Search results

1 – 10 of over 67000
Article
Publication date: 17 August 2021

Krunoslav Arbanas, Mario Spremic and Nikolina Zajdela Hrustek

Abstract

Purpose

The objective of this research was to propose and validate a holistic framework for information security culture evaluation, built around a novel approach, which includes technological, organizational and social issues. The framework's validity and reliability were determined with the help of experts in the information security field and by using multivariate statistical methods.

Design/methodology/approach

The conceptual framework was constructed upon a detailed literature review and validated using a range of methods: first, a measuring instrument was developed, and then the content and construct validity of the measuring instrument were confirmed via experts' opinions and by the closed map sorting method. Convergent validity was confirmed by factor analysis, while the reliability of the measuring instrument was tested using Cronbach's alpha coefficient to measure internal consistency.

Findings

The proposed framework was validated based upon the results of empirical research and the usage of multivariate analysis. The resulting framework ultimately consists of 46 items (manifest variables), describing eight factors (first level latent variables), grouped into three categories (second level latent variables). These three categories were built around technological, organizational and social issues.

Originality/value

This paper contributes to the body of knowledge in information security culture by developing and validating a holistic framework for information security culture evaluation, which does not observe information security culture in only one aspect but takes into account its organizational, sociological and technical components.

Details

Aslib Journal of Information Management, vol. 73 no. 5
Type: Research Article
ISSN: 2050-3806

Article
Publication date: 10 July 2017

Fredrik Karlsson, Martin Karlsson and Joachim Åström

Abstract

Purpose

This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic measure, which introduces the idea of competing organisational imperatives.

Design/methodology/approach

A survey was developed using two sets of items to measure compliance. The survey was sent to 600 white-collar workers and analysed through ordinary least squares.

Findings

The results suggest that when using the value-monistic measure, employees’ compliance was a function of employees’ intentions to comply, their self-efficacy and awareness of information security policies. In addition, compliance was not related to the occurrence of conflicts between information security and other organisational imperatives. However, when the dependent variable was changed to a value-pluralistic measure, the results suggest that employees’ compliance was, to a great extent, a function of the occurrence of conflicts between information security and other organisational imperatives, indirect conflicts with other organisational values.

Research limitations/implications

The results are based on a small survey; yet, the findings are interesting and justify further investigation. The results suggest that relevant organisational imperatives and value systems, along with information security values, should be included in measures for employees’ compliance with information security policies.

Practical implications

Practitioners and researchers should be aware that there is a difference in measuring employees’ compliance using value-monistic and value-pluralistic measurements.

Originality/value

Few studies exist that critically compare the two different compliance measures for the same population.

Details

Information & Computer Security, vol. 25 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 12 October 2010

Ahmad Abu‐Musa

Abstract

Purpose

This paper seeks to empirically examine the existence and implementation of information security governance (ISG) in Saudi organizations.

Design/methodology/approach

An empirical survey, using a self‐administered questionnaire, is conducted to explore and evaluate the current status and the main features of ISG in the Saudi environment. The questionnaire is developed based on ISG guidelines for boards of directors and executive management issued by the Information Technology (IT) Governance Institute and other related materials available in the literature. A total of 167 valid questionnaires are collected and processed using the Statistical Package for Social Sciences, version 16.

Findings

The results of the study reveal that although the majority of Saudi organizations recognize the importance of ISG as an integral factor for the success of IT and corporate governance, most of them have no clear information security strategies or written information security policy statements. The majority of Saudi organizations have no disaster recovery plans to deal with information security incidents and emergencies; information security roles and responsibilities are not clearly defined and communicated. The results also show that alignment between ISG and the organization's overall business strategy is relatively poor and not adequately implemented. The results also show that risk assessment procedures are not adequately and effectively implemented, ISG is not a regular item on the board's agenda, and there are no properly functioning ISG processes or performance‐measuring systems in the majority of Saudi organizations. Accordingly, appropriate actions should be taken to improve the implementation and measurement of ISG performance in Saudi organizations.

Originality/value

From a practical standpoint, managers and practitioners alike stand to gain from the findings of this study. The results of the paper enable them to better understand and evaluate ISG and to champion IT development for business success in Saudi organizations.

Details

Information Management & Computer Security, vol. 18 no. 4
Type: Research Article
ISSN: 0968-5227

Open Access
Article
Publication date: 4 December 2020

Špela Orehek and Gregor Petrič

Abstract

Purpose

The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This study aims to identify and provide an overview of the scales that are used to measure information security culture and to evaluate the rigor of reported scale development and validation procedures.

Design/methodology/approach

Papers that introduce a new or adapt an existing scale of information security culture were systematically reviewed to evaluate scales of information security culture. A standard search strategy was applied to identify 19 relevant scales, which were evaluated based on the framework of 16 criteria pertaining to the rigor of reported operationalization and the reported validity and reliability of the identified scales.

Findings

The results show that the rigor with which scales of information security culture are validated varies greatly and that none of the scales meet all the evaluation criteria. Moreover, most of the studies provide somewhat limited evidence of the validation of scales, indicating room for further improvement. Particularly, critical issues seem to be the lack of evidence regarding discriminant and criterion validity and incomplete documentation of the operationalization process.

Research limitations/implications

Researchers focusing on the human factor in information security need to reach a certain level of agreement on the essential elements of the concept of information security culture. Future studies need to build on existing scales, address their limitations and gain further evidence regarding the validity of scales of information security culture. Further research should also investigate the quality of definitions and make expert assessments of the content fit between concepts and items.

Practical implications

Organizations that aim to assess the level of information security culture among employees can use the results of this systematic review to support the selection of an adequate measurement scale. However, caution is needed for scales that provide limited evidence of validation.

Originality/value

This is the first study that offers a critical evaluation of existing scales of information security culture. The results have decision-making value for researchers who intend to conduct survey-based examinations of information security culture.

Article
Publication date: 12 March 2018

Khaled A. Alshare, Peggy L. Lane and Michael R. Lane

Abstract

Purpose

The purpose of this case study is to examine the factors that impact higher education employees’ violations of information security policy by developing a research model based on grounded theories such as deterrence theory, neutralization theory and justice theory.

Design/methodology/approach

The research model was tested using 195 usable responses. After conducting model validation, the hypotheses were tested using multiple linear regression.

Findings

The results of the study revealed that procedural justice, distributive justice, severity and celerity of sanction, privacy, responsibility and organizational security culture were significant predictors of violations of information security measures. Only interactional justice was not significant.

Research limitations/implications

As with any exploratory case study, this research has limitations such as the self-reported information and the method of measuring the violation of information security measures. The method of measuring information security violations has been a challenge for researchers. Of course, the best method is to capture the actual behavior. Another limitation to this case study which might have affected the results is the significant number of faculty members in the respondent pool. The shared governance culture of faculty members on a US university campus might bias the results more than in a company environment. Caution should be applied when generalizing the results of this case study.

Practical implications

The findings validate past research and should encourage managers to ensure employees are involved with developing and implementing information security measures. Additionally, the information security measures should be applied consistently and in a timely manner. Past research has focused more on the certainty and severity of sanctions and not as much on the celerity or swiftness of applying sanctions. The results of this research indicate there is a need to be timely (swift) in applying sanctions. The importance of information security should be grounded in company culture. Employees should have a strong sense of treating company data as they would want their own data to be treated.

Social implications

Engaging employees in developing and implementing information security measures will reduce employees’ violations. Additionally, giving employees the assurance that all are given the same treatment when it comes to applying sanctions will reduce the violations.

Originality/value

Setting and enforcing in a timely manner a solid sanction system will help in preventing information security violations. Moreover, creating a culture that fosters information security will help in positively affecting the employees’ perceptions toward privacy and responsibility, which in turn, impacts information security violations. This case study applies some existing theories in the context of the US higher education environment. The results of this case study contributed to the extension of existing theories by including new factors, on one hand, and confirming previous findings, on the other hand.

Article
Publication date: 13 June 2016

Michelle S. Dojutrek, Samuel Labi and J. Eric Dietz

Abstract

Purpose

Transportation project evaluation and prioritization use traditional performance measures including travel time, safety, user costs, economic efficiency and environmental quality. The project impacts in terms of enhancing the infrastructure resilience or mitigating the consequences of infrastructure damage in the event of disaster occurrence are rarely considered in project evaluation. This paper aims to present a methodology to address this issue so that in prioritizing investments, infrastructure with low security can receive the attention they deserve. Second, the methodology can be used for prioritizing candidate investments from a budget that is dedicated specifically to security enhancement.

Design/methodology/approach

In defining security as the absence of risk of damage from threats due to inherent structural or functional resilience, this paper uses security-related considerations in investment prioritization, thus introducing robustness in such evaluation. As this leads to an increase in the number of performance criteria in the evaluation, the paper adopts a multi-criteria analysis approach. The paper’s methodology quantifies the overall security level for an infrastructure in terms of the threats it faces, its resilience to damage and the consequences in the event of the infrastructure damage.

Findings

The paper demonstrates that it is feasible to develop a security-related measure that can be used as a performance criterion in the evaluation of general transportation projects or projects dedicated specifically toward security improvement. Through a case study, the paper applies the methodology by measuring the risk (and hence, security) of each of multiple infrastructure assets. On the basis of the multiple types of impacts, including risk impacts (i.e. increase in security) because of each candidate investment, the paper shows how to prioritize security investments across the multiple infrastructure assets using multi-criteria analysis.

Originality/value

The overall framework consists of the traditional steps in risk management, and the paper’s specific contribution is in the part of the framework that measures the risk. The paper shows how infrastructure security can be quantified and incorporated in the project evaluation process.

Details

International Journal of Disaster Resilience in the Built Environment, vol. 7 no. 3
Type: Research Article
ISSN: 1759-5908

Article
Publication date: 1 February 1993

Richard Dobbins

Abstract

Sees the objective of teaching financial management to be to help managers and potential managers to make sensible investment and financing decisions. Acknowledges that financial theory teaches that investment and financing decisions should be based on cash flow and risk. Provides information on payback period, return on capital employed, earnings per share effect, working capital, profit planning, standard costing, financial statement planning and ratio analysis. Seeks to combine the practical rules of thumb of the traditionalists with the ideas of the financial theorists to form a balanced approach to practical financial management for MBA students, financial managers and undergraduates.

Details

Management Decision, vol. 31 no. 2
Type: Research Article
ISSN: 0025-1747

Article
Publication date: 10 October 2008

Janne Merete Hagen, Eirik Albrechtsen and Jan Hovden

Abstract

Purpose

The purpose of this paper is to study the implementation of organizational information security measures and assess the effectiveness of such measures.

Design/methodology/approach

A survey was designed and data were collected from information security managers in a selection of Norwegian organizations.

Findings

Technical‐administrative security measures such as security policies, procedures and methods are the most commonly implemented organizational information security measures in a sample of Norwegian organizations. Awareness‐creating activities are applied by the organizations to a considerably lesser extent, but at the same time are assessed as being more effective organizational measures than technical‐administrative ones. Consequently, the study shows an inverse relationship between the implementation of organizational information security measures and the assessed effectiveness of those measures.

Originality/value

Provides insight into the non‐technological side of information security. While most other studies look at the effectiveness of single organizational security measures, the present study considers combinations of organizational security measures.

Details

Information Management & Computer Security, vol. 16 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 8 August 2016

Luca Urciuoli and Juha Hintsa

Abstract

Purpose

Supply chain stakeholders may perceive security risks differently and thereby misalign mitigation strategies, causing weak spots in supply chains and thereby disruptions. The purpose of this paper is to determine whether supply chain companies actually perceive security risks and the effectiveness of mitigation strategies differently.

Design/methodology/approach

Two survey studies measuring perception of security risks and effectiveness of measures have been developed and used to collect data from European and Latin American companies, grouped as cargo owners and logistics companies.

Findings

The findings of the surveys unveil that only two (out of six) security risks, namely, violation of customs non-fiscal regulations and illegal immigration, show significant differences between the two groups of companies. In addition, the surveys show that companies perceive equally the effectiveness of security measures. This study concludes that supply chains seem to have good visibility over the security risks of their partners. Hence, in terms of security, supply chain companies seem to have achieved a common understanding of risks and furthermore are able to act jointly to secure assets and operations.

Originality/value

Previous research claims that supply chain stakeholders may perceive risks differently and thereby may fail to correctly align mitigation strategies. Yet, to the authors' knowledge, previous research has not empirically demonstrated these differences in perceptions of risks and mitigation strategies.

Details

The International Journal of Logistics Management, vol. 27 no. 2
Type: Research Article
ISSN: 0957-4093

Article
Publication date: 13 November 2017

Joyce Hoese Addae, Michael Brown, Xu Sun, Dave Towey and Milena Radenkovic

Abstract

Purpose

This paper presents an initial development of a personal data attitude (PDA) measurement instrument based on established psychometric principles. The aim of the research was to develop a reliable measurement scale for quantifying and comparing attitudes towards personal data that can be incorporated into cybersecurity behavioural research models. Such a scale has become necessary for understanding individuals’ attitudes towards specific sets of data, as more technologies are being designed to harvest, collate, share and analyse personal data.

Design/methodology/approach

An initial set of 34 five-point Likert-style items was developed with eight subscales and administered to participants online. The data collected were subjected to exploratory and confirmatory factor analyses and MANOVA. The results are consistent with the multidimensionality of attitude theories and suggest that the adopted methodology for the study is appropriate for future research with a more representative sample.

Findings

Factor analysis of 247 responses identified six constructs of individuals’ attitude towards personal data: protective behaviour, privacy concerns, cost-benefit, awareness, responsibility and security. This paper illustrates how the PDA scale can be a useful guide for information security research and design by briefly discussing the factor structure of the PDA and related results.

Originality/value

This study addresses a genuine gap in research by taking the first step towards establishing empirical evidence for dimensions underlying personal data attitudes. It also adds a significant benchmark to a growing body of literature on understanding and modelling computer users’ security behaviours.

Details

Information & Computer Security, vol. 25 no. 5
Type: Research Article
ISSN: 2056-4961
