Search results
1 – 10 of over 14000
Abstract
Purpose
Security assurance evaluation (SAE) is a well-established approach for assessing the effectiveness of security measures in systems. However, one aspect that is often overlooked in these evaluations is the assurance context in which they are conducted. This paper aims to explore the role of assurance context in system SAEs and proposes a conceptual model to integrate the assurance context into the evaluation process.
Design/methodology/approach
The conceptual model highlights the interrelationships between the various elements of the assurance context, including system boundaries, stakeholders, security concerns, regulatory compliance and assurance assumptions.
Findings
By introducing the proposed conceptual model, this research provides a framework for incorporating the assurance context into SAEs and offers insights into how it can influence the evaluation outcomes.
Originality/value
By delving into the concept of assurance context, this research seeks to shed light on how it influences the scope, methodologies and outcomes of assurance evaluations, ultimately enabling organizations to strengthen their system security postures and mitigate risks effectively.
Abstract
Purpose
The purpose of this paper is to highlight the potential of cyber-testing techniques in assessing the effectiveness of cyber-security controls and obtaining audit evidence.
Design/methodology/approach
The paper starts with an identification of the applicable cyber-testing techniques and evaluates their applicability to generally accepted assurance schemes and cyber-security guidelines.
Findings
Cyber-testing techniques provide insight into the effectiveness of the actual implementation of cyber-security controls, which may significantly deviate from the conceptual designs of these controls. Furthermore, cyber-testing techniques could provide concise input for cyber-risk management and improvement recommendations.
Originality/value
The presented cyber-testing techniques could complement traditional process-oriented assurance techniques with specialized technical analyses of real-world implementations that focus on the adversaries’ viewpoint.
Ahmed H. Al-Dmour, Masam Abood and Hani H. Al-Dmour
Abstract
Purpose
This study aims at investigating the extent to which SysTrust’s framework (principles and criteria), as an internal control approach for assuring the reliability of accounting information systems (AIS), was being implemented in Jordanian business organizations.
Design/methodology/approach
The study is based on primary data collected through a structured questionnaire from 239 out of 328 shareholding companies. The survey units were the shareholding companies in Jordan, and the single key respondent approach was adopted. The extent of SysTrust principles was also measured. Previously validated instruments were used where required. The data were analysed using t-test and ANOVA.
Findings
The results indicated that the extent of SysTrust being implemented could be considered to be moderate at this stage. This implies that there are some variations among business organizations in terms of their level of implementation of SysTrust principles and criteria. The results also showed that the extent of SysTrust principles being implemented varied among business organizations based on their business sector. However, no variation was found due to size of business or length of time in business (experience).
Research limitations/implications
This study is only conducted in Jordan as a developing country. Although Jordan is a valid indicator of prevalent factors in the wider MENA region and developing countries, the lack of external validity of this research means that any generalization of the research findings should be made with caution. Future research can be orientated to other national and cultural settings and compared with the results of this study.
Practical implications
The study provides evidence of the need for management to recognize the importance of the implementation of SysTrust principles and criteria as an internal control for assuring the reliability of AIS within their organizations and be aware which of these principles are appropriate to their size and industry sector.
Originality/value
The findings would be valuable for academic researchers, managers and professional accountants to acquire a better understanding of the current status of the implementation of the SysTrust principles (i.e., availability, security, processing integrity, confidentiality, and privacy) as an internal control method for assuring the reliability of AIS by testing the phenomenon in Jordan as a developing country.
Hamada Elsaid Elmaasrawy and Omar Ikbal Tawfik
Abstract
Purpose
This paper aims to examine the impact of the assurance and advisory role of internal audit (ADRIA) on organisational, human and technical proactive measures to enhance cybersecurity (CS).
Design/methodology/approach
A questionnaire was used to collect data from 97 internal auditors (IAu) from the Gulf Cooperation Council countries. The authors used partial least squares (PLS) to test the hypotheses.
Findings
The results show a positive effect of the ADRIA on each of the organisational proactive measures, human proactive measures and technical proactive measures to enhance CS. The study also found a positive effect of the confirmatory role of IA on both human proactive measures and technical proactive measures to enhance CS. No effect of the confirmatory role of IA on the organisational proactive measures is found.
Research limitations/implications
This study focused on only three proactive measures to enhance CS, and this study was limited to the opinions of IAu. In addition, the study was limited to using regression analysis according to the PLS method.
Practical implications
The results of this study show that managers need to consider the influential role of IA as a value-adding activity in reducing CS risks and activating proactive measures. Also, IAu must expand its capabilities, skills and knowledge in CS auditing to provide a bold view of cyber threats. At the same time, the institutions responsible for preparing IA standards should develop standards and guidelines that help IAu to play assurance and advisory roles.
Originality/value
To the best of the authors’ knowledge, this is the first study of its kind that deals with the impact of the ADRIA on proactive measures to enhance CS. In addition, the study determines the nature of the advisory role and the assurance role of IA to strengthen CS.
Zauwiyah Ahmad, Thian Song Ong, Tze Hui Liew and Mariati Norhashim
Abstract
Purpose
The purpose of this research is to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour. Security assurance behaviour represents employees’ intentional and effortful actions aimed towards protecting information systems. The behaviour is highly desired as it tackles the human factor within the information security framework. The authors posited that security assurance behaviour is a learned behaviour that can be enhanced by the implementation of information security monitoring.
Design/methodology/approach
The theoretical framework underlying this study has six constructs, namely subjective norm, outcome expectation, information security monitoring, information security policy, self-efficacy and perceived inconvenience, which were identified as significant in determining employees’ security assurance behaviour (SAB). The influence of these constructs on SAB could be explained by social cognitive theory and is empirically supported by past studies. An online questionnaire survey is adopted as the main research instrument to elicit information on the six constructs tested in this study. Opinions from industry and academic expert panels on the relevance and face validity of the questionnaire were obtained prior to the survey administration.
Findings
Findings from this research indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy. This study also demonstrates that employees tend to abandon security behaviour when the behaviour is perceived as inconvenient. Hence, organisations must find ways to reduce the perceived inconvenience using various security automation methods and specialised security training. Reducing perceived inconvenience is a challenge to information security practitioners.
Research limitations/implications
There are some limitations in the existing work that could be addressed in future studies. One of them is the possible social desirability bias due to the self-reported measure adopted in the study. Even though the authors have made every effort possible to collect representative responses via anonymous survey, it is still possible that the respondents may not reveal true behaviour as good conduct is generally desired. This may lead to a bias towards favourable behaviour.
Practical implications
In general, the present research provides a number of significant insights and valuable information related to security assurance behaviour among employees. The major findings could assist security experts and organisations to develop better strategies and policies for information security protection. Findings of this research also indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy.
Social implications
In this research, the social cognitive learning theory is used to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour; the finding implies that monitoring emphasises expected behaviours and helps to reinforce organisational norms. Monitoring may also accelerate learning when employees become strongly mindful of their behaviours. Hence, it is important for organisations to communicate the monitoring practices implemented, which is even more imperative whenever the security monitoring employed is unobtrusive in nature. Nonetheless, care must be taken in this communication to avoid resentment and mistrust among employees.
Originality/value
This study is significant in a number of ways. First, this study highlights significant antecedents of security assurance behaviour, which helps organisations to assess their current practices, which may nurture or suppress information security. Second, using users’ perspective, this study provides recommendations pertaining to monitoring as a form of information security measure. Third, this study provides theoretical contribution to the existing information security literature via the application of the social cognitive learning theory.
Thembekile Mayayise and Isaac Olusegun Osunmakinde
Abstract
Purpose
The internet provides a mechanism by which buyers and sellers meet in order to exchange goods and services online with the utmost convenience. However, there are many risks associated with the internet which, if left unattended, could continue deterring the adoption of e-commerce. These risks ultimately diminish online consumer trust in e-commerce. Web assurance models have been designed in an attempt to encourage online consumer trust through assurance. Unfortunately, many of these models have been inadequate in certain areas and this research aims to improve on them.
Design/methodology/approach
It presents a comprehensive empirical survey on trustworthiness issues and e-commerce assurance models and proposes a new compliance-based e-commerce assurance model that integrates adaptive legislation, adaptive e-commerce-related standards and cooperative rating. The intelligent cooperative rating is based on the analytic hierarchy process and page-ranking techniques.
Findings
Some findings of this research study support the thinking that some untrustworthy sites pose as trustworthy sites because they display web seals. The findings can be used as a reference guide to understand e-commerce assurance models, as well as the effectiveness of ensuring the trustworthiness of these models.
Practical implications
The research presents deployment analysis on the use of the proposed compliance model through real life scenarios categorized as trustworthy and untrustworthy e-commerce web sites.
Originality/value
This research is relevant to information management and computer security in e-commerce as a development of a newly proposed e-commerce assurance model for trustworthiness safety inspections and knowledge generation as a reference guide to understand e-commerce trustworthiness in general and e-commerce assurance models in particular detail.
Abstract
Purpose
Since the outbreak of the COVID-19 pandemic, the demand for online services has risen, with e-payment emerging as a prominent option for customers seeking faster and more convenient transactions to complete their online purchases. Nevertheless, e-payment adoption in Egypt remains a challenge that requires further investigation. Thus, this study aims to investigate the factors influencing online customers’ attitudes and intentions towards adopting e-payment for online transactions, namely social influence, perceived ease of use, perceived usefulness, perceived trust, structural assurance and perceived privacy/security risk.
Design/methodology/approach
The data were gathered from 302 customers in Egypt and structurally analysed based on partial least squares structural equation modelling (PLS-SEM).
Findings
The findings revealed that social influence, perceived usefulness and perceived trust are significant antecedents of attitude. Furthermore, perceived usefulness, perceived trust, perceived privacy/security risk and attitude directly influence behavioural intention. Structural assurance and perceived trust directly influence perceived privacy/security risk. Moreover, perceived usefulness, perceived trust and attitude were found to have several mediating roles.
Research limitations/implications
This study adds new empirical evidence from a developing country regarding the adoption of e-payment among online customers. In addition, its findings can help the government, practitioners and policymakers understand how to promote customers’ positive attitudes and encourage their intentions towards using e-payment.
Originality/value
The findings of this study can contribute to the digital transformation strategy in Egypt by providing insights into enhancing online shoppers’ attitudes and intentions towards e-payment adoption. This, in turn, can boost Egyptian e-commerce and the country's digital economy as a whole.
Uchenna Daniel Ani, Hongmei He and Ashutosh Tiwari
Abstract
Purpose
As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued to react to security concerns that threaten their businesses within the current highly competitive environment. Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber intrusion events within the industrial control system (ICS) environment.
Design/methodology/approach
A quantitative approach (statistical analysis) is adopted to provide an approach to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least security-capable workforce in the operational domain with the greatest susceptibility likelihood to cyber-attacks (i.e. weakest link) and guide the enhancement of security assurance. To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques.
Findings
Using a test scenario, the approach demonstrates the capacity to proffer an efficient evaluation of workforce security knowledge and skills capabilities and the identification of the weakest link in the workforce.
Practical implications
The approach can enable organisations to gain better workforce security perspectives like security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic means of appropriating security remediation outlines, scopes and resources without undue wastes or redundancies.
Originality/value
This paper demonstrates originality by providing a framework and computational approach for characterising and quantifying human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), some key security susceptibility areas and relevant control interventions. The model and validation results demonstrate the application of action research. This paper demonstrates originality by illustrating how action research can be applied within socio-technical dimensions to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations.
Ruey‐Dang Chang, Chun‐Ju Fang and Yee‐Chy Tseng
Abstract
Purpose
The purpose of this paper is to examine the effects of WebTrust assurance, issued by Certified Public Accountant (CPA) firms, on web purchase behaviour and to examine such effects provided by different‐sized CPA firms.
Design/methodology/approach
In an experiment, several scenarios were manipulated to simulate a number of web purchase environments in which participants make decisions online.
Findings
The results indicate that the WebTrust assurance seal has a significant effect on consumers' web purchase willingness. An “ordering effect” was also found, in that removing the seal has more impact than obtaining the seal, and an assurance seal issued by big firms has greater impact than one issued by smaller firms.
Originality/value
This study contributes to the existing literature by focusing on an important yet rarely addressed issue of brand assurance services. The paper helps to understand this phenomenon in a global sense. Compared to the student participants used in the previous literature, this experiment provides a practical addition to the prevalent framework of trust in e‐commerce studies. Finally, the research went a step further to test whether the web assurance provided by different‐sized auditors affects web consumers' purchase decisions.
Abstract
A recent study of 50 Australian information systems development environments highlights a continuing lack of corporate security measures by Australian business organizations. Project managers and developers are battling the rising surge of computer‐related crime with little support from their corporate management. This has occurred in spite of refinements in software development and the subsequent constraints on access to these systems at a working plane. Outlines, for corporate management, the results regarding lack of corporate commitment to the security of information systems in Australia and recommends actions to rectify the current predicament.