Search results

This paper aims to propose a conceptual model of policy components for software that supports modularizing and tailoring of information security policies (ISPs).

This study used a design science research approach, drawing on design knowledge from the field of situational method engineering. The conceptual model was developed as a unified modeling language class diagram using existing ISPs from public agencies in Sweden.

This study’s demonstration as proof of concept indicates that the conceptual model can be used to create free-standing modules that provide guidance about information security in relation to a specific work task and that these modules can be used across multiple tailored ISPs. Thus, the model can be considered as a step toward developing software to tailor ISPs.

The proposed conceptual model bears several short- and long-term implications for research. In the short term, the model can act as a foundation for developing software to design tailored ISPs. In the long term, having software that enables tailorable ISPs will allow researchers to do new types of studies, such as evaluating the software's effectiveness in the ISP development process.

Practitioners can use the model to develop software that assist information security managers in designing tailored ISPs. Such a tool can offer the opportunity for information security managers to design more purposeful ISPs.

The proposed model offers a detailed and well-elaborated starting point for developing software that supports modularizing and tailoring of ISPs.

This paper aims to investigate how congruent keywords are used in information security policies (ISPs) to pinpoint and guide clear actionable advice and suggest a metric for measuring the quality of keyword use in ISPs.

A qualitative content analysis of 15 ISPs from public agencies in Sweden was conducted with the aid of Orange Data Mining Software. The authors extracted 890 sentences from these ISPs that included one or more of the analyzed keywords. These sentences were analyzed using the new metric – keyword loss of specificity – to assess to what extent the selected keywords were used for pinpointing and guiding actionable advice. Thus, the authors classified the extracted sentences as either actionable advice or other information, depending on the type of information conveyed.

The results show a significant keyword loss of specificity in relation to pieces of actionable advice in ISPs provided by Swedish public agencies. About two-thirds of the sentences in which the analyzed keywords were used focused on information other than actionable advice. Such dual use of keywords reduces the possibility of pinpointing and communicating clear, actionable advice.

The suggested metric provides a means to assess the quality of how keywords are used in ISPs for different purposes. The results show that more research is needed on how keywords are used in ISPs.

The authors recommended that ISP designers exercise caution when using keywords in ISPs and maintain coherency in their use of keywords. ISP designers can use the suggested metrics to assess the quality of actionable advice in their ISPs.

The keyword loss of specificity metric adds to the few quantitative metrics available to assess ISP quality. To the best of the authors’ knowledge, applying this metric is a first attempt to measure the quality of actionable advice in ISPs.

The impact of stress on personal and work-related outcomes has been studied in the information systems (IS) literature across several professions. However, the cybersecurity profession has received little attention despite numerous reports suggesting stress is a leading cause of various adverse professional outcomes. Cybersecurity professionals work in a constantly changing adversarial threat landscape, are focused on enforcement rather than compliance, and are required to adhere to ever-changing industry mandates – a work environment that is stressful and has been likened to a war zone. Hence, this literature review aims to reveal gaps and trends in the current extant general workplace and IS-specific stress literature and illuminate potentially fruitful paths for future research focused on stress among cybersecurity professionals.

Using the systematic literature review process (Okoli and Schabram, 2010), the authors examined the current IS research that studies stress in organizations. A disciplinary corpus was generated from IS journals and conferences encompassing 30 years. The authors analyzed 293 articles from 21 journals and six conferences to retain 77 articles and four conference proceedings for literature review.

The findings reveal four key research opportunities. First, the demands experienced by cybersecurity professionals are distinct from the demands experienced by regular information technology (IT) professionals. Second, it is crucial to identify the appraisal process that cybersecurity professionals follow in assessing security demands. Third, there are many stress responses from cybersecurity professionals, not just negative responses. Fourth, future research should focus on stress-related outcomes such as employee productivity, job satisfaction, job turnover, etc., and not only security compliance among cybersecurity professionals.

This study is the first to provide a systematic synthesis of the IS stress literature to reveal gaps, trends and opportunities for future research focused on stress among cybersecurity professionals. The study presents several novel trends and research opportunities. It contends that the demands experienced by cybersecurity professionals are distinct from those experienced by regular IT professionals and scholars should seek to identify the key characteristics of these demands that influence their appraisal process. Also, there are many stress responses, not just negative responses, deserving increased attention and future research should focus on unexplored stress-related outcomes for cybersecurity professionals.

Research on employee non-/compliance to information security policies suffers from inconsistent results and there is an ongoing discussion about the dominating survey research methodology and its potential effect on these results. This study aims to add to this discussion by investigating discrepancies between what the authors claim to measure (theoretical properties of variables) and what they actually measure (respondents’ interpretations of the operationalized variables). This study asks: How well do respondents’ interpretations of variables correspond to their theoretical definitions? What are the characteristics of any discrepancies between variable definitions and respondent interpretations?

This study is based on in-depth interviews with 17 respondents from the Swedish public sector to understand how they interpret questionnaire measurement items operationalizing the variables Perceived Severity from Protection Motivation Theory and Attitude from Theory of Planned Behavior.

The authors found that respondents’ interpretations in many cases differ substantially from the theoretical definitions. Overall, the authors found four principal ways in which respondents interpreted measurement items – referred to as property contextualization, extension, alteration and oscillation – each implying more or less (dis)alignment with the intended theoretical properties of the two variables examined.

The qualitative method used proved vital to better understand respondents’ interpretations which, in turn, is key for improving self-reporting measurement instruments. To the best of the authors’ knowledge, this study is a first step toward understanding how precise and uniform definitions of variables’ theoretical properties can be operationalized into effective measurement items.

Cybersecurity attacks on critical infrastructures, businesses and nations are rising and have reached the interest of mainstream media and the public’s consciousness. Despite this increased awareness, humans are still considered the weakest link in the defense against an unknown attacker. Whatever the reason, naïve-, unintentional- or intentional behavior of a member of an organization, the result of an incident can have a considerable impact. A security policy with guidelines for best practices and rules should guide the behavior of the organization’s members. However, this is often not the case. This paper aims to provide answers to how cybersecurity-related behavior is assessed.

Research questions were formulated, and a systematic literature review (SLR) was performed by following the recommendations of the Preferred Reporting Items for Systematic Reviews and Meta-Analyses statement. The SLR initially identified 2,153 articles, and the paper reviews and reports on 26 articles.

The assessment of cybersecurity-related behavior can be classified into three components, namely, data collection, measurement scale and analysis. The findings show that subjective measurements from self-assessment questionnaires are the most frequently used method. Measurement scales are often composed based on existing literature and adapted by the researchers. Partial least square analysis is the most frequently used analysis technique. Even though useful insight and noteworthy findings regarding possible differences between manager and employee behavior have appeared in some publications, conclusive answers to whether such differences exist cannot be drawn.

Research gaps have been identified, that indicate areas of interest for future work. These include the development and employment of methods for reducing subjectivity in the assessment of cybersecurity-related behavior.

To the best of the authors’ knowledge, this is the first SLR on how cybersecurity-related behavior can be assessed. The SLR analyzes relevant publications and identifies current practices as well as their shortcomings, and outlines gaps that future research may bridge.

Information security awareness (ISA) mainly refers to those aspects that need to be addressed to effectively respond to information security challenges. This research used focus groups to empirically investigate the main ISA dimensions that emerge from the Italian public health-care sector. This study aims to identify the most critical dimension of ISA and to evaluate the diffusion and maturity of information security policies (ISPs) of health-care infrastructure and training programs.

This research adopted a qualitative research design and focus groups as a research methodology. Data analysis was conducted using the NVIVO 14 software package and followed the principles of thematic analysis.

The focus group results highlighted that health-care personnel find it difficult to comply with the main ISA dimensions, a situation that leads to risky behaviors. Password management, data storage and transfer and instant messaging applications emerged as the most critical of the main ISA dimensions in the context of this research. It also transpired that ISPs are not all-encompassing as they mainly focus on privacy problems but neglect security concerns. Finally, training programs are not fully implemented in the investigated context, thus undermining their positive enhancing role for ISA.

The public health-care sector emerged as a critical yet still under-investigated context. The need for an in-depth investigation of organizational sciences approaches to overcoming information security challenges is also recommended in several prior research studies.

This paper proposes a holistic, proactive and adaptive approach to cybersecurity from a service lens, given the continuously evolving cyber-attack techniques, threat and vulnerability landscape that often overshadow existing cybersecurity approaches.

Through an extensive literature review of relevant concepts and analysis of existing cybersecurity frameworks, standards and best practices, a logical argument is made to produce a dynamic end-to-end cybersecurity service system model.

Cyberspace has provided great value for businesses and individuals. The COVID-19 pandemic has significantly motivated the move to cyberspace by organizations. However, the extension to cyberspace comes with additional risks as traditional protection techniques are insufficient and isolated, generally focused on an organization's perimeter with little attention to what is out there. More so, cyberattacks continue to grow in complexity creating overwhelming consequences. Existing cybersecurity approaches and best practices are limited in scope, and implementation strategies, differing in strength and focus, at different levels of granularity. Nevertheless, the need for a proactive, adaptive and responsive cybersecurity solution is recognized.

This paper presents a model that promises proactive, adaptive and responsive end-to-end cybersecurity. The proposed cybersecurity continuity and management model premised on a service system, leveraging on lessons learned from existing solutions, takes a holistic analytical view of service activities from source (service provider) to destination (Customer) to ensure end-to-end security, whether internally (within an organization) or externally.

This paper aims to examine the effect of dividend regulation on cost stickiness (i.e. the asymmetric change in firm expense between sales increase and sales decrease) and explore the underlying mechanism.

Based on the quasi-natural experiment of the Guideline for Dividend Policy of Listed Companies issued by the Shanghai Stock Exchange (SSE) in 2013, the authors employ a difference-in-difference model to investigate the impact of dividend regulation on cost stickiness.

The authors find that the cost stickiness of treatment group firms has decreased significantly when compared with control group firms after the dividend regulation. Moreover, this effect is more pronounced among firms in lower marketization regions, in lower competition industries and those with less analyst coverage and lower cash flow levels. Further analyses show that dividend regulation reduces the cost stickiness of firms by mitigating agency problems. Finally, the conclusion holds after several robust tests, including controlling for firm fixed effect, propensity score matching (PSM), placebo test and reconstruction of expense variable.

This paper confirms that dividend regulation serves an important role in corporate governance, which reduces firms' agency costs and thereby decreases cost stickiness. The conclusions shed light on the dividend policies of listed companies and capital market regulation in the future.

The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about.

The results are based on a literature review of ISP management research published between 1990 and 2017.

Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare.

Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process.

The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners.

Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.

Amidst the scarcity of resources, it is undisputable that an effective public procurement performance measurement system (PMS) is required particularly in county governments, especially for Kenya to realize its ambitions in devolved governance system. County governments cannot be effectively evaluated on their performance if the long-term, strategic impact of public procurement processes and projects is not captured. Arising from this backdrop, this study aims to determine the predictors of strategic procurement performance metrics (SPPM) adoption in public procurement PMS of county governments.

Anchored on institutional theory and public sector scorecard model, a survey research design was adopted where data were collected through census from 115 respondents working in procurement, finance and stores department of Kakamega county government. Data were collected using questionnaire (75.56% response rate) and key informant interviews, and analyzed by using multiple regression model and ordinal logistic regression models.

Multiple regression model and ordinal logistics regression revealed that national government support negatively and significantly, and regulatory framework positively and significantly affects the adoption of SPPM.

There is need for formal mechanism that will enable the national government in partnership with the council of governors to be proactively involved in developing procurement performance measurement capacity of county governments. This study’s findings also provide suggestions for a working regulatory framework required for the adoption of SPPM by county governments.

This work adds value to the prevailing body of knowledge on public procurement PMS in the public sector.