Search results

This paper aims to explore key management actions for implementing security on the cloud, which is a critical issue as many organizations are moving business processes and data on it. The cloud is a flexible, low cost and highly available technology, but it comes with increased complexity in maintaining the cloud consumer’s security. In this research, a model was built to assist strategic decision-makers in choosing from a diverse range of actions that can be taken to manage cloud security.

Published research from 2010 to 2022 was reviewed to identify alternatives to management actions pertaining to cloud security. Analytical hierarchical process (AHP) was applied to rate the most important action(s). For this, the alternatives, along with selection criteria, were summarized through thematic analysis. To gauge the relative importance of the alternatives, a questionnaire was distributed among cloud security practitioners to poll their opinion. AHP was then applied to the aggregated survey responses.

It was found that the respondents gave the highest importance to aligning information security with business needs. Building a cloud-specific risk management framework was rated second, while the actions: enforce and monitor contractual obligations, and update organizational structure, were rated third and fourth, respectively.

The research takes a general view without catering to specialized industry-based scenarios.

This paper highlights the role of management actions when implementing cloud security. It presents an AHP-based multi-criteria decision-making model that can be used by strategic decision-makers in selecting the optimum mode of action. Finally, the criteria used in the AHP model highlight how each alternative contributes to cloud security.

This paper aims to examine the impact of the assurance and advisory role of internal audit (ADRIA) on organisational, human and technical proactive measures to enhance cybersecurity (CS).

The questionnaire was used to collect data for 97 internal auditors (IAu) from the Gulf Cooperation Council countries. The authors used partial least squares (PLS) to test the hypotheses.

The results show a positive effect of the ADRIA on each of the organisational proactive measures, human proactive measures and technical proactive measures to enhance CS. The study also found a positive effect of the confirmatory role of IA on both human proactive measures and technical proactive measures to enhance CS. No effect of the confirmatory role of IA on the organisational proactive measures is found.

This study focused on only three proactive measures to enhance CS, and this study was limited to the opinions of IAu. In addition, the study was limited to using regression analysis according to the PLS method.

The results of this study show that managers need to consider the influential role of IA as a value-adding activity in reducing CS risks and activating proactive measures. Also, IAu must expand its capabilities, skills and knowledge in CS auditing to provide a bold view of cyber threats. At the same time, the institutions responsible for preparing IA standards should develop standards and guidelines that help IAu to play assurance and advisory roles.

To the best of the authors’ knowledge, this is the first study of its kind that deals with the impact of the assurance and ADRIA on proactive measures to enhance CS. In addition, the study determines the nature of the advisory role and the assurance role of IA to strengthen CS.

This paper aims to examine the conditions under which small and medium enterprises (SMEs) invest in security services when they migrate their e-commerce applications to the cloud environment. Using a risk management perspective, the paper assesses the impact of security service pricing, security incident prevalence and virulence to estimate SME security spending at the market level and draw out implications for SMEs and security service providers.

Security risks are inherently characterized by uncertainty. This study uses a Monte Carlo approach to understand the role of uncertainty in the decision to adopt security services. A model relating key security constructs is assembled based on key constructs from the domain. By manipulating security service costs and security incident types, the model estimates the market-level adoption of services, security incidents and damages incurred, along with measures of their relative dispersion.

Three key findings emerge from this study. First, adoption of services and protection is higher when tiered security services are provided, indicating that SMEs prefer to choose their security services rather than accept uniformly priced products. Second, SMEs are considered price-sensitive, resulting in a maximum level of spending in the market. Third, results indicate that security incidents and damages can be much higher than the mean in some cases, and this should serve as a cautionary note to SMEs.

Security spending has been modeled at the firm level. Adopting a market-level perspective represents a novel contribution. Additionally, the Monte Carlo approach provides managers with tangible measures of uncertainty, affording additional information and insight when making security service adoption decisions.

This paper aims to develop a framework for critical information infrastructure (CII) protection in smart government, an alternative measure for common cybersecurity frameworks such as NIST Cybersecurity Framework and ISO 27001. Smart government is defined as the government administration sector of CII due to its similarity as a core of smart technology.

To ensure the validity of the data, the research methodology used in this paper follows the predicting malfunctions in socio-technical systems (PreMiSTS) approach, a variation of the socio-technical system (STS) approach specifically designed to predict potential issues in the STS. In this study, PreMiSTS was enriched with observation and systematic literature review as its main data collection method, thematic analysis and validation by experts using fuzzy Delphi method (FDM).

The proposed CII protection framework comprises several dimensions: objectives, interdependency, functions, risk management, resources and governance. For all those dimensions, there are 20 elements and 41 variables.

This framework can be an alternative guideline for CII protection in smart government, particularly in government administration services.

The author uses PreMiSTS, a socio-technical approach combined with thematic analysis and FDM, to design a security framework for CII protection. This combination was designed as a mixed-method approach to improve the likelihood of success in an IT project.

This paper aims to explore the factors affecting cybersecurity implementation in organizations in various countries and develop a cybersecurity framework to improve cybersecurity practices within organizations for cybersecurity risk management through a systematic literature review (SLR) approach.

This SLR adhered to RepOrting Standards for Systematics Evidence Syntheses (ROSES) publication standards and used various research approaches. The study’s article selection process involved using Scopus, one of the most important scientific databases, to review articles published between 2014 and 2023.

This review identified the four main themes: individual factors, organizational factors, technological factors and governmental role. In addition, nine subthemes that relate to these primary topics were established.

This research sheds light on the multifaceted nature of cybersecurity by exploring factors influencing implementation and developing an improvement framework, offering valuable insights for researchers to advance theoretical developments, assisting industry practitioners in tailoring cybersecurity strategies to their needs and providing policymakers with a basis for creating more effective cybersecurity regulations and standards.

This study aims to examine the relationship between blockchain technology (BCT) adoption and firm performance (FIP) mediated by cyber-security risk management (CSRM) in the context of Vietnam, a developing country. Besides, the mediating effect of risk-taking tendency (RTT) has been considered in the BCT–CSRM nexus.

Data is collected using a survey questionnaire of Vietnamese financial firms through strict screening steps to ensure the representativeness of the population. The ending pattern of 449 responses has been used for analysis.

The findings of partial least squares structural equation modeling demonstrated that CSRM has a positive effect on FIP and acts as a mediator in the BCT–FIP nexus. Furthermore, RTT moderates the relationship between BCT and CSRM significantly.

This study introduces the attractive attributes of applying BCT to CSRM. Accordingly, managers should rely on BCT and take advantage of it to improve investment resources, business activities and functional areas to enhance their firm's CSRM. Especially, managers should pay attention to enhancing their RTT, which improves FIP.

This study supplements the previous literature in the context of CSRM by indicating favorable effects of BCT and RTT. Additionally, this study identifies the effectiveness of RTT as well as its moderating role. Ultimately, this paper has been managed as a pioneering empirical study that integrates BCT, RTT and CSRM in the same model in a developing country, specifically Vietnam.

This paper aims to identify the critical success factors in improving information security in Ghanaian firms.

Through an exploratory study of both public and private Ghanaian organizations. The study relied on a research model based on the technology–organization–environment (TOE) framework and a survey instrument to collect data from 525 employees. The data was analyzed using partial least squares-structural equation modeling (PLS-SEM).

The findings confirm the role of the technological, organizational and environmental contexts as significant determinants in the implementation of information security in Ghanaian organizations. Results from PLS-SEM analysis demonstrated a positive correlation between the technology component of information security initiative, organization’s internal efforts toward its acceptance and a successful implementation of information security in Ghanaian firms. Top management support and fund allocation among others will result in positive information security initiatives and positive attitudes toward securing the organization’s information assets.

The authors discussed the implications of the authors’ findings for research, practice and policy.

The results of this study will be useful for both governmental and non-governmental organizations in terms of best practices for increasing information security. Results from this study will aid organizations in developing countries to better understand their information security needs and identify the necessary procedures to address them.

This study contributes to filling the knowledge gap in organizational information security research and the TOE framework. Despite the TOE framework being one of the most influential theories in contemporary research of information system domains in an organizational context, there is not enough research linking the domains of information security and the TOE model.

The purpose of this paper is to explore the current practices in security convergence among and between corporate security and cybersecurity processes in commercial enterprises.

This paper is the first phase in a planned multiphase project to better understand current practices in security optimization efforts being implemented by commercial organizations exploring means and methods to operate securely while reducing operating costs. The research questions being examined are: What are the general levels of interest in cybersecurity and corporate security convergence? How well do the perspectives on convergence align between organizations? To what extent are organizations pursuing convergence? and How are organizations achieving the anticipated outcomes from convergence?

In organizations, the evolution to a more optimized security structure, either merged or partnered, was traditionally due to unplanned or unforeseen events; e.g. a spin-off/acquisition, new security leadership or a negative security incident was the initiator. This is in contrast to a proactive management decision or formal plan to change or enhance the security structure for reasons that include reducing costs of operations and/or improving outcomes to reduce operational risks. The dominant exception was in response to regulatory requirements. Preliminary findings suggest that outcomes from converged organizations are not necessarily more optimized in situations that are organizationally merged under a single leader. Optimization may ultimately depend on the strength of relationships and openness to collaboration between management, cybersecurity and corporate security personnel.

This report and the number of respondents to its survey do not support generalizable findings. There are too few in each category to make reliable predictions and in analysis, there was an insufficient quantity of responses in most categories to allow supportable conclusions to be drawn.

Practitioners may find useful contextual clues to their needs for convergence or in response to directives for convergence from this report on what is found in some other organizations.

Improved effectiveness and/or reduced costs for organizational cybersecurity would be a useful social outcome as organizations become more efficient in the face of increasing levels of cyber security threats.

Convergence as a concept has been around for some time now in both the practice and research communities. It was initially promoted formally by ASIS International and ISACA in 2005. Yet there is no universally agreed-upon definition for the term or the practices undertaken to achieve it. In addition, the business drivers and practices undertaken to achieve it are still not fully understood. If convergence or optimization of converged operations offers a superior operational construct compared to other structures, it is incumbent to discover if there are measurable benefits. This research hopes to define the concept of security collaboration optimization more fully. The eventual goal is to develop and promote a tool useful for organizations to measure where they are on such a continuum.

This paper aims to propose a new method to derive custom dynamic cyber risk metrics based on the well-known Goal, Question, Metric (GQM) approach. A framework that complements it and makes it much easier to use has been proposed too. Both, the method and the framework, have been validated within two challenging application domains: continuous risk assessment within a smart farm and risk-based adaptive security to reconfigure a Web application firewall.

The authors have identified a problem and provided motivation. They have developed their theory and engineered a new method and a framework to complement it. They have demonstrated the proposed method and framework work, validating them in two real use cases.

The GQM method, often applied within the software quality field, is a good basis for proposing a method to define new tailored cyber risk metrics that meet the requirements of current application domains. A comprehensive framework that formalises possible goals and questions translated to potential measurements can greatly facilitate the use of this method.

The proposed method enables the application of the GQM approach to cyber risk measurement. The proposed framework allows new cyber risk metrics to be inferred by choosing between suggested goals and questions and measuring the relevant elements of probability and impact. The authors’ approach demonstrates to be generic and flexible enough to allow very different organisations with heterogeneous requirements to derive tailored metrics useful for their particular risk management processes.

A research line has emerged that is concerned with investigating human factors in information systems and cyber-security in organizations using various behavioural and socio-cognitive theories. This study aims to explore human and contextual factors influencing cyber security behaviour in organizations while drawing implications for cyber-security in higher education institutions.

A systematic literature review has been implemented. The reviewed studies have revealed various human and contextual factors that influence cyber-security behaviour in organizations, notably higher education institutions.

This review study offers practical implications for constructing and keeping a robust cyber-security organizational culture in higher education institutions for the sustainable development goals of cyber-security training and education.

The value of the current review arises in that it presents a comprehensive account of human factors affecting cyber-security in organizations, a topic that is rarely investigated in previous related literature. Furthermore, the current review sheds light on cyber-security in higher education from the weakest link perspective. Simultaneously, the study contributes to relevant literature by gaining insight into human factors and socio-technological controls related to cyber-security in higher education institutions.