Search results
1 – 10 of over 39000Priti Rani Rajvanshi, Taranjeet Singh, Deepa Gupta and Mukul Gupta
Introduction: The frequency and complexity of cyber assaults have grown in recent years. Consequently, organisations have increased their expenditures in more robust…
Abstract
Introduction: The frequency and complexity of cyber assaults have grown in recent years. Consequently, organisations have increased their expenditures in more robust infrastructure to protect themselves from these cyber assaults. These organisations’ assets, data, and reputations are at risk due to rapidly increasing cybercrimes. However, complete protection from these many and ever-changing threats is very challenging as a result. To deal with them, companies are taking steps to reduce risks and limit company losses in their occurrence.
Purpose: Progressively, the insurance sector organisations are including digital protection as a component of the board’s general danger technique. Protection enterprises, then again, depend on accurately expecting risks, while a significant number of them depend on normalised approaches. Because of the exceptional attributes of the digital assaults, transporters now and again depend on subjective strategies dependent on master decisions. There is an unmistakeable absence of observational information on digital protection, specifically subjective examinations planning to comprehend and depict necessities, impediments, and cycles applicable for digital protection.
Methodology: There are various unanswered inquiries and worries about the oversight and legitimate and administrative assessment of network safety weaknesses in the protection business. In the wake-up of looking over all these worries and issues, steps to alleviate them are laid out after an extensive literature survey and secondary data sources. In this study, the authors have principally viewed the executive parts of the associations as the danger. While considering network protection, their insight of needs was taken as one among a few dangerous treatment systems, just as the necessities of the organisations’ protection in assessing the danger level of likely customers.
Findings: This section analyses past research in network safety and information security in the protection market. The danger of the executives’ strategies, the numerical models, and the forecasts of digital occassions are illustrated in this section. Lastly, the future headings are likewise expressed momentarily.
Practical implications: This review might be valuable for additional examination and logical discussion, yet additionally for down-to-earth applications. Moreover, it could be gainful to organisations as a supportive instrument for better agreement on what digital protection is and how to get ready to take on network safety and information security procedures in the association.
Significance: These associations’ resources, information, and notoriety are in danger because of quickly expanding cybercrimes. Cybercriminals are utilising more refined approaches to start digital assaults. Digital protection was anticipated to affect security conduct before any proof was gathered. Progressively, organisations are including digital protection as a feature of their general danger to the executive system. Because of the exceptional attributes of the digital assaults, transporters as often as possible depend on subjective methods dependent on master decisions. Thus, this space of network safety and information security is vital uniquely in the protection market.
Details
Keywords
Vasiliki Diamantopoulou, Aggeliki Tsohou and Maria Karyda
This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet, data protection requirements set by…
Abstract
Purpose
This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet, data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations, can use this paper as a basis for extending the already existing security control modules towards data protection; and as guidance for reaching compliance with the regulation.
Design/methodology/approach
This study has followed a two-step approach; first, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified, by analysing all 14 control modules of the ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, this paper identified GDPR requirements not addressed by ISO/IEC 27001:2013.
Findings
The findings of this work include the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere with the GDPR.
Originality/value
This paper provides a gap analysis and a further steps identification regarding the additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.
Details
Keywords
Efrosini Siougle, Sophia Dimelis and Nikolaos Malevris
This study explores the link between ISO 9001 certification, personal data protection and firm performance using financial balance sheet and survey data. The security aspect of…
Abstract
Purpose
This study explores the link between ISO 9001 certification, personal data protection and firm performance using financial balance sheet and survey data. The security aspect of data protection is analyzed based on the major requirements of the General Data Protection Regulation and mapped to the relevant controls of the ISO/IEC 27001/27002 standards.
Design/methodology/approach
The research analysis is based on 96 ISO 9001–certified and non-certified publicly traded manufacturing and service firms that responded to a structured questionnaire. The authors develop and empirically test their theoretical model using the structural equation modeling technique and follow a difference-in-differences econometric modeling approach to estimate financial performance differences between certified and non-certified firms accounting for the level of data protection.
Findings
The estimates indicate three core dimensions in the areas of “policies, procedures and responsibilities,” “access control management” and “risk-reduction techniques” as desirable components in establishing the concept of data security. The estimates also suggest that the data protection level has significantly impacted the performance of certified firms relative to the non-certified. Controlling for the effect of industry-level factors reveals a positive relationship between data security and high-technological intensity.
Practical implications
The results imply that improving the level of compliance to data protection enhances the link between certification and firm performance.
Originality/value
This study fills a gap in the literature by empirically testing the influence of data protection on the relationship between quality certification and firm performance.
Details
Keywords
Inger Anne Tøndel, Martin Gilje Jaatun, Daniela Soares Cruzes and Laurie Williams
Today, agile software development teams in general do not adopt security risk-assessment practices in an ongoing manner to prioritize security work. Protection Poker is a…
Abstract
Purpose
Today, agile software development teams in general do not adopt security risk-assessment practices in an ongoing manner to prioritize security work. Protection Poker is a collaborative and lightweight software security risk-estimation technique that is particularly suited for agile teams. Motivated by a desire to understand why security risk assessments have not yet gained widespread adoption in agile development, this study aims to assess to what extent the Protection Poker game would be accepted by agile teams and how it can be successfully integrated into the agile practices.
Design/methodology/approach
Protection Poker was studied in capstone projects, in teams doing a graduate software security course and in sessions with industry representatives. Data were collected via questionnaires, observations and group interviews.
Findings
Results show that Protection Poker has the potential to be adopted by agile teams. Key benefits include good discussions on security and the development project, along with increased knowledge and awareness. Challenges include ensuring efficient use of time and gaining impact on the end product.
Research limitations/implications
Using students allowed easy access to subjects and an ability to collect rich data over time, but at the cost of generalizability to professional settings. Results from interactions with professionals supplement the data from students, showing similarities and differences in their opinions on Protection Poker.
Originality/value
The paper proposes ways to tackle the main obstacles to the adoption of the Protection Poker technique, as identified in this study.
Details
Keywords
Prasetyo Adi Wibowo Putro, Dana Indra Sensuse and Wahyu Setiawan Setiawan Wibowo
This paper aims to develop a framework for critical information infrastructure (CII) protection in smart government, an alternative measure for common cybersecurity frameworks…
Abstract
Purpose
This paper aims to develop a framework for critical information infrastructure (CII) protection in smart government, an alternative measure for common cybersecurity frameworks such as NIST Cybersecurity Framework and ISO 27001. Smart government is defined as the government administration sector of CII due to its similarity as a core of smart technology.
Design/methodology/approach
To ensure the validity of the data, the research methodology used in this paper follows the predicting malfunctions in socio-technical systems (PreMiSTS) approach, a variation of the socio-technical system (STS) approach specifically designed to predict potential issues in the STS. In this study, PreMiSTS was enriched with observation and systematic literature review as its main data collection method, thematic analysis and validation by experts using fuzzy Delphi method (FDM).
Findings
The proposed CII protection framework comprises several dimensions: objectives, interdependency, functions, risk management, resources and governance. For all those dimensions, there are 20 elements and 41 variables.
Practical implications
This framework can be an alternative guideline for CII protection in smart government, particularly in government administration services.
Originality/value
The author uses PreMiSTS, a socio-technical approach combined with thematic analysis and FDM, to design a security framework for CII protection. This combination was designed as a mixed-method approach to improve the likelihood of success in an IT project.
Details
Keywords
Matteo La Torre, Vida Lucia Botes, John Dumay and Elza Odendaal
Privacy concerns and data security are changing the risks for businesses and organisations. This indicates that the accountability of all governance participants changes. This…
Abstract
Purpose
Privacy concerns and data security are changing the risks for businesses and organisations. This indicates that the accountability of all governance participants changes. This paper aims to investigate the role of external auditors within data protection practices and how their role is evolving due to the current digital ecosystem.
Design/methodology/approach
By surveying the literature, the authors embrace a practice-oriented perspective to explain how data protection practices emerge, exist and occur and examine the auditors’ position within data protection.
Findings
Auditors need to align their tasks to the purpose of data protection practices. Accordingly, in accessing and using data, auditors are required to engage moral judgements and follow ethical principles that go beyond their legal responsibility. Simultaneously, their accountability extends to data protection ends for instilling confidence that security risks are properly managed. Due to the changing technological conditions under, which auditors operate, the traditional auditors’ task of hearing and verifying extend to new phenomena that create risks for businesses. Thus, within data protection practices, auditors have the accountability to keep interested parties informed about data security and privacy risks, continue to transmit signals to users and instill confidence in businesses.
Research limitations/implications
The normative level of the study is a research limitation, which calls for future empirical research on how Big Data and data protection is reshaping accounting and auditing practices.
Practical implications
This paper provides auditing standard setters and practitioners with insights into the redefinitions of auditing practices in the era of Big Data.
Social implications
Recent privacy concerns at Facebook have sent warning signals across the world about the risks posed by in Big Data systems in terms of privacy, to those charged with governance of organisations. Auditors need to understand these privacy issues to better serve their clients.
Originality/value
This paper contributes to triggering discussions and future research on data protection and privacy in accounting and auditing research, which is an emerging, yet unresearched topic.
Details
Keywords
Jie Zhang, Brian J. Reithel and Han Li
The purpose of this paper based on compensation theory, is to incorporate perceived technical security protection into the theory of planned behavior and examined factors…
Abstract
Purpose
The purpose of this paper based on compensation theory, is to incorporate perceived technical security protection into the theory of planned behavior and examined factors affecting end‐user security behaviors, specifically, compliance with security policies.
Design/methodology/approach
An online survey is conducted to validate the proposed research model. The survey is sent out to an industrial panel. A total of 176 usable responses are received and used in the data analysis.
Findings
The results show that both perceived behavioral control (PBC) and attitude have significant impact on intention to comply with security policy. Perceived technical protection affects behavioral intentions both indirectly, through PBC, and directly. The negative direct effect (i.e. perceived high technical protection leads to low intention to comply with security policy) suggests possible risk compensation effects in the information security context.
Practical implications
This result should be of interest to practitioners. In practice (e.g. during security training), the power and capability of technical protection mechanisms should not be exaggerated. Instead, its limitations and drawbacks should be emphasized, so that end‐users will adopt more cautious security practices and adhere to the requirements of the organization's security policies.
Originality/value
This paper embeds risk compensation theory within the security policy compliance context and offers a useful starting point for further empirical examination of this theory in information security context.
Details
Keywords
Erik Framner, Simone Fischer-Hübner, Thomas Lorünser, Ala Sarah Alaqra and John Sören Pettersson
The purpose of this paper is to develop a usable configuration management for Archistar, which utilizes secret sharing for redundantly storing data over multiple independent…
Abstract
Purpose
The purpose of this paper is to develop a usable configuration management for Archistar, which utilizes secret sharing for redundantly storing data over multiple independent storage clouds in a secure and privacy-friendly manner. Selecting the optimal secret sharing parameters, cloud storage servers and other settings for securely storing the secret data shares, while meeting all of end user’s requirements and other restrictions, is a complex task. In particular, complex trade-offs between different protection goals and legal privacy requirements need to be made.
Design/methodology/approach
A human-centered design approach with structured interviews and cognitive walkthroughs of user interface mockups with system administrators and other technically skilled users was used.
Findings
Even technically skilled users have difficulties to adequately select secret sharing parameters and other configuration settings for adequately securing the data to be outsourced.
Practical implications
Through these automatic settings, not only system administrators but also non-technical users will be able to easily derive suitable configurations.
Originality/value
The authors present novel human computer interaction (HCI) guidelines for a usable configuration management, which propose to automatically set configuration parameters and to solve trade-offs based on the type of data to be stored in the cloud. Through these automatic settings, not only system administrators but also non-technical users will be able to easily derive suitable configurations.
Details
Keywords
Since the European Union’s (EU) Charter of Fundamental Rights became binding in 2009, data protection has attained the status of a fundamental right (Article 8) throughout the EU…
Abstract
Since the European Union’s (EU) Charter of Fundamental Rights became binding in 2009, data protection has attained the status of a fundamental right (Article 8) throughout the EU. This chapter discusses the relevance of data protection in the context of security. It shows that data protection has been of particular relevance in the German context – not only against the backdrop of rapidly evolving information technology, but also of the historical experiences with political regimes collecting information in order to oppress citizens.
Details
Keywords
Yong Sun, Ya-Feng Zhang, Yalin Wang and Sihui Zhang
This paper aims to investigate the cooperative governance mechanisms for personal information security, which can help enrich digital governance research and provide a reference…
Abstract
Purpose
This paper aims to investigate the cooperative governance mechanisms for personal information security, which can help enrich digital governance research and provide a reference for the formulation of protection policies for personal information security.
Design/methodology/approach
This paper constructs an evolutionary game model consisting of regulators, digital enterprises and consumers, which is combined with the simulation method to examine the influence of different factors on personal information protection and governance.
Findings
The results reveal seven stable equilibrium strategies for personal information security within the cooperative governance game system. The non-compliant processing of personal information by digital enterprises can damage the rights and interests of consumers. However, the combination of regulatory measures implemented by supervisory authorities and the rights protection measures enacted by consumers can effectively promote the self-regulation of digital enterprises. The reputation mechanism exerts a restricting effect on the opportunistic behaviour of the participants.
Research limitations/implications
The authors focus on the regulation of digital enterprises and do not consider the involvement of malicious actors such as hackers, and the authors will continue to focus on the game when assessing the governance of malicious actors in subsequent research.
Practical implications
This study's results enhance digital governance research and offer a reference for developing policies that protect personal information security.
Originality/value
This paper builds an analytical framework for cooperative governance for personal information security, which helps to understand the decision-making behaviour and motivation of different subjects and to better address issues in the governance for personal information security.
Details