Information security risk management (ISRM) is the primary means by which organizations preserve the confidentiality, integrity and availability of information resources. A review of ISRM literature ...identified deficiencies in the practice of information security risk assessment that inevitably lead to poor decision-making and inadequate or inappropriate security strategies. In this conceptual paper, we propose a situation aware ISRM (SA-ISRM) process model to complement the information security risk management process. Our argument is that the model addresses the aforementioned deficiencies through an enterprise-wide collection, analysis and reporting of risk-related information. The SA-ISRM model is adapted from Endsley's situation awareness model and has been refined using our findings from a case study of the US national security intelligence enterprise.
Display omitted
•We identify from literature 3 deficiencies in information security risk assessment.•We develop a security situational awareness (SA) model from Endsley's SA theory.•We refine our model though an in depth case study of the US intelligence enterprise.•We show how SA can be developed using an intelligence-driven approach.
Full text
Available for:
GEOZS, IJS, IMTLJ, KILJ, KISLJ, NUK, OILJ, PNG, SAZU, SBCE, SBJE, UL, UM, UPCLJ, UPUK
In organizations, users' compliance with information security policies (ISP) is crucial for minimizing information security (IS) incidents. To improve users' compliance, IS managers have implemented ...IS awareness (ISA) programs, which are systematically planned interventions to continuously transport security information to a target audience. The underlying research analyzes IS managers' efforts to design effective ISA programs by comparing current design recommendations suggested by scientific literature with actual design practices of ISA programs in three banks. Moreover, this study addresses how users perceive ISA programs and related implications for compliant IS behavior. Empirically, we utilize a multiple case design to investigate three banks from Central and Eastern Europe. In total, 33 semi-structured interviews with IS managers and users were conducted and internal materials of ISA programs such as intranet messages and posters were also considered. The paper contributes to IS compliance research by offering a comparative and holistic view on ISA program design practices. Moreover, we identified influences on users' perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. Finally, the study raises propositions regarding the relationship of ISA program designs and factors, which are likely to influence users' ISP compliance.
Full text
Available for:
GEOZS, IJS, IMTLJ, KILJ, KISLJ, NUK, OILJ, PNG, SAZU, SBCE, SBJE, UL, UM, UPCLJ, UPUK
Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information ...security. Since employees who comply with the information security rules and regulations of the organization are the key to strengthening information security, understanding compliance behavior is crucial for organizations that want to leverage their human capital. This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization's information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee's attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee's attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee's outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee's attitude toward compliance with the ISP. Our results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee's attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees' following their organizations' information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.
Full text
Available for:
BFBNIB, CEKLJ, IZUM, KILJ, NMLJ, NUK, PILJ, PNG, SAZU, UL, UM, UPUK
The article considers the process of information security from the position of cost-benefit assessment that allows to understand economic aspects of feasibility study of measures in the field of ...business information protection. In the practice of Russian business, the issues of information security are focused on compliance with regulatory requirements of the legislation. This leads to the fact that business entities neglect the procedure of comprehensive assessment of measures effectiveness that should consider the costs and benefits of legal, organizational, and technical information protection implementation. At the same time, in order to meet the new conditions of technological development of society, it is necessary to revise the concept of information protection of business entities and to fix in the policy of information security of activities the approaches to risk assessment based on assets value. The study contains a description of the cost/ benefit approach to the constituent components of ensuring information security of business process. To understand the economic aspects of information security, the research focuses on business entities of the market type of economic activity (the enterprise makes profit in its activity). The composition of components of the ensuring information security process has been defined. On the example of risk management costs and benefits of information security have been considered in detail.
The key threat to information security comes from employees who do not comply with information security policies. We developed a new multi-theory based model that explained employees’ adherence to ...security policies. The paradigm combines elements from the Protection Motivation Theory, the Theory of Reasoned Action, and the Cognitive Evaluation Theory. We validated the model by using a sample of 669 responses from four corporations in Finland. The SEM-based results showed that perceived severity of potential information security threats, employees’ belief as to whether they can apply and adhere to information security policies, perceived vulnerability to potential security threats, employees’ attitude toward complying with information security policies, and social norms toward complying with these policies had a significant and positive effect on the employees’ intention to comply with information security policies. Intention to comply with information security policies also had a significant impact on actual compliance with these policies. High level managers must warn employees of the importance of information security and why it is necessary to carry out these policies. In addition, employees should be provided with security education and hands on training.
Full text
Available for:
GEOZS, IJS, IMTLJ, KILJ, KISLJ, NUK, OILJ, PNG, SAZU, SBCE, SBJE, UL, UM, UPCLJ, UPUK
Past research suggests that the demands of information security policies (ISPs) cause stress upon employees, leading them to violate the policies. It emphasises the distress process but overlooks a ...possible positive process that may arise from the ISP demands (i.e., the eustress process) and motivate employees to reduce ISP violations. This study explores both the distress and eustress processes. It proposes that the challenge and hindrance aspects of ISP demands induce these processes and subsequently affect ISP violations. Besides, employees' ISP-related self-efficacy may facilitate or impede these processes. To test the research model, a survey was conducted on 375 employees in the U.S. The results show that the challenge aspect of ISP demands elicits a positive psychological response of employees, which in turn triggers their planful problem-solving to deal with these demands. In contrast, the hindrance aspect of ISP demands provokes a negative psychological response that triggers employees' wishful thinking about ISP demands. Meanwhile, employees' self-efficacy strengthens the effect of positive psychological response on planful problem-solving. Subsequently, planful problem-solving reduces employees' intention to violate the ISP, while wishful thinking increases their intention. This dual-process view sheds new light on the connection between ISP demands and ISP violation intention.
Full text
Available for:
BFBNIB, GIS, IJS, KISLJ, NUK, PNG, UL, UM, UPUK
•This paper is aimed at synthesizing the existing literature to suggest that why a more holistic approach of information security management is needed in management context.•The paper entertains ...article on the related context for last ten years.•A rigorous method for literature search is used with predetermined inclusion and exclusion criteria.•At first more than 300 articles were downloaded for further processing and finally 39 articles were deemed to be relevant to the context under study.•The paper suggests that management role should be considered in information security management.
Information technology has dramatically increased online business opportunities; however these opportunities have also created serious risks in relation to information security. Previously, information security issues were studied in a technological context, but growing security needs have extended researchers' attention to explore the management role in information security management. Various studies have explored different management roles and activities, but none has given a comprehensive picture of these roles and activities to manage information security effectively. So it is necessary to accumulate knowledge about various managerial roles and activities from literature to enable managers to adopt these for a more holistic approach to information security management. In this paper, using a systematic literature review approach, we synthesised literature related to management's roles in information security to explore specific managerial activities to enhance information security management. We found that numerous activities of management, particularly development and execution of information security policy, awareness, compliance training, development of effective enterprise information architecture, IT infrastructure management, business and IT alignment and human resources management, had a significant impact on the quality of management of information security. Thus, this research makes a novel contribution by arguing that a more holistic approach to information security is needed and we suggest the ways in which managers can play an effective role in information security. This research also opens up many new avenues for further research in this area.
Full text
Available for:
GEOZS, IJS, IMTLJ, KILJ, KISLJ, NUK, OILJ, PNG, SAZU, SBCE, SBJE, UL, UM, UPCLJ, UPUK, ZRSKP
This paper provides a systematic literature review in the information security policies' compliance (ISPC) field, with respect to information security culture, information security awareness, and ...information security management exploring in various settings the research designs, methodologies, and frameworks that have evolved over the last decade. Studies conducted from 2006 to 2016 reporting results from data collected through diverse means have been explored; however, only a few studies have focused primarily on a sensitive infrastructure under risk, as is the case with higher education institutions (HEIs). This study reports that ISPC in HEIs remains scarce, as is the realization of security threats and dissemination of information security policies to end users (employees). This research makes a novel contribution to the body of knowledge as a unique study that has reviewed the influence of institutional governance in HEIs on protection motivation leading towards ISPC.
Full text
Available for:
BFBNIB, GIS, IJS, KISLJ, NUK, PNG, UL, UM, UPUK
Information security data breaches are becoming larger and more frequent. Incorporating information security into the culture of the information technology (IT) staff members that support these ...technologies is a key function that must be considered in parallel to improved security technology. The framework proposed in this paper considers focusing on cost-reducing products, services and structures while building the correct behaviour and values in IT staff members and strengthening their ability to improve information security assessment capabilities in the organization to better support information security management. A tool to evaluate the framework is also described as well as concise feedback on how the framework and tool was tested in a few organizations.
Full text
Available for:
EMUNI, FIS, FZAB, GEOZS, GIS, IJS, IMTLJ, KILJ, KISLJ, MFDPS, NLZOH, NUK, OILJ, PNG, SAZU, SBCE, SBJE, SBMB, SBNM, UKNU, UL, UM, UPUK, VKSCE, ZAGLJ
Information Security (InfoSec) research is far reaching and includes many approaches to deal with protecting and mitigating threats to the information assets and technical resources available within ...computer based systems. Although a predominant weakness in properly securing information assets is the individual user within an organization, much of the focus of extant security research is on technical issues. The purpose of this paper is to highlight future directions for Behavioral InfoSec research, which is a newer, growing area of research. The ensuing paper presents information about challenges currently faced and future directions that Behavioral InfoSec researchers should explore. These areas include separating insider deviant behavior from insider misbehavior, approaches to understanding hackers, improving information security compliance, cross-cultural Behavioral InfoSec research, and data collection and measurement issues in Behavioral InfoSec research.
Full text
Available for:
GEOZS, IJS, IMTLJ, KILJ, KISLJ, NUK, OILJ, PNG, SAZU, SBCE, SBJE, UL, UM, UPCLJ, UPUK
PDF
