Search results
1 – 10 of over 6000
Špela Orehek and Gregor Petrič
Abstract
Purpose
The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This study aims to identify and provide an overview of the scales that are used to measure information security culture and to evaluate the rigor of reported scale development and validation procedures.
Design/methodology/approach
Papers that introduce a new or adapt an existing scale of information security culture were systematically reviewed to evaluate scales of information security culture. A standard search strategy was applied to identify 19 relevant scales, which were evaluated based on the framework of 16 criteria pertaining to the rigor of reported operationalization and the reported validity and reliability of the identified scales.
Findings
The results show that the rigor with which scales of information security culture are validated varies greatly and that none of the scales meet all the evaluation criteria. Moreover, most of the studies provide somewhat limited evidence of the validation of scales, indicating room for further improvement. Particularly, critical issues seem to be the lack of evidence regarding discriminant and criterion validity and incomplete documentation of the operationalization process.
Research limitations/implications
Researchers focusing on the human factor in information security need to reach a certain level of agreement on the essential elements of the concept of information security culture. Future studies need to build on existing scales, address their limitations and gain further evidence regarding the validity of scales of information security culture. Further research should also investigate the quality of definitions and make expert assessments of the content fit between concepts and items.
Practical implications
Organizations that aim to assess the level of information security culture among employees can use the results of this systematic review to support the selection of an adequate measurement scale. However, caution is needed for scales that provide limited evidence of validation.
Originality/value
This is the first study that offers a critical evaluation of existing scales of information security culture. The results have decision-making value for researchers who intend to conduct survey-based examinations of information security culture.
Martin Karlsson, Fredrik Karlsson, Joachim Åström and Thomas Denk
Abstract
Purpose
This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.
Design/methodology/approach
The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy.
Findings
The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regard to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance.
Research limitations/implications
The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance.
Practical implications
Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite of an internal focus, that may have negative ramifications for the information security of organizations.
Originality/value
Few information security policy compliance studies exist on the consequences of different organizational/information cultures.
Tadele Shimels and Lemma Lessa
Abstract
Purpose
Information systems' security is more critical than ever before since security threats are rapidly growing. Before putting in place information systems' security measures, organizations are required to determine the maturity level of their information security governance. Literature review reveals that there is no recent study on information systems' security maturity level of banks in Ethiopia. This study thus seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators.
Design/methodology/approach
Four private banks are selected as a representative sample. The system security engineering capability maturity model (SSE-CMM) is used as the maturity measurement criteria, and the measurement was based on ISO/IEC 27001 information security control areas. The data for the study were gathered using a questionnaire.
Findings
A total of 93 valid questionnaires were gathered from 110 participants in the study. Based on the SSE-CMM maturity model assessment criteria the private banking industry's current maturity level is level 2 (repeatable but intuitive). Institutions have a pattern that is repeated when completing information security operations but its existence was not thoroughly proven and institutional inconsistency still exists.
Originality/value
This study seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators. This topic has not been attempted previously in the context of Ethiopian financial sector.
Ji-Young Park, Jung Ung Min and Jeong Soo Park
Abstract
Although logistics security covered only the trading phase in the past, many countries have begun to introduce logistics security systems as its coverage has been extended from the production stage to delivery at the final destination. A logistics security system has become an indispensable element for global corporations involved in international trading, and studies on logistics security are ongoing. Most of the studies, however, focus on discussion of the system, cost and influence of logistics security, and few of them have dealt specifically with its substantial effectiveness. This study developed models of supply chain security activities and their outcomes using the Balanced Scorecard (BCS), a well-known performance indicator, to identify the relationship between supply chain security activities and their accomplishment. In this study we have presented 8 supply chain frameworks, human resources management, information system management, facilities/freight management, security process, crisis management capability, relationship with partners, sharing of logistics information and logistics security accomplishment, with reference to the standards of C-TPAT and AEO based on the WCO framework, 10 supply chain security capabilities. This study further indicates that relationship with partners has more effect on logistics security accomplishment than sharing of logistics information. Just as the relationship between corporations in the supply chain and the sharing of information among them are important elements in supply chain management, relationship with partners and sharing of logistics information will have a positive effect on supply chain security accomplishment and raise its effectiveness.
Abstract
The Black Sea region has become an important energy transit route for Caspian and Russian oil and natural gas to western markets. Since 1996 the quantity of oil exported from the Black Sea through the Turkish Straits and the number of transiting tankers have doubled and will continue to expand. However, these are also two waterways where the risk of either an accidental or intentional disaster is significant, bringing serious repercussions for energy supply security. This paper will analyze measures taken by Black Sea coastal States to provide for secure ports and shipping against accidental and intentional disasters. The paper will examine the role of technology, such as satellite-based VTS providers in the Black Sea, implementation of the ISPS Code, and the role of the relatively new BlackSeaFor in providing both port and navigational security. The paper will further make recommendations for improving security emergency response planning. In addition, the paper will examine current security measures taken by the Turkish Administration for oil transportation through the Turkish Straits.
Durga Prasad Dube and Rajendra Prasad Mohanty
Abstract
Purpose
As evident from the literature review, the research on cyber security performance is centered on security metrics, maturity models, etc. Essentially, all these are helpful for evaluating the efficiency of a cyber security organization, but what matters is how the factors of internal efficiency affect the business performance, i.e. the external effectiveness. The purpose of this research paper is to derive the factors of internal efficiency and external effectiveness of cyber security and develop an impact model to identify the most and least preferred parameters of internal efficiency with respect to all the parameters of external effectiveness.
Design/methodology/approach
There are two objectives for this research: deriving the factors of internal efficiency and external effectiveness of cyber security; and developing a model to identify the impact of internal efficiency factors on the external effectiveness of cyber security. Since there is not much evidence of research in defining the factors of internal efficiency and external effectiveness of cyber security, the authors have chosen grounded theory methodology (GTM) to derive the parameters. In this study, the emic approach of GTM is followed and an algorithm is developed for administering the grounded theory research process. For the second research objective, survey methodology and rank order were used to formulate the impact model. Two different samples and questionnaires were designed for each of the objectives.
Findings
For objective 1, 11 factors of efficiency and 10 factors of effectiveness were derived. These are used as independent and dependent variables, respectively, in the later part of the research for the second objective. For objective 2, the impact models among independent and dependent variables were formulated to find out the following: the most and least preferred parameters that lead to internal efficiency of the cyber security organization, and the most and least preferred parameters of internal efficiency with respect to all the parameters of external effectiveness.
Research limitations/implications
The factors of internal efficiency and external effectiveness constructed by using grounded theory cannot remain constant in the long run, because of the dynamism of the domain itself. Over and above this, there are inherent limitations of tools like grounded theory, used in the research. A few important limitations of GTM are as below. In grounded theory, it is comparatively difficult to maintain and demonstrate the rigors of research discipline. The sheer volume of data makes the analysis and interpretation complex, lengthy and time consuming. The researchers’ presence during data gathering, which is often unavoidable and desirable too in qualitative research, may affect the subjects’ responses. The subjectivity of the data leads to difficulties in establishing reliability and validity of approaches and information. It is difficult to detect or to prevent researcher-induced bias.
Practical implications
The internal efficiency and external effectiveness factors of cyber security can be further correlated by future researchers to understand the correlations among all the factors and predict cyber security performance. The grounded theory algorithm developed by us can be further used for qualitative research for deriving theory through abstractions in areas where there is no sufficient availability of data. Practitioners of cyber security can use this research to focus on relevant areas depending on their respective business objectives/requirements. The models developed by us can be used by future researchers for various sectoral validations and correlations.
Social implications
Though the financial costs of a cyber-attack are steep, the social impact of cyber security failures is less readily apparent but can cause lasting damage to customers, employees and the company. Therefore, it is always important to be mindful of how the impact of cyber security affects society as well as the bottom line when they are calculating the potential impact of a breach. Underestimating either impact can destroy a brand. The factors of internal efficiency and external effectiveness derived by us will help stakeholders in focusing on relevant areas depending on their business. The impact model developed in this research is very useful for focusing on a particular business requirement and tuning the efficiency factor accordingly.
Originality/value
During the literature study the authors did not find any evidence of application of the grounded theory approach in cyber security research. While the authors were exploring research literature to gain some insight into the factors of internal efficiency and external effectiveness of cyber security, the authors did not find concrete and objective research on this. This motivated us to use grounded theory to derive these factors. This, in the authors’ opinion, is one of the pioneering and unique contributions to the research, as to the authors’ knowledge no researchers have ever tried to use this methodology for the stated purpose and in the cyber security domain in general. In this process the authors have also developed an algorithm for administering GTM. Further, developing impact models using factors of internal efficiency and external effectiveness has many managerial and practical implications.
Danat Valizade, Hugh Cook, Christopher Forde and Robert MacKenzie
Abstract
Purpose
This paper examines the extent of bargaining concessions in recession through investigating the effects of union bargaining on pay, job security and workforce composition.
Design/methodology/approach
Drawing on an original survey (n = 400) of workplace level trade union bargaining units in England, the authors employed latent class analysis to establish three groups of bargaining units on the basis of pay outcomes achieved. Linear regression analysis with moderation effects investigated whether pay rises at or above inflation in conjunction with shifts in bargaining priorities were associated with decreases in perceived job security and changes in the composition of the workforce.
Findings
Around a quarter of sampled units, concentrated mostly in decentralised bargaining units in the private sector, achieved pay rises at or above the inflation rate during an economic downturn. Pay rises at or above inflation in workplaces severely affected by recession triggered changes in bargaining priorities requiring some concessions, notably in terms of employees' job security. That said, across the sample, achieving pay rises was associated with improved perception of job security and lesser use of contingent labour.
Originality/value
The findings uncover a subset of bargaining units able to secure positive outcomes for workers against a hostile economic tide, whilst demonstrating that concession bargaining is not inevitable but rather contingent on the micro-environments in which union bargaining takes place.
Patrick Sven Ulrich, Alice Timmermann and Vanessa Frank
Abstract
Purpose
The starting point for the considerations the authors make in this paper are the special features of family businesses in the area of management discussed in the literature. It has been established here that family businesses sometimes choose different organizational setups than nonfamily businesses. This has not yet been investigated for cybersecurity. In the context of cybersecurity, there has been little theoretical or empirical work addressing the question of whether the qualitative characteristics of family businesses have an impact on the understanding of cybersecurity and the organization of cyber risk defense in the companies. Based on theoretically founded hypotheses, a quantitative empirical study was conducted in German companies.
Design/methodology/approach
The article is based on a quantitative-empirical survey of 184 companies, the results of which were analyzed using statistical-empirical methods.
Findings
The article asked – based on the subjective perception of cybersecurity and cyber risks – to what extent family businesses are sensitized to the topic and what conclusions they draw from it. An interesting tension emerges: family businesses see their employees more as a security risk, but do less than nonfamily businesses in terms of both training and organizational establishment. Whether this is due to a lack of technical or managerial expertise, or whether family businesses simply think they can prevent cybersecurity with less formal methods such as trust, is open to conjecture, but cannot be demonstrated with the research approach taken here. Qualitative follow-up studies are needed here.
Originality/value
This paper represents the first quantitative survey on cybersecurity with a specific focus on family businesses. It shows tension between awareness, especially of risks emanating from employees, and organizational routines that have not been implemented or established.
Lemma Lessa and Daniel Gebrehawariat
Abstract
Purpose
This study is aimed at assessing the information security management practice with a focus on banking card security in selected financial institutions in Ethiopia, using an international information security standard as a benchmark. It is to identify the gaps and recommend best security practices to help financial institutions meet the required security compliance.
Design/methodology/approach
Two financial sectors were purposively selected. A total of twenty-five respondents (IT executives and IT staff) were included in the study. Quantitative data was collected using the PCI-DSS (Payment Card Industry Data Security Standard) security standard questionnaire. In addition, observation and document analysis were made.
Findings
The result shows that most of the essential security management activities in the financial sectors do not comply with the international security standard. Similarly, the level of most of the indispensable security requirements that should be in place is found to be below the acceptable level. The study also revealed major security factors that prohibit the financial sectors from PCI-DSS security standard compliance.
Originality/value
This study assessed the information security management practice with a focus on banking card security and tried to figure out the limitations of security practices of the organizations surveyed based on the standard adopted. The topic has not been well explored especially in the Ethiopia context. Hence, the result can positively influence security policies, particularly in the banking sector.
Yousaf Ali, Zainab Ahmed Shah and Amin Ullah Khan
Abstract
Purpose
This study aims to cover issues regarding traveling to a tourist destination which has seen war and terrorism. These problems can be addressed altogether, as they are interrelated. Based on tourists’ opinions, this paper aims to focus on measures or steps that can be taken to ensure changing their perceptions about a certain destination.
Design/methodology/approach
This study targets tourism experts for their opinions regarding the measures most necessary to change the perceptions of tourists. Their opinions were extracted through a questionnaire based on three criteria with four alternatives. Furthermore, raw data extracted are studied using the Fuzzy-VIKOR technique to rank the alternatives in order of importance. Moreover, the questionnaire also aims to know the perception of participants by asking them what would make them trust a destination with a history of terrorism.
Findings
The problems captivate the attention of government, guiding them to ensure that they need to focus more on physical security of tourists if they expect tourism industry to thrive. It was found that the steps needed to be taken are in the areas of international trade, cultural exchange programs and social media advertising.
Originality/value
Research based on improving tourist perception of Pakistan to develop Pakistan as a tourist destination is scarce. The study takes four different alternatives into account for image recovery and based on those alternatives, it provides a unique solution to the government in this regard with the necessary steps they need to take and attempts to help the government ensure tourism expansion in the country.