Search results

1 – 10 of over 66000
Article
Publication date: 1 January 1979

G.H. Lawson and Richard Pike

Abstract

Though of fairly recent origin, the capital‐asset pricing model (CAPM) is becoming a dominant influence in the analysis of financial and investment decisions. While continuing to undergo stringent theoretical and empirical examination, the demonstrable explanatory and predictive ability of the CAPM has led to its widespread recognition as the foundation of modern financial management. Though usually attributed to Sharpe, Lintner and Mossin, the origins of the CAPM can be traced back to the celebrated work of Harry Markowitz on portfolio selection.

Details

Managerial Finance, vol. 5 no. 1
Type: Research Article
ISSN: 0307-4358

Article
Publication date: 1 October 1996

Sharman Lichtenstein

Downloads: 4478

Abstract

A risk assessment method is used to carry out a risk assessment for an organization’s information security. Currently, there are many risk assessment methods from which to choose, each exhibiting a variety of problems. For example, methods may take a long time to perform, may rely on subjective estimates for the security input data, may rely heavily on quantification of financial loss due to vulnerability, or may be costly to purchase and use. Discusses requirements for an ideal risk assessment method, and develops and evaluates factors to be considered in the selection method. Empirical research was carried out at two large, Australian organizations, in order to determine and validate factors. These factors should be of use to organizations in the evaluation, selection or development of a risk assessment method. Interesting conclusions are drawn about decision making in organizational information security.

Details

Information Management & Computer Security, vol. 4 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 2 August 2018

Ksenia Chmutina, Peter Fussey, Andrew Dainty and Lee Bosher

Abstract

Purpose

A number of severe weather events have influenced a shift in UK policy concerning how climate-induced hazards are managed. Whilst this shift has encouraged improvements in emergency management and preparedness, the risk of climate change is increasingly becoming securitised within policy discourses, and enmeshed with broader agendas traditionally associated with human-induced threats. Climate change is seen as a security risk because it can impede the development of a nation. The purpose of this paper is to explore the evolution of the securitisation of climate change, and to interrogate how such framings influence a range of conceptual and policy-focused approaches towards both security and climate change.

Design/methodology/approach

Drawing upon the UK context, the paper uses a novel methodological approach combining critical discourse analysis and focus groups with security experts and policymakers.

Findings

The resulting policy landscape appears inexorably skewed towards short-term decision cycles that do little to mitigate longer-term threats to the nation’s assets. Whilst a prominent political action on a global level is required in order to mitigate the root causes (i.e. GHG emissions), national level efforts focus on adaptation (preparedness to the impacts of climate-induced hazards), and are forming part of the security agenda.

Originality/value

These issues are not restricted to the UK: understanding the role of security and its relationship to climate change becomes more pressing and urgent, as it informs the consequences of securitising climate change risks for the development-disaster risk system.

Details

Disaster Prevention and Management: An International Journal, vol. 27 no. 5
Type: Research Article
ISSN: 0965-3562

Article
Publication date: 27 April 2012

Wu He

Downloads: 5546

Abstract

Purpose

The purpose of this paper is to examine social media security risks and existing mitigation techniques in order to gather insights and develop best practices to help organizations address social media security risks more effectively.

Design/methodology/approach

This paper begins by reviewing the disparate discussions in literature on social media security risks and mitigation techniques. Based on an extensive review, some key insights were identified and summarized to help organizations more effectively address social media security risks.

Findings

Many organizations do not have an effective social media security policy in place and are unsure of how to develop effective social media security strategies to mitigate social media security risks. This paper provides guidance to organizations to mitigate social media security risks that may threaten them.

Originality/value

The paper consolidates the fragmented discussion in literature and provides an in‐depth review of social media security risks and mitigation techniques. Practical insights are identified and summarized from an extensive literature review. Sharing these insights has the potential to encourage more discussion on best practices for reducing the risks of social media to organizations.

Article
Publication date: 13 June 2016

Reza Alavi, Shareeful Islam and Haralambos Mouratidis

Downloads: 1235

Abstract

Purpose

The purpose of this paper is to introduce a risk-driven investment process model for analysing human factors that allows information security managers to capture possible risk–investment relationships and to reason about them. The overall success of an information security system depends on analysis of the risks and threats so that appropriate protection mechanisms can be put in place. However, a lack of appropriate analysis of risks may potentially result in the failure of information security systems. Existing literature does not provide adequate guidelines for a systematic process or an appropriate modelling language to support such analysis. This work aims to fill this gap by introducing the process and reasoning about the risks, considering human factors.

Design/methodology/approach

To develop a risk-driven investment model along with the activities that support the process. These objectives were achieved through the collection of quantitative and qualitative data utilising requirements engineering and Secure Tropos methods.

Findings

The proposed process and model lead to defining a clear relationship between risks, incidents and investment, and allow organisations to calculate them based on their own figures.

Research limitations/implications

One of the major limitations of this model is that it only supports incident-based investment. This creates some difficulties in presenting it to the executive board. Secondly, because of the nature of human factors, quantification does not exactly reflect the monetary value of the factors.

Practical implications

Applying the information security risk-driven investment model in a real case study shows that it can help organisations apply and use it in other incidents and, more importantly, in incidents in which critical human factors are a grave concern to organisations. The importance of providing a financial justification for seeking investment in information security is clearly highlighted and provided.

Social implications

It has a big social impact that could lead to cost justifications and decision-making processes. This would impact the whole society by helping individuals to keep their data safe.

Originality/value

The novel contribution of this work is to analyse specific critical human factors which have subjective natures in an objective and dynamic domain of risk, security and investment.

Article
Publication date: 12 July 2013

Stefan Taubenberger, Jan Jürjens, Yijun Yu and Bashar Nuseibeh

Abstract

Purpose

In any information security risk assessment, vulnerabilities are usually identified by information‐gathering techniques. However, vulnerability identification errors – wrongly identified or unidentified vulnerabilities – can occur as uncertain data are used. Furthermore, businesses' security needs are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and cost‐effectively. This paper aims to resolve vulnerability errors by analysing the security requirements of information assets in business process models.

Design/methodology/approach

Business process models have been selected for use because there is a close relationship between business process objectives and risks. Security functions are evaluated in terms of the information flow of business processes regarding their security requirements. The claim that vulnerability errors can be resolved was validated by comparing the results of a current risk assessment approach with the proposed approach. The comparison is conducted both at three entities of an insurance company and through a controlled experiment within a survey among security professionals.

Findings

Vulnerability identification errors can be resolved by explicitly evaluating security requirements in the course of business; this is not considered in current assessment methods.

Originality/value

It is shown that vulnerability identification errors occur in practice. With the explicit evaluation of security requirements, identification errors can be resolved. Risk assessment methods should consider the explicit evaluation of security requirements.

Details

Information Management & Computer Security, vol. 21 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 8 October 2018

Nikolaos Argyropoulos, Konstantinos Angelopoulos, Haralambos Mouratidis and Andrew Fish

Abstract

Purpose

The selection of security configurations for complex information systems is a cumbersome process. Decision-making regarding the choice of security countermeasures has to take into consideration a multitude of, often conflicting, functional and non-functional system goals. Therefore, a structured method to support crucial security decisions during a system’s design that can take account of risk whilst providing feedback on the optimal decisions within specific scenarios would be valuable.

Design/methodology/approach

Secure Tropos is a well-established security requirements engineering methodology, but it has no concept of Risk, whilst Constrained Goal Models are an existing method to support relevant automated reasoning tasks. Hence, we bridge these methods by extending Secure Tropos to incorporate the concept of Risk, so that the elicitation and analysis of security requirements can be complemented by a systematic risk assessment process during a system’s design time, and by supporting the reasoning regarding the selection of optimal security configurations with respect to multiple system objectives and constraints, via constrained goal models.

Findings

As a means of conceptual evaluation, to give an idea of the applicability of the approach and to check if alterations may be desirable, a case study of its application to an e-government information system is presented. The proposed approach is able to generate security mechanism configurations for multiple optimisation scenarios that are provided, whilst there are limitations in terms of a natural trade-off of information levels of risk assessment that are required to be elicited.

Originality/value

The proposed approach adds additional value via its flexibility in permitting the consideration of different optimisation scenarios by prioritising different system goals and the automated reasoning support.

Details

Information & Computer Security, vol. 26 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 11 May 2015

Palaniappan Shamala, Rabiah Ahmad, Ali Hussein Zolait and Shahrin bin Sahib

Downloads: 2206

Abstract

Purpose

Information security has become an essential entity for organizations across the globe to eliminate the possible risks in their organizations by conducting information security risk assessment (ISRA). However, the existence of numerous different types of risk assessment methods, standards, guidelines and specifications readily available causes organizations to face the daunting task of determining the most suitable method that would augur well in meeting their needs. Therefore, to overcome this tedious process, this paper suggests a collective information structure model for ISRA.

Design/methodology/approach

The proposed ISRA model was developed by deploying a questionnaire using close-ended questions administrated to a group of information security practitioners in Malaysia (N = 80). The purpose of the survey was to strengthen and add more relevant additional features to the existing framework, as it was developed based on secondary data.

Findings

Previous comparative and analytical studies reveal that all six types of ISRA methodologies have features of the same kind of information with a slight difference in form. Therefore, questionnaires were designed to insert additional features into the research framework. All the additional features chosen were based on a high frequency of agreed responses (more than half) from respondents. The analysis results inspire the generation of a collective information structure model which is more practical in the real environment of the workplace.

Practical implications

Generally, organizations need to make comparisons between methodologies and decide on the best one because of the absence of an agreed reference benchmark in ISRA methodologies. This tedious process leads to unwarranted time, money and energy consumption.

Originality/value

The collective information structure model for ISRA aims to assist organizations in getting a general view of ISRA flow and gathering information on the requirements to be met before risk assessment can be conducted successfully. This model can be conveniently used by organizations to complete all the required planning as well as to select the suitable methods to complete the ISRA.

Details

Journal of Systems and Information Technology, vol. 17 no. 2
Type: Research Article
ISSN: 1328-7265

Article
Publication date: 10 November 2014

Stefan Fenz, Johannes Heurix, Thomas Neubauer and Fabian Pechstein

Downloads: 10223

Abstract

Purpose

The purpose of this paper is to give an overview of current risk management approaches and outline their commonalities and differences, evaluate current risk management approaches regarding their capability of supporting cost-efficient decisions without unnecessary security trade-offs, outline current fundamental problems in risk management based on industrial feedback and academic literature and provide potential solutions and research directions to address the identified problems. Despite decades of research, the information security risk management domain still faces numerous challenges which hinder risk managers from coming up with sound risk management results.

Design/methodology/approach

To identify the challenges in information security risk management, existing approaches are compared against each other, and as a result, an abstracted methodology is derived to align the problem and solution identification to its generic phases. The challenges have been identified based on literature surveys and industry feedback.

Findings

As common problems in implementing information security risk management approaches, we identified the fields of asset and countermeasure inventory, asset value assignment, risk prediction, the overconfidence effect, knowledge sharing and risk vs. cost trade-offs. The reviewed risk management approaches do not explicitly provide mechanisms to support decision makers in making an appropriate risk versus cost trade-off, but we identified academic approaches which fulfill this need.

Originality/value

The paper provides a reference point for professionals and researchers by summing up the current challenges in the field of information security risk management. Therefore, the findings enable researchers to focus their work on the identified real-world challenges and thereby contribute to advance the information security risk management domain in a structured way. Practitioners can use the research results to identify common weaknesses and potential solutions in information security risk management programs.

Details

Information Management & Computer Security, vol. 22 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 2 December 2019

Abhijeet Ghadge, Maximilian Weiß, Nigel D. Caldwell and Richard Wilding

Downloads: 2880

Abstract

Purpose

In spite of growing research interest in cyber security, inter-firm based cyber risk studies are rare. Therefore, this study aims to investigate cyber risk management in supply chain contexts.

Design/methodology/approach

Adapting a systematic literature review process, papers from interdisciplinary areas published between 1990 and 2017 were selected. Different typologies, developed for conducting descriptive and thematic analysis, were established using data mining techniques to conduct a comprehensive, replicable and transparent review.

Findings

The review identifies multiple future research directions for cyber security/resilience in supply chains. A conceptual model is developed, which indicates a strong link between information technology, organisational and supply chain security systems. The human/behavioural elements within cyber security risk are found to be critical; however, behavioural risks have attracted less attention because of a perceived bias towards technical (data, application and network) risks. There is a need for raising risk awareness, standardised policies, collaborative strategies and empirical models for creating supply chain cyber-resilience.

Research limitations/implications

Different types of cyber risks and their points of penetration, propagation levels, consequences and mitigation measures are identified. The conceptual model developed in this study drives an agenda for future research on supply chain cyber security/resilience.

Practical implications

A multi-perspective, systematic study provides a holistic guide for practitioners in understanding cyber-physical systems. The cyber risk challenges and the mitigation strategies identified support supply chain managers in making informed decisions.

Originality/value

To the best of the authors’ knowledge, this is the first systematic literature review on managing cyber risks in supply chains. The review defines supply chain cyber risk and develops a conceptual model for supply chain cyber security systems and an agenda for future studies.