Organizational Information Security Research Articles

A Maturity Level Framework for Measurement of Information Security Performance

is one of the most important assets of the company. With the development of information technology is very rapid, the possibility of ever increasing information security disorder. This research was conducted to find out the level of information security in organization to give recommendations improvements in information security management at the company. This research uses the ISO 27001 by involving the entire clause that exists in ISO 27001 checklist. The source of the data used in this study was a detailed questionnaire and interview. The respondents in this study are all the employees are in the Office of the Bureau of information technology as many as 14 peoples. The results showed maturity level of information security in the Office of the Bureau of information technology is at level 2. The value of the gap between the value of the maturity level of the current and expected level of maturity value is 2.79. Recommendations for improvement are given requires an understanding of the company and also required coordination with the internal company.

Mandatory Standards and Organizational Information Security

Mandatory security standards that force firms to establish minimum levels of security controls are enforced in many domains, including information security. The information security domain is characterized by multiple intertwined security controls, not all of which can be regulated by standards, but compliance with existing security standards is often used by firms to deflect liability if a security breach occurs. We analyze a stylized setting where a firm has two security controls that are linked in either a serial or a parallel configuration. One control is directly regulated by a security standard, whereas the other one is not. We show that a higher security standard does not necessarily lead to a higher firm security. Furthermore, the conditions under which a higher standard hurts the firm security are sharply different in the two—serial and parallel—configurations. If standard compliance leads to reduced liability for a firm following a breach, such liability reduction in turn weakens the tie between the standard and firm security. Under a setting in which the firm meets the optimal standard set by a policy maker, both firm security and social welfare are higher when the damage to the firm following a breach takes a higher share of the total damage to social welfare, and also when the firm takes a larger share of liability.

Human aspects of information security in organisations

Information is core to the well-being of any modern-day organisation. In order to satisfactorily protect this important asset, human, organisational and technological aspects play a core integrative role in information security. Both technological and organisational control aspects are critically important, but both of these are closely related to people. Information security technology cannot guarantee the safety of information assets in organisations. A range of human aspects also need to be taken into consideration. Nader Sohrabi Safa, Rossouw von Solms and Lynn Futcher of the Nelson Mandela Metropolitan University, South Africa show that, while people are often the weakest link, through cooperation and coordination they can also be a source of great strength in developing effective and efficient defences.

Organizational Violations of Externally Governed Privacy and Security Rules: Explaining and Predicting Selective Violations under Conditions of Strain and Excess

Privacy and security concerns are pervasive because of the ease of access to information. Recurrent negative cases in the popular press attest to the failure of current privacy regulations to keep consumer and protected health information sufficiently secure in today’s climate of increased IT use. One reason for such failure is that organizations violate these regulations for multiple reasons. To address this issue, we propose a theoretical model to explain the likelihood that organizations will select an externally governed privacy or security rule for violation in response to organizational strain or slack resources. Our proposed theoretical model, the selective organizational information privacy and security violations model (SOIPSVM), explains how organizational structures and processes, along with characteristics of regulatory rules, alter perceptions of risk when an organization’s performance does not match its aspiration levels and thereby affects the likelihood of rule violations. Importantly, SOIPSVM is contextualized to organizational privacy and security violations. SOIPSVM builds on and extends the selective organizational rule violations model (SORVM), which posits that organizational rule violations are selective. SOIPSVM provides at least four contributions to the privacy and security literature that can further guide empirical research and practice. First, SOIPSVM introduces the concept of selectivity in rule violations to privacy and security research. This concept can improve privacy and security research by showing that organizational violations of privacy and security rules are dynamic and selective yet influenced by external forces. Second, SOIPSVM extends the boundaries of SORVM, which is limited to explaining the behavior of organizations under strain, such as economic hardship. We contribute to the theory of selective deviance by proposing that selectivity extends to organizations with slack resources. Third, we address ideas of non-economic risk and strain in addition to economic risk and strain. SOIPSVM thus explains organizational rule-violating behavior as an attempt to protect core organizational values from external entities that pressure organizations to change their values to comply with rules. Fourth, we broaden the theoretical scope of two important constructs, namely structural secrecy and procedural emphasis to improve the explanatory power of the model. Fifth, we identify important elements of rule enforcement by drawing from the tenets of general deterrence theory. We also discuss how constructs from general deterrence theory can be studied at the organizational level. To conclude, we offer recommendations for the structuring of organizations and external regulations to decrease organizational rule violations, which often lead to the abuse of consumer information.

Organizational Characteristics Role in the Implementation of Information Security in Knowledge Management with a Focus on Employee Safety Behavior

Nowadays competitive advantage maintenance and organizational survival are not possible with no knowledge management. Due to the fact that the main components of the organizational knowledge transfer are human resources and this force only can produce and share knowledge content in the context of a safe system. Therefore, the implementation of the information security and safety principles observance by the personnel are essential in knowledge management. Among these factors, organizational characteristics can be an affecting factor in the implementation of information security in knowledge management. In this study, the role of organizational characteristics on the implementation of the information security in organization's knowledge management with a focus on safety behavior of the staff in the Ministry of Communications and Information Technology and its subsidiaries, is investigated. The study type is applied research and the method is descriptive method which its population consists of senior managers and experts in the Ministry of Communications and Information Technology and its subsidiary companies. The sample size of 253 people has been set. A questionnaire was used to measure the research variables. Regression analysis was used to investigate the relationships between variables and AMOS software was used in this study. The results showed a significant relationship between organizational characteristics with safety behavior and also safety behavior with information security implementation in knowledge management. The organizational characteristics significantly are associated with the implementation of information security in knowledge management.

Cyber Espionage and Illegitimate Information Retrieval

One of the most serious threats to a modern country's trade, industry and long-term economic development is cyber espionage and insiders. The activities are directed against high-technological industries and companies with advanced basic research. The defence and telecoms sectors are of particular interest, just as biotechnics, medical and material technology. Behind this kind of espionage there may be individual states and security services as well as competing companies. One trend is that criminal players are getting involved both as thieves and fences of information. Computerisation and the development of the Internet drastically increase the possibility of procuring sensitive information through illegal means. This can be done in different ways. In the paper the convergence between industrial- and cyber espionage are discussed. A number of examples are provided of different kinds of espionage as well as some of the methods that is used to collect information over the Internet – such as signals intelligence, monitoring of traffic, penetration and overtaking of computers with the aid of trojans. Examples are given on succesful cybertheft operations such as the operation Buckshot Yankee and the Chinese Ghostnet. The paper ends with a discussion on how to improve information security in organisations in order to reduce the risks for illegitimate information drainage.

Management of organizations in Serbia from the aspect of the maturity analysis of information security

The aim of this work is focused on research of information security in organizations, with a focus on cybersecurity. In accordance with the theoretical analysis, the subject of the empirical part of the work is the analysis of information security in Serbia, in order to better understand the information security programs and management structures in organizations in Serbia. The survey covers a variety of industries and discusses how organizations assess, develop, create and support their programs to ensure information security. The survey included 53 companies. The results that were obtained enabled us to select five core elements of the program on the state of information security and cybersecurity in Serbian companies: most companies had not been exposed to cybersecurity incidents; in most companies policy, procedures and spheres of responsibility for information security exist, there are not enough controls to ensure compliance with relevant safety standards by third parties, top management and end-users are insufficiently familiar with cybersecurity risks, although they apply basic measures of protection, safety protection systems are very rare. The scientific goal of this work is to, on the basis of the results obtained, make conclusions that can contribute to the study of corporate information security with special emphasis on cybersecurity. The practical aim of the research is the application of the results for more efficient implementation process of security against cyber attacks in the Serbian organizations.

The Impact Assessment of IT Infrastructure on Information Security: A Survey Report

Information technology infrastructure trigger unending concern for IT players accountable for information security. Sensitive organization information can be easily acquired and lost. The community dearth of self-confidence in information technology (IT) infrastructure is not purely about security of worth, but also about faith in the information group. Integrity, privacy and vulnerability security fears are the important cause web user is not confident over the web. Proposes to investigate the integrity, privacy and vulnerability security fears of IT user in order to establish a consensus among them. Uses data from 127 contributors to come to a decision that the following major concerns (in the descending of importance) exist: integrity, privacy, security and fears, unauthorized access, data leaked, impersonation and forged identity and e-mail safety. The objective of the survey was to collect statistics to quantify the influence of Information technology infrastructure on organization information security.

Time-based deterministic model of information security of a business organization

Time-based deterministic model of information security of a business organization

The impacts of organizational culture on information security culture: a case study

Information security cannot rely solely on technology. More attention must be drawn to the users' behavioral perspectives regarding information security. In this study, we propose that a culture encouraging employees to comply with information policies related to collecting, preserving, disseminating and managing information will improve information security. Information security culture is believed to be influenced by an organization's corporate culture (or organizational culture). We examine how this occurs through an in-depth case study of a large organization. We present a relationship map for organizational culture and information security practices. Six propositions are drawn from the findings of our interviews and discussions. Managerial insights, such as how to measure an organization's information security culture and subsequently determine what perspective(s) is important for the organization to improve, are also discussed.

Organizational information security as a complex adaptive system: insights from three agent-based models

The management of information security can be conceptualized as a complex adaptive system because the actions of both insiders and outsiders co-evolve with the organizational environment, thereby leading to the emergence of overall security of informational assets within an organization. Thus, the interactions among individuals and their environments at the micro-level form the overall security posture at the macro-level. Additionally, in this complex environment, security threats evolve constantly, leaving organizations little choice but to evolve alongside those threats or risk losing everything. In order to protect organizational information systems and associated informational assets, managers are forced to adapt to security threats by training employees and by keeping systems and security procedures updated. This research explains how organizational information security can perhaps best be managed as a complex adaptive system (CAS) and models the complexity of IS security risks and organizational responses using agent-based modeling (ABM). We present agent-based models that illustrate simple probabilistic phishing problems as well as models that simulate the organizational security outcomes of complex theoretical security approaches based on general deterrence theory (GDT) and protection motivation theory (PMT).

Information security policy compliance model in organizations

The Internet and information technology have influenced human life significantly. However, information security is still an important concern for both users and organizations. Technology cannot solely guarantee a secure environment for information; the human aspects of information security should be taken into consideration, besides the technological aspects. The lack of information security awareness, ignorance, negligence, apathy, mischief, and resistance are the root of users' mistakes. In this research, a novel model shows how complying with organizational information security policies shapes and mitigates the risk of employees' behaviour. The significant aspect of this research is derived from the conceptualization of different aspects of involvement, such as information security knowledge sharing, collaboration, intervention and experience, as well as attachment, commitment, and personal norms that are important elements in the Social Bond Theory. The results of the data analysis revealed that information security knowledge sharing, collaboration, intervention and experience all have a significant effect on employees' attitude towards compliance with organizational information security policies. However, attachment does not have a significant effect on employees' attitude towards information security policy compliance. In addition, the findings have shown that commitment and personal norms affect employees' attitude. Attitude towards compliance with information security organizational policies also has a significant effect on the behavioural intention regarding information security compliance.

The Impact of Organizational Commitment on Insiders’ Motivation to Protect Organizational Information Assets

Insiders may act to sustain and improve organizational information security, yet our knowledge of what motivates them to do so remains limited. For example, most extant research relies on mere portions of protection motivation theory (PMT) and has focused on isolated behaviors, thus limiting the generalizability of findings to isolated issues, rather than addressing the global set of protective security behaviors. Here, we investigate the motivations surrounding this larger behavioral set by assessing maladaptive rewards, response costs, and fear alongside traditional PMT components. We extend PMT by showing that: (1) security education, training, and awareness (SETA) efforts help form appraisals; (2) PMT’s applicability to organizational rather than personal contexts depends on insiders’ organizational commitment levels; and (3) response costs provide the link between PMT’s appraisals. We show in detail how organizational commitment is the mechanism through which organizational security threats become personally relevant to insiders and how SETA efforts influence many PMT-based components.

The Enigma Andred Hodges [Book Reviews

Reports on the life and work of Alan Turing that was presented in this book. Discusses the time in which Alan Turing conducted his work in attempting to crack the enigma code. Perceptions and options of Turing work changed after the publication of this book. Since 1983 a tsunami of information has become available about almost every aspect of the operations of Bletchley Park and its parent organization GCCS (the predecessor of GCHQ, the present-day U.K. signals intelligence and information security organization). This includes the release of the 500+ page “General Report on Tunny” in 2000 (“Tunny” was the code name for an important online German teleprinter encryption device), as well as wartime manuals and technical papers of Turing, Alexander, and others, other archival materials, and memoirs of many people who worked in the different units at Bletchley. The book under review is a reissue of Hodges’s original 1983 biography.

SECURQUAL: An Instrument for Evaluating the Effectiveness of Enterprise Information Security Programs

ABSTRACTThe ever-increasing number of security incidents underscores the need to understand the key determinants of an effective information security program. Research that addresses this topic requires objective measures, such as number of incidents, vulnerabilities, and non-compliance issues, as indicators of the effectiveness of an organization's information security activities. However, these measures are not readily available to researchers. While some research has used subjective assessments as a surrogate for objective security measures, such an approach raises questions about scope and reliability. To remedy these deficiencies, this study uses the COBIT Version 4.1 Maturity Model Rubrics to develop an instrument (SECURQUAL) that obtains an objective measure of the effectiveness of enterprise information security programs. We show that SECURQUAL scores reliably predict objective measures of information security program effectiveness. Future research might use the instrument as a surrogate effectiveness measure that avoids asking respondents to disclose sensitive information about information security incidents and vulnerabilities.

Cultivating and Assessing an Organizational Information Security Culture; an Empirical Study

An information security-aware culture will minimize internal threats to information assets through the construction of appropriate information security beliefs and values that guide employee behavior when interacting with information assets and information technology systems. This paper aims to illustrate the application of the Information Security Culture Framework (ISCF) to asses and cultivate an information security aware culture within an organization through an empirical study. The ISCF is a comprehensive framework that consists of five dimensions (Strategy, Technology, Organization, People, and Environment) and integrates change management and the human factor in information security. The empirical study includes three case studies, selected to demonstrate the effectiveness of ISCF in describing and explaining the organizational information security culture. A sequential mixed method, to collect quantitative survey data and qualitative interview data, is used to demonstrate the validity and reliability of the framework. The ISCF therefore could be used by all types of organizations in order to assess whether an acceptable level of information security culture has been implemented and, if not, corrective actions are suggested.

An information security control assessment methodology for organizations' financial information

In an era where dependence of information systems is significantly high, the threat of incidents related to information security that could jeopardize financial information held by organizations is serious. Alarming facts within the literature point to inadequacies in information security practices, particularly the evaluation of information security controls in organizations. Research efforts have resulted in various methodologies developed to deal with the information security controls assessment problem. A closer look at these traditional methodologies highlights various weaknesses that prevent an effective information security controls assessment in organizations. This paper develops a methodology that addresses such weaknesses when evaluating information security controls in organizations' financial systems. The methodology uses the fuzzy set theory which allows for a more accurate assessment of imprecise criteria than traditional methodologies. It is argued that using the fuzzy set theory to evaluate information security controls in organizations addresses existing weaknesses identified in the literature and leads to a more precise assessment. This, in turn, results in a more effective selection of information security controls and enhanced information security in organizations. The main contribution of this research is the development of a fuzzy set theory-based assessment methodology that provides for a thorough evaluation of information security controls in organizations. Overall, the methodology presented herein proved to be a feasible technique for evaluating information security controls in organizations' financial systems.

Information security conscious care behaviour formation in organizations

Today, the Internet can be considered to be a basic commodity, similar to electricity, without which many businesses simply cannot operate. However, information security for both private and business aspects is important. Experts believe that technology cannot solely guarantee a secure environment for information. Users' behaviour should be considered as an important factor in this domain. The Internet is a huge network with great potential for information security breaches. Hackers use different methods to change confidentiality, integrity, and the availability of information in line with their benefits, while users intentionally or through negligence are a great threat for information security. Sharing their account information, downloading any software from the Internet, writing passwords on sticky paper, and using social security numbers as a username or password are examples of their mistakes. Users' negligence, ignorance, lack of awareness, mischievous, apathy and resistance are usually the reasons for security breaches. Users' poor information security behaviour is the main problem in this domain and the presented model endeavours to reduce the risk of users' behaviour in this realm. The results of structural equation modelling (SEM) showed that Information Security Awareness, Information Security Organization Policy, Information Security Experience and Involvement, Attitude towards information security, Subjective Norms, Threat Appraisal, and Information Security Self-efficacy have a positive effect on users' behaviour. However, Perceived Behavioural Control does not affect their behaviour significantly. The Protection Motivation Theory and Theory of Planned Behaviour were applied as the backbone of the research model.

정보보호 전담조직 편성모델에 관한 연구

Information security organization has normally been organized under the IT department. However, as the importance of information security has gradually increased, the way of information security organized for enterprise security management has become a noteworthy issue. The need for separation of Information security organization from IT department is growing, such as restriction on the concurrent positions in CIO and CISO. Nowadays there are many studies about Information security organization while relatively there has been minimal research regarding a departmentalization. For these reasons this study proposes a Information Security Departmentalization Model which is based on business risk and reliance on the IT for effectively organizing Information security organization, using Contingency theory. In addition, this study classified the position of Information security organization into Planning & Coordination, Internal Control, Management and IT and analyze the strengths and weaknesses of each case.

Preemptive Security Through Information Analytics

ABSTRACTBusiness security and threat actors continue to play a dangerous cat-and-mouse game with businesses intellectual property, customer data, and business reputations at stake. Businesses need to delve into a new way of doing business security to break out of this game. Businesses are sitting on repositories full of security-relevant data that is not being capitalized upon with the current information security and physical security organizations within businesses. This article poses the introduction of a data scientist role and a new supporting central data correlation technology platform based on big data predictive analytics into business security functions. The goal is to intelligently and autonomously identify, correlate and pinpoint normally innocuous or unnoticed security event attributes to allow security personnel to preemptively remediate physical and information risks before exploitation or loss of intellectual property occurs.