Search results

1 – 10 of over 4000
Open Access
Article
Publication date: 4 December 2020

Špela Orehek and Gregor Petrič

Abstract

Purpose

The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This study aims to identify and provide an overview of the scales that are used to measure information security culture and to evaluate the rigor of reported scale development and validation procedures.

Design/methodology/approach

Papers that introduce a new or adapt an existing scale of information security culture were systematically reviewed to evaluate scales of information security culture. A standard search strategy was applied to identify 19 relevant scales, which were evaluated based on the framework of 16 criteria pertaining to the rigor of reported operationalization and the reported validity and reliability of the identified scales.

Findings

The results show that the rigor with which scales of information security culture are validated varies greatly and that none of the scales meet all the evaluation criteria. Moreover, most of the studies provide somewhat limited evidence of the validation of scales, indicating room for further improvement. Particularly, critical issues seem to be the lack of evidence regarding discriminant and criterion validity and incomplete documentation of the operationalization process.

Research limitations/implications

Researchers focusing on the human factor in information security need to reach a certain level of agreement on the essential elements of the concept of information security culture. Future studies need to build on existing scales, address their limitations and gain further evidence regarding the validity of scales of information security culture. Further research should also investigate the quality of definitions and make expert assessments of the content fit between concepts and items.

Practical implications

Organizations that aim to assess the level of information security culture among employees can use the results of this systematic review to support the selection of an adequate measurement scale. However, caution is needed for scales that provide limited evidence of validation.

Originality/value

This is the first study that offers a critical evaluation of existing scales of information security culture. The results have decision-making value for researchers who intend to conduct survey-based examinations of information security culture.

Open Access
Article
Publication date: 5 January 2023

Tadele Shimels and Lemma Lessa

Abstract

Purpose

Information systems' security is more critical than ever before since security threats are rapidly growing. Before putting in place information systems' security measures, organizations are required to determine the maturity level of their information security governance. Literature review reveals that there is no recent study on information systems' security maturity level of banks in Ethiopia. This study thus seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators.

Design/methodology/approach

Four private banks are selected as a representative sample. The system security engineering capability maturity model (SSE-CMM) is used as the maturity measurement criteria, and the measurement was based on ISO/IEC 27001 information security control areas. The data for the study were gathered using a questionnaire.

Findings

A total of 93 valid questionnaires were gathered from 110 participants in the study. Based on the SSE-CMM maturity model assessment criteria the private banking industry's current maturity level is level 2 (repeatable but intuitive). Institutions have a pattern that is repeated when completing information security operations but its existence was not thoroughly proven and institutional inconsistency still exists.

Originality/value

This study seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators. This topic has not been attempted previously in the context of Ethiopian financial sector.

Details

International Journal of Industrial Engineering and Operations Management, vol. 5 no. 2
Type: Research Article
ISSN: 2690-6090

Open Access
Article
Publication date: 13 November 2018

Yousaf Ali, Zainab Ahmed Shah and Amin Ullah Khan

Abstract

Purpose

This study aims to cover issues regarding traveling to a tourist destination which has seen war and terrorism. These problems can be addressed altogether, as they are interrelated. Based on tourists’ opinions, this paper aims to focus on measures or steps that can be taken to ensure changing their perceptions about a certain destination.

Design/methodology/approach

This study targets tourism experts for their opinions regarding the measures most necessary to change the perceptions of tourists. Their opinions were extracted through a questionnaire based on three criteria with four alternatives. Furthermore, raw data extracted are studied using the Fuzzy-VIKOR technique to rank the alternatives in order of importance. Moreover, the questionnaire also aims to know the perception of participants by asking them what would make them trust a destination with a history of terrorism.

Findings

The problems captivate the attention of government, guiding them to ensure that they need to focus more on physical security of tourists if they expect tourism industry to thrive. It was found that the steps needed to be taken are in the areas of international trade, cultural exchange programs and social media advertising.

Originality/value

Research based on improving tourist perception of Pakistan to develop Pakistan as a tourist destination is scarce. The study takes four different alternatives into account for image recovery and based on those alternatives, it provides a unique solution to the government in this regard with the necessary steps they need to take and attempts to help the government ensure tourism expansion in the country.

Details

Journal of Tourism Analysis: Revista de Análisis Turístico, vol. 25 no. 2
Type: Research Article
ISSN: 2254-0644

Open Access
Article
Publication date: 31 December 2011

Ji-Young Park, Jung Ung Min and Jeong Soo Park

Abstract

Though logistics security only took care of trading phase in the past, many countries in the world have begun to introduce logistics security system as its coverage has been extended from production stage to delivery at the final destination. Logistics security system has become indispensable element for global corporations involved in international trading and studies on logistics security keep going on. Most of the studies, however, are focused on discussion of system, cost and influence of logistics security and few of them have been specifically dealing with substantial effectiveness thereof. This study developed the models of supply chain security activities and their outcome by means of using Balanced Scorecard (BCS) which is a well known performance indicator to identify relationship between supply chain security activities and their accomplishment. In this study we have presented 8 supply chain frameworks, human resources management, information system management, facilities/freight management, security process, crisis management capability, relationship with partners, sharing of logistics information and logistics security accomplishment, with reference to standards of C-TPAT and AEO based on WCO framework, 10 supply chain security capabilities. This study further indicates that relationship with partners has more effect on logistics security accomplishment than sharing of logistic information. Just as relationship between corporations in chain of supply and sharing of information among them are important elements in management of supply chain, relationship with partners and sharing of logistic information will have positive effect on supply chain security accomplishment and raise its effectiveness.

Details

Journal of International Logistics and Trade, vol. 9 no. 2
Type: Research Article
ISSN: 1738-2122

Open Access
Article
Publication date: 30 June 2007

Nilufer Oral

Abstract

The Black Sea region has become an important energy transit route for Caspian and Russian oil and natural gas to western markets. Since 1996 the quantity of oil exported from the Black Sea through the Turkish Straits and the number of transiting tankers has doubled and will continue to expand. However, these are also two waterways where the risk of either an accidental or intentional disaster is significant, bringing serious repercussions for energy supply security. This paper will analyze measures taken by Black Sea coastal States to provide for secure ports and shipping against accidental and intentional disasters. The paper will examine the role of technology, such as satellite based VTS providers in the Black Sea, implementation of the ISPS Code, the role of the relatively new BlackSeaFor in providing both port and navigational security. The paper will further make recommendations for further improvements for enhancement of security emergency response planning. In addition, the paper will examine current security measures taken by the Turkish Administration for oil transportation through the Turkish Straits.

Details

Journal of International Logistics and Trade, vol. 5 no. 1
Type: Research Article
ISSN: 1738-2122

Open Access
Article
Publication date: 21 December 2021

Martin Karlsson, Fredrik Karlsson, Joachim Åström and Thomas Denk

Abstract

Purpose

This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.

Design/methodology/approach

The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy.

Findings

The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance.

Research limitations/implications

The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance.

Practical implications

Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite of an internal focus, that may have negative ramifications for the information security of organizations.

Originality/value

Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

Open Access
Article
Publication date: 30 December 2022

Durga Prasad Dube and Rajendra Prasad Mohanty

Abstract

Purpose

As evident from the literature review, the research on cyber security performance is centered on security metrics, maturity models, etc. Essentially, all these are helpful for evaluating the efficiency of cyber security organization but what matters is how the factors of internal efficiency affect the business performance, i.e. the external effectiveness. The purpose of this research paper is to derive the factors of internal efficiency and external effectiveness of cyber security and develop impact model to identify the most and least preferred parameters of internal efficiency with respect to all the parameters of external effectiveness.

Design/methodology/approach

There are two objectives for this research: deriving the factors of internal efficiency and external effectiveness of cyber security; and developing a model to identify the impact of internal efficiency factors on the external effectiveness of cyber security. Since there is not much evidence of research in defining the factors of internal efficiency and external effectiveness of cyber security, the authors have chosen grounded theory methodology (GTM) to derive the parameters. In this study, the emic approach of GTM is followed and an algorithm is developed for administering the grounded theory research process. For the second research objective, survey methodology and rank order were used to formulate the impact model. Two different samples and questionnaires were designed for each of the objectives.

Findings

For objective 1, 11 factors of efficiency and 10 factors of effectiveness were derived. These are used as independent and dependent variables, respectively, in the later part of the research for the second objective. For objective 2, the impact models among independent and dependent variables were formulated to find out the following. Most and least preferred parameters lead to internal efficiency of cyber security organization to identify the most and least preferred parameters of internal efficiency with respect to all the parameters of external effectiveness.

Research limitations/implications

The factors of internal efficiency and external effectiveness constructed by using grounded theory cannot remain constant in the long run, because of dynamism of the domain itself. Over and above this, there are inherent limitations of the tools like grounded theory, used in the research. A few important limitations of GTM are as below. In grounded theory, it is comparatively difficult to maintain and demonstrate the rigors of research discipline. The sheer volume of data makes the analysis and interpretation complex, lengthy and time consuming. The researchers’ presence during data gathering, which is often unavoidable and desirable too in qualitative research, may affect the subjects’ responses. The subjectivity of the data leads to difficulties in establishing reliability and validity of approaches and information. It is difficult to detect or to prevent researcher-induced bias.

Practical implications

The internal efficiency and external effectiveness factors of cyber security can be further correlated by the future researchers to understand the correlations among all the factors and predict cyber security performance. The grounded theory algorithm developed by us can be further used for qualitative research for deriving theory through abstractions in the areas where there is no sufficient availability of data. Practitioners of cyber security can use this research to focus on relevant areas depending on their respective business objective/requirements. The models developed by us can be used by the future researchers for various sectoral validations and correlations.

Social implications

Though the financial costs of a cyber-attack are steep, the social impact of cyber security failures is less readily apparent but can cause lasting damage to customers, employees and the company. Therefore, it is always important to be mindful of how the impact of cyber security affects society as well as the bottom line when they are calculating the potential impact of a breach. Underestimating either impact can destroy a brand. The factor of internal efficiency and external effectiveness derived by us will help stakeholder in focusing on relevant area depending on their business. The impact model developed in this research is very useful for focusing a particular business requirement and accordingly tune the efficiency factor.

Originality/value

During literature study the authors did not find any evidence of application of grounded theory approach in cyber security research. While the authors were exploring research literature to find out some insight into the factor of internal efficiency and external effectiveness of cyber security, the authors did not find concrete and objective research on this. This motivated us to use grounded theory to derive these factors. This, in the authors’ opinion is one of the pioneering and unique contribution to the research as to the authors’ knowledge no researchers have ever tried to use this methodology for the stated purpose and cyber security domain in general. In this process the authors have also developed an algorithm for administering GTM. Further developing impact models using factors of internal efficiency and external effectiveness has lots of managerial and practical implication.

Details

Organizational Cybersecurity Journal: Practice, Process and People, vol. 3 no. 1
Type: Research Article
ISSN: 2635-0270

Open Access
Article
Publication date: 15 July 2019

Elina Haapamäki and Jukka Sihvonen

Abstract

Purpose

This paper aims to update the cybersecurity-related accounting literature by synthesizing 39 recent theoretical and empirical studies on the topic. Furthermore, the paper provides a set of categories into which the studies fit.

Design/methodology/approach

This is a synthesis paper that summarizes the research literature on cybersecurity, introducing knowledge from the extant research and revealing areas requiring further examination.

Findings

This synthesis identifies a research framework that consists of the following research themes: cybersecurity and information sharing, cybersecurity investments, internal auditing and controls related to cybersecurity, disclosure of cybersecurity activities and security threats and security breaches.

Practical implications

Academics, practitioners and the public would benefit from a research framework that categorizes the research topics related to cybersecurity in the accounting field. This type of analysis is vital to enhance the understanding of the academic research on cybersecurity and can be used to support the identification of new lines for future research.

Originality/value

This is the first literature analysis of cybersecurity in the accounting field, and it has significant implications for research and practice by detailing, for example, the benefits of and obstacles to information sharing. This synthesis also highlights the importance of the model for cybersecurity investments. Further, the review emphasizes the role of internal auditing and controls to improve cybersecurity.

Details

Managerial Auditing Journal, vol. 34 no. 7
Type: Research Article
ISSN: 0268-6902

Open Access
Article
Publication date: 9 December 2021

Patrick Sven Ulrich, Alice Timmermann and Vanessa Frank

Abstract

Purpose

The starting point for the considerations the authors make in this paper are the special features of family businesses in the area of management discussed in the literature. It has been established here that family businesses sometimes choose different organizational setups than nonfamily businesses. This has not yet been investigated for cybersecurity. In the context of cybersecurity, there has been little theoretical or empirical work addressing the question of whether the qualitative characteristics of family businesses have an impact on the understanding of cybersecurity and the organization of cyber risk defense in the companies. Based on theoretically founded hypotheses, a quantitative empirical study was conducted in German companies.

Design/methodology/approach

The article is based on a quantitative-empirical survey of 184 companies, the results of which were analyzed using statistical-empirical methods.

Findings

The article asked – based on the subjective perception of cybersecurity and cyber risks – to what extent family businesses are sensitized to the topic and what conclusions they draw from it. An interesting tension emerges: family businesses see their employees more as a security risk, but do less than nonfamily businesses in terms of both training and organizational establishment. Whether this is due to a lack of technical or managerial expertise, or whether family businesses simply think they can prevent cybersecurity with less formal methods such as trust, is open to conjecture, but cannot be demonstrated with the research approach taken here. Qualitative follow-up studies are needed here.

Originality/value

This paper represents the first quantitative survey on cybersecurity with a specific focus on family businesses. It shows tension between awareness, especially of risks emanating from employees, and organizational routines that have not been implemented or established.

Details

Organizational Cybersecurity Journal: Practice, Process and People, vol. 2 no. 1
Type: Research Article
ISSN: 2635-0270

Open Access
Article
Publication date: 19 September 2018

Jacobo Ramirez, Claudia Vélez-Zapata and Sergio Madero

Abstract

Purpose

The purpose of this paper is to analyze firms and employees’ strategies in illegitimate institutional contexts in which non-governmental armed groups enforce illegitimate activities in firms and civil society. The aim is to recognize employees as key and effective players in implementing ambidextrous organizational and human resource management (HRM) strategies. We know little regarding employee norms and behaviors in complying with global market standards while surviving in environments characterized by high levels of civil violence and crime.

Design/methodology/approach

This paper presents an explorative, qualitative study based on 65 semi-structured interviews and conversations with employees in Colombia and Mexico over four years.

Findings

The findings of this paper indicate that the presence of non-governmental armed groups forces firms, HR departments and front-line managers to strategically exploit security measures inspired by employees’ informal institutions to protect firm assets while implementing innovative exploration strategies to improve employee work conditions, survive in unsafe environments and remain internationally competitive.

Originality/value

The findings suggest that organization, HRM and employee ambidexterity are organizational advantages in illegitimate institutional contexts. This study contributes to the literature linking ambidexterity and institutional theory by emphasizing informal institutions when examining employment relationships in unsafe environments.

Purpose

The purpose of this paper is to analyze the strategies of firms and employees in illegitimate institutional contexts in which armed groups affect firms and civil society by carrying out unlawful activities. The aim is to recognize employees as key and effective players in implementing organizational ambidexterity and human resource management (HRM) strategies. We know little about the policies, strategies, practices and behaviors employees adopt to comply with global standards and with the responsibilities and duties of their positions while at the same time seeking to survive in contexts with a high level of violence and crime against the population.

Design/methodology/approach

This article presents an exploratory study with a qualitative approach, based on 65 semi-structured interviews and conversations with employees in Colombia and Mexico over a period of four years.

Findings

Our findings indicate that non-governmental armed groups have forced organizations, human resources departments and front-line managers to strategically exploit security measures inspired by informal institutions to protect company assets. In addition, firms have adopted innovative exploratory strategies to improve employees’ working conditions, cope and survive in risky environments and remain internationally competitive.

Originality/value

Our findings suggest that organization, human resource management and employee ambidexterity are an organizational advantage in illegitimate institutional contexts. Our study aims to contribute to the literature linking ambidexterity with institutional theory in order to highlight the role of informal institutions in the analysis of employment relationships in unsafe environments.

Keywords

Informal institutions, Illegitimate institutions, Ambidexterity, Non-governmental armed groups, Colombia, Mexico

Article type – Research paper

Purpose

The purpose of this paper is to analyze the strategies of firms and employees in illegitimate institutional contexts in which armed groups affect firms and civil society by carrying out activities outside the law. The aim is to recognize employees as key and effective players in implementing organizational ambidexterity and human resource management (HRM) strategies. We know little about the policies, strategies, practices and behaviors employees adopt to comply with global standards and with the responsibilities and duties of their positions while at the same time surviving in environments characterized by a high degree of crime and violence toward the civilian population.

Design/methodology/approach

This paper presents an exploratory study from a qualitative perspective, based on 65 semi-structured and conversational interviews with employees in Colombia and Mexico over a period of four years.

Findings

Our findings indicate that armed groups operating outside the law have forced organizations, human resources departments and front-line managers to strategically exploit security measures inspired by informal institutions to protect company assets while implementing innovative exploratory strategies to improve employees’ working conditions, cope and survive in risky and unsafe environments and, at the same time, remain internationally competitive.

Originality/value

Our findings suggest that organization, human resource management and employee ambidexterity are an organizational advantage in illegitimate institutional contexts. Our study aims to contribute to the literature linking ambidexterity and institutional theory by highlighting informal institutions in order to examine relationships in unsafe environments.

Keywords

Informal institutions, Illegitimate institutions, Ambidexterity, Non-governmental armed groups, Colombia, Mexico

Article type

Research paper

Details

Management Research: Journal of the Iberoamerican Academy of Management, vol. 16 no. 2
Type: Research Article
ISSN: 1536-5433
