Search results

1 – 10 of over 88000
Article
Publication date: 17 August 2021

Krunoslav Arbanas, Mario Spremic and Nikolina Zajdela Hrustek

The objective of this research was to propose and validate a holistic framework for information security culture evaluation, built around a novel approach, which includes…

Abstract

Purpose

The objective of this research was to propose and validate a holistic framework for information security culture evaluation, built around a novel approach, which includes technological, organizational and social issues. The framework's validity and reliability were determined with the help of experts in the information security field and by using multivariate statistical methods.

Design/methodology/approach

The conceptual framework was constructed upon a detailed literature review and validated using a range of methods: first, a measuring instrument was developed, and then the content and construct validity of the measuring instrument were confirmed via experts' opinion and by the closed map sorting method. Convergent validity was confirmed by factor analysis, while the reliability of the measuring instrument was tested using Cronbach's alpha coefficient to measure internal consistency.

Findings

The proposed framework was validated based upon the results of empirical research and the usage of multivariate analysis. The resulting framework ultimately consists of 46 items (manifest variables), describing eight factors (first level latent variables), grouped into three categories (second level latent variables). These three categories were built around technological, organizational and social issues.

Originality/value

This paper contributes to the body of knowledge in information security culture by developing and validating a holistic framework for information security culture evaluation, which does not observe information security culture in only one aspect but takes into account its organizational, sociological and technical components.

Details

Aslib Journal of Information Management, vol. 73 no. 5
Type: Research Article
ISSN: 2050-3806

Book part
Publication date: 21 June 2014

Tilman Brück, Olaf J. de Groot and Neil T. N. Ferguson

The purpose of this study is to define the interactions that determine how secure a society is from terrorism and to propose a method for measuring the threat of terrorism in an…

Abstract

Purpose

The purpose of this study is to define the interactions that determine how secure a society is from terrorism and to propose a method for measuring the threat of terrorism in an objective and spatio-temporally comparable manner.

Methodology/approach

Game-theoretic analysis of the determinants of security and discussion of how to implement these interactions into a measure of security.

Findings

We show that governments concerned with popularity have an incentive to over-invest in security and that, in certain situations, this leads to a deterioration in net security position. Our discussion provides an implementable means for measuring the levels of threat and protection, as well as individuals’ perceptions of both, which we propose can be combined into an objective and scientific measure of security.

Research limitations/implications

The implication for researchers is the suggestion that efficiency, as well as scale of counter-terrorism, is important in determining a country’s overall security position. Furthermore, we suggest that individuals’ perceptions are at least as important in determining suitable counter-terrorism policy as objective measures of protection and threat. The limitations of this research are found in the vast data requirements that any attempt to measure security will need.

Originality/value of the chapter

We propose the first method for objectively measuring the net security position of a country, using economic and econometric means.

Article
Publication date: 10 July 2017

Fredrik Karlsson, Martin Karlsson and Joachim Åström

This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic…

Abstract

Purpose

This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic measure, which introduces the idea of competing organisational imperatives.

Design/methodology/approach

A survey was developed using two sets of items to measure compliance. The survey was sent to 600 white-collar workers and analysed through ordinary least squares.

Findings

The results suggest that when using the value-monistic measure, employees’ compliance was a function of employees’ intentions to comply, their self-efficacy and awareness of information security policies. In addition, compliance was not related to the occurrence of conflicts between information security and other organisational imperatives. However, when the dependent variable was changed to a value-pluralistic measure, the results suggest that employees’ compliance was, to a great extent, a function of the occurrence of conflicts between information security and other organisational imperatives, indirect conflicts with other organisational values.

Research limitations/implications

The results are based on a small survey; yet, the findings are interesting and justify further investigation. The results suggest that relevant organisational imperatives and value systems, along with information security values, should be included in measures for employees’ compliance with information security policies.

Practical implications

Practitioners and researchers should be aware that there is a difference in measuring employees’ compliance using value monistic and value pluralism measurements.

Originality/value

Few studies exist that critically compare the two different compliance measures for the same population.

Details

Information & Computer Security, vol. 25 no. 3
Type: Research Article
ISSN: 2056-4961

Book part
Publication date: 16 December 2015

David Magaña-Lemus and Jorge Lara-Álvarez

Food security is an essential measure of welfare, especially for low-income families in developing countries. Policy makers should be aware of the harm food insecurity has on…

Abstract

Purpose

Food security is an essential measure of welfare, especially for low-income families in developing countries. Policy makers should be aware of the harm food insecurity has on vulnerable households. This chapter empirically addresses the problems of measuring and monitoring food security in Mexico.

Methodology/approach

We identify the macro and micro approaches for measuring food security. The macro approach uses variables at the country level. Usually, this information is available on a yearly basis, is easy to implement, and can be compared across countries. The micro approach uses household questionnaires to collect food security information. Our analysis suggests that a macro approach will not be as precise as the micro approach due to inequality (agroclimatic, social, and economic).

Findings

Empirical experience suggests that food insecurity and its severity can be captured at the household level using the Food Insecurity Experiences Questionnaire. This questionnaire allows us to calculate food security measurements that closely follow the food security definition.

Originality/value

From a public policy perspective, the different methodologies for measurement do not consider all the dimensions of food security as defined by the term. This chapter examines which approach provides the best measurement of food security.

Details

Food Security in an Uncertain World
Type: Book
ISBN: 978-1-78560-213-9

Article
Publication date: 12 October 2010

Ahmad Abu‐Musa

This paper seeks to empirically examine the existence and implementation of information security governance (ISG) in Saudi organizations.

Abstract

Purpose

This paper seeks to empirically examine the existence and implementation of information security governance (ISG) in Saudi organizations.

Design/methodology/approach

An empirical survey, using a self‐administered questionnaire, is conducted to explore and evaluate the current status and the main features of ISG in the Saudi environment. The questionnaire is developed based on ISG guidelines for boards of directors and executive management issued by the Information Technology (IT) Governance Institute and other related materials available in the literature. A total of 167 valid questionnaires are collected and processed using the Statistical Package for Social Sciences, version 16.

Findings

The results of the study reveal that although the majority of Saudi organizations recognize the importance of ISG as an integrant factor for the success of IT and corporate governance, most of them have no clear information security strategies or written information security policy statements. The majority of Saudi organizations have no disaster recovery plans to deal with information security incidents and emergencies; information security roles and responsibilities are not clearly defined and communicated. The results also show that alignment between ISG and the organization's overall business strategy is relatively poor and not adequately implemented. The results also show that risk assessment procedures are not adequately and effectively implemented, ISG is not a regular item in the board's agenda, and there are no properly functioning ISG processes or performance‐measuring systems in the majority of Saudi organizations. Accordingly, appropriate actions should be taken to improve implementing and measuring the ISG performance in Saudi organizations.

Originality/value

From a practical standpoint, managers and practitioners alike stand to gain from the findings of this study. The results of the paper enable them to better understand and evaluate ISG and to champion IT development for business success in Saudi organizations.

Details

Information Management & Computer Security, vol. 18 no. 4
Type: Research Article
ISSN: 0968-5227

Open Access
Article
Publication date: 4 December 2020

Špela Orehek and Gregor Petrič

The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on…

Abstract

Purpose

The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This study aims to identify and provide an overview of the scales that are used to measure information security culture and to evaluate the rigor of reported scale development and validation procedures.

Design/methodology/approach

Papers that introduce a new or adapt an existing scale of information security culture were systematically reviewed to evaluate scales of information security culture. A standard search strategy was applied to identify 19 relevant scales, which were evaluated based on the framework of 16 criteria pertaining to the rigor of reported operationalization and the reported validity and reliability of the identified scales.

Findings

The results show that the rigor with which scales of information security culture are validated varies greatly and that none of the scales meet all the evaluation criteria. Moreover, most of the studies provide somewhat limited evidence of the validation of scales, indicating room for further improvement. Particularly, critical issues seem to be the lack of evidence regarding discriminant and criterion validity and incomplete documentation of the operationalization process.

Research limitations/implications

Researchers focusing on the human factor in information security need to reach a certain level of agreement on the essential elements of the concept of information security culture. Future studies need to build on existing scales, address their limitations and gain further evidence regarding the validity of scales of information security culture. Further research should also investigate the quality of definitions and make expert assessments of the content fit between concepts and items.

Practical implications

Organizations that aim to assess the level of information security culture among employees can use the results of this systematic review to support the selection of an adequate measurement scale. However, caution is needed for scales that provide limited evidence of validation.

Originality/value

This is the first study that offers a critical evaluation of existing scales of information security culture. The results have decision-making value for researchers who intend to conduct survey-based examinations of information security culture.

Article
Publication date: 12 March 2018

Khaled A. Alshare, Peggy L. Lane and Michael R. Lane

The purpose of this case study is to examine the factors that impact higher education employees’ violations of information security policy by developing a research model based on…

Abstract

Purpose

The purpose of this case study is to examine the factors that impact higher education employees’ violations of information security policy by developing a research model based on grounded theories such as deterrence theory, neutralization theory and justice theory.

Design/methodology/approach

The research model was tested using 195 usable responses. After conducting model validation, the hypotheses were tested using multiple linear regression.

Findings

The results of the study revealed that procedural justice, distributive justice, severity and celerity of sanction, privacy, responsibility and organizational security culture were significant predictors of violations of information security measures. Only interactional justice was not significant.

Research limitations/implications

As with any exploratory case study, this research has limitations such as the self-reported information and the method of measuring the violation of information security measures. The method of measuring information security violations has been a challenge for researchers. Of course, the best method is to capture the actual behavior. Another limitation to this case study which might have affected the results is the significant number of faculty members in the respondent pool. The shared governance culture of faculty members on a US university campus might bias the results more than in a company environment. Caution should be applied when generalizing the results of this case study.

Practical implications

The findings validate past research and should encourage managers to ensure employees are involved with developing and implementing information security measures. Additionally, the information security measures should be applied consistently and in a timely manner. Past research has focused more on the certainty and severity of sanctions and not as much on the celerity or swiftness of applying sanctions. The results of this research indicate there is a need to be timely (swift) in applying sanctions. The importance of information security should be grounded in company culture. Employees should have a strong sense of treating company data as they would want their own data to be treated.

Social implications

Engaging employees in developing and implementing information security measures will reduce employees’ violations. Additionally, giving employees the assurance that all are given the same treatment when it comes to applying sanctions will reduce the violations.

Originality/value

Setting and enforcing in a timely manner a solid sanction system will help in preventing information security violations. Moreover, creating a culture that fosters information security will help in positively affecting the employees’ perceptions toward privacy and responsibility, which in turn, impacts information security violations. This case study applies some existing theories in the context of the US higher education environment. The results of this case study contributed to the extension of existing theories by including new factors, on one hand, and confirming previous findings, on the other hand.

Article
Publication date: 13 June 2016

Michelle S. Dojutrek, Samuel Labi and J. Eric Dietz

Transportation project evaluation and prioritization use traditional performance measures including travel time, safety, user costs, economic efficiency and environmental quality…

Abstract

Purpose

Transportation project evaluation and prioritization use traditional performance measures including travel time, safety, user costs, economic efficiency and environmental quality. The project impacts in terms of enhancing the infrastructure resilience or mitigating the consequences of infrastructure damage in the event of disaster occurrence are rarely considered in project evaluation. This paper aims to present a methodology to address this issue so that in prioritizing investments, infrastructure with low security can receive the attention it deserves. Second, the methodology can be used for prioritizing candidate investments from a budget that is dedicated specifically to security enhancement.

Design/methodology/approach

In defining security as the absence of risk of damage from threats due to inherent structural or functional resilience, this paper uses security-related considerations in investment prioritization, thus introducing robustness in such evaluation. As this leads to an increase in the number of performance criteria in the evaluation, the paper adopts a multi-criteria analysis approach. The paper’s methodology quantifies the overall security level for an infrastructure in terms of the threats it faces, its resilience to damage and the consequences in the event of the infrastructure damage.

Findings

The paper demonstrates that it is feasible to develop a security-related measure that can be used as a performance criterion in the evaluation of general transportation projects or projects dedicated specifically toward security improvement. Through a case study, the paper applies the methodology by measuring the risk (and hence, security) of each for multiple infrastructure assets. On the basis of the multiple types of impacts including risk impacts (i.e. increase in security) because of each candidate investment, the paper shows how to prioritize security investments across the multiple infrastructure assets using multi-criteria analysis.

Originality/value

The overall framework consists of the traditional steps in risk management, and the paper’s specific contribution is in the part of the framework that measures the risk. The paper shows how infrastructure security can be quantified and incorporated in the project evaluation process.

Details

International Journal of Disaster Resilience in the Built Environment, vol. 7 no. 3
Type: Research Article
ISSN: 1759-5908

Article
Publication date: 1 February 1993

Richard Dobbins

Sees the objective of teaching financial management to be to help managers and potential managers to make sensible investment and financing decisions. Acknowledges that financial…

Abstract

Sees the objective of teaching financial management to be to help managers and potential managers to make sensible investment and financing decisions. Acknowledges that financial theory teaches that investment and financing decisions should be based on cash flow and risk. Provides information on payback period, return on capital employed, earnings per share effect, working capital, profit planning, standard costing, financial statement planning and ratio analysis. Seeks to combine the practical rules of thumb of the traditionalists with the ideas of the financial theorists to form a balanced approach to practical financial management for MBA students, financial managers and undergraduates.

Details

Management Decision, vol. 31 no. 2
Type: Research Article
ISSN: 0025-1747

Book part
Publication date: 16 December 2015

Dragan Miljkovic

This chapter proposes a novel nonnormative approach to evaluating quality, effectiveness, and efficiency of food security.

Abstract

Purpose

This chapter proposes a novel nonnormative approach to evaluating quality, effectiveness, and efficiency of food security.

Methodology/approach

On the demand side, we consider the quality, effectiveness, and efficiency of the food security system, whose mechanisms should be evaluated by their impact on the quality of life of an endangered population. On the supply side, the motives of food aid donors and food security providers (directly and via policy mechanisms) are discussed in the context of the deservingness heuristic.

Findings

The model illustrates three problems with measuring food security-related quality of life: peoples’ different expectations, the different points at which people stand on their food security trajectory, and the potential for an evolving reference value of peoples’ expectations. The deservingness heuristic is the mechanism behind the domestic and international food security aid that occurs via evolutionary forces, or cultural, institutional, and ideological forces.

Social implications

Food security is a problem that requires a humanistic approach rooted in the evolutionary process/development of the human race. Food security can be misused by the food aid/welfare recipients for their own purposes. Likewise, food security programs by food aid/welfare donors can be targeted unethically when used to achieve the ideological, institutional, and political goals of the donors. Differentiating between the behavioral causes of providing food security may be helpful in predicting whether aid/welfare will be provided to the needy at all.

Details

Food Security in an Uncertain World
Type: Book
ISBN: 978-1-78560-213-9
