Search results

1 – 10 of 216
Article
Publication date: 7 November 2023

Marko Niemimaa

Abstract

Purpose

The purpose of this research is to study how compliance evaluation is performed in practice. Compliance evaluation is a common practice among organizations that need to evaluate their posture against a set of criteria (e.g. a standard, a legislative framework or “best practices”). The results of these evaluations have significant importance for organizations, especially in the context of information security and continuity. The author argues that how these evaluations are performed is not merely a “social” activity but is shaped by the materiality of the evaluation criteria.

Design/methodology/approach

The author adopts a sociomaterial practice-based view to study compliance evaluation through in situ participant observations from compliance evaluation workshops, in which organizational compliance was evaluated against information security and business continuity criteria. The empirical material was analyzed to construct vignettes that serve to illustrate the practice of compliance evaluation.

Findings

The research analysis shows how the information security and business continuity criteria themselves partake in the compliance evaluations by operating through (ventriloqually) the evaluators on three strata: the material, the textual and the structural. The author also provides a conceptualization of a hybrid agency.

Originality/value

This research addresses the lack of studies on organizational-level compliance. Further, it is an original contribution to information security and business continuity management by focusing on the practices of compliance evaluation. Moreover, the research has theoretical novelty in adopting ventriloqual agency as a hybrid agency to study the sociomateriality of a phenomenon.

Details

Information Technology & People, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 24 May 2023

Siqi Hu, Carol Hsu and Zhongyun Zhou

Abstract

Purpose

Security education, training and awareness (SETA) programs are the key to addressing “people problems” in information systems (IS) security. Contrary to studies using conventional methods, the present study leveraged an “event” lens and dimensionalized employees' perceptions into three sub-dimensions: perceived novelty, perceived disruption and perceived criticality. Moreover, this research went a step further by examining how pedagogical and communication approaches to a SETA program affect employees' perceptions of the program. This study then investigated whether – and if so, how – these approaches impact employees' perceptions of the SETA program and their subsequent commitment to it.

Design/methodology/approach

Utilizing a factorial-based scenario survey, this study empirically tested a model of the above relationships via covariance-based structural equation modeling.

Findings

The results of this research showed that pedagogical approaches were more effective than communication approaches and that employees' perceptions of the SETA program accounted for a large variance in their commitment to SETA.

Originality/value

First, this research deepens understanding of the protection of information assets by elaborating on the different approaches that organizations can take to encourage employees' commitment to SETA. Second, the study enriches the SETA literature by theorizing a SETA program as an organizational “event”, which represents a major shift from the conventional approach. Third, the study adds to the theoretical knowledge of the event lens by extending it to the SETA context and investigating the relationship among three event strength components.

Article
Publication date: 10 October 2023

Stefano De Paoli and Jason Johnstone

Abstract

Purpose

This paper presents a qualitative study of penetration testing, the practice of attacking information systems to find security vulnerabilities so that they can be fixed. The purpose of this paper is to understand whether, and to what extent, penetration testing can reveal various socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by using Routine Activity Theory together with concepts from the phenomenology of information systems.

Design/methodology/approach

The articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consists of 24 qualitative interviews conducted with penetration testers, analysed with thematic analysis.

Findings

The starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how vulnerabilities, which make a target suitable, often emerge from properties of the existing built digital environments. This includes systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although testing is often predicated on planned methodologies, they often resort to serendipitous practices such as improvisation.

Originality/value

This paper contributes to theory, showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from considering that much research on information security focuses on the internal actions of organisations. The study of penetration testing as a proxy of real attacks allows novel insights into socio-organisational factors of information security in organisations.

Details

Information Technology & People, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 10 January 2024

Gaurav Bansal and Zhuoli Axelton

Abstract

Purpose

IT security compliance is critical to the organization’s success, and such compliance depends largely on IT leadership. Considering the prevalence of unconscious gender biases and stereotyping at the workplace and growing female leadership in IT, the authors examine how the internalization of stereotype beliefs, in the form of the employee’s gender, impacts the relationships between leadership characteristics and IT security compliance intentions.

Design/methodology/approach

A controlled experiment using eight different vignettes manipulating Chief Information Officer (CIO) gender (male/female), Information Technology (IT) expertise (low/high) and leadership style (transactional/transformational) was designed in Qualtrics. Data were gathered from MTurk workers from all over the US.

Findings

The findings suggest that both CIOs' and employees' gender play an important role in how IT leadership characteristics – perceived expertise and leadership style – influence the employees' intentions and reactance to comply with CIO security recommendations.

Research limitations/implications

This study's findings enrich the security literature by examining the role of leadership styles on reactance and compliance intentions. They also provide important theoretical implications based on gender stereotype theory alone. First, the glass ceiling effect can be witnessed in how men and women employees demonstrate prejudice against women CIO leaders through their reliance on perceived quadratic CIO IT expertise in forming compliance intentions. Second, this study's findings on gender role internalization show that men and women hold a prejudice against gender-incongruent roles: women employees are least resistant to transactional male CIOs, and men employees are less inclined to comply with transactional female CIOs. These findings confirm those on gender internalization from Hentschel et al. (2019).

Practical implications

This study highlights the significance of organizations and individuals actively promoting gender equality and fostering environments that recognize women's achievements. It also underscores the importance of educating men and women about the societal implications of stereotyping gender roles that go beyond the organizational setting. This research demonstrates that a continued effort is required to eradicate biases stemming from gender stereotypes and foster social inclusion. Such efforts can positively influence how upcoming IT leaders and employees internalize gender-related factors when shaping their identities.

Social implications

This study shows that more work needs to be done to eliminate gender stereotype biases and promote social inclusion to positively impact how future IT leaders and employees shape their identities through internalization.

Originality/value

This study redefines the concept of “sticky floors” to explain how subordinates can hinder and undermine female leaders, thereby contributing to the glass ceiling effect. In addition, the study elucidates how gender roles shape employees' responses to different leadership styles through gender stereotyping and internalization.

Details

Information Technology & People, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 2 August 2024

Asad Ullah Khan, Saeed Ullah Jan, Muhammad Naeem Khan, Fazeelat Aziz, Jan Muhammad Sohu, Johar Ali, Maqbool Khan and Sohail Raza Chohan

Abstract

Purpose

Blockchain, a groundbreaking technology that recently surfaced, is under thorough scrutiny due to its prospective utility across different sectors. This research aims to delve into and assess the cognitive elements that impact the integration of blockchain technology (BT) within library environments.

Design/methodology/approach

Utilizing the Stimulus–Organism–Response (SOR) theory, this research aims to facilitate the implementation of BT within academic institution libraries and provide valuable insights for managerial decision-making. A two-stage deep-learning structural equation modelling and artificial neural network (ANN) analysis was conducted on data gathered from 583 computer experts affiliated with academic institutions across various countries.

Findings

The research model can correspondingly expound 71% and 60% of the variance in trust and adoption intention of BT in libraries, where ANN results indicate that perceived possession is the primary predictor, with a technical capability factor that has a normalized significance of 84%. The study successfully identified the relationship of each variable of our conceptual model.

Originality/value

Unlike the SOR theory framework, which uses a linear model and theoretically assumes that all relationships are significant, this is, to the best of the authors’ knowledge, the first study to successfully validate ANN and SEM in a library context. The results of the two-step PLS–SEM and ANN technique demonstrate that the ANN validates the PLS–SEM analysis. ANN can represent complicated linear and nonlinear connections with higher prediction accuracy than SEM approaches. Also, an importance-performance map analysis of the PLS–SEM data offers a more detailed insight into each factor's significance and performance.

Details

Library Hi Tech, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0737-8831

Article
Publication date: 9 October 2023

Yong Sun, Ya-Feng Zhang, Yalin Wang and Sihui Zhang

Abstract

Purpose

This paper aims to investigate the cooperative governance mechanisms for personal information security, which can help enrich digital governance research and provide a reference for the formulation of protection policies for personal information security.

Design/methodology/approach

This paper constructs an evolutionary game model consisting of regulators, digital enterprises and consumers, which is combined with the simulation method to examine the influence of different factors on personal information protection and governance.

Findings

The results reveal seven stable equilibrium strategies for personal information security within the cooperative governance game system. The non-compliant processing of personal information by digital enterprises can damage the rights and interests of consumers. However, the combination of regulatory measures implemented by supervisory authorities and the rights protection measures enacted by consumers can effectively promote the self-regulation of digital enterprises. The reputation mechanism exerts a restricting effect on the opportunistic behaviour of the participants.

Research limitations/implications

The authors focus on the regulation of digital enterprises and do not consider the involvement of malicious actors such as hackers; they will continue to examine the game with respect to the governance of malicious actors in subsequent research.

Practical implications

This study's results enhance digital governance research and offer a reference for developing policies that protect personal information security.

Originality/value

This paper builds an analytical framework for cooperative governance for personal information security, which helps to understand the decision-making behaviour and motivation of different subjects and to better address issues in the governance for personal information security.

Details

Kybernetes, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0368-492X

Article
Publication date: 15 September 2023

Samuel Ihuoma Nwatu, Edwin Chukwuemeka Arum and Ikechukwu P. Chime

Abstract

Purpose

The purpose of this paper, therefore, is to amplify the imperativeness for a re-oriented regulatory approach that prioritizes constructive engagement with the regulated communities, harnessing the existing pool of savings and retention of market participation.

Design/methodology/approach

The paper adopts a doctrinal legal research design with data drawn from primary and secondary sources of law. The primary sources include case laws and statutes, and the secondary sources include book chapters, journal articles and other internet-sourced materials.

Findings

The paper finds that the status quo in Nigeria, if left to continue, would spell severe economic disaster for Nigeria’s securities administration, whereas a well-structured realignment of the regulations would boost the country’s securities market effectiveness.

Research limitations/implications

The research’s conclusions and suggestions might only be applicable to Nigeria’s particular situation with regard to capital market development and securities regulation. Other nations or regions with distinct regulatory systems, market structures and economic situations may not be able to adopt them immediately, so caution should be exercised when extending the research results outside of the Nigerian environment. For regulatory agencies and policymakers, the research offers insightful suggestions. The analysis may pinpoint certain areas where policy changes are required to address recurring problems and improve the chances for a healthy capital market.

Practical implications

For Nigeria’s regulatory frameworks controlling securities to be strengthened, this paper would be crucial. To make sure they are in line with global best practices, this entails examining and revising current laws, rules and standards. A stronger regulatory environment may also result from the implementation of harsher enforcement procedures and consequences for noncompliance. It is also required for creating market infrastructure, fostering market integration and cooperation, facilitating access to capital, monitoring and evaluation. It would also benefit investor education and protection.

Social implications

Addressing these persistent issues and potential remedies in Nigeria’s capital market development and securities regulation would have various advantageous social effects. These include improved market infrastructure, more financial inclusion, improved investment protection for investors and improved market openness and integrity. Such results will help Nigerian society as a whole by fostering economic expansion, job creation, wealth distribution and general social progress.

Originality/value

This paper is the original work of the authors and has not been published anywhere nor submitted to another journal for publication.

Details

Journal of Financial Crime, vol. 31 no. 4
Type: Research Article
ISSN: 1359-0790

Article
Publication date: 2 August 2024

Amal Tahiri and Fatima Zahra El Arif

Abstract

Purpose

Compliance risk management in the banking sector is crucial because of its multifaceted nature and its potential repercussions on reputation and financial stability. This study aims to present a systematic approach to mapping compliance risks, leveraging the risk self-control assessment (RSCA) method, integrating quantitative and qualitative assessment techniques and drawing on human expertise and industry best practices.

Design/methodology/approach

The authors followed a methodology that involves conducting semistructured interviews with banking compliance professionals and analyzing professional frameworks to gather pertinent information. This comprehensive approach allows the authors to obtain a holistic view of the risks involved and to refine the risk analysis process.

Findings

A step-by-step guide to map compliance risk within banks is proposed. The authors offer a rigorous process to enhance compliance risk management practices within the banking sector, providing actionable insights to effectively navigate regulatory complexities and safeguard financial stability.

Practical implications

The insights from this paper will guide compliance officers and risk managers to better assess and monitor compliance risk within their organizations.

Originality/value

To the best of the authors’ knowledge, this may be the first thorough paper that tackles the topic of mapping compliance risk in banks, from identifying areas of risk to corrective measures after drawing up the risk map, using the RSCA approach.

Details

Journal of Financial Regulation and Compliance, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 1358-1988

Open Access
Article
Publication date: 17 April 2024

Elham Rostami and Fredrik Karlsson

Abstract

Purpose

This paper aims to investigate how congruent keywords are used in information security policies (ISPs) to pinpoint and guide clear actionable advice and suggest a metric for measuring the quality of keyword use in ISPs.

Design/methodology/approach

A qualitative content analysis of 15 ISPs from public agencies in Sweden was conducted with the aid of Orange Data Mining Software. The authors extracted 890 sentences from these ISPs that included one or more of the analyzed keywords. These sentences were analyzed using the new metric – keyword loss of specificity – to assess to what extent the selected keywords were used for pinpointing and guiding actionable advice. Thus, the authors classified the extracted sentences as either actionable advice or other information, depending on the type of information conveyed.

Findings

The results show a significant keyword loss of specificity in relation to pieces of actionable advice in ISPs provided by Swedish public agencies. About two-thirds of the sentences in which the analyzed keywords were used focused on information other than actionable advice. Such dual use of keywords reduces the possibility of pinpointing and communicating clear, actionable advice.

Research limitations/implications

The suggested metric provides a means to assess the quality of how keywords are used in ISPs for different purposes. The results show that more research is needed on how keywords are used in ISPs.

Practical implications

The authors recommend that ISP designers exercise caution when using keywords in ISPs and maintain coherency in their use of keywords. ISP designers can use the suggested metric to assess the quality of actionable advice in their ISPs.

Originality/value

The keyword loss of specificity metric adds to the few quantitative metrics available to assess ISP quality. To the best of the authors’ knowledge, applying this metric is a first attempt to measure the quality of actionable advice in ISPs.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 30 December 2022

Hao Chen and Yufei Yuan

Abstract

Purpose

Protection motivation theory (PMT) explains that the intention to cope with information security risks is based on informed threat and coping appraisals. However, people cannot always make appropriate assessments due to possible ignorance and cognitive biases. This study proposes a research model that introduces four antecedent factors from ignorance and bias perspectives into the PMT model and empirically tests this model with data from a survey of electronic waste (e-waste) handling.

Design/methodology/approach

The data collected from 356 Chinese respondents are analyzed via structural equation modeling (SEM).

Findings

The results revealed that, for threat appraisal, optimistic bias leads to a lower perception of risks, whereas factual ignorance (lack of knowledge of risks) does not significantly affect the perceived threat. For coping appraisal, practical ignorance (lack of knowledge of how to cope with risks) leads to low response efficacy and self-efficacy and high perceptions of coping cost, while the illusion of control leads to overestimation of response efficacy and self-efficacy.

Originality/value

First, this study addresses a new type of information security problem in e-waste handling. Second, this study extends the PMT model by exploring the roles of ignorance and bias as antecedents. Finally, the authors reinvestigate the basic constructs of PMT to identify how rational threat and coping assessments affect user intentions to cope with data security risks.
