Information Security Practices Research Articles

Case-based learning in the management practice of information security: an innovative pedagogical instrument

Case-based learning (CBL) approaches are critical to the education of tomorrow’s executives and managers. CBL instigates critical discussion, draws out relevant experiences from students, encourages questioning of accepted practices, and creates dialogue between theory and practice. There is unfortunately a lack of quality teaching resources to support CBL in information security management (ISM). In this paper, we address this need by developing, refining, and evaluating a teaching case of a hypothetical firm that suffers a catastrophic incident of intellectual property (IP) theft. Protecting IP is both complex and expensive as it involves developing enterprise-wide security mechanisms for the people, process, and technology dimensions of organizations. We drew the plot, narrative, characterization, dilemmas, and conflict from two landmark legal cases to focus on the three key areas of organizational security as defined by the joint task force on cybersecurity education—risk management, planning and strategy, and policy and governance. Our case was used to teach information security to Management Information Systems students enrolled in a Master’s Degree at the University of Melbourne, Australia. We subsequently developed a survey instrument to measure the utility of the teaching instrument for teaching. Survey data collected across 2 consecutive years indicated that students strongly agreed that the teaching case was relevant, realistic, engaging, challenging, and instructional.

Kepedulian Keamanan Informasi di Pemerintahan: Praktik Manajemen dan Dampaknya

Currently the organization is facing challenges due to the Covid19 pandemic which has caused changes in work patterns for all members of the organization. The priority of management is to give more attention to information security, especially for members and government organizations in general. Various information security practices have been carried out, but there are obstacles that occur such as the lack of awareness of information security, work behavior, work culture and the lack of human resources available and this can have a negative impact on the level of information security concern in the organization. Information security practices carried out by management do not always have an impact on changes in the behavior of organizational members. From the data obtained, there are many information security practices that may have been implemented by management. But do members of the organization care about the practice. Therefore, it is important to conduct research with the aim of knowing the practice of information security concern that has been carried out by management whether it has an impact on organizational members, especially the organization itself. This study used qualitative and quantitative interpretive approaches as a data collection process in three government organizations. Qualitative is used to obtain data from management and processed using the SAP-LAP model through interviews. Then an online survey was conducted with members of the organization to determine the impact of implementing information security care practices on the organization. The results show that organizational members have a high level of concern for the management's information security practices.

Assessment of Information Security Vulnerabilities in Common Seismological Equipment

Abstract Modern seismic and Global Navigation Satellite Systems stations are nowadays equipped with Internet of Things devices that acquire, process, and transmit various geophysical parameters in near-real time. This technological advance has introduced a new threat paradigm for common seismological devices. Such threats can be assessed with standard information security methods and practices. This article aims to identify security weaknesses, describe weak security points and potential attacks on such environments, and anticipate the countermeasures needed. Real tests and attacks have been applied to demonstrate the lack of data encryption and user authentication processes, the risks posed by unencrypted communication protocols, unsafe practices regarding settings and passwords, and poor design implementations. All these factors may impact and possibly disrupt the daily operation of seismic observatories because they can lead to falsifying data, altering configurations, or producing malicious false alarms. These in turn may cause unnecessary public concern or distrust, financial losses, or even national security issues. For all these reasons, several countermeasures and solutions are also proposed and evaluated to address each of the identified vulnerabilities.

Information and Knowledge Management in the Scope of the Information Security Practices: The Human Factor within Organizations

Information and Knowledge Management in the Scope of the Information Security Practices: The Human Factor within Organizations

Lei Geral de Proteção de Dados: desafio do Sistema Único de Saúde

A Lei Geral de Proteção de Dados (LGPD) promulgada no Brasil em 2018 é reflxo do movimento internacional de busca pela preservação de direitos fundamentais como privacidade, intimidade, honra, direito de imagem e dignidade humana. O objetivo do estudo foi o de apontar em que medida a estrutura do sistema público de saúde brasileiro será impactada pela publicação da Lei e indicar eventuais caminhos a serem trilhados nesse sentido. Trata-se de pesquisa de abordagem qualitativa, descritiva e exploratória, com utilização do método dedutivo a partir de pesquisa bibliográfia/artigos e documental/ordenamento jurídico. Os resultados alcançados apontam para a estreita relação entre o SUS e a necessidade de proteção de dados sensíveis e de boas práticas em segurança da informação, com impacto direto na privacidade de pacientes. A partir dos resultados, concluiu-se que o SUS será eminentemente impactado pela LGPD e, dada a imponência de sua estrutura de tecnologia da informação, deverá adotar medidas diligentes e céleres para seu amoldamento à Lei.

Analysis of the architecture and functions of protected automated systems installed at internal affairs facilities

Aim . One of the key objectives of the theory and practice of information security is to analyse the functioning of protected automated systems, particularly those operated at computerized facilities of internal affairs bodies. In order to identify potential threats to resources of confidential information, to assess the risk of threat implementation, as well as to form a list of potential threats to automated systems installed at computerized facilities of internal affairs bodies, it is necessary to analyse the composition and architecture of automated systems, identify the features of their protected functioning and determine the vulnerability of software and hardware systems. Methods . A comprehensive analysis of the functioning of protected automated systems during their operation at computerized facilities of internal affairs bodies was conducted. Results . Following an analysis of normative documentation and research publications in the field of protecting information in automated systems, departmental records of the Ministry of Internal Affairs of the Russian Federation, regulations for the protection of information at computerized facilities of internal affairs bodies, the structure and architecture of a protected automated system were defined. Potential threats to the functioning of such a system, including cyber attacks, were identified. On the basis of a survey among experts in the field of information security, the vulnerability (in term of cyber attacks) of the software components of an automated system installed at computerized facilities of internal affairs bodies was analysed. Conclusion . The results can be used in the process of designing and operating information security tools and systems installed at computerized facilities of internal affairs bodies for the purpose of improving their security.

An application and empirical test of the Capability Opportunity Motivation-Behaviour model to data leakage prevention in financial organizations

It is widely agreed that technology alone cannot prevent cyber incidents. Organizations often need to rely on the cooperation of employees, for instance to report cyber incidents and to follow security policies. This research article presents a model of how the psychological constructs capability, opportunity and motivation interact to produce employee security behaviours that are assumed to help prevent data leakage incidents. To validate this model we surveyed 384 bank employees about their data leakage prevention behaviour. Results generally show that capability (i.e., knowledge) is uniquely related to data leakage prevention behaviour, and that motivation and opportunity are uniquely related to capability. Our findings suggest that although knowledge is pivotal for achieving desired behaviour, increasing motivation and opportunity may be key to influence knowledge acquiring and consequently data leakage prevention behaviour. Implications for information security practice are discussed.

Enhancing information security best practices sharing in virtual knowledge communities

PurposeSharing information security best practices between experts via knowledge management systems is valuable for improving information security practices, exchanging expertise, mitigating security risks, spreading knowledge, reducing costs and saving efforts. The purpose of this paper is developing a conceptual model to enhance the transfer of information security best practices between professionals in virtual communities through a Web-based knowledge management system to exchange their successful experience in handling different information security situations.Design/methodology/approachThe model is validated by surveying 17 experts’ reviews on the correctness of the model’s structure and its related components through applying deep rich peer debriefing to test suitability. Quantitative data has been collected to achieve confirmatory results.FindingsThe resulting model incorporates five main components that support the formal mechanism for the acquisition and dissemination of knowledge: identification, classification, storage, validation and sharing. The success of knowledge sharing is highly dependent on the active collaboration of community members and highly influenced by motivation. Validating transferred knowledge is vital for ensuring the credibility of the system.Originality/valueTo the best of the author’s knowledge, this paper is one of the first to highlight the role of integrating knowledge management to enhance the effective share and reuse of information security best practices knowledge. The research results can support researchers investigating the topic and generate trustworthy literature to guide information security virtual community developers.

It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs

PurposeThis paper aims to present empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training often is insufficient for establishing and maintaining information security.Design/methodology/approachThis research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from employees’ point of view.FindingsCorporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real-world contexts.Research limitations/implicationsThis paper focuses only on closed-ended questions related to the following topics: awareness of existing security policy; information security practices and management and information security involvement.Practical implicationsThe empirical findings show that corporate information security policies in SMEs often are insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. The interpretation based on WST provides guidelines for enhancing information system security.Originality/valueBeyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.

An Investigation of the Information Security Awareness and Practices among Third Level Education Staff, Case Study in Nalut Libya

The development of Information and Communication Technologies (ICTs) is becoming very common throughout society. Therefore, it is a must to protect information assets. In addition to the technological aspect, research continues to confirm the need to enhance security awareness among employees. The objective of this study is to investigate the factors that may impact users’ practice and awareness both in the workplace. Specifically, factors such as policy, behavior, training, knowledge of IT and education were tested. In addition, the second objective of this study is to investigate the information security awareness and practice level among the employees. To achieve the study objectives, a quantitative methodology was applied; specifically a survey instrument was developed to measure if each of the key factors has a significant association within the security awareness and practice in the workplace. 202 usable surveys were collected from higher education employees and analyzed using Bivariate/Pearson Correlation to determine the relationship between the independent variable and the dependent variable. The findings of the study revealed that there was a positive correlation between policy, behavior, training, knowledge of IT and education with security awareness and practice These results indicated that security awareness and practice level of employees' in the workplace at the middle level. It is hoped that the present study provides an initial step to focus on security training sessions among higher education employees to reflect new knowledge on the importance of security training to increase the knowledge of information security.

Conceptual principles for ensuring effective protection of information in the context of economic security of the enterprise

The necessity of formation of an effective information security system of the enterprise is substantiated. It is emphasized that when designing an information policy, the firm must comply with the requirements of the current legislation, take into account the level of technical support, especially the regulation of employees' access to confidential information, etc. It is stated that the costs of organizing information security measures should be appropriate to its value. The article identifies major threats that could be breached by confidential information. The list of the main normative legal acts aimed at bringing to civil, administrative and criminal responsibility for illegal collection, disclosure and use of information constituting a trade secret. The main stages of building an information security policy are summarized, the most common types of information threats related to the use of modern computer technologies are described. The necessity of developing a domestic original accounting (management) program that could be used in the long term by the vast majority of Ukrainian enterprises is pointed out. There are three groups of tools that are applied in the theory and practice of information security of the enterprise (active, passive and combined), emphasizing the need for planning and continuous monitoring in real time of all important processes and conditions that affect data security. It is noted that even if the information security system is built taking into account all modern methods and means of protection, it does not guarantee one hundred percent protection of the information resources of the enterprise, but a well-designed information security policy allows to minimize the corresponding risks. Key words: information security, information policy, information security, confidential information, information threats, information and communication technologies, software.

Maturity Framework Analysis ISO 27001: 2013 on Indonesian Higher Education

Information Security Management System (ISMS) implementation in Institution is an effort to minimize information security risks and threats such as information leakage, application damage, data loss and declining IT network performance. The several incidents related to information security have occurred in the implementation of the Academic System application in Indonesian higher education. This research was conducted to determine the maturity level of information security practices in Academic Information Systems at universities in Indonesia. The number of universities used as research samples were 35 institutions. Compliance with the application of ISO 27001:2013 standard is used as a reference to determine the maturity level of information system security practices. Meanwhile, to measure and calculate the level of maturity using the SSE-CMM model. In this research, the Information System Security Index obtained from the analysis results can be used as a tool to measure the maturity of information security that has been applied. There are six key areas examined in this study, namely the role and importance of ICT, information security governance, information security risk management, information security management framework, information asset management, and information security technology. The results showed the level of information security maturity at 35 universities was at level 2 Managed Process and level 3 Established Process. The composition is that 40% of universities are at level 3, and 60% are out of level 3. The value of the gap between the value of the current maturity level and the expected level of maturity is varied for each clause (domain). The smallest gap (1 level) is in clause A5: Information Security Policy, clause A9: Access Control, and clause A11: Physical and environmental security. The biggest gap (4 levels) is in clause A14: System acquisition, development and maintenance and clause A18: compliance.  Â

Employee Information Security Practices

Employee information security practices are pivotal to prevent, detect, and respond to security incidents. This article synthesizes insights from research on challenges related to employee information security practices and measures to address them. The challenges identified are associated to idiosyncratic aspects of communities and individuals within organizations (culture and personal characteristics) and to systemic aspects of organizations (procedural and structural arrangements). The measures aimed to enhance systemic capabilities and to adapt security mechanisms to the idiosyncratic characteristics and are categorized as: (a) measures of training and awareness; (b) measures of organizational support; and (c) measures of rewards and penalties. Further research is needed to explore the dynamics related to how challenges emerge, develop, and get addressed over time and also, to explore the interplay between systemic and idiosyncratic aspects. Additionally, research is needed on the role of security managers and how it can be reconfigured to suit flatter organizations.

Problems of implementing SIEM systems in the practice of managing information security of economic entities

The aim of the study is to increase the efficiency of information security management of economic entities that use Security Information and Event Management (SIEM) systems by identifying and solving the main problems of introducing these systems into the management of information security practices of economic entities [1-3]. Materials and research methods . Based on the analysis of scheme of the typical architecture of the SIEM system and the standard process of introducing the SIEM system into practice of managing information security of various types of economic entities, the main problems of the installation and configuration of the SIEM system are determined, and ways to solve them are substantiated. During the installation and configuration of the SIEM system, the team of customers and contractors may experience the following typical problems. The process of installing and configuring the SIEM system as part of a systematic approach is considered as a set of interconnected resource-based procedures that implement the installation and configuration of individual components of the SIEM system. Out of the whole set of these procedures, the procedures to be automated are determined. To determine the rational structure of the process of automated installation and configuration of the SIEM system, a method of network planning and management is proposed [4-5], which also allows you to evaluate the effectiveness of implementing the SIEM system in the practice of managing information security of economic entities based on the development and calculation of network schedules. Results. In this work, we developed ways to solve the problems of introducing SIEM systems into information security management practice: simplifying the SIEM system, which is a rejection of rarely used modules and rebuilding the architecture of the SIEM system; automation of the process of typical installation and general setup of the SIEM system, which represents the development of a methodology for automating the procedure of typical installation and general setup of the SIEM system and software module that implements the developed methodology; a combined approach, which is a joint application of the two above approaches, which allows you to bring the SIEM system closer as a product to the “box option. The paper presents reasonable proposals for improving the implementation of the SIEM system, based on the development and application of automated procedures for the typical installation and configuration of the SIEM system, which reduces the time spent on the implementation of the SIEM system, increases the convenience of performing these procedures, and in general can lead to the “boxed version of the solution for a product of this class of information security event management systems. Conclusion. The proposed ways to solve the problems of implementing SIEM systems in the practice of managing information security of economic entities based on the optimization of the installation and configuration of SIEM systems can accelerate the distribution and implementation of information security event management systems and increase efficiency by automating standard installation procedures and SIEM system settings.

A Human Dimension of Hacking: Social Engineering through Social Media

Social engineering through social media channels targeting organizational employees is emerging as one of the most challenging information security threats. Social engineering defies traditional security efforts due to the method of attack relying on human naiveté or error. The vast amount of information now made available to social engineers through online social networks is facilitating methods of attack which rely on some form of human error to enable infiltration into company networks. While, paramount to organisational information security objectives is the introduction of relevant comprehensive policy and guideline, perspectives and practices vary from global region to region. This paper identifies such regional variations and then presents a detailed investigation on information security outlooks and practices, surrounding social media, in Australian organisations (both public and private). Results detected disparate views and practices, suggesting further work is needed to achieve effective protection against security threats arsing due to social media adoption.

Risk management practices in information security: Exploring the status quo in the DACH region

Information security management aims at ensuring proper protection of information values and information processing systems (i.e. assets). Information security risk management techniques are incorporated to deal with threats and vulnerabilities that impose risks to information security properties of these assets. This paper investigates the current state of risk management practices being used in information security management in the DACH region (Germany, Austria, Switzerland). We used an anonymous online survey targeting strategic and operative information security and risk managers and collected data from 26 organizations. We analyzed general practices, documentation artifacts, patterns of stakeholder collaboration as well as tool types and data sources used by enterprises to conduct information security management activities. Our findings show that the state of practice of information security risk management is in need of improvement. Current industrial practice heavily relies on manual data collection and complex potentially subjective decision processes with multiple stakeholders involved. Dedicated risk management tools and methods are used selectively and neglected in favor of general-purpose documentation tools and direct communication between stakeholders. In light of our results we propose guidelines for the development of risk management practices that are better aligned with the current operational situation in information security management.

Análise de tratamento da segurança da informação de uma instituição de ensino público federal

Information Technology (I.T.) and its governance are increasingly present in educational institutions development by improving strategies and objectives. This study aims to verify how is information security processed through risk management within I.T. governance. As a mixed exploratory research, this study was developed in a federal public education institution through questionnaires for data survey and analysis regarding information security practices within I.T. governance. Data analysis suggests that the verified components are applicable to the institution, allowing improvements on principles implementation and maintenance by awareness of the risk environment and the opportunities it offers.

The Effect of Rational Based Beliefs and Awareness on Employee Compliance with Information Security Procedures: A Case Study of a Financial Corporation in Israel

Aim/Purpose: This paper examines the behavior of financial firm employees with regard to information security procedures instituted within their organization. Furthermore, the effect of information security awareness and its importance within a firm is explored. Background: The study focuses on employees’ attitude toward compliance with information security policies (ISP), combined with various norms and personal abilities. Methodology: A self-reported questionnaire was distributed among 202 employees of a large financial Corporation Contribution: As far as we know, this is the first paper to thoroughly explore employees’ awareness of information system procedures, among financial organizations in Israel, and also the first to develop operative recommendations for these organizations aimed at increasing ISP compliance behavior. The main contribution of this study is that it investigates compliance with information security practices among employees of a defined financial corporation operating under rigid regulatory governance, confidentiality and privacy of data, and stringent requirements for compliance with information security procedures. Findings: Our results indicate that employees’ attitudes, normative beliefs and personal capabilities to comply with firm’s ISP, have positive effects on the firm’s ISP compliance. Also, employees’ general awareness of IS, as well as awareness to ISP within the firm, positively affect employees’ ISP compliance. Recommendations for Practitioners: This study can help information security managers identify the motivating factors for employee behavior to maintain information security procedures, properly channel information security resources, and manage appropriate information security behavior. Recommendation for Researchers: Researchers can see that corporate rewards and sanctions have significant effects on employee security behavior, but other motivational factors also reinforce the ISP’s compliance behavior. Distinguishing between types of corporations and organizations is essential to understanding employee compliance with information security procedures. Impact on Society: This study offers another level of understanding of employee behavior with regard to information security in organizations and comprises a significant contribution to the growing knowledge in this area. The research results form an important basis for IS policymakers, culture designers, managers, and those directly responsible for IS in the organization. Future Research: Future work should sample employees from another type of corporation from other fields and should apply qualitative analysis to explore other aspects of behavioral patterns related to the subject matter.

Information security in healthcare supply chains: an analysis of critical information protection practices

Abstract: Because of their vital role and the need to protect the patient information, interest in information security in Healthcare Supply Chains (HSCs) is growing. This study analyzes how decisions related to information security practices in HSCs contribute to protecting patient information. Eleven semi-structured interviews were performed. The interviewees were managers from Brazilian HSC organizations. Four dimensions and 14 variables identified in a literature review were used to perform categorical content analysis. The findings suggest organizations, while aware of their critical information and internal processes, lack the necessary metrics to measure the impacts of possible failures. It seems organizations tend to invest in standard security measures, while apparently ignoring the specificity and complexity of information in HSCs.

Factors in Information Assurance Professionals' Intentions to Adhere to Information Security Policies

Information security policies (ISPs) serve to clarify and formalize organizational information security practices and reduce data risks, but research shows that ISP noncompliance remains a prominent concern for both scholars and practitioners. This study utilized the unified theory of acceptance and use of technology 2 (UTAUT2) to explore factors that predict information assurance professionals' behavioral intentions to comply with ISPs. The research question addressed: To what extent do performance expectancy, effort expectancy, social influence, facilitating conditions, hedonic motivation, price value, and habit predict information assurance professionals' behavioral intention to comply with information security policies in organizations? A nonexperimental, cross-sectional research design using structural equation modeling (PLS-SEM) addressed the research question with information assurance professionals in government agencies where habit emerged as the important component of ISP compliance with hedonic factors having a negative impact.