Search results

1 – 10 of over 106000
Article
Publication date: 9 November 2015

Sindhuja P N and Anand S. Kunnathur


Abstract

Purpose

This paper aims to discuss the need for a management control system for information security management that encapsulates the technical, formal and informal systems. This motivated the conceptualization of supply chain information security from a management controls perspective. Extant literature on information security mostly focused on technical security and managerial nuances in implementing and enforcing technical security through formal policies and quality standards at an organizational level. However, most of the security mechanisms are difficult to differentiate between businesses, and there is no one common platform to resolve the security issues pertaining to varied organizations in the supply chain.

Design/methodology/approach

The paper was conceptualized based on the review of literature pertaining to information security domain.

Findings

This study analyzed the need and importance of having a higher level of control above the already existing levels so as to cover the inter-organizational context. Also, it is suggested to have a management controls perspective for an all-encompassing coverage to the information security discipline in organizations that are in the global supply chain.

Originality/value

This paper has conceptualized the organizational and inter-organizational challenges that need to be addressed in the context of information security management. It would be difficult to contain the issues of information security management with the existing three levels of controls; hence, having a higher level of security control, namely, the management control that can act as an umbrella to the existing domains of security controls was suggested.

Details

Information & Computer Security, vol. 23 no. 5
Type: Research Article
ISSN: 2056-4961


Article
Publication date: 14 October 2020

Saurabh Kumar, Baidyanath Biswas, Manjot Singh Bhatia and Manoj Dora


Abstract

Purpose

The present study aims to identify and investigate the antecedents of enhanced level of cyber-security at the organisational level from both the technical and the human resource perspective using human–organisation–technology (HOT) theory.

Design/methodology/approach

The study has been conducted on 151 professionals who have expertise in dealing with cyber-security in organisations in sectors such as retail, education, healthcare, etc. in India. The analysis of the data is carried out using partial least squares based structural equation modelling technique (PLS-SEM).

Findings

The results from the study suggest that “legal consequences” and “technical measures” adopted for securing cyber-security in organisations are the most important antecedents for enhanced cyber-security levels in the organisations. The other significant antecedents for enhanced cyber-security in organisations include “role of senior management” and “proactive information security”.

Research limitations/implications

This empirical study has significant implications for organisations as they can take pre-emptive measures by focussing on important antecedents and work towards enhancing the level of cyber-security.

Originality/value

The originality of this research is combining both technical and human resource perspective in identifying the determinants of enhanced level of cyber-security in the organisations.

Details

Journal of Enterprise Information Management, vol. 34 no. 6
Type: Research Article
ISSN: 1741-0398


Article
Publication date: 21 November 2008

Eli Winjum and Bjørn Kjetil Mølmann


Abstract

Purpose

The purpose of this paper is to propose and describe a concept for multilevel security (MLS) that may be advantageous in information systems with a limited number of security levels. The concept should also adapt to information systems with limited capacities.

Design/methodology/approach

Assuming that confidentiality, integrity and availability are mutually independent security attributes of a generic information object, security requirements are modelled as a multidimensional vector space. Each axis represents one dimension of security. An axis is divided into an arbitrary number of levels. The paper shows how rules from the classic MLS models may enforce one‐directional information flow simultaneously and independently along each axis. By controlling flow this way, insecure or undefined states cannot be reached.

Findings

Handling different MLS properties independently enables an effective verification algorithm based on simple logical or binary operations. Verification of rights can be executed within a few clock cycles.

Research limitations/implications

Future research includes formal in‐depth studies of potential applications in databases, sensor information, operating systems and communication networks.

Practical implications

Simple logical port circuits may implement the proposed verification method. The method is well suited for tamper proof devices immune to software‐based attacks.

Originality/value

The paper describes an MLS concept that combines dimensions of security, like confidentiality, integrity and availability. The concept intends to be a “light‐weight” alternative to classic MLS models.

Details

Information Management & Computer Security, vol. 16 no. 5
Type: Research Article
ISSN: 0968-5227


Article
Publication date: 26 April 2011

Jun Sun, Punit Ahluwalia and Kai S. Koong


Abstract

Purpose

This paper seeks to investigate which factors influence user attitudes toward different levels of security measures for protecting data of differing importance. The paper also examines user characteristics including IT proficiency and risk propensity, which give rise to individual differences in such attitudes.

Design/methodology/approach

To capture user attitudes toward a security measure, a construct called “information security readiness” (ISR) and its corresponding measurement items were developed. Observations were collected from a laboratory experiment based on a 2×3 factorial design, with data criticality and security level as the treatment variables. The participants were undergraduate students of a major American university. The moderating effect of data criticality on the relationship between security level and ISR was tested with multi‐group structural equation modeling. In addition to the treatment variables, IT proficiency and risk propensity were included as covariates in the analysis.

Findings

The results revealed a nonlinear relationship between security level and ISR. For data of high criticality, enhancing security level had a positive impact on ISR, but only up to the point perceived as appropriate by the participants. For data of low criticality, the enhancement of security level was perceived as unnecessary. In addition, IT proficiency was found to be a significant covariate, especially when data criticality was high.

Practical implications

In practice, the specification of a security measure requires a trade‐off between the utility of the data protected and the usability of the security method. The measure of ISR provides a means to locate the equilibrium by examining user attitudes across different security levels in relation to a particular level of data criticality. The significance of IT proficiency demonstrates the importance of user training.

Originality/value

This study introduces the ISR construct to capture evaluation, power, and activity dimensions underlying an individual's cognitive beliefs, affective responses, and behavioral inclinations toward the adoption of security measures. The results provide interesting insights into the role of interaction between security level and data criticality in influencing ISR.

Details

Industrial Management & Data Systems, vol. 111 no. 4
Type: Research Article
ISSN: 0263-5577


Article
Publication date: 13 March 2019

Petra Habets, Inge Jeandarme and Harry G. Kennedy

Abstract

Purpose

Criteria to determine in which level of security forensic patients should receive treatment are currently non-existent in Belgium. Research regarding the assessment of security level is minimal and few instruments are available. The DUNDRUM toolkit is a structured clinical judgement instrument that can be used to provide support when determining security level. The purpose of this paper is to investigate the applicability and validity of the DUNDRUM-1 in Flanders.

Design/methodology/approach

The DUNDRUM-1 was scored for 50 male patients admitted at the forensic units in the public psychiatric hospital Rekem. Some files were rated by three researchers who were blind to participants’ security status, resulting in 33 double measurements.

Findings

Almost all files (96 per cent) contained enough information to score the DUNDRUM-1. Average DUNDRUM-1 final judgement scores were concordant with a medium security profile. No difference was found between the current security levels and the DUNDRUM-1 final judgement scores. Inter-rater reliability was excellent for the DUNDRUM-1 final judgement scores. On item level, all items had excellent to good inter-rater reliability with the exception of one item, institutional behaviour, which had an average inter-rater reliability.

Practical implications

The DUNDRUM-1 can be a useful tool in Flemish forensic settings. It has good psychometric properties. More research is needed to investigate the relationship between DUNDRUM-1 scores and security level decisions by the courts.

Originality/value

This is the first study that investigated the applicability of the DUNDRUM-1 in a Belgian setting. Also, a relatively large number of repeated measurements were available to investigate the inter-rater reliability of the DUNDRUM-1.

Details

Journal of Forensic Practice, vol. 21 no. 1
Type: Research Article
ISSN: 2050-8794


Article
Publication date: 7 November 2008

M. Razvi Doomun


Abstract

Purpose

Information security is an integral part of all outsourcing activities and it is important for both the outsourcing company and the vendor to reach agreement as regards what type and what level of information security will be provided by the vendor in relation to the outsourced activities. The purpose of this paper is to evaluate the potential risks and information system (IS) security needs when outsourcing takes place and analyse the different security levels in outsourcing agreements.

Design/methodology/approach

This paper is primarily based on a review of the literature. International security standards and best security practices are analysed and discussed. A multiple level security framework as an effective approach in outsourcing domain is addressed.

Findings

It is found that IS security risks can be effectively identified, monitored and evaluated by the concept of a layered security model that fits best in the complex outsourcing domain. There are three levels of security: first, guidelines of technical security; second, risk analysis; and third, compliance and evaluation criteria, including managing information security.

Originality/value

The approach could be used to integrate IS security with service level agreements. Outsourcing vendors with security certifications, strong security adherence systems and optimal disaster recovery plans will have a competitive edge in the industry.

Details

Business Process Management Journal, vol. 14 no. 6
Type: Research Article
ISSN: 1463-7154


Book part
Publication date: 21 June 2014

Tilman Brück, Olaf J. de Groot and Neil T. N. Ferguson

Abstract

Purpose

The purpose of this study is to define the interactions that determine how secure a society is from terrorism and to propose a method for measuring the threat of terrorism in an objective and spatio-temporally comparable manner.

Methodology/approach

Game-theoretic analysis of the determinants of security and discussion of how to implement these interactions into a measure of security.

Findings

We show that governments concerned with popularity have an incentive to over-invest in security and that, in certain situations, this leads to a deterioration in net security position. Our discussion provides an implementable means for measuring the levels of threat and protection, as well as individuals’ perceptions of both, which we propose can be combined into an objective and scientific measure of security.

Research limitations/implications

The implication for researchers is the suggestion that efficiency, as well as scale of counter-terrorism, is important in determining a country’s overall security position. Furthermore, we suggest that individuals’ perceptions are at least as important in determining suitable counter-terrorism policy as objective measures of protection and threat. The limitations of this research are found in the vast data requirements that any attempt to measure security will need.

Originality/value of the chapter

We propose the first method for objectively measuring the net security position of a country, using economic and econometric means.

Open Access
Article
Publication date: 5 January 2023

Tadele Shimels and Lemma Lessa


Abstract

Purpose

Information systems' security is more critical than ever before since security threats are rapidly growing. Before putting in place information systems' security measures, organizations are required to determine the maturity level of their information security governance. Literature review reveals that there is no recent study on information systems' security maturity level of banks in Ethiopia. This study thus seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators.

Design/methodology/approach

Four private banks are selected as a representative sample. The system security engineering capability maturity model (SSE-CMM) is used as the maturity measurement criteria, and the measurement was based on ISO/IEC 27001 information security control areas. The data for the study were gathered using a questionnaire.

Findings

A total of 93 valid questionnaires were gathered from 110 participants in the study. Based on the SSE-CMM maturity model assessment criteria the private banking industry's current maturity level is level 2 (repeatable but intuitive). Institutions have a pattern that is repeated when completing information security operations but its existence was not thoroughly proven and institutional inconsistency still exists.

Originality/value

This study seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators. This topic has not been attempted previously in the context of Ethiopian financial sector.

Details

International Journal of Industrial Engineering and Operations Management, vol. 5 no. 2
Type: Research Article
ISSN: 2690-6090


Article
Publication date: 4 December 2017

Ferry Koster and Maria Fleischmann

Abstract

Purpose

Previous research leads to contrasting hypotheses about the relationship between extra effort of employees and the level of job security. According to agency theory, job security leads to lower levels of extra effort and social exchange theory argues that extra effort requires job security. The purpose of this paper is to formulate a set of hypotheses based on these theories. Besides considering them as mutually exclusive, they are integrated into a single theoretical framework that argues that both theories can apply, depending on the conditions and social context (in terms of the social security system).

Design/methodology/approach

Data from the International Social Survey Program (2005) including 22 countries from around the globe are analyzed using multilevel analysis.

Findings

The study provides evidence that social security moderates the relationship between job security and extra effort.

Originality/value

This study differs from previous research as it focuses on two sides of insecurity in the workplace and because it analyzes a large data set to include institutional factors.

Details

International Journal of Sociology and Social Policy, vol. 37 no. 13/14
Type: Research Article
ISSN: 0144-333X


Article
Publication date: 1 October 1998

Rossouw von Solms


Abstract

Information security has become very important in most organizations. The main reason for this is that access to information and the associated resources has become easier because of the developments in distributed processing, for example the Internet and electronic commerce. The result is that organizations need to ensure that their information is properly protected and that they maintain a high level of information security. In many cases, organizations demand some proof of adequate information security from business partners before electronic commerce can commence. In this paper, one of the building blocks for a secure IT infrastructure is discussed, namely trusted computer products and systems. A high level explanation of the TCSEC and ITSEC standards forms the latter part of the paper.

Details

Information Management & Computer Security, vol. 6 no. 4
Type: Research Article
ISSN: 0968-5227
