Information systems security (ISS) behavioral research has produced different models to explain security policy compliance. This paper (1) reviews 11 theories that have served the majority of previous information security behavior models, (2) empirically compares these theories (Study 1), (3) proposes a unified model, called the unified model of information security policy compliance (UMISPC), which integrates elements across these extant theories, and (4) empirically tests the UMISPC in a new study (Study 2), which provided preliminary empirical support for the model. The 11 theories reviewed are (1) the theory of reasoned action, (2) neutralization techniques, (3) the health belief model, (4) the theory of planned behavior, (5) the theory of interpersonal behavior, (6) the protection motivation theory, (7) the extended protection motivation theory, (8) deterrence theory and rational choice theory, (9) the theory of self-regulation, (10) the extended parallel processing model, and (11) the control balance theory. The UMISPC is an initial step toward empirically examining the extent to which the existing models have similar and different constructs. Future research is needed to examine to what extent the UMISPC can explain different types of ISS behaviors (or intentions thereof). Such studies will determine the extent to which the UMISPC needs to be revised to account for different types of ISS policy violations and the extent to which the UMISPC is generalizable beyond the three types of ISS violations we examined. Finally, the UMISPC is intended to inspire future ISS research to further theorize and empirically demonstrate the important differences between rival theories in the ISS context that are not captured by current measures.
Information system security within XYZ University constitutes a vital component of its IT framework, exerting significant influence over security levels across all facets of the information systems. Among the numerous information system services implemented at the university, a considerable portion lacks active security measures within operational systems. In pursuit of uniform governance, this study adopts the most recent COBIT 2019 framework. The primary objective of this research is to evaluate the degree to which current information system security management aligns with the process achievement values stipulated in the COBIT 2019 standard. This evaluation entails the calculation of maturity level values that gauge performance levels in managing information system security. Findings from the COBIT 2019 Design assessment conducted at XYZ University's LTIK reveal that the processes scoring above 80, and thus requiring Capability Level 4, are APO12 and BAI10. Moreover, the calculation outcomes for each subdomain reveal 2 subdomains at Level 4, 4 subdomains at Level 3, 15 subdomains at Level 2, and 19 subdomains at Level 1. The identification outcomes underscore the existence of gaps within each domain. In particular, the APO12 and BAI10 domains exhibit a gap spanning 2 levels.
• We analyzed IS engineers’ acceptance of Privacy by Design (PbD) and examined motivating factors.
• We proposed and tested a UTAUT-based integrated model.
• The proposed model performs better in explaining IS engineers’ acceptance of PbD.
• IS engineers’ attitude plays a critical role in promoting PbD implementation.
• IS engineers’ effort and performance expectancies positively influence their attitude.
Given the serious issues caused by privacy leakage, Privacy by Design (PbD) is gaining the attention of professionals as a new privacy protection paradigm with enormous potential. This study proposes a UTAUT-based integrated model from the perspective of information system (IS) engineers, and explores the determinants of PbD implementation. The implementation of PbD and privacy protection measures relies heavily on IS engineers. However, there is a paucity of research exploring IS engineers’ acceptance of PbD, particularly research that considers engineers’ individualized factors and personal attitudes. Empirical data collected from 261 IS engineers in China demonstrate the rationality of the proposed model and the importance of integrating conceptual constructs. The findings suggest that IS engineers’ attitude towards PbD implementation significantly impacts both their behavioral intention and their implementing behavior. IS engineers’ awareness of PbD is a predictor of their effort and performance expectancies, and of their intention to implement; IS engineers’ effort and performance expectancies concerning PbD usage have a significant impact on their attitude towards PbD. This study reveals the factors that motivate IS engineers to implement PbD in their workflow and proposes for the first time that IS engineers’ attitude towards PbD usage is the key factor for PbD implementation.
Recent data breaches underscore the importance of organizational cybersecurity. However, the high costs of such security can force chief financial officers (CFOs) to make difficult financial and ethical trade-offs that have both business and societal implications. We employ a 2 × 2 randomized experiment that varies both an observed scenario CFO’s investment decision (invest/not invest in security) and organizational outcomes (positive/negative) to investigate these trade-offs. Participant managers assess the observed CFO’s investment behavior and indicate their own intentions to invest. Results indicate that when the observed scenario CFO invests in security, managers primarily follow their peers when making investment decisions. However, when the observed CFO does not invest in security, managers make their own decisions by engaging in more in-depth reasoning that includes assessment of the seriousness of consequences, as well as the ethical and societal considerations. Moderated mediation findings further deconstruct and corroborate these relationships.
Abstract
Cloud computing has the characteristics of super computing power, low cost and high security, as well as providing powerful data storage and network services. In the commercial field, it has begun to take shape. This paper attempts to introduce cloud computing technology into the construction of digital archives, analyzes the possibility and reality of applying cloud computing technology services to the service and management of digital archives from the common point of view of cloud computing services and digital archives, and puts forward corresponding ways of applying cloud computing in digital archives. This paper analyzes and integrates all kinds of risks that digital archives may face in the cloud computing environment, and establishes a security evaluation index system that includes the security elements of the information system and of cloud computing technology. In this paper, the fuzzy comprehensive evaluation method is used to evaluate the mathematical model of the cloud digital archives security evaluation system, and a security evaluation system suitable for cloud digital archives is proposed.
Using institutional theory as a theoretical framework, this study illuminates organizational changes stemming from institutional pressures to investigate innovation in e-government information system security (ISS). From the perspective of mimetic isomorphism, the study examines ISS innovation by the South Korean government to elucidate organizational factors affecting organizational changes. This study attempted to investigate the interrelation of institutional influences and internal organizational factors in the course of ISS innovation. A research model was developed to elucidate the effects of mimetic isomorphism on innovation-supportive culture, legitimacy, and organizational citizenship behavior (OCB); furthermore, the relationships among innovation-supportive culture, legitimacy, and OCB, as well as how they influence organizational ISS effectiveness, were examined. A survey was administered to 489 civil servants working for the South Korean national government; valid data were analyzed using the partial least squares method. The results showed that mimetic isomorphism positively affected both innovation-supportive culture and legitimacy in ISS innovation. However, mimetic isomorphism influenced only individual OCB, not organizational OCB. Consistent with our hypotheses, innovation-supportive culture, legitimacy, and OCB positively influenced ISS effectiveness, whereas organizational cynicism negatively influenced ISS effectiveness. These findings provide interesting insights into how ISS innovation for e-government can be viewed within institutional theory and organizational behavior. As this study's results show the appropriateness of ISS innovation-supportive culture for ISS effectiveness in the government, the government should diagnose cultural manifestations or cultural artifacts to help ISS practitioners formulate, implement, and manage ISS strategies.
• We illuminate organizational changes for innovation in e-government information security through institutional pressures.
• This study examines ISS innovation to elucidate organizational factors and behavior in the Korean government.
• Mimetic isomorphism positively affected innovation-supportive culture and legitimacy in ISS innovation, as well as individual OCB.
• Innovation-supportive culture, legitimacy, and individual and organizational OCBs positively influenced ISS effectiveness.
• These findings provide insights into ISS innovation in terms of institutional theory and organizational behavior.
Information systems are frequently exposed to various types of threats which can cause different types of damage that might lead to significant financial losses. Information security damage can range from small losses to the destruction of an entire information system. The effects of various threats vary considerably: some affect the confidentiality or integrity of data while others affect the availability of a system. Currently, organizations are struggling to understand what the threats to their information assets are and how to obtain the necessary means to combat them, which continues to pose a challenge. To improve our understanding of security threats, we propose a security threat classification model which allows us to study the impact of a threat class instead of the impact of an individual threat, since a threat varies over time. This paper addresses different criteria for classifying information system security risks and reviews most threat classification models. We define a hybrid model for information system security threat classification in order to propose a classification architecture that supports all threat classification principles and helps organizations implement their information security strategies.
Along with the rapid development of socio-technical systems, people are playing an increasingly important role in information systems and have actually become an essential system component. However, unlike technology-based attacks that have been investigated for decades, social engineering attacks have not been efficiently addressed. In particular, due to the interdisciplinary nature of social engineering, there is a lack of consensus on its definition, hindering the further development of this research field. In this paper, we propose a comprehensive and fundamental ontology of social engineering based on a systematic review of existing social engineering taxonomies and ontologies in order to provide a theoretical foundation for social engineering analysis. The essential contributions of this paper include: (1) proposing a comprehensive ontology of social engineering and precisely specifying ontological definitions of its essential concepts based on Situation Calculus; (2) enumerating and summarizing a set of social engineering techniques and presenting their fine-grained classification based on the proposed ontology; (3) incorporating psychology and sociology knowledge into social engineering analysis, encapsulating such knowledge in terms of a formalized ontology. We have evaluated our ontology on a set of real social engineering attacks, the results of which show the usefulness of our proposal.
• A review of existing social engineering ontologies.
• A proposal of a unified set of concepts of social engineering.
• A proposal of ontological definitions of social engineering based on Situation Calculus.
• A presentation of a fine-grained classification of social engineering techniques, incorporating psychology and sociology knowledge into social engineering analysis.
• A formalization of the social engineering ontology using Description Logic.
This paper applies the emotion extraction method based on an emotion lexicon to the group emotion analysis of the information system, combines it with the vector space model to process the text emotion in the information system, expresses the emotion in the form of vectors, and divides the different types of emotion according to the distance between the emotion vectors for identification. The five-level index system in fuzzy mathematics is chosen to measure the value of emotional intensity, and by analyzing the emotional state of the group in the information leakage incident, a decision in line with the users’ emotion is made based on the emotion surrounding the information system security. Accordingly, the security defense index of the information system is improved according to the information security risk index. The results show that in identifying the emotions surrounding information system security events, the group’s emotions are mainly biased towards the negative. The proportion of negative emotions is the largest, at 98%, which indicates that attention should be paid to the confidentiality of the user group’s information in the security of the information system. The maximum security event risk value in the evaluation of the information system occurs in the T8 period, with a value of 0.819, indicating that the security defense of the information system should be strengthened in the T8 period.
This study aims to investigate the direct and indirect effects of information system security practices on the relationship between cyber supply chain risk management and supply chain performance. In the Industry 4.0 era, cyber-attacks have become unavoidable, and firms need to adopt cyber supply chain risk management to improve their performance. The data were collected from 105 firms in Malaysia through online surveys. The partial least squares structural equation modeling technique was used to examine the model's goodness of fit and the research hypotheses. The results revealed that operations influence supply chain performance both directly and indirectly (via mediators). In contrast, governance directly affects supply chain flexibility and indirectly (via mediators) influences supply chain performance; in addition, systems integration did not influence supply chain performance, either directly or indirectly. This framework provides the manufacturing industry and related parties with a better understanding of cyber supply chain risk management.