Search results
1 – 10 of 102Hayretdin Bahşi, Ulrik Franke and Even Langfeldt Friberg
This paper aims to describe the cyber-insurance market in Norway but offers conclusions that are interesting to a wider audience.
Abstract
Purpose
This paper aims to describe the cyber-insurance market in Norway but offers conclusions that are interesting to a wider audience.
Design/methodology/approach
The study is based on semi-structured interviews with supply-side actors: six general insurance companies, one marine insurance company and two insurance intermediaries.
Findings
The Norwegian cyber-insurance market supply-side has grown significantly in the past two years. The General Data Protection Regulation (GDPR) is found to have had a modest effect on the market so far but has been used by the supply-side as an icebreaker to discuss cyber-insurance with customers. The NIS Directive has had little or no impact on the Norwegian cyber-insurance market until now. Informants also indicate that Norway is still the least mature of the four Nordic markets.
Practical implications
Some policy lessons for different stakeholders are identified.
Originality/value
Empirical investigation of cyber-insurance is still rare, and the paper offers original insights on market composition and actor motivations, ambiguity of coverage, the NIS Directive and GDPR.
Details
Keywords
V. Gerard Comizio, Behnam Dayanim and Laura Bain
To provide financial institutions an overview of the developments in cybersecurity regulation of financial institutions during 2015 by the United States, the United Kingdom, and…
Abstract
Purpose
To provide financial institutions an overview of the developments in cybersecurity regulation of financial institutions during 2015 by the United States, the United Kingdom, and the European Union, as well as guidance for developing effective cyber-risk management programs in light of evolving cyber-threats and cyber-regulatory expectations.
Design/methodology/approach
Reviews US, UK and EU regulatory developments in the cybersecurity area and provides several best practice tips financial institutions should consider and implement to improve their cybersecurity compliance programs.
Findings
While cyber-threats and financial regulators’ expectations for cyber-security are constantly evolving, recent guidance and enforcement efforts by the US, UK and EU illustrate the need for financial institutions to develop effective cybersecurity programs that address current regulatory compliance requirements and prepare for emergency cyber responses.
Practical implications
Financial institutions should utilize the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool to assess their cyber-risk profile and cyber-preparedness.
Originality/value
Practical guidance from experienced financial regulatory and privacy lawyers that provides a survey of the current regulatory environment and recommendations for cyber-security compliance.
Details
Keywords
Krunoslav Arbanas, Mario Spremic and Nikolina Zajdela Hrustek
The objective of this research was to propose and validate a holistic framework for information security culture evaluation, built around a novel approach, which includes…
Abstract
Purpose
The objective of this research was to propose and validate a holistic framework for information security culture evaluation, built around a novel approach, which includes technological, organizational and social issues. The framework's validity and reliability were determined with the help of experts in the information security field and by using multivariate statistical methods.
Design/methodology/approach
The conceptual framework was constructed upon a detailed literature review and validated using a range of methods: first, measuring instrument was developed, and then content and construct validity of measuring instrument was confirmed via experts' opinion and by closed map sorting method. Convergent validity was confirmed by factor analysis, while the reliability of the measuring instrument was tested using Cronbach's alpha coefficient to measure internal consistency.
Findings
The proposed framework was validated based upon the results of empirical research and the usage of multivariate analysis. The resulting framework ultimately consists of 46 items (manifest variables), describing eight factors (first level latent variables), grouped into three categories (second level latent variables). These three categories were built around technological, organizational and social issues.
Originality/value
This paper contributes to the body of knowledge in information security culture by developing and validating holistic framework for information security culture evaluation, which does not observe information security culture in only one aspect but takes into account its organizational, sociological and technical component.
Details
Keywords
The issue of cybersecurity has been cast as the focal point of a fight between two conflicting governance models: the nation-state model of national security and the global…
Abstract
Purpose
The issue of cybersecurity has been cast as the focal point of a fight between two conflicting governance models: the nation-state model of national security and the global governance model of multi-stakeholder collaboration, as seen in forums like IGF, IETF, ICANN, etc. There is a strange disconnect, however, between this supposed fight and the actual control over cybersecurity “on the ground”. This paper aims to reconnect discourse and control via a property rights approach, where control is located first and foremost in ownership.
Design/methodology/approach
This paper first conceptualizes current governance mechanisms through ownership and property rights. These concepts locate control over internet resources. They also help us understand ongoing shifts in control. Such shifts in governance are actually happening, security governance is being patched left and right, but these arrangements bear little resemblance to either the national security model of states or the global model of multi-stakeholder collaboration. With the conceptualization in hand, the paper then presents case studies of governance that have emerged around specific security externalities.
Findings
While not all mechanisms are equally effective, in each of the studied areas, the author found evidence of private actors partially internalizing the externalities, mostly on a voluntary basis and through network governance mechanisms. No one thinks that this is enough, but it is a starting point. Future research is needed to identify how these mechanisms can be extended or supplemented to further improve the governance of cybersecurity.
Originality/value
This paper bridges together the disconnected research communities on governance and (technical) cybersecurity.
Details
Keywords
Ali Katouzian Bolourforoush and Hamid Jahankhani
Banking traces back to 2000 BC in Assyria, India and Sumeria. Merchants used to give grain loans to farmers and traders to carry goods between cities. In ancient Greece and Roman…
Abstract
Banking traces back to 2000 BC in Assyria, India and Sumeria. Merchants used to give grain loans to farmers and traders to carry goods between cities. In ancient Greece and Roman Empire, lenders in temples, provided loans, and accepted deposits while performed change of money. The archaeological evidence uncovered in India and China corroborates this. The major development in banking came predominantly in the mediaeval, Renaissance Italy, with the major cities Florence, Venice and Genoa being the financial centres. Technology has become an inherent and integral part of our lives. We are generating a huge amount of data in transfer, storage and usage, with greater demands of ubiquitous accessibility, inducing an enormous impact on industry and society. With the emergence of smarter cities and societies, the security challenges pertinent to data become greater, impending impact on the consumer protection and security. The aim of this chapter is to highlight if SSI and passwordless authentication using FIDO-2 protocol assuage security concerns such as authentication and authorisation while preserving the individual's privacy.
Details
Keywords
This study aims to assess the essential elements of internal organisational capability that influence the cybersecurity effectiveness of a construction firm. An extended McKinsey…
Abstract
Purpose
This study aims to assess the essential elements of internal organisational capability that influence the cybersecurity effectiveness of a construction firm. An extended McKinsey 7S model is used to analyse the relationship between a construction firm's cybersecurity effectiveness and nine internal capability elements: shared values, strategy, structure, systems, staff, style, skills, relationships with third parties and regulatory compliance.
Design/methodology/approach
Based on a quantitative research strategy, this study collected data through a cross-sectional survey of professionals working in the construction sector in the United Kingdom (UK). The collected data was analysed using descriptive and inferential statistical methods.
Findings
The findings underlined systems, regulatory compliance, staff and third-party relationships as the most significant elements of internal organisational capability influencing a construction firm's cybersecurity effectiveness, organised in order of importance.
Research limitations/implications
Future research possibilities are proposed including the extension of the proposed diagnostic model to consider additional external factors, examining it under varying industrial relationship conditions and developing a dynamic framework that helps improve cybersecurity capability levels while overseeing execution outcomes to ensure success.
Practical implications
The extended McKinsey 7S model can be used as a diagnostic tool to assess the organisation's internal capabilities and evaluate the effectiveness of implemented changes. This can provide specific ways for construction firms to enhance their cybersecurity effectiveness.
Originality/value
This study contributes to the field of cybersecurity in the construction industry by empirically assessing the effectiveness of cybersecurity in UK construction firms using an extended McKinsey 7S model. The study highlights the importance of two additional elements, third-party relationships and construction firm regulatory compliance, which were overlooked in the original McKinsey 7S model. By utilising this model, the study develops a concise research model of essential elements of internal organisational capability that influence cybersecurity effectiveness in construction firms.
Details
Keywords
Fabio Ramazzini Bechara and Samara Bueno Schuch
This study aims to define objectively what are the elements that should be considered in the repositioning of international cooperation, less under its value, which is…
Abstract
Purpose
This study aims to define objectively what are the elements that should be considered in the repositioning of international cooperation, less under its value, which is unquestionable, but more under the optics of the procedure, how can it be operationalized. International cooperation goes beyond the regulatory effort, which, although an important step, is insufficient. It is inserted in an environment in which there is a multiplicity of forces and instances, non-converging and tensioned. At the same time, in the authors’ view, it is not about cooperation between states or between states and international organizations only, it must understand the private sector equally, which has the expressive property of the technologies used.
Design/methodology/approach
The study uses an interdisciplinary approach, and the method of analysis is the typothetical deductive.
Findings
Cybersecurity as a global and complex issue demands cooperation between nations, but also the private sector and civil society engagement. It also demands a good governance in the decision making process, more integrated, accurated and precised.
Originality/value
This study is original, and it represents a special concern and vision from professional and academic fields.
Details
Keywords
The development of technologies for the conduct of cyber operations represents an opportunity for states to defend their interests in international relations but also bears risks…
Abstract
Purpose
The development of technologies for the conduct of cyber operations represents an opportunity for states to defend their interests in international relations but also bears risks and challenges. Since the early 2000s, the United Nations “group of governmental experts (GGE) on developments in the field of information and telecommunications in the context of international security” debates on this issue. This paper aims to investigate how states are challenged in the development of international cyber norms and where capacity to act is idle, i.e. to assess how much has been reached in the international community’s debate on cyber threats and malicious behaviors in the international security context and to identify directions to move GGE work further.
Design/methodology/approach
The methodology uses an extensive text-based desk research and relies on a thorough collection, analysis and interpretation of the United Nations (UNs) documents. When specific substantial topics are addressed in the GGE, the content of the debate was confronted with issue-specific academic literature on those matters.
Findings
The results highlight that the GGE managed to gather consensus on a number of cooperation and normative measures in this politically highly sensitive topic and more deliverables are expected during this and next year. The paper identifies a weakness in terms of operational implementation though. The paper proposes a few examples of concrete headways that could complement existing consensus, especially on the implementation side.
Originality/value
Because of its political sensitivity, the GGE has worked with discretion and has attracted little academic attention. This paper is an original and timely attempt to assess the achievements and possible outlook of this endeavor of the international community, including the incipient work of a recently established open-ended working group. It also attempts to connect the subject matter discussed in the UN with related academic literature, including in respect of definitional and conceptual issues.
Details
Keywords
Brenden Kuerbis and Farzaneh Badiei
There is growing contestation between states and private actors over cybersecurity responsibilities, and its governance is ever more susceptible to nationalization. The authors…
Abstract
Purpose
There is growing contestation between states and private actors over cybersecurity responsibilities, and its governance is ever more susceptible to nationalization. The authors believe these developments are based on an incomplete picture of how cybersecurity is actually governed in practice and theory. Given this disconnect, this paper aims to attempt to provide a cohesive understanding of the cybersecurity institutional landscape.
Design/methodology/approach
Drawing from institutional economics and using extensive desk research, the authors develop a conceptual model and broadly sketch the activities and contributions of market, networked and hierarchical governance structures and analyze how they interact to produce and govern cybersecurity.
Findings
Analysis shows a robust market and networked governance structures and a more limited role for hierarchical structures. Ex ante efforts to produce cybersecurity using purely hierarchical governance structures, even buttressed with support from networked governance structures, struggle without market demand like in the case of secure internet identifiers. To the contrary, ex post efforts like botnet mitigation, route monitoring and other activities involving information sharing seem to work under a variety of combinations of governance structures.
Originality/value
The authors’ conceptual framework and observations offer a useful starting point for unpacking how cybersecurity is produced and governed; ultimately, we need to understand if and how these governance structure arrangements actually impact variation in observed levels of cybersecurity.
Details
Keywords
Eline Punt, Jochen Monstadt, Sybille Frank and Patrick Witte
Cyber resilience has emerged as an approach for seaports to deal with cyberattacks; it emphasizes ports’ ability to prepare for an attack and to keep operating and recover…
Abstract
Purpose
Cyber resilience has emerged as an approach for seaports to deal with cyberattacks; it emphasizes ports’ ability to prepare for an attack and to keep operating and recover quickly. However, little research has been undertaken on the challenges of governing cyber risks in seaports. This study aims to address this gap.
Design/methodology/approach
Governing cyber resilience is shaped by distributed responsibilities, uncertainties and ambiguities. The authors use this conceptualization to explore the governance of cyber risks in seaports, taking the Port of Rotterdam as a case study and analyzing semistructured interviews with stakeholders, participatory observation and policy documents and legislation.
Findings
The authors found that many strategies for governing cyber risks remain dedicated to protecting computer systems against cyberattacks. Nevertheless, port stakeholders have also developed strategies in anticipation of disruptions. However, these strategies appear informal and uncoordinated due to a lack of information exchange, insufficient knowledge regarding cyber risks and disagreement about how to make the Port of Rotterdam cyber resilient. What mainly hampers the cyber resilience of the port is the lack of a comprehensive regulatory framework and economic incentives. The authors conclude that resilience is merely an ideal at the Port of Rotterdam, meaning related governance strategies remain incremental and await institutionalization.
Originality/value
This paper offers insights into the cyber resilience of critical socio-technical systems, which have been underexposed in cyber resilience debates, but, when exploited, can manifest in large-scale disruptions.
Details