Search results

1 – 10 of 710
Article
Publication date: 27 January 2021

Zuopeng (Justin) Zhang, Wu He, Wenzhuo Li and M'Hammed Abdous

Abstract

Purpose

Employees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses.

Design/methodology/approach

To help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost–benefit analysis of CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. We also investigate the impact of CSAT programs with different costs and benefits on a company's optimal degree of security.

Findings

Our findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level.

Originality/value

Our model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.

Details

Industrial Management & Data Systems, vol. 121 no. 3
Type: Research Article
ISSN: 0263-5577

Article
Publication date: 29 March 2021

Susan Ramlo and John B. Nicholas

Abstract

Purpose

The purpose of this paper is to reveal and describe the divergent viewpoints about cybersecurity within a purposefully selected group of people with a range of expertise in relation to computer security.

Design/methodology/approach

Q methodology [Q] uses empirical evidence to differentiate subjective views and, therefore, behaviors in relation to any topic. Q uses the strengths of qualitative and quantitative research methods to reveal and describe the multiple, divergent viewpoints that exist within a group where individuals sort statements into a grid to represent their views. Analyses group similar views (sorts). In this study, participants were selected from a range of types related to cybersecurity (experts, authorities and uninformed).

Findings

Four unique viewpoints emerged such that one represents cybersecurity best practices and the remaining three viewpoints represent poor cybersecurity behaviors (Naïve Cybersecurity Practitioners, Worried but not Vigilant and How is Cybersecurity a Big Problem) that indicate a need for educational interventions within both the public and private sectors.

Practical implications

Understanding the divergent views about cybersecurity is important within smaller groups including classrooms, technology-based college majors, a company, a set of IT professionals or other targeted groups where understanding cybersecurity viewpoints can reveal the need for training, changes in behavior and/or the potential for security breaches which reflect the human factors of cybersecurity.

Originality/value

A review of the literature revealed that only large, nation-wide surveys have been used to investigate views of cybersecurity. Yet, surveys are not useful in small groups, whereas Q is designed to investigate behavior through revealing subjectivity within smaller groups.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 18 December 2020

Ravdeep Kour and Ramin Karim

Abstract

Purpose

The purpose of this research paper is to evaluate and estimate the cybersecurity maturity and awareness risk for workforce management in railway transportation by using Railway-Cybersecurity Capability Maturity Model (R-C2M2) and Information Security Awareness Capability Model (ISACM), respectively.

Design/methodology/approach

This research uses a case study strategy, so primary data comprise the majority of data collected. These data were collected through interviews and questionnaires. The secondary data were collected from the literature, technical reports and standards.

Findings

The results show that there is a gap in cybersecurity awareness within the workforce and a need to close this gap. This paper provides recommendations and literature to enhance the cybersecurity workforce culture within railway organizations.

Practical implications

In this paper, the authors have demonstrated that cybersecurity awareness has a positive impact on the overall dependability of the railway system.

Originality/value

This paper describes the importance of cybersecurity awareness and training in building greater cyber resiliency across the operation and maintenance of railways.

Details

Journal of Quality in Maintenance Engineering, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 1355-2511

Article
Publication date: 3 May 2016

V. Gerard Comizio, Behnam Dayanim and Laura Bain

Abstract

Purpose

To provide financial institutions an overview of the developments in cybersecurity regulation of financial institutions during 2015 by the United States, the United Kingdom, and the European Union, as well as guidance for developing effective cyber-risk management programs in light of evolving cyber-threats and cyber-regulatory expectations.

Design/methodology/approach

Reviews US, UK and EU regulatory developments in the cybersecurity area and provides several best practice tips financial institutions should consider and implement to improve their cybersecurity compliance programs.

Findings

While cyber-threats and financial regulators’ expectations for cyber-security are constantly evolving, recent guidance and enforcement efforts by the US, UK and EU illustrate the need for financial institutions to develop effective cybersecurity programs that address current regulatory compliance requirements and prepare for emergency cyber responses.

Practical implications

Financial institutions should utilize the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool to assess their cyber-risk profile and cyber-preparedness.

Originality/value

Practical guidance from experienced financial regulatory and privacy lawyers that provides a survey of the current regulatory environment and recommendations for cyber-security compliance.

Details

Journal of Investment Compliance, vol. 17 no. 1
Type: Research Article
ISSN: 1528-5812

Article
Publication date: 3 July 2017

Jonathan G. Cedarbaum, Benjamin A. Powell, D. Reed Freeman, Leah Schloss and Reed Abrahamson

Abstract

Purpose

To analyze the cybersecurity regulations for financial institutions issued by the New York State Department of Financial Services on February 16, 2017.

Design/methodology/approach

This article summarizes the regulations’ scope and requirements including definition of Covered Entities and substantive requirements including periodic Risk Assessments, cyber policies, dedicated and trained personnel, testing, audit trails, control over Third Party Service Providers, authentication, secure disposal, encryption, and incident reporting.

Findings

The regulations go beyond federal requirements in a number of important respects.

Originality/value

This article provides a guide for regulated entities to start preparing for compliance with the new regulations from experienced lawyers with specialties in cybersecurity, privacy and communications.

Details

Journal of Investment Compliance, vol. 18 no. 2
Type: Research Article
ISSN: 1528-5812

Expert briefing
Publication date: 9 May 2016

An assessment of the cyber threat to CNI.

Details

DOI: 10.1108/OXAN-DB210984

ISSN: 2633-304X

Article
Publication date: 20 December 2019

Wu He, Ivan Ash, Mohd Anwar, Ling Li, Xiaohong Yuan, Li Xu and Xin Tian

Abstract

Purpose

An organization’s ability to successfully manage intellectual capital is determined by the actions of its employees to prevent or minimize information security incidents. To prevent more data breaches to intellectual capital, organizations must provide regular cybersecurity awareness training for all personnel. The purpose of this paper is to investigate the effect of different evidence-based cybersecurity training methods on employees’ cybersecurity risk perception and self-reported behavior.

Design/methodology/approach

The study participants were randomly assigned into four groups (i.e. malware report, malware videos, both malware report and malware videos and no interventions) to assess the effects of cybersecurity training on their perceptions of vulnerability, severity, self-efficacy, security intention as well as their self-reported cybersecurity behaviors.

Findings

The results show that the evidence-based malware report is a relatively better training method for affecting employees’ intentions to engage in recommended cybersecurity behaviors, compared with the other training methods used in this study. A closer analysis suggests that whether the training method contains self-relevant information could make a difference to the training effects.

Originality/value

This paper reports an in-depth investigation on how different evidence-based cybersecurity training methods impact employees’ perceptions of susceptibility, severity, self-efficacy, security intention as well as on their self-reported cybersecurity behaviors.

Details

Journal of Intellectual Capital, vol. 21 no. 2
Type: Research Article
ISSN: 1469-1930

Article
Publication date: 6 July 2015

Richard Kuhlman and Jason Kempf

Abstract

Purpose

To summarize and comment on FINRA’s report on cybersecurity practices, published on February 4, 2015, which arose from its 2014 targeted examination of firms’ cybersecurity preparedness.

Design/methodology/approach

Explains the implications of the FINRA report and general guidance FINRA provides and expects all firms to consider in connection with developing their respective cybersecurity programs in eight areas: governance and risk management for cybersecurity; cybersecurity risk assessment; technical controls; incident response planning; vendor management; staff training; cyber intelligence and information sharing; and cyber insurance.

Findings

There is no doubt that cybersecurity is a key risk facing the financial services industry now. Accordingly, FINRA expects that firms will review the report and assess how the principles and effective practices provided therein could help build or improve cybersecurity readiness. The report reflects FINRA’s risk-management-based approach to cybersecurity issues, identifying principles and “effective practices” for member firms to consider, as opposed to decreeing specific requirements, policies or procedures.

Originality/value

Expert guidance from experienced securities lawyers.

Details

Journal of Investment Compliance, vol. 16 no. 2
Type: Research Article
ISSN: 1528-5812

Article
Publication date: 11 June 2019

Maria Bada and Jason R.C. Nurse

Abstract

Purpose

The purpose of this study is to focus on organisation’s cybersecurity strategy and propose a high-level programme for cybersecurity education and awareness to be used when targeting small- and medium-sized enterprises/businesses (SMEs/SMBs) at a city-level. An essential component of an organisation’s cybersecurity strategy is building awareness and education of online threats and how to protect corporate data and services. This programme is based on existing research and provides a unique insight into an ongoing city-based project with similar aims.

Design/methodology/approach

To structure this work, a scoping review was conducted of the literature in cybersecurity education and awareness, particularly for SMEs/SMBs. This theoretical analysis was complemented using a case study and reflecting on an ongoing, innovative programme that seeks to work with these businesses to significantly enhance their security posture. From these analyses, best practices and important lessons/recommendations to produce a high-level programme for cybersecurity education and awareness were recommended.

Findings

While the literature can be informative at guiding education and awareness programmes, it may not always reach real-world programmes. However, existing programmes, such as the one explored in this study, have great potential, but there can be room for improvement. Knowledge from each of these areas can, and should, be combined to the benefit of the academic and practitioner communities.

Originality/value

The study contributes to current research through the outline of a high-level programme for cybersecurity education and awareness targeting SMEs/SMBs. Through this research, literature in this space was examined and insights into the advances and challenges faced by an on-going programme were presented. These analyses allow us to craft a proposal for a core programme that can assist in improving the security education, awareness and training that targets SMEs/SMBs.

Details

Information & Computer Security, vol. 27 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 22 March 2021

Julie M. Haney and Wayne G. Lutters

Abstract

Purpose

Cybersecurity advocates safeguard their organizations by promoting security best practices. This paper aims to describe the skills and characteristics of successful advocates.

Design/methodology/approach

This study involved 28 in-depth interviews of cybersecurity advocates.

Findings

Effective advocates possess not only technical acumen but also interpersonal skills, communication skills, context awareness and a customer service orientation.

Practical implications

Non-technical skills are deemphasized in cybersecurity training, limiting career progression into the cybersecurity advocate role for existing security professionals and those from other disciplines. This paper suggests improvements for professional development that encourage greater security workforce diversity.

Originality/value

To the best of the authors’ knowledge, this study is the first to define and enumerate competencies for the role of cybersecurity advocate.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961
