Search results
1 – 10 of over 78000W.J. Brooks, M.J. Warren and W. Hutchinson
Computer security is now recognised as an important consideration in modern business, with a variety of guidelines and standards currently available to enable different business…
Abstract
Computer security is now recognised as an important consideration in modern business, with a variety of guidelines and standards currently available to enable different business environments to be properly protected. However, financial and operational constraints often exist which influence the practicality of these recommendations. New baseline security methods such as Australian and New Zealand Standard (AS/NZS) 4444 and British Standard (BS) 7799 represent minimal standards which organisations can use to improve their security. The aim of the paper is to look at the effectiveness of baseline security standards through the use of an evaluation criteria, which assesses their effectiveness.
Details
Keywords
Stefan Fenz, Stefanie Plieschnegger and Heidi Hobel
The purpose of this paper is to increase the degree of automation within information security compliance projects by introducing a formal representation of the ISO 27002 standard…
Abstract
Purpose
The purpose of this paper is to increase the degree of automation within information security compliance projects by introducing a formal representation of the ISO 27002 standard. As information is becoming more valuable and the current businesses face frequent attacks on their infrastructure, enterprises need support at protecting their information-based assets.
Design/methodology/approach
Information security standards and guidelines provide baseline knowledge for protecting corporate assets. However, the efforts to check whether the implemented measures of an organization adhere to the proposed standards and guidelines are still significantly high.
Findings
This paper shows how the process of compliance checking can be supported by using machine-readable ISO 27002 control descriptions in combination with a formal representation of the organization’s assets.
Originality/value
The authors created a formal representation of the ISO 27002 standard and showed how a security ontology can be used to increase the efficiency of the compliance checking process.
Details
Keywords
The aim of the paper is to highlight gaps in compliance environments regarding information privacy and provide recommendations for global information privacy standards.
Abstract
Purpose
The aim of the paper is to highlight gaps in compliance environments regarding information privacy and provide recommendations for global information privacy standards.
Design/methodology/approach
The paper draws conceptually upon an existing security standard's framework and omissions in information privacy compliance frameworks are recognized. As a result, an extended framework of information security and privacy standards is developed. Moreover, taking into account the different attributes and focus of information privacy as compared to information security, the elicitation of usability criteria for web applications and interfaces that will assist users to protect their privacy, is being proposed.
Findings
Within ICT standards numerous information security standards exist, which enable a common understanding of security requirements and promote global rules and practices for security mechanisms. Through their usage, designed information systems ultimately reach a commonly accepted security level and interoperate with other systems in an efficient and secure way. Nevertheless, a similar compliance environment is missing with regard to information privacy. Often security controls are seen as the solution to privacy protection and security compliance frameworks are regarded as guidance to information privacy as well. This is clearly the wrong approach since the main security and privacy attributes are different; information security refers to information stored, processed and transmitted for completing the information system's functions and purpose, while information privacy is the protection of the information's subject identity.
Research limitations/implications
The identified gaps in compliance environments are based on extensive literature review, while the proposed enhancements for the information privacy standards are, at this stage, an opinion‐based piece of work.
Originality/value
Currently, information privacy is treated mostly as a legal compliance requirement and thus is not adequately handled by security standards. The paper provides recommendations and further guidance in managerial, procedural and technical level for handling information privacy.
Details
Keywords
Aggeliki Tsohou, Spyros Kokolakis, Costas Lambrinoudakis and Stefanos Gritzalis
Recent information security surveys indicate that both the acceptance of international standards and the relative certifications increase continuously. However, it is noted that…
Abstract
Purpose
Recent information security surveys indicate that both the acceptance of international standards and the relative certifications increase continuously. However, it is noted that still the majority of organizations does not know the dominant security standards or does not fully implement them. The aim of this paper is to facilitate the awareness of information security practitioners regarding globally known and accepted security standards, and thus, contribute to their adoption.
Design/methodology/approach
The paper adopts a conceptual approach and results in a classification framework for categorizing available information security standards. The classification framework is built in four layers of abstraction, where the initial layer is founded in ISO/IEC 27001:2005 information security management system.
Findings
The paper presents a framework for conceptualizing, categorizing and interconnecting available information security standards dynamically.
Research limitations/implications
The completeness of the information provided in the paper relies on the pace of standards' publications; thus the information security standards that have been classified in this paper need to be updated when new standards are published. However, the proposed framework can be utilized for this constant effort.
Practical implications
Information security practitioners can benefit by the proposed framework for available security standards and effectively invoke the relevant standard each time. Guidelines for utilizing the proposed framework are presented through a case study.
Originality/value
Although the practices proposed are not innovative by themselves, the originality of this work lies on the best practices' linkage into a coherent framework that can facilitate the standards diffusion and systematic adoption.
Details
Keywords
Lemma Lessa and Daniel Gebrehawariat
This study is aimed at assessing the information security management practice with a focus on banking card security in selected financial institutions in Ethiopia, using an…
Abstract
Purpose
This study is aimed at assessing the information security management practice with a focus on banking card security in selected financial institutions in Ethiopia, using an international information security standard as a benchmark. It is to identify the gaps and recommend best security practices to help financial institutions meet the required security compliance.
Design/methodology/approach
Two financial sectors were purposively selected. A total of twenty-five respondents (IT executives and IT staff) were included in the study. Quantitative data was collected using the PCI-DSS (Payment Card Industry Data Security Standard) security standard questionnaire. In addition, observation and document analysis were made.
Findings
The result shows that most of the essential security management activities in the financial sectors do not comply with the international security standard. Similarly, the level of most of the indispensable security requirements that should be in place is found to be below the acceptable level. The study also revealed major security factors that prohibit the financial sectors from PCI-DSS security standard compliance.
Originality/value
This study assessed the information security management practice with a focus on banking card security and tried to figure out the limitations of security practices of the organizations surveyed based on the standard adopted. The topic has not been well explored especially in the Ethiopia context. Hence, the result can positively influence security policies, particularly in the banking sector.
Details
Keywords
Mohamed Saad Saleh, Abdullah Alrabiah and Saad Haj Bakry
With the widespread of e‐services, provided by different organizations at the internal intranet level, the business extranet level, and the public internet level, compliance with…
Abstract
Purpose
With the widespread of e‐services, provided by different organizations at the internal intranet level, the business extranet level, and the public internet level, compliance with international information security management standards is becoming of increasing importance for establishing a common and safe environment for such services. The purpose of this paper is to examine the development of a mathematical model that enables the investigation of compliance of organizations with the widely acknowledged international information security management standard ISO 17799‐2005.
Design/methodology/approach
The model is based on the strategy, technology, organization, people and environment – STOPE – framework that provides an integrated well‐structured view of the various factors involved. The paper addresses the use of the model for practical investigations; it describes a practical example illustrating possible practical results.
Findings
The results show the strengths and the weaknesses of compliance, with the standard, at different levels: from the level of the measures associated with each of the “131” standard protection controls, up to the level of the STOPE domains.
Originality/value
The paper addresses the use of a mathematical model for practical investigations of compliance with the international information security management standard.
Details
Keywords
Lam‐for Kwok and Dennis Longley
Information security management has been placed on a firmer footing with the publication of standards by national bodies. These standards provide an opportunity for security…
Abstract
Information security management has been placed on a firmer footing with the publication of standards by national bodies. These standards provide an opportunity for security managers to gain senior management recognition of the importance of procedures and mechanisms to enhance information security. They may also place demands on security managers to provide convincing demonstration of conformance to the standards. The risk data repository (RDR) computer model described in this paper was developed to manage organisational information security data and facilitate risk analysis studies. The RDR provides a form of computer documentation that can assist the security officer to maintain a continuous record of the organisational information security scenario and facilitate system security development, business continuity planning and standards conformance audits.
Details
Keywords
Abel Yeboah-Ofori and Francisca Afua Opoku-Boateng
Various organizational landscapes have evolved to improve their business processes, increase production speed and reduce the cost of distribution and have integrated their…
Abstract
Purpose
Various organizational landscapes have evolved to improve their business processes, increase production speed and reduce the cost of distribution and have integrated their Internet with small and medium scale enterprises (SMEs) and third-party vendors to improve business growth and increase global market share, including changing organizational requirements and business process collaborations. Benefits include a reduction in the cost of production, online services, online payments, product distribution channels and delivery in a supply chain environment. However, the integration has led to an exponential increase in cybercrimes, with adversaries using various attack methods to penetrate and exploit the organizational network. Thus, identifying the attack vectors in the event of cyberattacks is very important in mitigating cybercrimes effectively and has become inevitable. However, the invincibility nature of cybercrimes makes it challenging to detect and predict the threat probabilities and the cascading impact in an evolving organization landscape leading to malware, ransomware, data theft and denial of service attacks, among others. The paper explores the cybercrime threat landscape, considers the impact of the attacks and identifies mitigating circumstances to improve security controls in an evolving organizational landscape.
Design/methodology/approach
The approach follows two main cybercrime framework design principles that focus on existing attack detection phases and proposes a cybercrime mitigation framework (CCMF) that uses detect, assess, analyze, evaluate and respond phases and subphases to reduce the attack surface. The methods and implementation processes were derived by identifying an organizational goal, attack vectors, threat landscape, identification of attacks and models and validation of framework standards to improve security. The novelty contribution of this paper is threefold: first, the authors explore the existing threat landscapes, various cybercrimes, models and the methods that adversaries are deploying on organizations. Second, the authors propose a threat model required for mitigating the risk factors. Finally, the authors recommend control mechanisms in line with security standards to improve security.
Findings
The results show that cybercrimes can be mitigated using a CCMF to detect, assess, analyze, evaluate and respond to cybercrimes to improve security in an evolving organizational threat landscape.
Research limitations/implications
The paper does not consider the organizational size between large organizations and SMEs. The challenges facing the evolving organizational threat landscape include vulnerabilities brought about by the integrations of various network nodes. Factor influencing these vulnerabilities includes inadequate threat intelligence gathering, a lack of third-party auditing and inadequate control mechanisms leading to various manipulations, exploitations, exfiltration and obfuscations.
Practical implications
Attack methods are applied to a case study for the implementation to evaluate the model based on the design principles. Inadequate cyber threat intelligence (CTI) gathering, inadequate attack modeling and security misconfigurations are some of the key factors leading to practical implications in mitigating cybercrimes.
Social implications
There are no social implications; however, cybercrimes have severe consequences for organizations and third-party vendors that integrate their network systems, leading to legal and reputational damage.
Originality/value
The paper’s originality considers mitigating cybercrimes in an evolving organization landscape that requires strategic, tactical and operational management imperative using the proposed framework phases, including detect, assess, analyze, evaluate and respond phases and subphases to reduce the attack surface, which is currently inadequate.
Details
Keywords
This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current…
Abstract
Purpose
This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current security management practices, including those following the widely adopted information security standards ISO 27001, 27002, 27003 and 27005.
Design/methodology/approach
Based on an exhaustive analysis of related literature, the authors identify critical factors influencing employee security behaviour and ISP compliance. The authors use these factors to perform a gap analysis of widely adopted information security standards ISO 27001, 27002, 27003 and 27005 and identify issues not covered or only partially addressed. Drawing on the implications of security behaviour determinants and the identified gaps, the authors provide guidelines which can enhance security management practices.
Findings
The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context, encouraging employees to comply out of habit and considering the cost of compliance. Furthermore, the authors provide guidelines to security managers on enhancing their security management practices when implementing the above ISO Standards.
Practical implications
This study offers guidelines on how to create and design security management practices whilst implementing ISO standards (ISO 27001, ISO 27002, ISO 27003, ISO 27005) so as to enhance ISP compliance.
Originality/value
This study analyses the role and implications of security behaviour determinants, discusses discrepancies and conflicting findings in related literature, provides a gap analysis of commonly used information security standards (ISO 27001, 27002, 27003 and 27005) and proposes guidelines on enhancing security management practices towards improving ISP compliance.
Details
Keywords
Traditionally, information security management standards listing generic means of protection have received a lot of attention in the field of information security management. In…
Abstract
Traditionally, information security management standards listing generic means of protection have received a lot of attention in the field of information security management. In the background a few information security management‐oriented maturity criteria have been laid down. These criteria can be regarded as the latest promising innovations on the information security checklist‐standard family tree. Whereas information security maturity criteria have so far received inadequate attention in information security circles, software maturity endeavours have been the focus of constructive debate in software engineering circles. Aims to analyze what the alternative maturity criteria for developing secure information systems (IS) and software can learn from these debates on software engineering maturity criteria. First, advances a framework synthesized from the information systems (IS) and software engineering literatures, including six lessons that information security maturity criteria can learn from. Second, pores over the existing information security maturity criteria in the light of this framework. Third, presents, on the basis of results of this analysis, implications for practice and research.
Details