations have significant importance for organizations, especially in the context of information security and continuity. The author argues that how these evaluations become performed is not merely a “social” activity but shaped by the materiality of the evaluation criteria

The authors adopt a sociomaterial practice-based view to study the compliance evaluation through in situ participant observations from compliance evaluation workshops to evaluate organizational compliance against a information security and business continuity criteria. The empirical material was analyzed to construct vignettes that serve to illustrate the practice of compliance evaluation.

The research analysis shows how the information security and business continuity criteria themselves partake in the compliance evaluations by operating through (ventriloqually) the evaluators on three strata: the material, the textual and the structural. The author also provides a conceptualization of a hybrid agency.

This research contributes to lack of studies on the organizational-level compliance. Further, the research is an original contribution to information security and business continuity management by focusing on the practices of compliance evaluation. Further, the research has theoretical novelty by adopting the ventriloqual agency as a hybrid agency to study the sociomateriality of a phenomenon.

The human factor is the most important defense asset against cyberattacks. To ensure that the human factor stays strong, a cybersecurity culture must be established and cultivated in a company to guide the attitudes and behaviors of employees. Many cybersecurity culture frameworks exist; however, their practical application is difficult. This paper aims to demonstrate how an established framework can be applied to determine and improve the cybersecurity culture of a company.

Two surveys were conducted within eight months in the internal IT department of a global software company to analyze the cybersecurity culture and the applied improvement measures. Both surveys comprised the same 23 questions to measure cybersecurity culture according to six dimensions: cybersecurity accountability, cybersecurity commitment, cybersecurity necessity and importance, cybersecurity policy effectiveness, information usage perception and management buy-in.

Results demonstrate that cybersecurity culture maturity can be determined and improved if accurate measures are derived from the results of the survey. The first survey showed potential for improving the dimensions of cybersecurity accountability, cybersecurity commitment and cybersecurity policy effectiveness, while the second survey proved that these dimensions have been improved.

This paper proves that practical application of cybersecurity culture frameworks is possible if they are appropriately tailored to a given organization. In this regard, scientific research and practical application combine to offer real value to researchers and cybersecurity executives.

This paper aims to investigate the relationship of female participation in labor force with the cybersecurity maturity of nations and the enabling role of e-government development in moderating the same.

The authors have conducted fixed-effects regression using archival data for 149 countries taken from secondary sources. Furthermore, the authors have grouped the sample countries into four levels of cybersecurity maturity (unprepared, reactive, anticipatory and innovative) using clustering techniques, and studied the influence of their interest variables for individual groups.

Results show that female participation in labor force positively influences national cybersecurity maturity, and e-government development positively moderates the said relationship, thereby enabling the empowerment of women.

Encouraging broader participation of women in the labor force and prioritizing investments in e-government development are essential steps that organizations and governments may take to enhance a country’s cybersecurity maturity level.

This study empirically demonstrates the impact of the nuanced interplay between female participation in labor force and the e-government development of a nation on its cybersecurity maturity.

Cyber risk has significantly increased over the past twenty years. In many organizations, data and operations are managed through a complex technology stack underpinned by an Enterprise Resource Planning (ERP) system such as systemanalyse programmentwicklung (SAP). The ERP environment by itself can be overwhelming for a typical ERP Manager, coupled with increasing cybersecurity issues that arise creating periods of intense time pressure, stress and workload, increasing risk to the organization. This paper aims to identify a pragmatic approach to prioritize vulnerabilities for the ERP Manager.

Applying attention-based theory, a pragmatic approach is developed to prioritize an organization’s response to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) vulnerabilities using a Classification and Regression Tree (CART).

The application of classification and regression tree (CART) to the National Institute of Standards and Technology’s National Vulnerability Database identifies prioritization unavailable within the NIST’s categorization.

The ERP Manager is a role between technology, functionality, centralized control and organization data. Without CART, vulnerabilities are left to a reactive approach, subject to overwhelming situations due to intense time pressure, stress and workload.

To the best of the authors’ knowledge, this work is original and has not been published elsewhere, nor is it currently under consideration for publication elsewhere. CART has previously not been applied to the prioritizing cybersecurity vulnerabilities.

The reform and opening-up of capital market is valued for promoting sustainable development, while its impact presented as the form of deregulation of short-selling on the green innovation of enterprises in developing countries remains unclear. The purpose of this study is to outline the significance of gradual reform of financial markets in developing countries for low-carbon transformation and provide implications for achieving carbon peaking and carbon neutrality goals.

Based on the green subdivided patent data and financial data of China’s A-share listed companies, this paper takes the implementation of securities margin trading program as a quasi-natural experiment and applies the difference-in-differences (DID) model to examine the impact of deregulation of short-selling constraints on the enterprises’ green transformation.

The findings reveal that the initiating securities margin trading program significantly enhances the green innovation performance of enterprises. These findings are valid after performing a series of robustness tests such as the parallel trend test, the placebo test and the methods to exclude other policy interference. Mechanism analyses demonstrate a two-faceted effect of the securities margin trading program on the green innovation of enterprises, in which short-selling policy increases the pressure on capital market deregulation and meanwhile induces the environmental protection investment. The heterogeneity results demonstrate that the impulsive effect imposed by securities margin trading program is more significant in experimental group samples with characteristics of lower financing constraints, belonging to heavy polluting industries and possessing better environmental supervision capability.

First, previous studies have focused on the impact of financial policies implemented by banking institutions on the green innovation of enterprises, but few literatures have explored the validity of relaxing short-selling restrictions or opening the capital market in the field of enterprise’s green transformation in developing country. From the view of securities market reform, this paper broadens the incentive and supervision effects of the relaxation of short-selling control on enterprise’s green innovation performance after the implementation of securities financing and securities lending policy in China’s capital market. Second, previous studies have explored the impact of command-and-control environmental regulations, as well as market-incentivized environmental regulations such as green finance, low-carbon pilots and environmental tax reform, on the green transition of enterprises. Recently the role of the securities market in the green development of enterprises has received more attention in academia. The pilot of margin financing and securities lending is essentially a market-incentivized regulatory tool, but there is few in-depth research on how it affects the green innovation of enterprises. This paper enriches the research on whether the market incentive financial regulation policy can contribute to the green transformation of enterprises under the Porter hypothesis. Third, some previous studies used the ordinary panel regression model to explore the impact of financial policy on enterprise’s innovation performance. However, due to the potential endogenous problems of the estimated model, it might get biased conclusions. Therefore, based on the method of quasi-natural experiment, this paper selects the margin trading pilot policy as an exogenous shock to solve the endogenous or reverse causality problem in traditional measurement model and applies the DID model to study the relationship between core indicator variables.

This study explores the critical success factors (CSFs) for Security Education, Training and Awareness (SETA) program effectiveness. The questionable effectiveness of SETA programs at changing employee behavior and an absence of empirical studies on the CSFs for SETA program effectiveness is the key motivation for this study.

This exploratory study follows a systematic inductive approach to concept development. The methodology adopts the “key informant” approach to give voice to practitioners with SETA program expertise. Data are gathered using semi-structured interviews with 20 key informants from various geographic locations including the Gulf nations, Middle East, USA, UK and Ireland.

In this study, the analysis of these key informant interviews, following an inductive open, axial and selective coding approach, produces 11 CSFs for SETA program effectiveness. These CSFs are mapped along the phases of a SETA program lifecycle (design, development, implementation and evaluation) and nine relationships identified between the CSFs (within and across the lifecycle phases) are highlighted. The CSFs and CSFs' relationships are visualized in a Lifecycle Model of CSFs for SETA program effectiveness.

This research advances the first comprehensive conceptualization of the CSFs for SETA program effectiveness. The Lifecycle Model of CSFs for SETA program effectiveness provides valuable insights into the process of introducing and sustaining an effective SETA program in practice. The Lifecycle Model contributes to both theory and practice and lays the foundation for future studies.

In recent years, the frequency and severity of cybersecurity incidents have prompted customers to seek out specialized insurance products. However, this has also presented insurers with operational challenges and increased costs. The assessment of risks for health systems and cyber–physical systems (CPS) necessitates a heightened degree of attention. The significant values of potential damages and claims request a solid insurance system, part of cyber-resilience. This research paper focuses on the emerging cyber insurance market that is currently in the process of standardizing and improving its risk analysis concerning the potential insured entity.

The authors' approach involves a quantitative analysis utilizing a Likert-style questionnaire designed to survey cyber insurance professionals. The authors' aim is to identify the current methods used in gathering information from potential clients, as well as the manner in which this information is analyzed by the insurers. Additionally, the authors gather insights on potential improvements that could be made to this process.

The study the authors elaborated it has a particularly important cyber and risk components for insurance area, because it addresses a “niche” area not yet proper addressed in specialized literature – cyber insurance. Cyber risk management approaches are not uniform at the international level, nor at the insurer level. Also, not all insurers can perform solid assessments, especially since their companies should first prove that they are fully compliant with international cyber security standards.

This research has concentrated on analyzing the current practices in terms of gathering information about the insured entity before issuing the cyber insurance policy, level of details concerning the cyber security posture of the insured entity and way such information should be analyzed in a standardized and useful manner. The novelty of this research resides in the analysis performed as detailed above and the proposals in terms of information gathered, depth of analysis and standardization of approach made. Future work on the topic can focus on the standardization process for analyzing cyber risk for insurance clients, to improve the proposal based also on historical elements and trends in the market. Thus, future research can further refine the standardization process to analyze in more depth the way this can be implemented and included in relevant legislation at the EU level.

Proposed improvements include proposals in terms of the level of detail and the usefulness of an independent centralized approach for information gathering and analysis, especially given the re-insurance and brokerage activities. The authors also propose a common practical procedural approach in risk management, with the involvement of insurance companies and certification institutions of cyber security auditors.

The study investigates the information gathered by insurers from potential clients of cyber insurance and the way this is analyzed and updated for issuance of the insurance policy.

This paper aims to explore the factors affecting cybersecurity implementation in organizations in various countries and develop a cybersecurity framework to improve cybersecurity practices within organizations for cybersecurity risk management through a systematic literature review (SLR) approach.

This SLR adhered to RepOrting Standards for Systematics Evidence Syntheses (ROSES) publication standards and used various research approaches. The study’s article selection process involved using Scopus, one of the most important scientific databases, to review articles published between 2014 and 2023.

This review identified the four main themes: individual factors, organizational factors, technological factors and governmental role. In addition, nine subthemes that relate to these primary topics were established.

This research sheds light on the multifaceted nature of cybersecurity by exploring factors influencing implementation and developing an improvement framework, offering valuable insights for researchers to advance theoretical developments, assisting industry practitioners in tailoring cybersecurity strategies to their needs and providing policymakers with a basis for creating more effective cybersecurity regulations and standards.

A research line has emerged that is concerned with investigating human factors in information systems and cyber-security in organizations using various behavioural and socio-cognitive theories. This study aims to explore human and contextual factors influencing cyber security behaviour in organizations while drawing implications for cyber-security in higher education institutions.

A systematic literature review has been implemented. The reviewed studies have revealed various human and contextual factors that influence cyber-security behaviour in organizations, notably higher education institutions.

This review study offers practical implications for constructing and keeping a robust cyber-security organizational culture in higher education institutions for the sustainable development goals of cyber-security training and education.

The value of the current review arises in that it presents a comprehensive account of human factors affecting cyber-security in organizations, a topic that is rarely investigated in previous related literature. Furthermore, the current review sheds light on cyber-security in higher education from the weakest link perspective. Simultaneously, the study contributes to relevant literature by gaining insight into human factors and socio-technological controls related to cyber-security in higher education institutions.