Search results

1 – 10 of over 36000
Article
Publication date: 12 March 2018

Mathew Nicho

Abstract

Purpose

The frequent and increasingly potent cyber-attacks caused by the lack of an optimal mix of technical and non-technical IT controls have led to increased adoption of security governance controls by organizations. The purpose of this paper, thus, is to construct and empirically validate an information security governance (ISG) process model through the plan–do–check–act (PDCA) cycle model of Deming.

Design/methodology/approach

This descriptive research, using an interpretive paradigm, follows a qualitative methodology based on expert interviews with five respondents working in the ISG domain in the United Arab Emirates (UAE) to validate the theoretical model.

Findings

The findings of this paper suggest the primacy of the PDCA Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding the selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework, with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27K/NIST IT controls to relevant IT controls selected from ISG frameworks, from both a horizontal and a vertical perspective. Respondents also asserted that the measurement and control mechanism should be automated to assist in the feedback loop of the PDCA cycle.

Originality/value

The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research where experts detail the success factors, the sequential steps and justification of these factors in the ISG implementation process.

Details

Information & Computer Security, vol. 26 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 8 June 2015

Sushma Mishra

Abstract

Purpose

The purpose of this study is to develop theoretically grounded and empirically derived organizational security governance (OSG) objectives. Developing OSG objectives poses significant challenges for organizations, considering the ever-increasing vulnerability arising from the lack or misuse of appropriate controls. In recent years, there have been several cases of colossal losses to businesses due to inadequate security governance measures. In many cases, organizations do not even know what their ISG objectives might be. Following an extensive empirical study, this paper proposes 6 fundamental and 17 means objectives for designing security governance. The objectives were developed from the individual values of information technology and security executives across a wide range of firms. The study comprised 52 interview respondents across 9 firms, which resulted in 23 OSG objectives. Theoretically, the study was grounded in Catton’s (1959) value theory and Keeney’s (1992) value-focused thinking. The objectives provide a useful basis for strategic planning for information security governance.

Design/methodology/approach

This research is grounded in the value-focused thinking methodology. Step 1: develop a comprehensive list of personal values underlying the problem being explored. The researcher undertakes extensive interviews, using relevant probes, to elicit the underlying values of respondents. Step 2: convert the listed values to a common form and turn them into objectives. The data collected in Step 1 are collated and presented in a common form, which enables cross-comparison and easy interpretation. Step 3: classify the objectives as means or fundamental for the decision context. Objectives are clustered into groups and then classified as fundamental or means.

Findings

This study uses a value-focused approach to develop OSG objectives. Incorporating individual values in developing governance objectives would facilitate alignment of individual and organizational values about OSG. This study proposes 6 fundamental and 17 means objectives for OSG. The study provides a comprehensive list of OSG objectives that is rooted in the values of stakeholders in an organization.

Originality/value

The main contributions of this study can be classified in two categories. First, it represents a collective set of OSG objectives which touch upon the technical, formal, informal, moral and ethical dimensions of governance. This is a unique, synthesized and cohesive framework for OSG, which incorporates several aspects of OSG into one platform, thus allowing the development of a comprehensive security management program. Second, some of the objectives developed in this research (“establish corporate control strategy”, “establish punitive structure”, “establish clear control development process”, “ensure formal control assessment functionality” and “maximize group cohesiveness”) have not been emphasized enough in the security governance literature.

Details

Information & Computer Security, vol. 23 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 12 March 2018

Rashmi Anand, Sanjay Medhavi, Vivek Soni, Charru Malhotra and D.K. Banwet

Abstract

Purpose

Digital India, the flagship programme of the Government of India (GoI), originated from the National e-Governance Project (NeGP) in the year 2014. The programme has an important information security aspect and implements IT policy that supports e-Governance in a focused Mission Mode approach. In this context, there is a need to assess the situation of the programme, covering a study of the initiatives and actions taken by the various actors involved and of the processes responsible for overall e-Governance. Therefore, the purpose of this case study is to develop a Situation-Actor-Process (SAP), Learning-Action-Performance (LAP) based inquiry model to synthesize the situation of information security governance, IT policy and overall e-Governance.

Design/methodology/approach

In this case study, both systematic-inquiry and matrix-based SAP-LAP models are developed. The actors found responsible for, and engaged in, IT policy framing, infrastructure development and e-Governance implementation are classified. Based on a synthesis of the SAP components, the LAP elements were then synthesized, which in turn led to the learning from the case study. Suitable actions and performance have also been highlighted, followed by a statement of the impact of the efficacy, i.e. the transformation of information security, policy and e-Governance, on the Digital India programme.

Findings

On developing the SAP-LAP framework, it was found that actors like the Ministry of Electronics and Information Technology of the Govt. of India secure a higher rank in implementing various initiatives and central sector schemes to accelerate the agenda of e-Governance. Actions of other preferred actors include more investment in IT infrastructure, policy development and a mechanism to address cyber security threats for effective implementation of e-Governance. It was found that actors should be proactive in enhancing technical skills, capacity building and imparting education related to ICT applications and e-Governance. Decision making should be based on sustainable management practices for e-Governance project implementation, to manage change, policy making and the governmental process of the Indian administration, and also to achieve the Sustainable Development Goals for the Indian economy.

Research limitations/implications

The SAP-LAP synthesis is used to develop the case study. However, other qualitative and quantitative multi-criteria decision-making approaches could also be explored for the development of an IT-security-based e-Governance framework in the Indian context.

Practical implications

The synthesis of SAP leads to LAP components, which can bridge the gaps between information security, IT policy governance and the e-Governance process. Based on the learning from the situation, the case study can provide decision-making support and has an impact on the e-Governance process, i.e. it may enhance awareness of the e-services available to the general public. Such work is required to assess the transparency and accountability of the Government.

Social implications

Learning based on the SAP-LAP framework could provide decision-making support to administrators, policy makers and IT sector stakeholders. Thus, the case study would further help in addressing the research gaps, accelerating e-Governance initiatives and capturing cyber threats.

Originality/value

The SAP-LAP model is found to be an intuitive approach to analyze the present status of information security governance, IT policy and e-Governance in India in a single unitary model.

Details

Information & Computer Security, vol. 26 no. 1
Type: Research Article
ISSN: 2056-4961

Book part
Publication date: 18 November 2020

Julie Berg and Clifford Shearing

Abstract

Policing in much of the developing world has always been, in many respects, both dominated by the nonstate and pluralised. Yet, plurality and the nonstate are predominantly conceptualised, by scholars and practitioners alike, as problematic, noninclusive and/or undemocratic. The reality is far more complex than this. In this chapter, we turn the tables on conventional wisdom by looking to the positive features of plural or polycentric forms of security governance, asking how these features might be utilised to provide for more inclusive forms of security governance in the Global South. Drawing on empirical research in South Africa on plural policing arrangements, this chapter considers how Sustainable Development Goal 16, which seeks to ‘promote peaceful and inclusive societies’, might be realised within plural governance systems. This chapter seeks to demonstrate that certain conditions need to be in place for plural or polycentric systems of security governance to co-provide effective and inclusive security for the collective good and, furthermore, that the positive features of the nonstate can be harnessed to give effect to the SDGs.

Details

The Emerald Handbook of Crime, Justice and Sustainable Development
Type: Book
ISBN: 978-1-78769-355-5

Article
Publication date: 4 March 2014

Sanjay Bahl and O.P. Wali

Abstract

Purpose

Information security is a growing concern in society, across businesses and government. As the offshore IT services market continues to grow, providing numerous benefits, there are also perceived risks with respect to the quality of information security delivered in the supply chain. This paper aims to examine, as a case, the perceptions of Indian software services provider (service provider) employees with respect to information security governance and its impact on the information security service quality that is delivered to customers.

Design/methodology/approach

The paper provides a framework built upon the existing dimensions and instruments for total quality management and service quality, suitably modified to reflect the context of information security. SmartPLS, a structural equation modelling tool, has been used to analyse field survey data collected from various Indian cities and companies.

Findings

A significant finding is that information security governance in an IT outsourcing company providing software services has a highly significant impact on information security service quality, which can be predicted. The paper also establishes that there is a positive collective relationship between the elements of information security governance and information security service quality.

Research limitations/implications

Since the data used in this study were taken solely from the responses of employees of outsourced service companies in India, the study does not show whether this translates into service improvements as perceived by the customer.

Practical implications

Information security governance should be made an integral part of corporate governance, and is an effective strategic technique if software outsourcing enterprises want to achieve a competitive edge, provide client satisfaction and create trust.

Originality/value

The paper presents empirical data validation of the connection between information security governance and quality of service.

Details

Information Management & Computer Security, vol. 22 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 12 October 2010

Ahmad Abu‐Musa

Abstract

Purpose

This paper seeks to empirically examine the existence and implementation of information security governance (ISG) in Saudi organizations.

Design/methodology/approach

An empirical survey, using a self-administered questionnaire, is conducted to explore and evaluate the current status and the main features of ISG in the Saudi environment. The questionnaire is developed based on ISG guidelines for boards of directors and executive management issued by the Information Technology (IT) Governance Institute and other related materials available in the literature. A total of 167 valid questionnaires are collected and processed using the Statistical Package for Social Sciences, version 16.

Findings

The results of the study reveal that although the majority of Saudi organizations recognize the importance of ISG as an integral factor for the success of IT and corporate governance, most of them have no clear information security strategies or written information security policy statements. The majority of Saudi organizations have no disaster recovery plans to deal with information security incidents and emergencies, and information security roles and responsibilities are not clearly defined and communicated. The results also show that alignment between ISG and the organization's overall business strategy is relatively poor and not adequately implemented. The results further show that risk assessment procedures are not adequately and effectively implemented, that ISG is not a regular item on the board's agenda, and that there are no properly functioning ISG processes or performance-measuring systems in the majority of Saudi organizations. Accordingly, appropriate actions should be taken to improve the implementation and measurement of ISG performance in Saudi organizations.

Originality/value

From a practical standpoint, managers and practitioners alike stand to gain from the findings of this study. The results of the paper enable them to better understand and evaluate ISG and to champion IT development for business success in Saudi organizations.

Details

Information Management & Computer Security, vol. 18 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 24 September 2019

Karen Renaud, Basie Von Solms and Rossouw Von Solms

Abstract

Purpose

The purpose of this paper is to position the preservation and protection of intellectual capital as a cyber security concern. The paper outlines the security requirements of intellectual capital to help boards of directors (BoDs) and executive management teams to understand their responsibilities and accountabilities in this respect.

Design/methodology/approach

The research methodology is desk research. In other words, we gathered facts and existing research publications that helped us to define key terms, to formulate arguments to convince BoDs of the need to secure their intellectual capital and to outline actions to be taken by BoDs to do so.

Findings

Intellectual capital, as a valuable business resource, is related to information, knowledge and cyber security. Hence, preservation thereof is also related to cyber security governance and merits attention from BoDs.

Research limitations/implications

This paper clarifies BoDs' intellectual capital governance responsibilities, which encompass information, knowledge and cyber security governance.

Practical implications

The authors hope that BoDs will benefit from the clarifications, and especially from the positioning of intellectual capital in cyber space.

Social implications

If BoDs know how to embrace their intellectual capital governance responsibilities, this will help to ensure that such intellectual capital is preserved and secured.

Originality/value

This paper extends a previous paper published by Von Solms and Von Solms, which clarified the key terms of information and cyber security, and the governance thereof. The originality and value is the focus on the securing of intellectual capital, a topic that has not yet received a great deal of attention from security researchers.

Details

Journal of Intellectual Capital, vol. 20 no. 5
Type: Research Article
ISSN: 1469-1930

Open Access
Article
Publication date: 11 September 2017

Michel van Eeten

Abstract

Purpose

The issue of cybersecurity has been cast as the focal point of a fight between two conflicting governance models: the nation-state model of national security and the global governance model of multi-stakeholder collaboration, as seen in forums like IGF, IETF, ICANN, etc. There is a strange disconnect, however, between this supposed fight and the actual control over cybersecurity “on the ground”. This paper aims to reconnect discourse and control via a property rights approach, where control is located first and foremost in ownership.

Design/methodology/approach

This paper first conceptualizes current governance mechanisms through ownership and property rights. These concepts locate control over internet resources. They also help us understand ongoing shifts in control. Such shifts in governance are actually happening; security governance is being patched left and right, but these arrangements bear little resemblance to either the national security model of states or the global model of multi-stakeholder collaboration. With the conceptualization in hand, the paper then presents case studies of governance that have emerged around specific security externalities.

Findings

While not all mechanisms are equally effective, in each of the studied areas, the author found evidence of private actors partially internalizing the externalities, mostly on a voluntary basis and through network governance mechanisms. No one thinks that this is enough, but it is a starting point. Future research is needed to identify how these mechanisms can be extended or supplemented to further improve the governance of cybersecurity.

Originality/value

This paper bridges the disconnected research communities on governance and (technical) cybersecurity.

Details

Digital Policy, Regulation and Governance, vol. 19 no. 6
Type: Research Article
ISSN: 2398-5038

Article
Publication date: 12 March 2018

Basie von Solms and Rossouw von Solms

Abstract

Purpose

The purpose of this paper is to define cybersecurity and cybersecurity governance in simplified terms – to explain to the boards of directors and executive management their responsibilities and accountabilities in this regard.

Design/methodology/approach

The primary research methodology utilized in this paper is desk research. A literature study is followed by some discussion in terms of the contribution made.

Findings

The paper clearly defines the relationship between cybersecurity and information security, especially from a governance perspective.

Research limitations/implications

The paper is based predominantly on an ISO standard.

Originality/value

The paper simplifies the terminology to be used in the governance of cybersecurity and provides guidance to boards of directors regarding their duties and responsibilities as far as cybersecurity is concerned.

Details

Information & Computer Security, vol. 26 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 9 February 2022

Ivano Bongiovanni, Karen Renaud, Humphrey Brydon, Renette Blignaut and Angelo Cavallo

Abstract

Purpose

Boards of Directors and other organisational leaders make decisions about the information security governance systems to implement in their companies. The increasing number of cyber-breaches targeting businesses makes this activity inescapable. Recently, researchers have published comprehensive lists of recommended cyber measures, specifically to inform organisational boards. However, the young cybersecurity industry has still to confirm and refine these guidelines. As a starting point, it would be helpful for organisational leaders to know what other organisations are doing in terms of using these guidelines. In an ideal world, bespoke surveys would be developed to gauge adherence to guidelines, but this is not always feasible. What we often do have is data from existing cybersecurity surveys. The authors argue that such data could be repurposed to quantify adherence to existing information security guidelines, and this paper aims to propose, and test, an original methodology to do so.

Design/methodology/approach

The authors propose a quantification mechanism to measure the degree of adherence to a set of published information security governance recommendations and guidelines targeted at organisational leaders. The authors test their quantification mechanism using a data set collected in a survey of 156 Italian companies on information security and privacy.

Findings

The evaluation of the proposed mechanism appears to align with findings in the literature, indicating the validity of the present approach. An analysis of how different industries rank in terms of their adherence to the selected set of recommendations and guidelines confirms the usability of our repurposed data set to measure adherence.

Originality/value

To the best of the authors’ knowledge, a quantification mechanism such as the one proposed in this study has never been proposed, and tested, in the literature. It suggests a way to repurpose survey data to determine the extent to which companies are implementing measures recommended by published cybersecurity guidelines. In this way, the proposed mechanism responds to increasing calls for the adoption of research practices that minimise waste of resources and enhance research sustainability.
