Search results

1 – 10 of 15
Open Access
Article
Publication date: 30 March 2023

Areej Alyami, David Sammon, Karen Neville and Carolanne Mahony

This study explores the critical success factors (CSFs) for Security Education, Training and Awareness (SETA) program effectiveness. The questionable effectiveness of SETA…

3011

Abstract

Purpose

This study explores the critical success factors (CSFs) for Security Education, Training and Awareness (SETA) program effectiveness. The questionable effectiveness of SETA programs at changing employee behavior and an absence of empirical studies on the CSFs for SETA program effectiveness is the key motivation for this study.

Design/methodology/approach

This exploratory study follows a systematic inductive approach to concept development. The methodology adopts the “key informant” approach to give voice to practitioners with SETA program expertise. Data are gathered using semi-structured interviews with 20 key informants from various geographic locations including the Gulf nations, Middle East, USA, UK and Ireland.

Findings

In this study, the analysis of these key informant interviews, following an inductive open, axial and selective coding approach, produces 11 CSFs for SETA program effectiveness. These CSFs are mapped along the phases of a SETA program lifecycle (design, development, implementation and evaluation) and nine relationships identified between the CSFs (within and across the lifecycle phases) are highlighted. The CSFs and CSFs' relationships are visualized in a Lifecycle Model of CSFs for SETA program effectiveness.

Originality/value

This research advances the first comprehensive conceptualization of the CSFs for SETA program effectiveness. The Lifecycle Model of CSFs for SETA program effectiveness provides valuable insights into the process of introducing and sustaining an effective SETA program in practice. The Lifecycle Model contributes to both theory and practice and lays the foundation for future studies.

Details

Information Technology & People, vol. 36 no. 8
Type: Research Article
ISSN: 0959-3845

Keywords

Open Access
Article
Publication date: 14 August 2017

Jassim Happa and Michael Goldsmith

Several attack models attempt to describe behaviours of attacks with the intent to understand and combat them better. However, all models are to some degree incomplete. They may…

1227

Abstract

Purpose

Several attack models attempt to describe behaviours of attacks with the intent to understand and combat them better. However, all models are to some degree incomplete. They may lack insight about minor variations about attacks that are observed in the real world (but are not described in the model). This may lead to similar attacks being classified as the same type of attack, or in some cases the same instance of attack. The appropriate solution would be to modify the model or replace it entirely. However, doing so may be undesirable as the model may work well for most cases or time and resource constraints may factor in as well. This paper aims to explore the potential value of adding information about attacks and attackers to existing models.

Design/methodology/approach

This paper investigates used cases of minor variations in attacks and how it may and may not be appropriate to communicate subtle differences in existing attack models through the use of annotations. In particular, the authors investigate commonalities across a range of existing models and identify where and how annotations may be helpful.

Findings

The authors propose that nuances (of attack properties) can be appended as annotations to existing attack models. Using annotations appropriately should enable analysts and researchers to express subtle but important variations in attacks that may not fit the model currently being used.

Research limitations/implications

This work only demonstrated a few simple, generic examples. In the future, the authors intend to investigate how this annotation approach can be extended further. Particularly, they intend to explore how annotations can be created computationally; the authors wish to obtain feedback from security analysts through interviews, identify where potential biases may arise and identify other real-world applications.

Originality/value

The value of this paper is that the authors demonstrate how annotations may help analysts communicate and ask better questions during identification of unknown aspects of attacks faster,e.g. as a means of storing mental notes in a structured manner, especially while facing zero-day attacks when information is incomplete.

Details

PSU Research Review, vol. 1 no. 2
Type: Research Article
ISSN: 2399-1747

Keywords

Open Access
Article
Publication date: 20 July 2023

Martina Neri, Federico Niccolini and Luigi Martino

Cyberattacks are becoming increasingly widespread, and cybersecurity is therefore increasingly important. Although the technological aspects of cybersecurity are its best-known…

1876

Abstract

Purpose

Cyberattacks are becoming increasingly widespread, and cybersecurity is therefore increasingly important. Although the technological aspects of cybersecurity are its best-known characteristics, the cybersecurity phenomenon goes beyond the detection of technological impacts, and encompasses all the dimensions of an organization. This study thus focusses on an additional set of organizational elements. The key elements of cybersecurity organizational readiness depicted here are cybersecurity awareness, cybersecurity culture and cybersecurity organizational resilience (OR). This study aims to qualitatively assess small and medium enterprises’ (SMEs) overall level of organizational cybersecurity readiness.

Design/methodology/approach

This study focused on conducting a cybersecurity organizational readiness assessment using a sample of 53 Italian SMEs from the information and communication technology sector. Informed mixed method research, this study was conducted consistent with the principles of the explanatory sequential mixed method design, and adopting a quanti-qualitative methodology. The quantitative data were collected through a questionnaire. Qualitative data were subsequently collected through semi-structured interviews.

Findings

Although many elements of the technical aspects of cybersecurity OR have yielded very encouraging results, there are still some areas that require improvement. These include those facets that constitute the foundation of cybersecurity awareness, and, thus, a cybersecurity culture. This result highlights that the areas in need of improvement are exactly those that are most important in fighting against cyber threats via organizational cybersecurity readiness.

Originality/value

Although the importance of SMEs is obvious, evidence of such organizations’ attitudes to cybersecurity are still limited. This research is an attempt to depict the organizational issue related to cybersecurity, i.e. overall cybersecurity organizational readiness.

Open Access
Article
Publication date: 8 January 2020

Elham Rostami, Fredrik Karlsson and Ella Kolkowska

The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been…

1391

Abstract

Purpose

The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about.

Design/methodology/approach

The results are based on a literature review of ISP management research published between 1990 and 2017.

Findings

Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare.

Research limitations/implications

Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process.

Practical implications

The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners.

Originality/value

Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.

Details

Information & Computer Security, vol. 28 no. 2
Type: Research Article
ISSN: 2056-4961

Keywords

Open Access
Article
Publication date: 6 March 2019

Betsy Stringam and John Gerdes

The purpose of this paper is to investigate how well hotel website load time performance compared against customer expectation benchmarks. In a competitive market, service…

6113

Abstract

Purpose

The purpose of this paper is to investigate how well hotel website load time performance compared against customer expectation benchmarks. In a competitive market, service interactions are important. As customers move to mobile devices, the time to load a website is a critical part of the service delivery. Long load times can lead to poor service experiences, customer frustration and lost business. Hotel website load times on both mobile and desktop devices were examined and compared to service expectations.

Design/methodology/approach

The study used an online service to assess and compare website load performance using both desktop and mobile devices for 259 international hotel company and sub-brand websites.

Findings

The time to load hotel websites was significantly slower on mobile devices compared to desktops. Load times on both platforms exceeded 3 s, which is considered best practice. Long load times represent a service gap and can cause dissatisfaction resulting in a potential customer abandoning the website for a competitor’s site, thus affecting sales.

Research limitations/implications

While the population for the study was robust in size and contained most of the major hotel companies worldwide, it was not exhaustive. Data also represent a snapshot and will change over time. Load times vary based on test location, access device and network traffic. Additionally, web page load times and customer expectations will change as technology evolves.

Originality/value

Increased use of mobile devices for hotel reservations increases the importance of mobile service delivery. This is the first known study to measure hotel website load times for mobile devices, and to examine both mobile and desktop performance against best practice. The results of this study highlight a service gap, which can lead to loss of business. Given the consistency of the results, the authors suspect that this is an issue that has not been recognized within the industry. This study is valuable because it exposes an issue of website design not generally addressed in the hospitality industry, even though tools are available to monitor site performance.

Details

International Hospitality Review, vol. 33 no. 1
Type: Research Article
ISSN: 2516-8142

Keywords

Open Access
Article
Publication date: 5 October 2023

Peter Dornheim and Ruediger Zarnekow

The human factor is the most important defense asset against cyberattacks. To ensure that the human factor stays strong, a cybersecurity culture must be established and cultivated…

Abstract

Purpose

The human factor is the most important defense asset against cyberattacks. To ensure that the human factor stays strong, a cybersecurity culture must be established and cultivated in a company to guide the attitudes and behaviors of employees. Many cybersecurity culture frameworks exist; however, their practical application is difficult. This paper aims to demonstrate how an established framework can be applied to determine and improve the cybersecurity culture of a company.

Design/methodology/approach

Two surveys were conducted within eight months in the internal IT department of a global software company to analyze the cybersecurity culture and the applied improvement measures. Both surveys comprised the same 23 questions to measure cybersecurity culture according to six dimensions: cybersecurity accountability, cybersecurity commitment, cybersecurity necessity and importance, cybersecurity policy effectiveness, information usage perception and management buy-in.

Findings

Results demonstrate that cybersecurity culture maturity can be determined and improved if accurate measures are derived from the results of the survey. The first survey showed potential for improving the dimensions of cybersecurity accountability, cybersecurity commitment and cybersecurity policy effectiveness, while the second survey proved that these dimensions have been improved.

Originality/value

This paper proves that practical application of cybersecurity culture frameworks is possible if they are appropriately tailored to a given organization. In this regard, scientific research and practical application combine to offer real value to researchers and cybersecurity executives.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Keywords

Open Access
Article
Publication date: 21 December 2021

Martin Karlsson, Fredrik Karlsson, Joachim Åström and Thomas Denk

This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.

3698

Abstract

Purpose

This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.

Design/methodology/approach

The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy.

Findings

The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance.

Research limitations/implications

The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance.

Practical implications

Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite an internal focus, that may have negative ramifications for the information security of organizations.

Originality/value

Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

Open Access
Article
Publication date: 20 April 2023

Kristian Kannelønning and Sokratis K. Katsikas

Cybersecurity attacks on critical infrastructures, businesses and nations are rising and have reached the interest of mainstream media and the public’s consciousness. Despite this…

5096

Abstract

Purpose

Cybersecurity attacks on critical infrastructures, businesses and nations are rising and have reached the interest of mainstream media and the public’s consciousness. Despite this increased awareness, humans are still considered the weakest link in the defense against an unknown attacker. Whatever the reason, naïve-, unintentional- or intentional behavior of a member of an organization, the result of an incident can have a considerable impact. A security policy with guidelines for best practices and rules should guide the behavior of the organization’s members. However, this is often not the case. This paper aims to provide answers to how cybersecurity-related behavior is assessed.

Design/methodology/approach

Research questions were formulated, and a systematic literature review (SLR) was performed by following the recommendations of the Preferred Reporting Items for Systematic Reviews and Meta-Analyses statement. The SLR initially identified 2,153 articles, and the paper reviews and reports on 26 articles.

Findings

The assessment of cybersecurity-related behavior can be classified into three components, namely, data collection, measurement scale and analysis. The findings show that subjective measurements from self-assessment questionnaires are the most frequently used method. Measurement scales are often composed based on existing literature and adapted by the researchers. Partial least square analysis is the most frequently used analysis technique. Even though useful insight and noteworthy findings regarding possible differences between manager and employee behavior have appeared in some publications, conclusive answers to whether such differences exist cannot be drawn.

Research limitations/implications

Research gaps have been identified, that indicate areas of interest for future work. These include the development and employment of methods for reducing subjectivity in the assessment of cybersecurity-related behavior.

Originality/value

To the best of the authors’ knowledge, this is the first SLR on how cybersecurity-related behavior can be assessed. The SLR analyzes relevant publications and identifies current practices as well as their shortcomings, and outlines gaps that future research may bridge.

Details

Information & Computer Security, vol. 31 no. 4
Type: Research Article
ISSN: 2056-4961

Keywords

Open Access
Article
Publication date: 16 October 2019

Gabriela Scur, Adriana Marotti de Mello, Lilian Schreiner and Fernando José das Neves

The purpose of this paper is to investigate how technology-forcing regulations affect the product development process in the supply chain of heavyweight vehicles.

1305

Abstract

Purpose

The purpose of this paper is to investigate how technology-forcing regulations affect the product development process in the supply chain of heavyweight vehicles.

Design/methodology/approach

Through a case study, this paper seeks to understand how one of the leading companies in heavyweight vehicles manufacturing industry and its engine supplier in Brazil introduce eco-design practices into its engine development process.

Findings

Through case studies conducted in a heavyweight vehicle producer and its engine supplier, this study shows that, in addition to meeting the standards and legislation, the automaker uses ecodesign practices during the product development cycle such as a design that eliminates harmful and hazardous materials and a project that allows recycling, the reuse of parts and energy efficiency, thereby reducing the environmental impact. However, without the mandatory requirements imposed by federal legislation, products with lower environmental impacts would rarely be developed, as environmental performance is not demanded by customers, who are mainly cost driven. Technology-forcing regulations play an important role in enhancing the adoption of ecodesign practices, but market and competitive conditions also play an important role.

Originality/value

Several studies on the impacts of public policies and development for the automobile sector have been conducted, but there is a lack of studies in the area of commercial vehicles, especially in Brazil. Therefore, this research is justified by new demands of society, in addition to the necessity of complying with legal requirements and the adoption of good practices related to eco-design.

Details

Innovation & Management Review, vol. 16 no. 4
Type: Research Article
ISSN: 2515-8961

Keywords

Open Access
Article
Publication date: 4 December 2020

Špela Orehek and Gregor Petrič

The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on…

3635

Abstract

Purpose

The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This study aims to identify and provide an overview of the scales that are used to measure information security culture and to evaluate the rigor of reported scale development and validation procedures.

Design/methodology/approach

Papers that introduce a new or adapt an existing scale of information security culture were systematically reviewed to evaluate scales of information security culture. A standard search strategy was applied to identify 19 relevant scales, which were evaluated based on the framework of 16 criteria pertaining to the rigor of reported operationalization and the reported validity and reliability of the identified scales.

Findings

The results show that the rigor with which scales of information security culture are validated varies greatly and that none of the scales meet all the evaluation criteria. Moreover, most of the studies provide somewhat limited evidence of the validation of scales, indicating room for further improvement. Particularly, critical issues seem to be the lack of evidence regarding discriminant and criterion validity and incomplete documentation of the operationalization process.

Research limitations/implications

Researchers focusing on the human factor in information security need to reach a certain level of agreement on the essential elements of the concept of information security culture. Future studies need to build on existing scales, address their limitations and gain further evidence regarding the validity of scales of information security culture. Further research should also investigate the quality of definitions and make expert assessments of the content fit between concepts and items.

Practical implications

Organizations that aim to assess the level of information security culture among employees can use the results of this systematic review to support the selection of an adequate measurement scale. However, caution is needed for scales that provide limited evidence of validation.

Originality/value

This is the first study that offers a critical evaluation of existing scales of information security culture. The results have decision-making value for researchers who intend to conduct survey-based examinations of information security culture.

1 – 10 of 15