Search results

1 – 10 of over 42000
Article
Publication date: 5 October 2012

Vinod Pathari and Rajendra Sonar

Abstract

Purpose

The information security policy document of an organization needs to be translated into controls and procedures at the implementation level. The technical and business personnel in‐charge of implementing the controls and procedures need to consider a large number of security‐related statements from a heterogeneous pool of security documentation and decide on the implementation plan. The purpose of this paper is to propose an approach to analyze a set of security statements to establish an implicit hierarchy and relative importance among them.

Design/methodology/approach

A set of statements relevant to e‐mail service security is chosen from the classified documentation of an IT firm. The authors contacted the technical person who was the owner of this service to obtain a one‐on‐one comparison between the policies. These policies and their inter‐relationships are represented as a graph. Centrality measures based on the in and out degrees of a node are used to calculate the relative importance of a policy. The authors present an improved approach based on DEMATEL, which considers the level of influence of one policy on another.

Findings

Security statements fall into different categories based on their relative intensity and nature. They could be of high importance or low on one axis and of driving or receiving nature on the other. The driver policies are the action items that could be implemented to satisfy a large number of other security requirements. The policies that are predominantly receiver in nature, for their fulfillment, need many other requirements to be satisfied.

Practical implications

The intense driver policies are the ones to be considered for immediate implementation so as to achieve maximum benefits. If such an action item cannot be implemented at the level of consideration, it needs to be communicated to the appropriate level where it could be addressed effectively. An orphaned policy statement can indicate a high‐level requirement left without any action plan or an unnecessary control. Establishing clear linkages between the implemented controls and the organization's security policy document could be very effective in convincing the employees to adhere to security practices.

Originality/value

Analyzing a set of informal security statements to identify the linkages between them is a novel idea. While other works establish the need for translating the security policy to lower levels of implementation, the authors propose an approach to identify the existence or absence of an effective translation. The graph representation with associated centrality measures, and the application of DEMATEL technique to deduce the nature and intensity of security statements are not yet found in literature.

Article
Publication date: 24 April 2018

Shelby R. Curtis, Jessica Rose Carre and Daniel Nelson Jones

Abstract

Purpose

The purpose of this study was to determine how security statement certainty (overconfident, underconfident and realistic) and behavioral intentions of potential consumers impact the perceptions of companies in the presence or absence of a past security breach.

Design/methodology/approach

The study exposed participants to three types of security statements and randomly assigned them to the presence or absence of a previous breach. Participants then evaluated the company and generated a hypothetical password for that company.

Findings

This study found that the presence or absence of a previous breach had a large impact on company perceptions, but a minimal impact on behavioral intentions to be personally more secure.

Research limitations/implications

The authors found that the presence or absence of a previous breach had a large impact on company perceptions, but minimal impact on behavioral intentions to be personally more secure.

Practical implications

Companies need to be cautious about how much confidence they convey to consumers. Companies should not rely on consumers engaging in secure online practices, even following a breach.

Social implications

Companies need to communicate personal security behaviors to consumers in a way that still instills confidence in the company but encourages personal responsibility.

Originality/value

The confidence of company security statements and presence of a previous breach were examined for their impact on company perception and a novel dependent variable of password complexity.

Details

Managerial Auditing Journal, vol. 33 no. 4
Type: Research Article
ISSN: 0268-6902

Article
Publication date: 1 July 1993

Phillip C. Wright

Abstract

Reports a study which investigated the attitudes, knowledge and practices of CEOs in the computer security area. It was found that a relationship exists between CEO review of policies and the presence or absence of a “well‐designed security programme”. These data suggest that large numbers of corporations remain unprepared to deal adequately with computer crime.

Details

Management Decision, vol. 31 no. 7
Type: Research Article
ISSN: 0025-1747

Article
Publication date: 6 November 2017

Andrew Brady, Brian Breheny, Michelle Gasaway, Stacy Kanter, Michael Zeidel and Monika Zhou

Abstract

Purpose

To explain the US Securities and Exchange Commission’s (SEC’s) June 29, 2017 announcement (as updated August 17, 2017) that the staff of its Division of Corporation Finance will accept draft registration statement submissions from all companies for nonpublic review, thereby expanding a popular benefit previously available only to emerging growth companies (EGCs) under the JOBS Act and, in limited circumstances, to certain foreign private issuers under historical Staff practices.

Design/methodology/approach

Explains the rationale and limitations of the new policy, the existing confidential submission process, the expanded class of issuers and transactions that now qualifies for the nonpublic review process, and content and staff processing details.

Findings

Recognizing that the confidential submission process for EGCs proved highly popular and quickly became standard practice for eligible companies seeking to conduct an IPO, the SEC has made the nonpublic review process available to an expanded class of issuers and transactions. The expanded confidential submission process for IPOs addresses some of the typical concerns associated with engaging in the IPO process by giving a company more time and flexibility to determine whether it actually will be able to achieve the benefits of going public before it incurs the burdens and expenses of doing so.

Originality/value

Practical guidance from experienced securities and corporate finance lawyers.

Article
Publication date: 25 November 2013

Vinod Pathari and Rajendra M. Sonar

Abstract

Purpose

Measurement of information security assurance (ISA) is an important but difficult task. This paper aims to propose a framework, which helps in refining information security requirements into controls whose effectiveness can be measured. This work also provides aggregation techniques to combine these measurements so as to obtain an indicator for ISA at the organizational level.

Design/methodology/approach

A top-down approach of refining security objectives to measurable independent tasks is carried out using assign graph as the model. This captures the various objectives and their interrelationships whose initial values and relative impacts are obtained from experts. Using fuzzy cognitive model (FCM), these initial values are combined together to obtain an indicator for ISA at the firm's level.

Findings

The two applications of the framework revealed that interrelationships do exist between the different controls employed in actual security implementations and that these dependencies are seldom accounted for. When those few controls that are to be measured are clearly identified, the security experts can focus their attention on them and ensure their correct implementation and appropriate measurement. The extent of impact of a single control on the overall security picture of the firm can also be found using this approach.

Research limitations/implications

While the framework is generic, the assurance values obtained are context-sensitive. This is primarily because of the subjectivity involved in assigning impact measures and initial values.

Practical implications

This work helps in answering two difficult questions in information security management: “what to measure?” and “how to quantify the overall security assurance of the organization?” This assists the information security team in identifying and refining those controls that need to be appropriately emphasized. The proposed framework helps the top management in doing “what-if” analysis, thereby aiding their decision-making for information security investments.

Originality/value

The novel framework proposes a top-down approach for security control refinement and a bottom-up approach for combining the confidence values to obtain an indicator for ISA. This work identifies and accommodates the possibilities of having interdependencies between security controls. The proposed aggregation method using FCM is being applied for the first time in information security context and provides convergence even in the presence of cyclic dependencies amongst the controls.

Details

Information Management & Computer Security, vol. 21 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 12 October 2010

Ahmad Abu‐Musa

Abstract

Purpose

This paper seeks to empirically examine the existence and implementation of information security governance (ISG) in Saudi organizations.

Design/methodology/approach

An empirical survey, using a self‐administered questionnaire, is conducted to explore and evaluate the current status and the main features of ISG in the Saudi environment. The questionnaire is developed based on ISG guidelines for boards of directors and executive management issued by the Information Technology (IT) Governance Institute and other related materials available in the literature. A total of 167 valid questionnaires are collected and processed using the Statistical Package for Social Sciences, version 16.

Findings

The results of the study reveal that although the majority of Saudi organizations recognize the importance of ISG as an integrant factor for the success of IT and corporate governance, most of them have no clear information security strategies or written information security policy statements. The majority of Saudi organizations have no disaster recovery plans to deal with information security incidents and emergencies; information security roles and responsibilities are not clearly defined and communicated. The results also show that alignment between ISG and the organization's overall business strategy is relatively poor and not adequately implemented. The results also show that risk assessment procedures are not adequately and effectively implemented, ISG is not a regular item in the board's agenda, and there are no properly functioning ISG processes or performance‐measuring systems in the majority of Saudi organizations. Accordingly, appropriate actions should be taken to improve implementing and measuring the ISG performance in Saudi organizations.

Originality/value

From a practical standpoint, managers and practitioners alike stand to gain from the findings of this study. The results of the paper enable them to better understand and evaluate ISG and to champion IT development for business success in Saudi organizations.

Details

Information Management & Computer Security, vol. 18 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 9 April 2018

Jing Fan, Mingxing Shao, Yafang Li and Xuemei Huang

Abstract

Purpose

The authors position security measures and payment culture as key determinants of perceived security (PS) and trust. The purpose of this paper is to empirically investigate how PS and trust affect users’ attitude toward mobile payment use and why mobile payment has developed differently in the USA and in China.

Design/methodology/approach

Empirical data were collected from a survey conducted both in China and in the USA. The whole sample consists of 186 Chinese and 196 Americans. Partial least squares analysis was conducted to test the proposed relationships and multigroup comparison analysis was performed to examine the differences in the coefficients of those relationships between Chinese and the US model.

Findings

The findings show that payment culture (measured by coverage of mobile payment context (CMPC) and uncertainty avoidance (UA)) and security measures (measured by security technology protection (STP), security rules and policies (SRP), and security responsibility commitment (SRC)) have significantly positive impacts on the PS and trust, except that the positive impact of security on trust is not supported. The impacts of CMPC and PS on trust in the USA are significantly smaller than those in China, whereas the impacts of security measures and UA on PS and trust do not show significant differences between the two countries.

Research limitations/implications

Respondents of this study are selected from young educated population, the major users of mobile payment in 2015. However, recently with the increasing penetration of mobile payment, major mobile payment users are not only limited to young educated population, and thus there may be new findings after extending the range of respondents’ age. Since the research subjects in this study are the mobile payment of China and the USA, the authors could also expect different findings when the research subjects are extended or changed to other countries because of different mobile payment cultures across countries.

Practical implications

Findings in this paper will help mobile payment service providers to know the determinants of their users’ behavior intention and to take measures to improve these determinants, and these findings can also provide mobile payment service providers with insights into the differences in mobile payment use between the two countries and suggestions of measures that they can take to increase users’ attitude toward mobile payment use. Furthermore, the findings of this paper also help these providers globalize efficiently by paying more attention to those antecedents.

Social implications

The findings in this paper show that there is no difference in the impacts of UA and security measures on PS and trust between China and the USA. However, the impacts of PS and CMPC on trust in China are significantly higher than those in the USA. This is because globalization has made people from different countries hold similar UA, whereas the CMPC, a construct that refers to the business environment of mobile payment, is still very different between China and the USA.

Originality/value

This study extends prior studies of attitude toward mobile payment use through proposing that security measures and payment culture are key determinants of PS and trust and examining the role of PS and trust on the attitude. Furthermore, the empirical findings will not only provide mobile payment service providers with important insights into the differences in mobile payment adoption between the two countries, but also help these providers globalize efficiently by paying more attention to those antecedents.

Details

Industrial Management & Data Systems, vol. 118 no. 3
Type: Research Article
ISSN: 0263-5577

Article
Publication date: 1 October 1994

Gerald Shortt and Hein Ruys

Abstract

The mature age market segment in Australia has increased leisure time and disposable income. Many hotels are trying to increase occupancies, particularly in low season, by attempting to attract this market segment. Reports on a survey of the security needs and perceptions of the mature guests and compares the results with research in other settings. The respondents’ views about emerging security practices are also investigated.

Details

International Journal of Contemporary Hospitality Management, vol. 6 no. 5
Type: Research Article
ISSN: 0959-6119

Article
Publication date: 1 August 2002

Clive Vermeulen and Rossouw Von Solms

Abstract

Because of changes that have taken place in the way that IT is used in organisations, as well as the purposes for which it is used, traditional forms of computer security are no longer adequate. Today, information is more important than the IT systems which house it and effective information security management is required to adequately protect this information. The implementation of information security management is, however, a complex process and a methodology for its implementation provided in the form of an interactive software tool, featuring automation of certain steps, would prove valuable to modern organisations.

Details

Information Management & Computer Security, vol. 10 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 24 September 2018

Shaizatulaqma Kamalul Ariffin, Thenmoli Mohan and Yen-Nee Goh

Abstract

Purpose

This paper aims to examine the relationship between six factors of consumers’ perceived risk and consumers’ online purchase intentions. In particular, this study will examine the relationship between financial risk, product risk, security risk, time risk, social risk and psychological risk and online purchase intention.

Design/methodology/approach

Survey method was used for the purpose of data collection, and quantitative analysis was used to test the hypotheses. A total of 350 respondents participated in an online survey, and data were quantitatively analyzed via IBM SPSS Statistics 24.

Findings

The findings from this study suggest consumers’ perceived risks when they intend to purchase online. Five factors of perceived risk have a significant negative influence on consumer online purchase intention, while social risk was found to be insignificant. Among these factors, security risk is the main contributor for consumers to deter from purchasing online.

Practical implications

This study provides useful information to online retailers in electronic commerce (e-commerce) activities. Previous studies show that many online retailers are still facing some risks in online business, and this will affect the transaction and performance of the retailers. It is hoped that the findings can help online retailers to formulate strategies to reduce risks in the online shopping environment, especially security risks for better e-commerce.

Originality/value

The development of online shopping has led to some challenges to consumers, which comprise security of payment, data protection, the validity and enforceability of e-contract, insufficient information disclosure, product quality and enforcement of rights. This issue emerged because many online retailers do not understand the main factors that will contribute to consumers’ perceived risk. Consumers’ perceived risks will influence consumer attitudes toward online shopping and purchase behaviors. Studies on consumers’ perceived risks toward online purchase intentions are still inconclusive. Thus, this paper fills the gap in the research area.

Details

Journal of Research in Interactive Marketing, vol. 12 no. 3
Type: Research Article
ISSN: 2040-7122
