Search results

This study explores the critical success factors (CSFs) for Security Education, Training and Awareness (SETA) program effectiveness. The questionable effectiveness of SETA programs at changing employee behavior and an absence of empirical studies on the CSFs for SETA program effectiveness is the key motivation for this study.

This exploratory study follows a systematic inductive approach to concept development. The methodology adopts the “key informant” approach to give voice to practitioners with SETA program expertise. Data are gathered using semi-structured interviews with 20 key informants from various geographic locations including the Gulf nations, Middle East, USA, UK and Ireland.

In this study, the analysis of these key informant interviews, following an inductive open, axial and selective coding approach, produces 11 CSFs for SETA program effectiveness. These CSFs are mapped along the phases of a SETA program lifecycle (design, development, implementation and evaluation) and nine relationships identified between the CSFs (within and across the lifecycle phases) are highlighted. The CSFs and CSFs' relationships are visualized in a Lifecycle Model of CSFs for SETA program effectiveness.

This research advances the first comprehensive conceptualization of the CSFs for SETA program effectiveness. The Lifecycle Model of CSFs for SETA program effectiveness provides valuable insights into the process of introducing and sustaining an effective SETA program in practice. The Lifecycle Model contributes to both theory and practice and lays the foundation for future studies.

At the substantive level, there exists a gap in knowledge about the position of security risk management (i.e. SRM) during the terminals’ operations and management; particularly when there is potential for deliberate anti-security acts. Correspondingly, the purpose of this paper is a need for more practical research to find out the justification for the existence of the SRM and different techniques for its appropriate execution on these logistics infrastructures principally with due regard to the potential requirements in the near future.

Both qualitative and quantitative techniques are used in this study incorporating fuzzy set theory and risk assessment matrix to achieve the research objective.

A designed SRM framework tailored for Qalhat liquefied petroleum gas (LNG) terminal in Sultanate of Oman was established to manage the security threats which can be resulted from any probable terrorist attacks.

The limited numbers of experts for the purpose of the addressed SRM are causing challenges in data collection.

The pressures for enhanced attention to critical infrastructure security have fostered new challenges for petrochemical seaports and terminals (PSTs). These tendencies dictate to maintain comprehensive security regimens that can be integrated with national and international strategies to support the country’s security against terrorism.

The development of the security risk factor table model in the case of Qalhat LNG Terminal.

Cyber security has never been more important than it is today in an ever more connected and pervasive digital world. However, frequently reported shortages of suitably skilled and trained information system (IS)/cyber security professionals elevate the importance of delivering effective Security Education,Training and Awareness (SETA) programmes within organisations. Therefore, the purpose of this study is the questionable effectiveness of SETA programmes at changing employee behaviour and an absence of empirical studies on the critical success factors (CSFs) for SETA programme effectiveness.

This exploratory study follows a three-stage research design to give voice to practitioners with SETA programme expertise. Data is gathered in Stage 1 using semi-structured interviews with 20 key informants (the emergence of the CSFs), in Stage 2 from 65 respondents to a short online survey (the ranking of the CSFs) and in Stage 3 using semi-structured interviews with nine IS/cyber security practitioners (the emergence of the guiding principles). Using a multi-stage research design allows the authors to propose and evaluate the 11 CSFs for SETA programme effectiveness.

This study conducted a mean score analysis to evaluate the level of importance of each CSF within two independent groups of IS/cyber security professionals. This multi-stage analysis produces a ranked list of 11 CSFs for SETA programme effectiveness, while the difference in the rankings leads to the emergence of five CSF-specific guiding principles (to increase the likelihood of delivering an effective SETA programme within an organisational context). This analysis also reveals that most of the contradictions/differences in CSF rankings between IS/cyber security practitioners are linked to the design phase of the SETA programme life cycle. While two CSFs, “maintain quarterly evaluation of employee performance” (CSF-DS6) and “build security awareness campaigns” (CSF-EV1), represent the most significant contradiction in this study.

The 11 CSFs for SETA programme effectiveness, along with the five CSF-specific guiding principles, provide a greater depth of knowledge contributing to both theory and practice and lays the foundation for future studies. Therefore, the outputs of this study provide valuable insights on the areas that practice needs to get right to deliver effective SETA programmes.

Information systems' security is more critical than ever before since security threats are rapidly growing. Before putting in place information systems' security measures, organizations are required to determine the maturity level of their information security governance. Literature review reveals that there is no recent study on information systems' security maturity level of banks in Ethiopia. This study thus seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators.

Four private banks are selected as a representative sample. The system security engineering capability maturity model (SSE-CMM) is used as the maturity measurement criteria, and the measurement was based on ISO/IEC 27001 information security control areas. The data for the study were gathered using a questionnaire.

A total of 93 valid questionnaires were gathered from 110 participants in the study. Based on the SSE-CMM maturity model assessment criteria the private banking industry's current maturity level is level 2 (repeatable but intuitive). Institutions have a pattern that is repeated when completing information security operations but its existence was not thoroughly proven and institutional inconsistency still exists.

This study seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators. This topic has not been attempted previously in the context of Ethiopian financial sector.

There is widespread concern about the fact that small- and medium-sized enterprises (SMEs) seem to be particularly vulnerable to cyberattacks. This is perhaps because smaller businesses lack sufficient situational awareness to make informed decisions in this space, or because they lack the resources to implement security controls and precautions.

In this paper, Endsley’s theory of situation awareness was extended to propose a model of SMEs’ cyber situational awareness, and the extent to which this awareness triggers the implementation of cyber security measures. Empirical data were collected through an online survey of 361 UK-based SMEs; subsequently, the authors used partial least squares modeling to validate the model.

The results show that heightened situational awareness, as well as resource availability, significantly affects SMEs’ implementation of cyber precautions and controls.

While resource limitations are undoubtedly a problem for SMEs, their lack of cyber situational awareness seems to be the area requiring most attention.

The findings of this study are reported and recommendations were made that can help to improve situational awareness, which will have the effect of encouraging the implementation of cyber security measures.

This is the first study to apply the situational awareness theory to understand why SMEs do not implement cyber security best practice measures.

As evident from the literature review, the research on cyber security performance is centered on security metrics, maturity models, etc. Essentially, all these are helpful for evaluating the efficiency of cyber security organization but what matters is how the factors of internal efficiency affect the business performance, i.e. the external effectiveness. The purpose of this research paper is to derive the factors of internal efficiency and external effectiveness of cyber security and develop impact model to identify the most and least preferred parameters of internal efficiency with respect to all the parameters of external effectiveness.

There are two objectives for this research: Deriving the factors of internal efficiency and external effectiveness of cyber security; Developing a model to identify the impact of internal efficiency factors on the external effectiveness of cyber security since there is not much evidence of research in defining the factors of internal efficiency and external effectiveness of cyber security, the authors have chosen grounded theory methodology (GTM) to derive the parameters. In this study emic approach of GTM is followed and an algorithm is developed for administering the grounded theory research process. For the second research objective survey methodology and rank order was used to formulate the impact model. Two different samples and questionnaires were designed for each of the objectives.

For the objective 1, 11 factors of efficiency and 10 factors of effectiveness were derived. These are used as independent and dependent variable respectively in the later part of the research for the second objective. For the objective 2 the impact models among independent and dependent variables were formulated to find out the following. Most and least preferred parameters lead to internal efficiency of cyber security organization to identify the most and least preferred parameters of internal efficiency with respect to all the parameters external effectiveness.

The factors of internal efficiency and external effectiveness constructed by using grounded theory cannot remain constant in the long run, because of dynamism of the domain itself. Over and above this, there are inherent limitations of the tools like grounded theory, used in the research. Few important limitations of GTM are as below in grounded theory, it is comparatively difficult to maintain and demonstrate the rigors of research discipline. The sheer volume of data makes the analysis and interpretation complex, and lengthy time consuming. The researchers’ presence during data gathering, which is often unavoidable and desirable too in qualitative research, may affect the subjects’ responses. The subjectivity of the data leads to difficulties in establishing reliability and validity of approaches and information. It is difficult to detect or to prevent researcher-induced bias.

The internal efficiency and external effectiveness factors of cyber security can be further correlated by the future researchers to understand the correlations among all the factors and predict cyber security performance. The grounded theory algorithm developed by us can be further used for qualitative research for deriving theory through abstractions in the areas where there is no sufficient availability of data. Practitioners of cyber security can use this research to focus on relevant areas depending on their respective business objective/requirements. The models developed by us can be used by the future researchers to for various sectoral validations and correlations.

Though the financial costs of a cyber-attack are steep, the social impact of cyber security failures is less readily apparent but can cause lasting damage to customers, employees and the company. Therefore, it is always important to be mindful of how the impact of cyber security affects society as well as the bottom line when they are calculating the potential impact of a breach. Underestimating either impact can destroy a brand. The factor of internal efficiency and external effectiveness derived by us will help stakeholder in focusing on relevant area depending on their business. The impact model developed in this research is very useful for focusing a particular business requirement and accordingly tune the efficiency factor.

During literature study the authors did not find any evidence of application of grounded theory approach in cyber security research. While the authors were exploring research literature to find out some insight into the factor of internal efficiency and external effectiveness of cyber security, the authors did not find concrete and objective research on this. This motivated us to use grounded theory to derive these factors. This, in the authors’ opinion is one of the pioneering and unique contribution to the research as to the authors’ knowledge no researchers have ever tried to use this methodology for the stated purpose and cyber security domain in general. In this process the authors have also developed an algorithm for administering GTM. Further developing impact models using factors of internal efficiency and external effectiveness has lots of managerial and practical implication.