Search results

11 – 20 of over 103000
Article
Publication date: 1 October 1995

Charles Cresson Wood

Introduces a series of contributions on computer security. Begins by pointing out that information is an organizational asset which needs to be protected. Policies are the primary…

Abstract

Introduces a series of contributions on computer security. Begins by pointing out that information is an organizational asset which needs to be protected. Policies are the primary building blocks for every information security effort. In order to be successful with information security, every organization must have a set of policies which establishes both direction and management support. Discusses the role and function of the information security management specialist within the organization. Finally outlines possible exceptions to information security policies.

Details

Information Management & Computer Security, vol. 3 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 7 June 2011

Yngve Monfelt, Sofie Pilemalm, Jonas Hallberg and Louise Yngström

The purpose of this paper is to describe the controlled information security project which is designed to investigate, assess and provide tools to improve the information security

Abstract

Purpose

The purpose of this paper is to describe the controlled information security project which is designed to investigate, assess and provide tools to improve the information security status in organizations with a focus on public agencies. A central question for the project is how information security issues are communicated within organizations, specifically underlining that communication is control in a cybernetic sense.

Design/methodology/approach

The research method applied can be expressed as applied general systems theory combined with design science. The project is carried out in a number of steps: to design modelling techniques and metrics for information security issues in organizations; to collect data from Swedish governmental agencies; to use the modelling techniques to model communication of information security in organizations from different perspectives; to apply metrics on the data in order to assess information security levels in the agencies; to identify gaps; and to identify needs for improvement.

Findings

The motivation for the research is that communication of information security issues within organizations tend to be insufficient and the mental connections between IT‐security and information security work are weak, which prohibits the organization from learning and adapting in its security work. An entity's authority depends on its ability to control and manage the variety in the 14 layers. The general control objectives needed were implied based on the information security management standard.

Originality/value

The paper focuses on mind to mind communication conditions and how to adapt mechanistic systems.

Details

Information Management & Computer Security, vol. 19 no. 2
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 16 March 2012

K. Thomson and J. van Niekerk

The protection of organisational information assets is a human problem. It is widely acknowledged that an organisation's employees are the weakest link in the protection of the…

Abstract

Purpose

The protection of organisational information assets is a human problem. It is widely acknowledged that an organisation's employees are the weakest link in the protection of the organisation's information assets. Most current approaches towards addressing this human problem focus on awareness and educational activities and do not necessarily view the problem from a holistic viewpoint. Combating employee apathy and motivating employees to see information security as their problem is often not adequately addressed by “isolated” awareness activities. The purpose of this paper is to show how employee apathy towards information security can be addressed through the use of existing theory from the social sciences.

Design/methodology/approach

By means of a literature study, three key organizational environments that could exist are identified and explored. Goal‐setting theory is then investigated. Finally, arguments are presented to show how goal‐setting theory could be used to actively foster an organizational environment in which employees will view their roles and responsibilities towards information security as prosocial behaviour.

Findings

The work in the paper is primarily of a conceptual nature. However, the authors believe that encouraging such prosocial behaviour could contribute towards an organizational culture of information security.

Originality/value

The paper examines the motivation of employees to actively contribute towards information security from an organisational science perspective.

Details

Information Management & Computer Security, vol. 20 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 1 March 1993

R. von Solms, S.H. von Solms and W.J. Caelli

Information Security Management consists of various facets, for example Information Security Policy, Risk Analysis, Risk Management, Contingency Planning and Disaster Recovery which…

Abstract

Information Security Management consists of various facets, for example Information Security Policy, Risk Analysis, Risk Management, Contingency Planning and Disaster Recovery which are all interrelated in some way. These interrelationships often cause uncertainty and confusion among top management. Proposes a model for Information Security Management, called an Information Security Management Model (ISM²) and puts all the various facts in context. The model consists of five different levels defined on a security axis. ISM² introduces the idea of international security criteria or international security standards (baselines). The rationale behind these baselines is to enable information security evaluation according to internationally‐accepted criteria.

Details

Information Management & Computer Security, vol. 1 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 1 March 1999

Rossouw von Solms

Information security is no longer a domestic issue. In this age of electronic commerce, one company’s information security certainly affects their business partners. For this…

Abstract

Information security is no longer a domestic issue. In this age of electronic commerce, one company’s information security certainly affects their business partners. For this reason it became imperative that business partners demand an acceptable level of information security from one another. Information security management standards should certainly play a major role in this regard. In this paper, some information security management standards and their applicability will be discussed and put into context.

Details

Information Management & Computer Security, vol. 7 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 17 October 2008

Xiangzhao Huang, Hu Wan and Hongtao Zhou

To take relative actions to cope with the threat which network finance information security now encounters by constructing controlling tactical and synergetic model.

Abstract

Purpose

To take relative actions to cope with the threat which network finance information security now encounters by constructing controlling tactical and synergetic model.

Design/methodology/approach

It is practical to use the synergetic self‐organization theory to calculate the effects that the force of synergetic system of controlling tactics to financial information security makes on network financial system, and it is also practical to construct the synergetic model of controlling tactics to network financial information security on the basis of it.

Findings

Through applying synergetic analysis to controlling tactical system of network financial information security, it can be found out that controlling tactical system is an open system which changes from disorder to order and which keeps away from a balancing state. As an opening system, controlling tactics are interacting with outside from now and then.

Research limitations/implications

Network financial information security takes on dynamics, relativity, integrity and complexity. Accessibility of data is the main limitations which model will be applied.

Practical implications

From the view of network financial information security, constructing controlling tactical and synergetic model of information security are explained.

Originality/value

Network finance is orientated as a special social and economic system. The author does analysis on the network financial system, and expounds order parameters and model of network financial system.

Details

Kybernetes, vol. 37 no. 9/10
Type: Research Article
ISSN: 0368-492X

Article
Publication date: 1 October 1998

Rossouw von Solms

Information security has become very important in most organizations. The main reason for this is that access to information and the associated resources has become easier because…

Abstract

Information security has become very important in most organizations. The main reason for this is that access to information and the associated resources has become easier because of the developments in distributed processing, for example the Internet and electronic commerce. The result is that organizations need to ensure that their information is properly protected and that they maintain a high level of information security. In many cases, organizations demand some proof of adequate information security from business partners before electronic commerce can commence. In this paper, one of the building blocks for a secure IT infrastructure is discussed, namely trusted computer products and systems. A high level explanation of the TCSEC and ITSEC standards forms the latter part of the paper.

Details

Information Management & Computer Security, vol. 6 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 7 November 2008

M. Razvi Doomun

Information security is an integral part of all outsourcing activities and it is important for both the outsourcing company and the vendor to reach agreement as regards what type…

Abstract

Purpose

Information security is an integral part of all outsourcing activities and it is important for both the outsourcing company and the vendor to reach agreement as regards what type and what level of information security will be provided by the vendor in relation to the outsourced activities. The purpose of this paper is to evaluate the potential risks and information system (IS) security needs when outsourcing takes place and analyse the different security level in outsourcing agreements.

Design/methodology/approach

This paper is primarily based on a review of the literature. International security standards and best security practices are analysed and discussed. A multiple level security framework as an effective approach in outsourcing domain is addressed.

Findings

It is found that IS security risks can be effectively identified, monitored and evaluated by the concept of a layered security model that fits best in the complex outsourcing domain. There are three levels of security, first guidelines of technical security, second risk analysis and, third compliance and evaluation criteria, including managing information security.

Originality/value

The approach could be used to integrate IS security with service level agreements. Outsourcing vendors with security certifications, strong security adherence systems and optimal disaster recover plans will have a competitive edge in the industry.

Details

Business Process Management Journal, vol. 14 no. 6
Type: Research Article
ISSN: 1463-7154

Article
Publication date: 1 May 1995

Kevin J. Fitzgerald

Describes a set of “baseline” threats and presents the reasoning behind the “baseline” security approach. Discusses an example of the acceptance of the security baseline approach…

Abstract

Describes a set of “baseline” threats and presents the reasoning behind the “baseline” security approach. Discusses an example of the acceptance of the security baseline approach and suggests the way in which it can be used. Describes the advantages and disadvantages of the approach and concludes that a baseline approach is worthy of consideration as a way forward.

Details

Information Management & Computer Security, vol. 3 no. 2
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 12 February 2024

Kate-Riin Kont

This article surveys why libraries are vulnerable to social engineering attacks and how to manage risks of human-caused cyber threats on organizational level; investigates…

Abstract

Purpose

This article surveys why libraries are vulnerable to social engineering attacks and how to manage risks of human-caused cyber threats on organizational level; investigates Estonian library staff awareness of information security and shares recommendations concerning focus areas that should be given more attention in the future.

Design/methodology/approach

The data used in this paper is based on an overview of relevant literature highlighting the theoretical points and giving the reasons why human factor is considered the weakest link in information security and cyber security and studying how to mitigate the related risks in the organisation. To perform the survey, a web questionnaire was designed which included 63 sentences and was developed based on the knowledge-attitude-behaviour (KAB) model supported by Kruger and Kearney and Human Aspects of Information Security Questionnaire (HAIS-Q) designed by Parsons et al.

Findings

The research results show that the information security awareness of library employees is at a good level; however, awareness in two focus areas needs special attention and should be improved. The output of this study is the mapping of seven focus areas of information security policy in libraries based on the HAIS-Q framework and the KAB model.

Originality/value

The cyber awareness of library employees has not been studied in the world using HAIS-Q and KAB model, and to the best of the authors’ knowledge, no research has been previously carried out in the Estonian library context into cyber security awareness.

Details

Library Management, vol. 45 no. 1/2
Type: Research Article
ISSN: 0143-5124
