Search results
1 – 10 of 607
Eylem Thron, Shamal Faily, Huseyin Dogan and Martin Freer
Abstract
Purpose
Railways are a well-known example of complex critical infrastructure, incorporating socio-technical systems with humans such as drivers, signallers, maintainers and passengers at the core. Technological evolution, including interconnectedness and new ways of interaction, leads to new security and safety risks that can be realised through human error as well as through malicious and non-malicious behaviour. This study aims to identify the human factors (HF) and cyber-security risks relating to the role of signallers on the railways and explores strategies for the improvement of “Digital Resilience” – for the concept of a resilient railway.
Design/methodology/approach
Overall, 26 interviews were conducted with 21 participants from industry and academia.
Findings
The results showed that due to increased automation, both cyber-related threats and human error can impact signallers’ day-to-day operations – directly or indirectly (e.g. workload and safety-critical communications) – which could disrupt the railway services and potentially lead to safety-related catastrophic consequences. This study identifies cyber-related problems, including external threats; engineers not considering the human element in designs when specifying security controls; lack of security awareness among the rail industry; training gaps; organisational issues; and many unknown “unknowns”.
Originality/value
The authors discuss socio-technical principles through a hexagonal socio-technical framework and a training needs analysis to mitigate cyber-security issues and identify the predictive training needs of signallers. This is supported by a systematic approach which considers both safety and security factors, rather than waiting to learn from a cyber-attack retrospectively.
Jassim Happa and Michael Goldsmith
Abstract
Purpose
Several attack models attempt to describe the behaviour of attacks with the intent of understanding and combating them better. However, all models are to some degree incomplete. They may lack insight into minor variations in attacks that are observed in the real world but are not described in the model. This may lead to similar attacks being classified as the same type of attack, or in some cases as the same instance of an attack. The appropriate solution would be to modify the model or replace it entirely. However, doing so may be undesirable, as the model may work well for most cases, or time and resource constraints may factor in as well. This paper aims to explore the potential value of adding information about attacks and attackers to existing models.
Design/methodology/approach
This paper investigates use cases involving minor variations in attacks and how it may or may not be appropriate to communicate subtle differences in existing attack models through the use of annotations. In particular, the authors investigate commonalities across a range of existing models and identify where and how annotations may be helpful.
Findings
The authors propose that nuances (of attack properties) can be appended as annotations to existing attack models. Using annotations appropriately should enable analysts and researchers to express subtle but important variations in attacks that may not fit the model currently being used.
Research limitations/implications
This work only demonstrated a few simple, generic examples. In the future, the authors intend to investigate how this annotation approach can be extended further. Particularly, they intend to explore how annotations can be created computationally; the authors wish to obtain feedback from security analysts through interviews, identify where potential biases may arise and identify other real-world applications.
Originality/value
The value of this paper is that the authors demonstrate how annotations may help analysts communicate, and ask better questions, while identifying the unknown aspects of an attack more quickly, e.g. as a means of storing mental notes in a structured manner, especially when facing zero-day attacks for which information is incomplete.
Abstract
Purpose
The issue of cybersecurity has been cast as the focal point of a fight between two conflicting governance models: the nation-state model of national security and the global governance model of multi-stakeholder collaboration, as seen in forums like IGF, IETF, ICANN, etc. There is a strange disconnect, however, between this supposed fight and the actual control over cybersecurity “on the ground”. This paper aims to reconnect discourse and control via a property rights approach, where control is located first and foremost in ownership.
Design/methodology/approach
This paper first conceptualizes current governance mechanisms through ownership and property rights. These concepts locate control over internet resources and also help us understand ongoing shifts in control. Such shifts in governance are actually happening: security governance is being patched left and right, but these arrangements bear little resemblance to either the national security model of states or the global model of multi-stakeholder collaboration. With the conceptualization in hand, the paper then presents case studies of governance that have emerged around specific security externalities.
Findings
While not all mechanisms are equally effective, in each of the studied areas, the author found evidence of private actors partially internalizing the externalities, mostly on a voluntary basis and through network governance mechanisms. No one thinks that this is enough, but it is a starting point. Future research is needed to identify how these mechanisms can be extended or supplemented to further improve the governance of cybersecurity.
Originality/value
This paper bridges the disconnected research communities on governance and (technical) cybersecurity.
Abstract
Purpose
The study's results and recommendations will be of paramount significance for policymakers, policy advocates, development planners and practitioners who need such information for reconsideration, evaluation and inclusion in their respective development and humanitarian programming and operational strategies. Above all, the results have provided the local community with viable adaptation strategies to climate-induced changes in the study area.
Design/methodology/approach
This study was conducted to measure the livelihood vulnerability of Borana pastoralists to climate change and variability in southern Ethiopia. Pastoralists’ households were sampled using multistage sampling techniques. A total of 27 socio-economic and biophysical indicators were used to reflect vulnerability components: adaptive capacity, exposure and sensitivity. Principal component analysis was used to develop weights for indicators and to produce livelihood vulnerability index to classify households according to their level of vulnerability. Ordinal logistic regression was used to identify the determinants of vulnerability to climate-induced stresses.
Findings
The results showed that 24.4% of households were highly vulnerable, 60.3% were moderately vulnerable and 15.3% of households were less vulnerable to climate-induced stresses. Factor estimates of the logistic model further revealed that early warning information, bush encroachment, coping strategy, temperature, drought frequency, provision of humanitarian services and food shortage during the normal season of the year have a significant influence on vulnerability in the study area.
Social implications
The study’s results and recommendations will be of great significance to policymakers, development planners, and practitioners who require such information for reconsideration, evaluation, and inclusion in their respective development and humanitarian program and operational strategies. Most importantly, the study’s findings have provided the local community with practical adaptation strategies to climate-induced changes in the study area.
Originality/value
The study explored pastoralist perception of climate change and variability and measured the livelihood vulnerability of pastoralists’ households to climate change and variability and finally investigated viable adaptation and coping strategies in the study area.
Stefan Fenz and Thomas Neubauer
Abstract
Purpose
The purpose of this paper is to provide a method to formalize information security control descriptions and a decision support system increasing the automation level and, therefore, the cost efficiency of the information security compliance checking process. The authors advanced the state-of-the-art by developing and applying the method to ISO 27002 information security controls and by developing a semantic decision support system.
Design/methodology/approach
The research has been conducted under design science principles. The formalized information security controls were used in a compliance/risk management decision support system which has been evaluated with experts and end-users in real-world environments.
Findings
There are different ways of obtaining compliance with information security standards, for example by implementing countermeasures of different quality depending on the protection needs of the organization. The authors developed decision support mechanisms which use the formal control descriptions as input to support the decision-maker in identifying the most appropriate countermeasure strategy based on cost and risk reduction potential.
Originality/value
Formalizing and mapping the ISO 27002 controls to the security ontology enabled the authors to automatically determine the compliance status and organization-wide risk-level based on the formal control descriptions and the modelled environment, including organizational structures, IT infrastructure, available countermeasures, etc. Furthermore, it allowed them to automatically determine which countermeasures are missing to ensure compliance and to decrease the risk to an acceptable level.
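The abstract describes the mechanism only at a high level: formalized controls plus a modelled environment yield a compliance status, a risk level and a list of missing countermeasures, chosen by cost and risk reduction. The following is an added illustration of that decision logic, not the authors' decision support system, ontology or control formalization; the control identifiers (CTRL-*), the asset, and every cost and risk-reduction figure are constructed for the example, and the multiplicative risk model and greedy selection are assumptions made here to keep the sketch short.

```python
"""Toy compliance-checking and countermeasure-selection logic.

Added illustration only: not the authors' decision support system, ontology
or control formalization. All control identifiers (CTRL-*), asset data,
costs and risk-reduction factors are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float             # constructed annual cost
    risk_reduction: float   # constructed fraction of residual risk removed


@dataclass(frozen=True)
class Control:
    """A formalized control: which asset type it targets and which
    countermeasures (any one of them) satisfy it."""
    control_id: str
    applies_to: str
    satisfied_by: frozenset


@dataclass
class Asset:
    name: str
    asset_type: str
    countermeasures: set = field(default_factory=set)


# Constructed catalogue and control set (hypothetical identifiers).
CATALOG = {
    cm.name: cm for cm in [
        Countermeasure("full_disk_encryption", cost=200.0, risk_reduction=0.6),
        Countermeasure("file_level_encryption", cost=50.0, risk_reduction=0.3),
        Countermeasure("mfa", cost=120.0, risk_reduction=0.5),
        Countermeasure("password_policy", cost=20.0, risk_reduction=0.2),
    ]
}
CONTROLS = [
    Control("CTRL-CRYPTO", "laptop",
            frozenset({"full_disk_encryption", "file_level_encryption"})),
    Control("CTRL-AUTH", "laptop",
            frozenset({"mfa", "password_policy"})),
]


def compliance_status(controls, assets):
    """Map (control_id, asset name) -> True if a satisfying countermeasure is deployed."""
    status = {}
    for ctrl in controls:
        for asset in assets:
            if asset.asset_type == ctrl.applies_to:
                status[(ctrl.control_id, asset.name)] = bool(
                    ctrl.satisfied_by & asset.countermeasures)
    return status


def residual_risk(base_risk, deployed, catalog):
    """Assumed multiplicative risk model: each countermeasure removes its fraction."""
    risk = base_risk
    for name in sorted(deployed):
        risk *= 1.0 - catalog[name].risk_reduction
    return risk


def plan_countermeasures(asset, controls, catalog, base_risk, acceptable_risk):
    """Return (countermeasures to add, in order; resulting residual risk).

    Step 1 closes each non-compliant control with its cheapest option.
    Step 2 greedily adds the option with the best risk reduction per unit
    cost until residual risk is acceptable or the catalogue is exhausted.
    The asset itself is not modified.
    """
    chosen = []
    deployed = set(asset.countermeasures)
    for ctrl in controls:
        if ctrl.applies_to == asset.asset_type and not (ctrl.satisfied_by & deployed):
            cheapest = min(sorted(ctrl.satisfied_by), key=lambda n: catalog[n].cost)
            chosen.append(cheapest)
            deployed.add(cheapest)
    while residual_risk(base_risk, deployed, catalog) > acceptable_risk:
        remaining = [cm for cm in catalog.values() if cm.name not in deployed]
        if not remaining:
            break  # acceptable level not reachable with this catalogue
        current = residual_risk(base_risk, deployed, catalog)
        best = max(remaining, key=lambda cm: (
            current - residual_risk(base_risk, deployed | {cm.name}, catalog)) / cm.cost)
        chosen.append(best.name)
        deployed.add(best.name)
    return chosen, residual_risk(base_risk, deployed, catalog)


if __name__ == "__main__":
    laptop = Asset("lap-01", "laptop", {"password_policy"})
    print(compliance_status(CONTROLS, [laptop]))
    print(plan_countermeasures(laptop, CONTROLS, CATALOG,
                               base_risk=1000.0, acceptable_risk=150.0))
```

Running the block on the constructed laptop shows CTRL-CRYPTO non-compliant, closes it with the cheaper file-level encryption, and then keeps buying risk reduction by cost-efficiency (MFA before full-disk encryption) until the residual risk falls under the acceptable level. The point is the shape of the computation, not the numbers: with controls and the environment in machine-readable form, compliance gaps and the cheapest path to an acceptable risk level fall out of a loop rather than a manual audit.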
Eline Punt, Jochen Monstadt, Sybille Frank and Patrick Witte
Abstract
Purpose
Cyber resilience has emerged as an approach for seaports to deal with cyberattacks; it emphasizes ports’ ability to prepare for an attack and to keep operating and recover quickly. However, little research has been undertaken on the challenges of governing cyber risks in seaports. This study aims to address this gap.
Design/methodology/approach
Governing cyber resilience is shaped by distributed responsibilities, uncertainties and ambiguities. The authors use this conceptualization to explore the governance of cyber risks in seaports, taking the Port of Rotterdam as a case study and analyzing semi-structured interviews with stakeholders, participatory observation, policy documents and legislation.
Findings
The authors found that many strategies for governing cyber risks remain dedicated to protecting computer systems against cyberattacks. Nevertheless, port stakeholders have also developed strategies in anticipation of disruptions. However, these strategies appear informal and uncoordinated due to a lack of information exchange, insufficient knowledge regarding cyber risks and disagreement about how to make the Port of Rotterdam cyber resilient. What mainly hampers the cyber resilience of the port is the lack of a comprehensive regulatory framework and economic incentives. The authors conclude that resilience is merely an ideal at the Port of Rotterdam, meaning related governance strategies remain incremental and await institutionalization.
Originality/value
This paper offers insights into the cyber resilience of critical socio-technical systems, which have been underexposed in cyber resilience debates, but, when exploited, can manifest in large-scale disruptions.
Julia Slupska and Leonie Maria Tanczer
Abstract
Technology-facilitated abuse, so-called “tech abuse,” through phones, trackers, and other emerging innovations, has a substantial impact on the nature of intimate partner violence (IPV). The current chapter examines the risks and harms posed to IPV victims/survivors from the burgeoning Internet of Things (IoT) environment. IoT systems are understood as “smart” devices such as conventional household appliances that are connected to the internet. Interdependencies between different products together with the devices' enhanced functionalities offer opportunities for coercion and control. Across the chapter, we use the example of IoT to showcase how and why tech abuse is a socio-technological issue and requires not only human-centered (i.e., societal) but also cybersecurity (i.e., technical) responses. We apply the method of “threat modeling,” which is a process used to investigate potential cybersecurity attacks, to shift the conventional technical focus from the risks to systems toward risks to people. Through the analysis of a smart lock, we highlight insufficiently designed IoT privacy and security features and uncover how seemingly neutral design decisions can constrain, shape, and facilitate coercive and controlling behaviors.
Mingqiu Song, Penghua Wang and Peng Yang
Abstract
Purpose
The purpose of this study was to establish a Technology-Organization-Personality model of secure software development (SSD) innovation assimilation at the level of individual motivation. The model identifies the individual psychological motivations that influence innovation assimilation intention and behaviour, and so constitutes an organizational management view of SSD innovation assimilation from the perspective of individual psychological motivation.
Design/methodology/approach
An empirical study was employed to verify the proposed model. Semi-structured interviews were conducted with security experts to obtain their advice and the measurement scales, and questionnaires were then circulated at a focus group meeting and among software security professionals by email. Of the 230 questionnaires returned, 215 were usable. IBM SPSS 19.0 and AMOS 17.0 were used to analyze the data, and a structural equation model was employed to test the hypotheses of the model.
Findings
Results reveal that two types of individual motivation can influence SSD innovation assimilation, namely potential organizational support and individual needs. Furthermore, absorptive capability was found to play a moderating role in the transition from SSD assimilation intention to behaviour.
Originality/value
The findings reveal how individual motivation plays an important role in promoting the assimilation of a complex innovation. The study fills the gap in research on organizational assimilation behaviour and individual motivation in the context of SSD as a complex innovation, and provides the management of software development organizations with an empirically based conceptualization to guide their personnel incentive policymaking.
Abstract
Purpose
Data breaches are an increasing phenomenon in today's digital society. Despite the preparations an organization must make to prevent a data breach, it still needs strategies for the event that a breach occurs. This paper explores the key recovery areas necessary for data breach recovery.
Design/methodology/approach
Stakeholder theory and three recovery areas (customer, employee and process recovery) are proposed as the necessary theoretical lens for studying data breach recovery. Three data breach cases (Anthem, Equifax and Citrix) are presented to lend merit to the argument for the proposed theoretical foundations of stakeholder theory and recovery areas in data breach recovery research.
Findings
Insights from these cases reveal four areas of recovery are necessary for data breach recovery – customer recovery, employee recovery, process recovery and regulatory recovery.
Originality/value
These areas are presented in the data recovery areas model, which is intended (1) to focus organizations on these areas when resolving data breaches and (2) to guide future data breach recovery researchers in developing their research in the field.
Sherali Zeadally, Farhan Siddiqui, Zubair Baig and Ahmed Ibrahim
Abstract
Purpose
The aim of this paper is to identify some of the challenges that need to be addressed to accelerate the deployment and adoption of smart health technologies for ubiquitous healthcare access. The paper also explores how internet of things (IoT) and big data technologies can be combined with smart health to provide better healthcare solutions.
Design/methodology/approach
The authors reviewed the literature to identify the challenges which have slowed down the deployment and adoption of smart health.
Findings
The authors discussed how IoT and big data technologies can be integrated with smart health to address some of the challenges to improve health-care availability, access and costs.
Originality/value
The results of this paper will help health-care designers, professionals and researchers design better health-care information systems.