Search results
1 – 10 of 917
Muhammad Adnan, Mike Just, Lynne Baillie and Hilmi Gunes Kayacik
Abstract
Purpose
The purpose of this paper is to investigate the work practices of network security professionals and to propose a new and robust work practices model of these professionals.
Design/methodology/approach
The proposed work practices model is composed by combining the findings of ten notable empirical studies performed so far this century. The proposed model was then validated by an online survey of 125 network security professionals with a wide demographic spread.
Findings
The empirical data collected from the survey of network security professionals strongly validate the proposed work practices model. The results also highlight interesting trends for different groups of network security professionals, with respect to performing different security-related activities.
Research limitations/implications
Further studies could investigate more closely the links and dependencies between the different activities of the proposed work practices model and tools used by network security professionals to perform these activities.
Practical implications
A robust work practices model of network security professionals could hugely assist tool developers in designing usable tools for network security management.
Originality/value
This paper proposes a new work practices model of network security professionals, which is built by consolidating existing empirical evidence and validated by conducting a survey of network security professionals. The findings enhance the understanding of tool developers about the day-to-day activities of network security professionals, consequently assisting developers in designing better tools for network security management.
Forough Nasirpouri Shadbad and David Biros
Abstract
Purpose
This study focuses on unintended negative consequences of IT, called technostress. Given that employees are recognized as a major information security threat, it makes sense to investigate how technostress resulting from employees' constant interaction with IT influences the likelihood of security incidents. Although past research studied the concept of security-related technostress, the effect of IT use itself on employees’ extra-role activities such as security-related behaviors is unanswered. Thus, this paper aims to provide an understanding of the negative impact of technostress on employee information security policy (ISP) compliance.
Design/methodology/approach
Drawing on technostress literature, this research develops a research model that investigates the effect of technostress on employee intention to violate ISPs. It also extends the dimensionality of technostress construct by adding a new dimension called “techno-unreliability” that shows promising results. The authors use online survey data from a sample of 356 employees who have technology-based professions. We apply the structural equation modeling technique to evaluate the proposed research model.
Findings
Findings showed that IT use imposes high-level perceptions of a set of technostress creators, which makes users rationalize their ISP violations and engage in non-compliant behaviors. Further analysis of each dimension of technostress showed that techno-complexity, techno-invasion and techno-insecurity account for higher ISP non-compliant behaviors.
Originality/value
This study provides a new understanding of technostress in the context of information security and emphasizes its negative impact on employee ISP compliance behaviors.
Forough Nasirpouri Shadbad and David Biros
Abstract
Since the emergence of the Internet in the twentieth century and the rapid growth of different types of information technologies (IT), our lives, either personal or professional, have become digitised. Adoption and diffusion of IT enhance individual and organisational performance, yet scholars discovered a dual nature of IT in which IT usage may have negative aspects too. First, the inability to cope with IT in a healthy manner creates stress in users, termed technostress. Second, digitisation and adoption of new technologies (e.g. IoT and multi-cloud environments) have increased vulnerabilities to information security (InfoSec) threats. Although organisations utilise counteraction strategies (e.g., security systems, security policies), end-users remain the top source of security incidents. Existing behavioural research has approached technostress and InfoSec independently. However, it is not clear how technology-stressors influence employees’ security-related behaviours. This chapter reviews the interaction effect of these concepts in detail by proposing a conceptual model that explains that technostress is the main reason for employees’ non-compliance with security policies in which users with high-level perceptions of technostress are more likely to violate InfoSec policies. Counteraction strategies to mitigate technostress and security threats are also discussed.
Judith M. Whipple, M. Douglas Voss and David J. Closs
Abstract
Purpose
This paper compares firms purchasing and/or selling food products internationally to those with domestic supply chains in order to determine if international firms: place greater managerial importance on security; and are more likely to engage supply chain partners in security‐related verification and information exchange. The purpose of this paper is to explore the link between security initiatives and firm performance in terms of security outcomes, product quality, and customer service.
Design/methodology/approach
A series of one‐way ANOVA tests are used to assess the differences between firms with international and domestic supply chains. Additionally, cluster analysis is conducted to group firms based on their performance levels.
Findings
Initial results indicate respondents with international supply chains perceive that their firms place more importance on security and are more likely to assess the security procedures of supply chain partners. Results further indicate that, in general, respondents in international firms perceive better security performance is achieved in terms of the ability to detect and recover from security incidents. Once firms are grouped by performance, respondents in the high‐performance cluster, represented predominantly by international firms, perceived significantly higher performance in the areas examined.
Originality/value
This paper is the first to compare the differences in security measures employed by firms maintaining internationally oriented as opposed to domestically oriented supply chains, and it also relates the implementation of supply chain security measures to security and firm performance.
Cansu Tayaksi, Erhan Ada, Yigit Kazancoglu and Muhittin Sagnak
Abstract
Purpose
Today, information systems and technology provide a wide set of tools for companies to increase the efficiency of their businesses. Although technology offers many benefits to businesses, it also brings risks such as information systems security breaches. Security breaches and their financial impact are a constant concern of researchers and practitioners. This paper explores information systems breaches and their financial impacts on publicly traded companies in different sectors.
Design/methodology/approach
After a comprehensive data collection process, data from 192 events are analyzed by employing Event Study Methodology and a comparison of the results between the four highly affected sectors (Consumer Goods, Technology, Financial and Communications) is presented. The abnormal returns on the prices of stocks after the events are calculated with the Market Model. Also, the results of the Market Adjusted Model and Mean Adjusted Model are presented to support the results.
Findings
While information systems security breaches have a significant negative impact on the Financials and the Technology sectors for all the event windows in the study ([−5, 0], [−5, 1], [−5, 5], and [−5, 10]), the significant negative impact is observed only on the [−5, 5] and [−5, 10] event windows for the Consumer Goods sector. No significant negative impact is observed in the Communications sector; in fact, the cumulative abnormal returns are positive for this sector.
Originality/value
The contribution of this paper is to provide evidence about the financial impacts of information systems breaches for businesses in different sectors. While there are studies that have previously focused on information systems breaches and their financial impacts on businesses, to the best of our knowledge, this is the first study that compares this effect between the four highly impacted sectors. With a relatively larger sample size and broader event windows than the past studies in the literature, statistical evidence is provided to managers to justify their investments in information security and build preventive measures to secure the market value of their firms.
Hong Gyue Park and YoungJae Park
Abstract
Purpose
The purpose of this paper is to examine the impact of financial investment (FI) in Authorized Economic Operator (AEO) certification on performance of Korean logistics companies through public and private partnership (PPP) and trade facilitation (TF).
Design/methodology/approach
A questionnaire survey was conducted to collect the data for this study, out of which 285 were adopted for the analysis using structural equation modeling for quantitative analysis. Also, it is based on professionals in Korean logistics companies that are AEO certified only.
Findings
FI on AEO certification had positive impacts on performance via PPP, while the TF variable had no significant impact on the overall performance.
Research limitations/implications
This study focuses on the FI in AEO certification and its impact on performance in Korea. There should be more quantitative and confirmatory research on other countries with AEO certification to validate the findings of this study. It may be possible to generate contrary findings in different economies or countries.
Practical implications
These findings imply that public managers should focus more on TF aspects of the program with the Mutual Recognition Agreement with major trading partners and growing economies around the world in order to make the AEO program more popular and global with supply chain members overseas.
Originality/value
This study has offered original discovery and practical, academic implications for AEO program in terms of testing and suggesting factors provided by previous studies as a confirmatory and quantitative research.
TieCheng Yang, Yang Chen, Scarlett Zhang, Virginia Qiao, Zhenyu Wang and Shuozhu Zheng
Abstract
Purpose
To introduce the Securities Law of the People's Republic of China (the “Securities Law 2019”) revised on 28 December 2019, and provide a detailed analysis on its key implications to the securities regulatory regime and market activities, especially securities issuance and trading activities in China.
Design/methodology/approach
This article starts from a historical overview of the Securities Law and its several revisions and amendments, highlights the notable core revisions in the Securities Law 2019, analyzes the key legal and regulatory impacts to the securities-related activities and market players, and finally, provides an outlook to the future developments of securities regulatory regime in conformity with the Securities Law 2019.
Findings
This article concludes that the revisions made to the Securities Law 2019 cover a broad range of issues including the issuance and trading of securities, acquisition of a listed company, information disclosure, securities registration and settlement, etc. Such revisions to the Securities Law will lead to far-reaching and profound implications on the securities regulatory system and industry practice in China.
Practical implications
The Securities Law 2019 attracts broad attention from securities market players as well as relevant professionals of the industry, including securities lawyers. As this is a novel and hot topic within the industry, it is important for securities lawyers to keep on track.
Originality/value
High-level guidance from experienced lawyers in the Capital Markets and Financial Regulation practices.
Abstract
Purpose
To enable quantitative and qualitative modelling of information systems security management that takes into account technology and human factor.
Design/methodology/approach
The approach is based on systems dynamics and it is done in two phases. In the first phase two basic qualitative models are developed, while in the second phase a possibility to further develop them into quantitative models is studied.
Findings
An appropriate approach to IS security management requires addressing “hard” and “soft” factors. Further, to enable quantitative study of such systems, which are highly non‐linear, exact analytical (mathematically rigorous) treatment is close to impossible. Thus, computer simulations have to be used. One appropriate methodological answer to the above requirements is systems (business) dynamics.
Research limitations/implications
Research limitations are partially related to system dynamics, which operates on an aggregate level. This prevents or makes harder the study of phenomena at the micro level, from where the above‐mentioned aggregates emerge. Further, many sub‐areas need further standardisation to enable more realistic simulations – one such case is security policy standardisation and quantification. The same holds true for threats/vulnerabilities and related taxonomies.
Practical implications
The research presents one of the first steps in the direction that could provide quantitative models for effective IS security policy management in organisations.
Originality/value
The research presents two models, one for risk management and the other, which is a generic model that identifies basic variables that have to be addressed for IS security management. Further, findings can be used for security awareness courses.
Tadele Shimels and Lemma Lessa
Abstract
Purpose
Information systems' security is more critical than ever before since security threats are rapidly growing. Before putting in place information systems' security measures, organizations are required to determine the maturity level of their information security governance. Literature review reveals that there is no recent study on information systems' security maturity level of banks in Ethiopia. This study thus seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in the Ethiopian private banking industry's information system security maturity indicators.
Design/methodology/approach
Four private banks are selected as a representative sample. The system security engineering capability maturity model (SSE-CMM) is used as the maturity measurement criteria, and the measurement was based on ISO/IEC 27001 information security control areas. The data for the study were gathered using a questionnaire.
Findings
A total of 93 valid questionnaires were gathered from 110 participants in the study. Based on the SSE-CMM maturity model assessment criteria, the private banking industry's current maturity level is level 2 (repeatable but intuitive). Institutions have a pattern that is repeated when completing information security operations, but its existence was not thoroughly proven and institutional inconsistency still exists.
Originality/value
This study seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in the Ethiopian private banking industry's information system security maturity indicators. This topic has not been attempted previously in the context of the Ethiopian financial sector.
Moufida Sadok, Steven Alter and Peter Bednar
Abstract
Purpose
This paper aims to present empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training often is insufficient for establishing and maintaining information security.
Design/methodology/approach
This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from employees’ point of view.
Findings
Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real-world contexts.
Research limitations/implications
This paper focuses only on closed-ended questions related to the following topics: awareness of existing security policy; information security practices and management and information security involvement.
Practical implications
The empirical findings show that corporate information security policies in SMEs often are insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. The interpretation based on WST provides guidelines for enhancing information system security.
Originality/value
Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.