Search results
1 – 10 of over 1000Eylem Thron, Shamal Faily, Huseyin Dogan and Martin Freer
Railways are a well-known example of complex critical infrastructure, incorporating socio-technical systems with humans such as drivers, signallers, maintainers and passengers at…
Abstract
Purpose
Railways are a well-known example of complex critical infrastructure, incorporating socio-technical systems with humans such as drivers, signallers, maintainers and passengers at the core. The technological evolution including interconnectedness and new ways of interaction lead to new security and safety risks that can be realised, both in terms of human error, and malicious and non-malicious behaviour. This study aims to identify the human factors (HF) and cyber-security risks relating to the role of signallers on the railways and explores strategies for the improvement of “Digital Resilience” – for the concept of a resilient railway.
Design/methodology/approach
Overall, 26 interviews were conducted with 21 participants from industry and academia.
Findings
The results showed that due to increased automation, both cyber-related threats and human error can impact signallers’ day-to-day operations – directly or indirectly (e.g. workload and safety-critical communications) – which could disrupt the railway services and potentially lead to safety-related catastrophic consequences. This study identifies cyber-related problems, including external threats; engineers not considering the human element in designs when specifying security controls; lack of security awareness among the rail industry; training gaps; organisational issues; and many unknown “unknowns”.
Originality/value
The authors discuss socio-technical principles through a hexagonal socio-technical framework and training needs analysis to mitigate against cyber-security issues and identify the predictive training needs of the signallers. This is supported by a systematic approach which considers both, safety and security factors, rather than waiting to learn from a cyber-attack retrospectively.
Details
Keywords
Per Håkon Meland, Karin Bernsmed, Christian Frøystad, Jingyue Li and Guttorm Sindre
Within critical-infrastructure industries, bow-tie analysis is an established way of eliciting requirements for safety and reliability concerns. Because of the ever-increasing…
Abstract
Purpose
Within critical-infrastructure industries, bow-tie analysis is an established way of eliciting requirements for safety and reliability concerns. Because of the ever-increasing digitalisation and coupling between the cyber and physical world, security has become an additional concern in these industries. The purpose of this paper is to evaluate how well bow-tie analysis performs in the context of security, and the study’s hypothesis is that the bow-tie notation has a suitable expressiveness for security and safety.
Design/methodology/approach
This study uses a formal, controlled quasi-experiment on two sample populations – security experts and security graduate students – working on the same case. As a basis for comparison, the authors used a similar experiment with misuse case analysis, a well-known technique for graphical security modelling.
Findings
The results show that the collective group of graduate students, inexperienced in security modelling, perform similarly as security experts in a well-defined scope and familiar target system/situation. The students showed great creativity, covering most of the same threats and consequences as the experts identified and discovering additional ones. One notable difference was that these naïve professionals tend to focus on preventive barriers, leading to requirements for risk mitigation or avoidance, while experienced professionals seem to balance this more with reactive barriers and requirements for incident management.
Originality/value
Our results are useful in areas where we need to evaluate safety and security concerns together, especially for domains that have experience in health, safety and environmental hazards, but now need to expand this with cybersecurity as well.
Details
Keywords
Lemma Lessa and Daniel Gebrehawariat
This study is aimed at assessing the information security management practice with a focus on banking card security in selected financial institutions in Ethiopia, using an…
Abstract
Purpose
This study is aimed at assessing the information security management practice with a focus on banking card security in selected financial institutions in Ethiopia, using an international information security standard as a benchmark. It is to identify the gaps and recommend best security practices to help financial institutions meet the required security compliance.
Design/methodology/approach
Two financial sectors were purposively selected. A total of twenty-five respondents (IT executives and IT staff) were included in the study. Quantitative data was collected using the PCI-DSS (Payment Card Industry Data Security Standard) security standard questionnaire. In addition, observation and document analysis were made.
Findings
The result shows that most of the essential security management activities in the financial sectors do not comply with the international security standard. Similarly, the level of most of the indispensable security requirements that should be in place is found to be below the acceptable level. The study also revealed major security factors that prohibit the financial sectors from PCI-DSS security standard compliance.
Originality/value
This study assessed the information security management practice with a focus on banking card security and tried to figure out the limitations of security practices of the organizations surveyed based on the standard adopted. The topic has not been well explored especially in the Ethiopia context. Hence, the result can positively influence security policies, particularly in the banking sector.
Details
Keywords
Špela Orehek and Gregor Petrič
The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on…
Abstract
Purpose
The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This study aims to identify and provide an overview of the scales that are used to measure information security culture and to evaluate the rigor of reported scale development and validation procedures.
Design/methodology/approach
Papers that introduce a new or adapt an existing scale of information security culture were systematically reviewed to evaluate scales of information security culture. A standard search strategy was applied to identify 19 relevant scales, which were evaluated based on the framework of 16 criteria pertaining to the rigor of reported operationalization and the reported validity and reliability of the identified scales.
Findings
The results show that the rigor with which scales of information security culture are validated varies greatly and that none of the scales meet all the evaluation criteria. Moreover, most of the studies provide somewhat limited evidence of the validation of scales, indicating room for further improvement. Particularly, critical issues seem to be the lack of evidence regarding discriminant and criterion validity and incomplete documentation of the operationalization process.
Research limitations/implications
Researchers focusing on the human factor in information security need to reach a certain level of agreement on the essential elements of the concept of information security culture. Future studies need to build on existing scales, address their limitations and gain further evidence regarding the validity of scales of information security culture. Further research should also investigate the quality of definitions and make expert assessments of the content fit between concepts and items.
Practical implications
Organizations that aim to assess the level of information security culture among employees can use the results of this systematic review to support the selection of an adequate measurement scale. However, caution is needed for scales that provide limited evidence of validation.
Originality/value
This is the first study that offers a critical evaluation of existing scales of information security culture. The results have decision-making value for researchers who intend to conduct survey-based examinations of information security culture.
Details
Keywords
Julia Slupska and Leonie Maria Tanczer
Technology-facilitated abuse, so-called “tech abuse,” through phones, trackers, and other emerging innovations, has a substantial impact on the nature of intimate partner violence…
Abstract
Technology-facilitated abuse, so-called “tech abuse,” through phones, trackers, and other emerging innovations, has a substantial impact on the nature of intimate partner violence (IPV). The current chapter examines the risks and harms posed to IPV victims/survivors from the burgeoning Internet of Things (IoT) environment. IoT systems are understood as “smart” devices such as conventional household appliances that are connected to the internet. Interdependencies between different products together with the devices' enhanced functionalities offer opportunities for coercion and control. Across the chapter, we use the example of IoT to showcase how and why tech abuse is a socio-technological issue and requires not only human-centered (i.e., societal) but also cybersecurity (i.e., technical) responses. We apply the method of “threat modeling,” which is a process used to investigate potential cybersecurity attacks, to shift the conventional technical focus from the risks to systems toward risks to people. Through the analysis of a smart lock, we highlight insufficiently designed IoT privacy and security features and uncover how seemingly neutral design decisions can constrain, shape, and facilitate coercive and controlling behaviors.
Details
Keywords
Kavya Sharma, Xinhui Zhan, Fiona Fui-Hoon Nah, Keng Siau and Maggie X. Cheng
Phishing attacks are the most common cyber threats targeted at users. Digital nudging in the form of framing and priming may reduce user susceptibility to phishing. This research…
Abstract
Purpose
Phishing attacks are the most common cyber threats targeted at users. Digital nudging in the form of framing and priming may reduce user susceptibility to phishing. This research focuses on two types of digital nudging, framing and priming, and examines the impact of framing and priming on users' behavior (i.e. action) in a cybersecurity setting. It draws on prospect theory, instance-based learning theory and dual-process theory to generate the research hypotheses.
Design/methodology/approach
A 3 × 2 experimental study was carried out to test the hypotheses. The experiment consisted of three levels for framing (i.e. no framing, negative framing and positive framing) and two levels for priming (i.e. with and without priming).
Findings
The findings suggest that priming users to information security risks reduces their risk-taking behavior, whereas positive and negative framing of information security messages regarding potential consequences of the available choices do not change users' behavior. The results also indicate that risk-averse cybersecurity behavior is associated with greater confidence with the action, greater perceived severity of cybersecurity risks, lower perceived susceptibility to cybersecurity risks resulting from the action and lower trust in the download link.
Originality/value
This research shows that digital nudging in the form of priming is an effective way to reduce users' exposure to cybersecurity risks.
Details
Keywords
Stefan Fenz and Thomas Neubauer
The purpose of this paper is to provide a method to formalize information security control descriptions and a decision support system increasing the automation level and…
Abstract
Purpose
The purpose of this paper is to provide a method to formalize information security control descriptions and a decision support system increasing the automation level and, therefore, the cost efficiency of the information security compliance checking process. The authors advanced the state-of-the-art by developing and applying the method to ISO 27002 information security controls and by developing a semantic decision support system.
Design/methodology/approach
The research has been conducted under design science principles. The formalized information security controls were used in a compliance/risk management decision support system which has been evaluated with experts and end-users in real-world environments.
Findings
There are different ways of obtaining compliance to information security standards. For example, by implementing countermeasures of different quality depending on the protection needs of the organization. The authors developed decision support mechanisms which use the formal control descriptions as input to support the decision-maker at identifying the most appropriate countermeasure strategy based on cost and risk reduction potential.
Originality/value
Formalizing and mapping the ISO 27002 controls to the security ontology enabled the authors to automatically determine the compliance status and organization-wide risk-level based on the formal control descriptions and the modelled environment, including organizational structures, IT infrastructure, available countermeasures, etc. Furthermore, it allowed them to automatically determine which countermeasures are missing to ensure compliance and to decrease the risk to an acceptable level.
Details
Keywords
Godwin Thomas and Mary-Jane Sule
This paper proposes a holistic, proactive and adaptive approach to cybersecurity from a service lens, given the continuously evolving cyber-attack techniques, threat and…
Abstract
Purpose
This paper proposes a holistic, proactive and adaptive approach to cybersecurity from a service lens, given the continuously evolving cyber-attack techniques, threat and vulnerability landscape that often overshadow existing cybersecurity approaches.
Design/methodology/approach
Through an extensive literature review of relevant concepts and analysis of existing cybersecurity frameworks, standards and best practices, a logical argument is made to produce a dynamic end-to-end cybersecurity service system model.
Findings
Cyberspace has provided great value for businesses and individuals. The COVID-19 pandemic has significantly motivated the move to cyberspace by organizations. However, the extension to cyberspace comes with additional risks as traditional protection techniques are insufficient and isolated, generally focused on an organization's perimeter with little attention to what is out there. More so, cyberattacks continue to grow in complexity creating overwhelming consequences. Existing cybersecurity approaches and best practices are limited in scope, and implementation strategies, differing in strength and focus, at different levels of granularity. Nevertheless, the need for a proactive, adaptive and responsive cybersecurity solution is recognized.
Originality/value
This paper presents a model that promises proactive, adaptive and responsive end-to-end cybersecurity. The proposed cybersecurity continuity and management model premised on a service system, leveraging on lessons learned from existing solutions, takes a holistic analytical view of service activities from source (service provider) to destination (Customer) to ensure end-to-end security, whether internally (within an organization) or externally.
Details
Keywords
Elina Haapamäki and Jukka Sihvonen
This paper aims to update the cybersecurity-related accounting literature by synthesizing 39 recent theoretical and empirical studies on the topic. Furthermore, the paper provides…
Abstract
Purpose
This paper aims to update the cybersecurity-related accounting literature by synthesizing 39 recent theoretical and empirical studies on the topic. Furthermore, the paper provides a set of categories into which the studies fit.
Design/methodology/approach
This is a synthesis paper that summarizes the research literature on cybersecurity, introducing knowledge from the extant research and revealing areas requiring further examination.
Findings
This synthesis identifies a research framework that consists of the following research themes: cybersecurity and information sharing, cybersecurity investments, internal auditing and controls related to cybersecurity, disclosure of cybersecurity activities and security threats and security breaches.
Practical implications
Academics, practitioners and the public would benefit from a research framework that categorizes the research topics related to cybersecurity in the accounting field. This type of analysis is vital to enhance the understanding of the academic research on cybersecurity and can be used to support the identification of new lines for future research.
Originality/value
This is the first literature analysis of cybersecurity in the accounting field, and it has significant implications for research and practice by detailing, for example, the benefits of and obstacles to information sharing. This synthesis also highlights the importance of the model for cybersecurity investments. Further, the review emphasizes the role of internal auditing and controls to improve cybersecurity.
Details
Keywords
Natile Nonhlanhla Cele and Sheila Kwenda
The purpose of the study is to identify cybersecurity threats that hinder the adoption of digital banking and provide sustainable strategies to combat cybersecurity risks in the…
Abstract
Purpose
The purpose of the study is to identify cybersecurity threats that hinder the adoption of digital banking and provide sustainable strategies to combat cybersecurity risks in the banking industry.
Design/methodology/approach
Systematic literature review guidelines were used to conduct a quantitative synthesis of empirical evidence regarding the impact of cybersecurity threats and risks on the adoption of digital banking.
Findings
A total of 84 studies were initially examined, and after applying the selection and eligibility criteria for this systematic review, 58 studies were included. These selected articles consistently identified identity theft, malware attacks, phishing and vishing as significant cybersecurity threats that hinder the adoption of digital banking.
Originality/value
With the country’s banking sector being new in this area, this study contributes to the scant literature on cyber security, which is mostly in need due to the myriad breaches that the industry has already suffered thus far.
Details