Information Security Breaches Research Articles

PUBLIC DISCLOSURE OF INFORMATION SECURITY BREACH INCIDENTS: SHORT-TERM STOCK MARKET REACTION ON INDIAN LISTED FIRMS

ABSTRACT Data breach incidents are growing by the day and firms struggle to detect, defend, and respond to such breaches. Nowadays, security breaches are considered one of the major concerns for corporate organizations around the world. Hence, it is essential to assess the impact of such breaches on organizations. This article reports stock price reaction due to public disclosure of information security breach (ISB) incidents on publicly traded firms of India. Using the event study methodology on a sample of 120 publicly announced ISB incidents between January 2004 and April 2019 pertaining to 69 publicly listed firms of India, we found that exposure to an ISB incident exacerbates negative stock price reactions based on both one-factor market model and Fama-French three-factor model. On average, breached firms lost 0.55% of their market value within two days post the announcement of ISB incidents. Further, we found some factors that significantly negatively impacted Cumulative Abnormal Return (CAR). Important emerging factors such as type of compromised data, sentiment, subjectivity, and remedial strategy significantly impact CAR. According to our study findings, we suggest that firms should mention remedial measures in terms of apology and/or compensation in the ISB disclosure. Furthermore, the result indicates that investors penalize listed firms for subsequent ISB incidents. Thus, our findings may guide Chief Information Officers (CIOs), information security managers, and IT managers of publicly traded firms to devise various strategies in terms of IT security measures and content of the ISB disclosure.

Video Forgery Detection with Deep Learning Using RESNET and CNN Algorithm

Video forgery is continuously increasing in the digital world due to breaches of information security, consequently establishing a scenario for image and video content monitoring for forgery identification. The spread of fake videos raises security risks and anarchy in society. The reason for video forgery is to the augmentation in the malware, which has facilitated user (anyone) to upload, download, or share objects online comprising audio, images, or video. With the development of technology and ease of creation of fake content, the manipulation of media is carried out on a large scale in recent times. Video forgery detection has applications in media science, forensic analysis, digital investigations, and authenticity verification of a video. The purpose of video forensic technology is to extract features to distinguish fake content frames from original videos.

Does intellectual capital curb the long-term effect of information security breaches on firms’ market value?

Does intellectual capital curb the long-term effect of information security breaches on firms’ market value?

Filtering and Detection of Real-Time Spam Mail Based on a Bayesian Approach in University Networks

With the advent of digital technologies as an integral part of today’s everyday life, the risk of information security breaches is increasing. Email spam, commonly known as junk email, continues to pose a significant challenge in the digital realm, inundating inboxes with unsolicited and often irrelevant messages. This relentless influx of spam not only disrupts user productivity but also raises security concerns, as it frequently serves as a vehicle for phishing attempts, malware distribution, and other cyber threats. The prevalence of spam is fueled by its low-cost dissemination and its ability to reach a wide audience, exploiting vulnerabilities in email systems. This paper marks the inception of an in-depth investigation into the viability and potential implementation of a robust spam filtering and prevention system tailored explicitly to university networks. With the escalating threat of email-based hacking attacks and the incessant deluge of spam, the need for a comprehensive and effective defense mechanism within academic institutions becomes increasingly imperative. In exploring potential solutions, this study delves into the applicability and efficacy of Bayesian filters, a class of probabilistic classifiers renowned for their aptitude in distinguishing between legitimate emails and spam messages. Bayesian filters utilize statistical algorithms to analyze email content, learning patterns and features to accurately categorize incoming emails.

An Investigation of the Factors That Influence Information Security Culture in Government Organizations in Bhutan

ABSTRACT Organizations make large investments to secure data and networks, but information security breaches as a result of insiders continue to rise. One possible contributor to this is poor information security culture. This study investigated the key factors that contribute to effective information security culture in government organizations in Bhutan and how information security culture influences employee security behavior. A research model was developed for the study based on an analysis of the information security literature. Data was collected using an online survey of 181 government employees. Senior management support, information security policy, training and awareness campaigns, interpersonal trust, and job- versus employee-oriented organizational culture were all found to influence information security culture, and information security culture contributed to information security behavior. The study extends understanding of the roles of trust and different dimensions of organizational culture in improving information security culture and behavior. The findings should help government policy makers and information security practitioners when developing information security strategies and programs.

Peer governance effects of information security breaches

Peers' information security risks may have sent negative signals to the market, thus forcing firms to strengthen their internal control governance. Solow's paradox, however, suggests that when information technology (IT) investment does not reach equilibrium, firms may still blindly increase IT investment while neglecting information security management. Using the unique information security breaches data released by the China National Information Security Vulnerability Database (CNVD), we find that the peers' information security breaches have a governance effect on firm internal control. The underlying mechanism is that peer information security breach increases the cost of proprietary information and reputation maintenance. In addition, we find that the above peer governance effects are more significant in samples with higher agency conflicts, high-tech industries, and higher supply. Further, our further analysis also shows that the peer governance effects of information security breaches positively affect firms' investment efficiency. Overall, our findings verify the peer governance effects of the information security breaches.

Modified Caesar Cipher and Card Deck Shuffle Rearrangement Algorithm for Image Encryption

ABSTRACT In today's social networking era, information security breaches are at an all-time high, especially when it comes to texts and images, which should come as no surprise. Integrity is therefore crucial for information sharing over an unprotected connection. As a result, image/text encryption is a crucial preprocessing step in today's information transmission. Sensitive information may be sent via image encryption, which facilitates a variety of procedures. Here the proposed method is a combination of the Modified Caesar Cipher and the Card Deck Shuffle Algorithm for image encryption. The Card Deck Shuffle Algorithm rearranges the pixels from the result of the Modified Caesar approach, which encrypts the pixel value of each image. The method employs an n + 8 variable bit key (n is frequently more than 18 in real-world applications), which needs more than 2 26 brute force attacks to be successful. The method described here may be used to secure images in a variety of multimedia applications.

Leveraging Taxonomical Engineering for Security Baseline Compliance in International Regulatory Frameworks

A surge in successful Information Security (IS) breaches targeting Research and Education (R&E) institutions highlights a pressing need for enhanced protection. Addressing this, a consortium of European National Research and Education Network (NREN) organizations has developed a unified IS framework. This paper aims to introduce the Security Baseline for NRENs and a security maturity model tailored for R&E entities, derived from established security best practices to meet the specific needs of NRENs, universities, and various research institutions. The models currently in existence do not possess a system to smoothly correlate varying requirement tiers with distinct user groups or scenarios, baseline standards, and existing legislative actions. This segmentation poses a significant hurdle to the community’s capacity to guarantee consistency, congruency, and thorough compliance with a cohesive array of security standards and regulations. By employing taxonomical engineering principles, a mapping of baseline requirements to other security frameworks and regulations has been established. This reveals a correlation across most regulations impacting R&E institutions and uncovers an overlap in the high-level requirements, which is beneficial for the implementation of multiple standards. Consequently, organizations can systematically compare diverse security requirements, pinpoint gaps in their strategy, and formulate a roadmap to bolster their security initiatives.

Challenges and Opportunities in Password Management: A Review of Current Solutions

For over six decades, passwords have served as the primary authentication mechanism for almost all modern computer systems. However, password management is a challenging task for most computer users, and that has led users to many malpractices that open the door for most information security breaches over time. Despite many efforts, no alternative solution has ever succeeded in replacing passwords as the primary authentication mechanism. As a result, users are now heavily relying on password managers to alleviate the burden of manual password management. This paper addresses the topic of password management about different types of password managers and their inherent limitations. By evaluating the existing password management approaches and identifying potential improvements, this paper aims to signify an important research gap that exists in the study area; the need for fully automating the process of manual password management.

Security Baseline for Substation Automation Systems.

The use of information technology and the automation of control systems in the energy sector enables a more efficient transmission and distribution of electricity. However, in addition to the many benefits that the deployment of intelligent and largely autonomous systems brings, it also carries risks associated with information and cyber security breaches. Technology systems form a specific and critical communication infrastructure, in which powerful control elements integrating IoT principles and IED devices are present. It also contains intelligent access control systems such as RTU, IDE, HMI, and SCADA systems that provide communication with the data and control center on the outer perimeter. Therefore, the key question is how to comprehensively protect these specialized systems and how to approach security implementation projects in this area. To establish rules, procedures, and techniques to ensure the cyber security of smart grid control systems in the energy sector, it is necessary to understand the security threats and bring appropriate measures to ensure the security of energy distribution. Given the use of a wide range of information and industrial technologies, it is difficult to protect energy distribution systems using standard constraints to protect common IT technologies and business processes. Therefore, as part of a comprehensive approach to cyber security, specifics such as legislative framework, technological constraints, international standards, specialized protocols or company processes, and many others need to be considered. Therefore, the key question is how to comprehensively protect these specialized systems and how to approach security implementation projects in this area. In this article, a basic security concept for control systems of power stations, which are part of the power transmission and distribution system, is presented based on the Smart Grid domain model with emphasis on substation intelligence, according to the Purdue model. The main contribution of the paper is the comprehensive design of mitigation measures divided into mandatory and recommended implementation based on the standards defined within the MITRE ATT&CK matrix specified, concerning the specifications of intelligent distribution substations. The proposed and industry-tested solution is mapped to meet the international security standards ISO 27001 and national legislation reflecting the requirements of NIS2. This ensures that the security requirements will be met when implementing the proposed Security Baseline.

Examining sharing economy operations: A process perspective

<scp>Examining sharing economy operations</scp>: A <scp>process perspective</scp>

A systematic literature review of cybersecurity scales assessing information security awareness

Information Security Awareness (ISA) is a significant concept that got considerable attention recently and can assist in minimizing the risks associated with information security breaches. Several measurement scales have been developed in this regard, as measuring users’ ISA is paramount. Although ISA specific scales are very important, yet what methodological rigor they use in terms of initial conceptualization of ISA, data collection and analysis during the development, and scale validation of such scales are some unknown aspects. Therefore, we provide a comprehensive review of the existing ISA specific scales to address all the above concerns. A popular method, PRISMA, is utilized, and a total of 24 articles that match with criteria of this research are included for the final in-depth analysis. Also, a holistic evaluation framework is developed containing three phases and 19 criteria. Findings revealed that most studies treat ISA as a multi-dimensional construct, and ISA researchers rarely conduct both pilot testing and pre-text evaluation while validating and refining the initial scales. Additionally, several articles did not report some of the essential elements used for checking the rigor of factor analysis, and evidence for validities of the identified scales is inadequate. Consequently, existing ISA specific scales must be improved both in terms of the methodological thoroughness of the scale development procedure and their validities. Moreover, not only justifying why the development of a new scale is necessary, but also improving the quality of the existing scales by doing multiple iterations is significant in the future. Likewise, the inclusion of all the dimensions of ISA, while generating the initial items pool is an important aspect to be considered. A thorough discussion, recommendations for future research, conclusions, and study limitations are provided.

Design &amp; analysis of novel IT security framework for overcoming data security &amp; privacy challenges

IT security has always been a major concern for all organizations, especially after the rise in IT Integration amongst all processes, Post pandemic this has become a bigger issue than earlier. The organizations are growing also with IT Integration the negative impact of information related risk incidents are also increasing worldwide. There are several IT Risk Assessment Frameworks in use to address information security assaults, vulnerabilities, threats, and breaches, including ISO 270001/27005. COBIT, NIST SP- 800/53 etc, though following and implementation of these protocols, still organizations face challenges of IT risk, which may involve an asset or information. The biggest challenge is the data Security or privacy. Based on survey data, this study evaluates the majority of the current IT risk management frameworks and makes an effort to pinpoint any shortcomings in them. Based on the analysis done, a new IT Security framework is proposed and implemented in two organizations for its detailed analysis and validations with the existing models For the Risk Assessment of the same organization new technique for IT Risk Assessment is also proposed.

Information Security Breach Events and Stock Market Reactions: A Meta-Analysis

Information Security Breach Events and Stock Market Reactions: A Meta-Analysis

Factors Affecting Information Security and the Implementation of Bring Your Own Device (BYOD) Programmes in the Kingdom of Saudi Arabia (KSA)

In recent years, desktop computer use has decreased while smartphone use has increased. This trend is also prevalent in the Middle East, particularly in the Kingdom of Saudi Arabia (KSA). Therefore, the Saudi government has prioritised overcoming the challenges that smartphone users face as smartphones are considered critical infrastructure. The high number of information security (InfoSec) breaches and concerns has prompted most government stakeholders to develop comprehensive policies and regulations that introduce inclusive InfoSec systems. This has, mostly, been motivated by a keenness to adopt digital transformations and increase productivity while spending efficiently. This present study used quantitative measures to assess user acceptance of bring your own device (BYOD) programmes and identifies the main factors affecting their adoption using the unified theory of acceptance and use of technology (UTAUT) model. Constructs, such as the perceived business (PT-Bs) and private threats (PT-Ps) as well as employer attractiveness (EA), were also added to the UTAUT model to provide the public, private, and non-profit sectors with an acceptable method of adopting BYOD programmes. The factors affecting the adoption of BYOD programmes by the studied sectors of the KSA were derived from the responses of 857 participants.

Cyberterrorism Using Smart Phones

The explosive expansion of smart phones causes massive information security breaches. Smart phones are tempting targets and elements for attackers due to their popularity and lax security [6]. Government of Ghana should make a determined effort to promote youth awareness and foster patriotism. Multi-agency counter-cyber operations and techniques should also be included in a nation-wide strategy curtail this menace. This paper seeks to explore cyberterrorism using smart phones and counter measures in Ghana.

EVALUATION OF QUALITY INDICATORS OF FUNCTIONING CYBER PROTECTION MANAGEMENT SYSTEMS OF INFORMATION SYSTEMS

Evidence of the complexity of the cybersecurity problem is the rapid increase in the number of information security breaches and losses on cybersecurity threats combined with an increase in the average loss from each of the breaches. Therefore, it is necessary to create requirements for a cybersecurity system that could provide more opportunities in the choice of methods in the management of the protection of automated information systems.&#x0D; The task of determining the optimal quality indicators of information resource management systems of automated systems is one of the most important problems in designing integrated information security systems. This is due to the complexity of such systems, the presence of many variable parameters, and the complexity of calculating quality indicators. In addition, the determined quality indicators should not only ensure the optimality of the target function, but also the stability of the protection system in a wide range of external adverse effects. The problem is that the existing methods of calculating integrated quadratic estimates (IQE) do not take into account errors in determining quality indicators, as well as the vector nature of these indicators.&#x0D; The aim of this work is to solve problems (development of algorithms), which are a problem of optimization of stable protection management systems using vector objective functions. Based on the model of information management system protection of information resources in the form of an automatic control system, the method of forming integrated quadratic estimates (IQE) of control error is proposed. This method takes into account the weights of the estimates at the desired installation time and standard transfer functions. Algorithms for calculating IQE according to the modified Katz formula and Ostrom's method for arbitrary order control systems are developed, including vector representation of the objective function of the protection system. The vector penalty function is proposed and the algorithm of its calculation is developed to display the degree of infringement of conditions of stability of parameters of the system of protection by the Rauss-Hurwitz criterion.

Privacy please: Power distance and people's responses to data breaches across countries.

Information security and data breaches are perhaps the biggest challenges that global businesses face in the digital economy. Although data breaches can cause significant harm to users, businesses, and society, there is significant individual and national variation in people’s responses to data breaches across markets. This research investigates power distance as an antecedent of people’s divergent reactions to data breaches. Eight studies using archival, correlational, and experimental methods find that high power distance makes users more willing to continue patronizing a business after a data breach (Studies 1–3). This is because they are more likely to believe that the business, not they themselves, owns the compromised data (Studies 4–5A) and, hence, do not reduce their transactions with the business. Making people believe that they (not the business) own the shared data attenuates this effect (Study 5B). Study 6 provides additional evidence for the underlying mechanism. Finally, Study 7 shows that high uncertainty avoidance acts as a moderator that mitigates the effect of power distance on willingness to continue patronizing a business after a data breach. Theoretical contributions to the international business literature and practitioner and policy insights are discussed.Supplementary InformationThe online version contains supplementary material available at 10.1057/s41267-022-00519-5.

Do Information Security Breach and Its Factors Have a Long-Run Competitive Effect on Breached Firms’ Equity Risk?

A breach in information security (infosec) can materially impact a firm’s long-term competitiveness. For publicly listed firms, an infosec breach can have a long-lasting effect on their competitive stock performance, including their equity risk. Despite its significance, past research has focused primarily on examining the short-term effect of infosec breaches while ignoring its long-term effect on the firm’s equity risk. Therefore, in this research, we examined the long-run effect of 276 infosec breaches at publicly traded firms on equity risk from 2009 to 2018. We analyzed each firm’s equity risk compared to its competitive control firms of similar sizes and performances for three years, from one year before to two years after the breach, using a one-to-one matching methodology. The univariate analysis of infosec breaches on equity risk indicated that breach firms have a 7% higher equity risk than competitive control firms. Additionally, the quantile regression analysis of the effect of infosec breach factors on long-run equity risk showed that the rise in equity risk is higher if the breach involves the compromise of confidential information and is a repeat breach for the same firm. The findings provide a valuable resource for investors, managers, and researchers interested in understanding the long-term relationship between infosec breaches and a firm’s stock competitiveness.

“Standardizing information security – a structurational analysis”

Given that there are an increasing number of information security breaches, organizations are being driven to adopt best practice for coping with attacks. Information security standards are designed to embody best practice and the legitimacy of these standards is a core issue for standardizing organizations. This study uncovers how structures at play in de jure standard development affect the input and throughput legitimacy of standards. We participated as members responsible for standards on information security and our analysis revealed two structures: consensus and warfare. A major implication of the combination of these structures is that legitimacy claims based on appeals to best practice are futile because it is difficult to know which the best practice is.