Guillermo Horacio Ramirez Caceres and Yoshimi Teshigawara
Abstract
Purpose
The level of security of home information systems can be described as their capacity to resist all the accidental or deliberate malicious activities based on the evaluation assurance levels (EAL) as defined in international standards. The purpose of this paper is to propose a security guideline tool for home users based on the implementation of a protection profile (PP) for home user systems.
Design/methodology/approach
The application was developed in three basic steps. First, a PP for home user systems was created on the basis of the international standard ISO/IEC 15408. Then, the paper created a knowledge base including the PP information, as well as a security policy including other international standards, as mentioned above. Finally, the paper created a web application tool to be used as a security guideline for home users.
Findings
This tool is developed to help users understand the threats that affect their environment and select the appropriate security policy. By using this tool, users can access information about international standards in accordance with their level of knowledge.
Research limitations/implications
The authors created a tool based on EAL4. In the future, tools based on EAL1, EAL2, and EAL3 can be created easily on the basis of the present model.
Originality/value
This PP specifies the security requirements for home user information technology (IT) environments, and makes use of the Department of Defense information assurance guidelines and policies as a basis for establishing the requirements necessary for meeting the security objectives. This PP is constructed for use as a reference for home users to create safe home IT environments. Operating systems evaluated against this PP can operate at EAL4.
Forough Nasirpouri Shadbad and David Biros
Abstract
Since the emergence of the Internet in the twentieth century and the rapid growth of different types of information technologies (IT), our lives, either personal or professional, have become digitised. Adoption and diffusion of IT enhance individual and organisational performance, yet scholars discovered a dual nature of IT in which IT usage may have negative aspects too. First, the inability to cope with IT in a healthy manner creates stress in users, termed technostress. Second, digitisation and adoption of new technologies (e.g. IoT and multi-cloud environments) have increased vulnerabilities to information security (InfoSec) threats. Although organisations utilise counteraction strategies (e.g. security systems, security policies), end-users remain the top source of security incidents. Existing behavioural research has approached technostress and InfoSec independently. However, it is not clear how technology stressors influence employees' security-related behaviours. This chapter reviews the interaction effect of these concepts in detail by proposing a conceptual model that explains that technostress is the main reason for employees' non-compliance with security policies, in which users with high-level perceptions of technostress are more likely to violate InfoSec policies. Counteraction strategies to mitigate technostress and security threats are also discussed.
Hao Chen and Yufei Yuan
Abstract
Purpose
Protection motivation theory (PMT) explains that the intention to cope with information security risks is based on informed threat and coping appraisals. However, people cannot always make appropriate assessments due to possible ignorance and cognitive biases. This study proposes a research model that introduces four antecedent factors from ignorance and bias perspectives into the PMT model and empirically tests this model with data from a survey of electronic waste (e-waste) handling.
Design/methodology/approach
The data collected from 356 Chinese samples are analyzed via structural equation modeling (SEM).
Findings
The results revealed that for threat appraisal, optimistic bias leads to a lower perception of risks. However, factual ignorance (lack of knowledge of risks) does not significantly affect the perceived threat. For coping appraisal, practical ignorance (lack of knowledge of coping with risks) leads to low response efficacy and self-efficacy and high perceptions of coping cost, but the illusion of control leads to overestimation of response efficacy and self-efficacy.
Originality/value
First, this study addresses a new type of information security problem in e-waste handling. Second, this study extends the PMT model by exploring the roles of ignorance and bias as antecedents. Finally, the authors reinvestigate the basic constructs of PMT to identify how rational threat and coping assessments affect user intentions to cope with data security risks.
Talal H. Hayale and Husam A. Abu Khadra
Abstract
The objective of this study is to investigate perceived security threats of Computerized Accounting Information Systems (CAIS) that face Jordanian domestic banks. An empirical survey using a self-administered questionnaire has been carried out to achieve the above-mentioned objective. The study results reveal that accidental entry of "bad" data by employees, accidental destruction of data by employees, intentional entry of "bad" data by employees, and employees' sharing of passwords are the top four security threats that face domestic banks. The paper concludes that most security threats that face domestic banks are internally generated and unintentional.
Hao Chen, Ofir Turel and Yufei Yuan
Abstract
Purpose
Electronic waste (e-waste) such as discarded computers and smartphones may contain large amounts of confidential data. Improper handling of remaining information in e-waste can, therefore, drive information security risk. This risk, however, is not always properly assessed and managed. The authors take the protection motivation theory (PMT) lens of analysis to understand intentions to protect one's discarded electronic assets.
Design/methodology/approach
By applying structural equation modeling, the authors empirically tested the proposed model with survey data from 348 e-waste handling users.
Findings
Results highlight that (1) protection intention is influenced by the perceived threat of discarding untreated e-waste (a threat appraisal) and self-efficacy to treat the discarded e-waste (a coping appraisal) and (2) optimism bias plays a dual-role in a direct and moderating way to reduce the perceived threat of untreated e-waste and its effect on protection intentions.
Originality/value
Results support the assertions and portray a unique theoretical account of the processes that underline people's motivation to protect their data when discarding e-waste. As such, this study explains a relatively understudied information security risk behavior in the e-waste context, points to the role of optimism bias in such decisions and highlights potential interventions that can help to alleviate this information security risk behavior.
Abstract
Purpose
The objective of this paper is to investigate the perceived threats of computerized accounting information systems (CAIS) in Saudi organizations.
Design/methodology/approach
An empirical survey using a self-administered questionnaire has been carried out to achieve this objective. Four hundred questionnaires were randomly distributed to different types of Saudi organizations, covering seven Saudi cities. Two hundred and eight questionnaires were collected. After excluding the incomplete and invalid responses, the study ended with 136 valid and usable questionnaires, representing a 34 percent response rate. This response rate is acceptable for this kind of empirical survey. The collected data were analyzed using the statistical package for social sciences (SPSS) version 12.
Findings
The survey results reveal that almost half of the responding Saudi organizations are suffering financial losses due to internal and external CAIS security breaches. The results also reveal that accidental and intentional entry of bad data; accidental destruction of data by employees; employees' sharing of passwords; introduction of computer viruses to CAIS; suppression and destruction of output; unauthorized document visibility; and directing prints and distributed information to people who are not entitled to receive them are the most significant perceived security threats to CAIS in Saudi organizations.
Originality/value
Accordingly, it is recommended to strengthen the security controls over the weak security areas identified above and to enhance the awareness of CAIS security issues among Saudi organizations, in order to manage the security risks and achieve better protection of their CAIS. The results of the study enable managers and practitioners to champion information technology developments for the success of their businesses.
G.B. Magklaras, S.M. Furnell and P.J. Brooke
Abstract
Purpose
This paper presents the process of constructing a language tailored to describing insider threat incidents, for the purposes of mitigating threats originating from legitimate users in an IT infrastructure.
Design/methodology/approach
Various information security surveys indicate that misuse by legitimate (insider) users has serious implications for the health of IT environments. A brief discussion of survey data and insider threat concepts is followed by an overview of existing research efforts to mitigate this particular problem. None of the existing insider threat mitigation frameworks provide facilities for systematically describing the elements of misuse incidents, and thus all threat mitigation frameworks could benefit from the existence of a domain specific language for describing legitimate user actions.
Findings
The paper presents a language development methodology which centres upon ways to abstract the insider threat domain and approaches to encode the abstracted information into language semantics. The language construction methodology is based upon observed information security survey trends and the study of existing insider threat and intrusion specification frameworks.
Originality/value
This paper summarizes the picture of the insider threat in IT infrastructures and provides a useful reference for insider threat modeling researchers by indicating ways to abstract insider threats.
Abel Yeboah-Ofori, Cameron Swart, Francisca Afua Opoku-Boateng and Shareeful Islam
Abstract
Purpose
Cyber resilience in cyber supply chain (CSC) systems security has become inevitable as attacks, risks and vulnerabilities increase in real-time critical infrastructure systems with little time for system failures. Cyber resilience approaches ensure the ability of a supply chain system to prepare, absorb, recover and adapt to adverse effects in the complex CPS environment. However, threats within the CSC context can pose a severe disruption to the overall business continuity. The paper aims to use machine learning (ML) techniques to predict threats on cyber supply chain systems, improve cyber resilience that focuses on critical assets and reduce the attack surface.
Design/methodology/approach
The approach follows two main cyber resilience design principles that focus on common critical assets and reduce the attack surface for this purpose. ML techniques are applied to various classification algorithms to learn a dataset for performance accuracies and threat predictions based on the CSC resilience design principles. The critical assets include Cyber Digital, Cyber Physical and physical elements. We consider Logistic Regression, Decision Tree, Naïve Bayes and Random Forest classification algorithms in a Majority Voting scheme to predict the results. Finally, we mapped the threats to known attacks for inferences to improve resilience on the critical assets.
Findings
The paper contributes to CSC system resilience based on the understanding and prediction of the threats. The result shows a 70% performance accuracy for the threat prediction with cyber resilience design principles that focus on critical assets and controls and reduce the threat.
Research limitations/implications
Therefore, there is a need to understand and predict the threat so that appropriate control actions can ensure system resilience. However, due to the invincibility and dynamic nature of cyber attacks, there are limited controls and attributions. This poses serious implications for cyber supply chain systems and their cascading impacts.
Practical implications
ML techniques are used on a dataset to analyse and predict the threats based on the CSC resilience design principles.
Social implications
There are no social implications; rather, it has serious implications for organizations and third-party vendors.
Originality/value
The originality of the paper lies in the fact that cyber resilience design principles that focus on common critical assets, including Cyber Digital, Cyber Physical and physical elements, are used to determine the attack surface. ML techniques are applied to various classification algorithms to learn a dataset for performance accuracies and threat predictions based on the CSC resilience design principles, in order to reduce the attack surface.
Kai S. Koong, Mohammad I. Merhi and Jun Sun
Abstract
Purpose
The purpose of this study is to find out whether efforts to improve the information security of government agencies and homeland information security have paid off, and also whether different incentives (internal/external) have an impact on the improvement of the information security of government agencies.
Design/methodology/approach
This study examines the information security status of 24 federal agencies in the USA over the period 2002 through 2007 using latent growth modeling. The information security status of these agencies was tracked with the grades revealed in the Federal Computer Security Report Cards. In addition, the number of employees (internal threat incentives) and budget incentives of federal agencies were gathered from the agencies and other governmental websites for the same period of time.
Findings
Results indicated that high critical-information agencies, even though they have an overall low performance in information security, are performing better than the low critical-information agencies regarding solving external threats. Results also revealed that whereas agencies have generally paid more attention to information security over the years, their performances are more pertinent to change in budget incentives than to other incentives.
Research limitations/implications
The outcomes reported are confined to the data presented by the Federal Computer Security Report Cards. Another limitation is that the number of employees counts the total number of employees in each agency, whether or not they are related to the agency's systems. Finally, using a time-lag analysis of budget to predict the current security score would be more straightforward, but this could not be applied in this study due to the insufficient sample size, as the House Committee on Oversight and Government Reform no longer released the report cards after 2007.
Practical implications
The results should be of interest for the federal agencies that are included in this study, as well as for the organizations that are responsible for the information security of government agencies at different levels. Policy makers, IT managers, software developers and security specialists can also use the outcomes reported in this study for the better decision making that can enhance the information security in the public sector. The theoretical and methodological framework used in this study may also contribute to the current literature of homeland information security incentives and be helpful for future studies on its critical success factors.
Originality/value
This study examines fundamental issues that have not yet been established. To our knowledge, this is the first study that assesses different incentives that have an effect on the Federal agencies' information security performance, owing to the lack of data in this domain. Also, the statistical techniques used to test the research propositions fit the objective of the study. In addition, the results found in this research confirm the importance of one of the incentives that has been identified in the literature as a crucial element affecting the information security performance of organizations.
Tadele Shimels and Lemma Lessa
Abstract
Purpose
Information systems' security is more critical than ever before since security threats are rapidly growing. Before putting in place information systems' security measures, organizations are required to determine the maturity level of their information security governance. Literature review reveals that there is no recent study on information systems' security maturity level of banks in Ethiopia. This study thus seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators.
Design/methodology/approach
Four private banks are selected as a representative sample. The system security engineering capability maturity model (SSE-CMM) is used as the maturity measurement criteria, and the measurement was based on ISO/IEC 27001 information security control areas. The data for the study were gathered using a questionnaire.
Findings
A total of 93 valid questionnaires were gathered from 110 participants in the study. Based on the SSE-CMM maturity model assessment criteria, the private banking industry's current maturity level is level 2 (repeatable but intuitive). Institutions have a pattern that is repeated when completing information security operations, but its existence was not thoroughly proven and institutional inconsistency still exists.
Originality/value
This study seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in the Ethiopian private banking industry's information system security maturity indicators. This topic has not been attempted previously in the context of the Ethiopian financial sector.