Search results

1 – 10 of 63
Article
Publication date: 1 August 2000

S.A. Kokolakis, A.J. Demopoulos and E.A. Kiountouzis

Abstract

The increasing reliance of organisations on information systems connected to or extending over open data networks has established information security as a critical success factor for modern organisations. Risk analysis appears to be the predominant methodology for the introduction of security in information systems (IS). However, risk analysis is based on a very simple model of IS as consisting of assets, mainly data, hardware and software, which are vulnerable to various threats. Thus, risk analysis cannot provide for an understanding of the organisational environment in which IS operate. We believe that a comprehensive methodology for information systems security analysis and design (IS‐SAD) should incorporate both risk analysis and organisational analysis, based on business process modelling (BPM) techniques. This paper examines the possible contribution of BPM techniques to IS‐SAD and identifies the conceptual and methodological requirements for a technique to be used in this context. Based on these requirements, several BPM techniques have been reviewed. The review reveals the need for either adapting and combining current techniques or developing new, specialised ones.

Details

Information Management & Computer Security, vol. 8 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 14 November 2016

Fredrik Karlsson, Ella Kolkowska and Frans Prenkert

Abstract

Purpose

The purpose of this paper is to survey existing inter-organisational information security research to scrutinise the kind of knowledge that is currently available and the way in which this knowledge has been brought about.

Design/methodology/approach

The results are based on a literature review of inter-organisational information security research published between 1990 and 2014.

Findings

The authors conclude that existing research has focused on a limited set of research topics. A majority of the research has focused on management issues, while employees’/non-staffs’ actual information security work in inter-organisational settings is an understudied area. In addition, the majority of the studies have used a subjective/argumentative method, and few studies combine theoretical work and empirical data.

Research limitations/implications

The findings suggest that future research should address a broader set of research topics, focusing especially on employees/non-staff and their use of processes and technology in inter-organisational settings, as well as on cultural aspects, which are lacking currently; focus more on theory generation or theory testing to increase the maturity of this sub-field; and use a broader set of research methods.

Practical implications

The authors conclude that existing research is to a large extent descriptive, philosophical or theoretical. Thus, it is difficult for practitioners to adopt existing research results, such as governance frameworks, which have not been empirically validated.

Originality/value

Few systematic reviews have assessed the maturity of existing inter-organisational information security research. Findings of authors on research topics, maturity and research methods extend beyond the existing knowledge base, which allow for a critical discussion about existing research in this sub-field of information security.

Details

Information & Computer Security, vol. 24 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 1 December 2005

Lazaros Gymnopoulos, Vassilios Tsoumas, Ioannis Soupionis and Stefanos Gritzalis

Abstract

Purpose

The purpose of this paper is to provide a framework for enhancing security policy management in the Grid.

Design/methodology/approach

The Grid security policy reconciliation problem is presented. A generic view on the security policy notion is adopted and the security policy ontology notion is introduced and used.

Findings

In the course of this work it was found that, in order to enhance security policy management in the Grid, Grid entities should have the ability to negotiate their security policies. It was also found that, in order to achieve security policy negotiation, effective security policy semantics manipulation towards security policy reconciliation is needed. Finally, it was established, through the use of an example, that if appropriate means are used for security policy reconciliation then incompatible security policy representations can be transformed into compatible ones.

Research limitations/implications

Research limitations stem from the adoption of a generic view on the security policy notion and the selection of identification and authentication security policies as the focal point of the proposed framework. Research implications include the possibility of examining how existing security policy reconciliation models can be incorporated in this generic framework. The possibility of investigating how such a framework can lead to a security policy knowledge management tool for Grid administrators is also demonstrated.

Practical implications

Practical implications of this work include the establishment of a common framework for security information exchange between Grid entities.

Originality/value

This paper proposes a framework for enhancing security policy management in the Grid. The proposed framework can be used by researchers as a reference and by security experts in order to reduce ambiguity concerning the interpretation of security policies expressed in different forms, by negotiating Grid entities.

Details

Internet Research, vol. 15 no. 5
Type: Research Article
ISSN: 1066-2243

Article
Publication date: 1 September 2005

Peter R.J. Trim

Abstract

Purpose

The purpose of this paper is to make explicit why security needs to be viewed as a core activity and why senior management need to view security from a holistic perspective. Reference is made to various activities carried out by computer hackers and the costs associated with computer related crime.

Design/methodology/approach

A literature review was undertaken and a conceptual security model was produced. The key elements of the activities associated with security were highlighted and the links between the activities were made clear.

Findings

Organized criminal syndicates and international terrorist groups are increasing their level of activity. Senior managers within companies need to put in place an intelligence and security strategy to counter the activities of criminals and terrorists. Furthermore, senior managers will in the future have to work more closely with law enforcement representatives and industry representatives. They will also have to develop an appreciation of the strategic intelligence objectives of various governments. There is also evidence that senior management need to pay greater attention to identifying future threats associated with advances in internet technology.

Research limitations/implications

More attention will need to be given to how facilitating technology such as the internet is providing computer hackers and criminals with ways to either disrupt business activities or extend the range of criminal activities that they are engaged in.

Practical implications

Senior management will need to refocus on the capability of staff vis‐à‐vis corporate intelligence and security work. The learning organization concept can be embraced and can be used to assist staff to identify the advantages associated with effective knowledge management. Scenario analysis and simulation exercises can be used to train staff in emergency work, and disaster management and prevention.

Originality/value

A diverse range of topics is covered and integrated into a security‐oriented context. Attention is focused on the link between organized criminal syndicates and international terrorist groups, and why senior managers in companies need to be engaged in disaster management recovery planning. The material highlights why senior managers in companies need to develop business contingency plans and embrace the counterintelligence concept.

Details

Disaster Prevention and Management: An International Journal, vol. 14 no. 4
Type: Research Article
ISSN: 0965-3562

Article
Publication date: 1 June 2012

Michael Workman

Abstract

Purpose

Funding agencies such as the Office of Naval Research, Department of Homeland Security, and others, have reduced funding for non‐tactical operations. Simultaneously, organizations are squeezing their overhead budgets (where security initiatives fall) and are focusing more on revenue generation given current economic climates. Thus, in both governmental sectors and in commercial settings, there are reasons to believe that strategic security initiatives are being sacrificed, and those that survive must be compelling. To assist organizational leaders with these difficult choices, it is critical to understand biases that affect decisions about strategic security initiatives. The purpose of this paper is to validate and empirically test the predictability of a theoretical model, from which implications can be made for research and practice.

Design/methodology/approach

Using behavioral decision theory, a randomized longitudinal study was conducted over three years with a multinational corporation with headquarter‐offices in the UK and the USA, and regional offices in India, Germany and France. From these data, a model was developed and tested for fit with a confirmatory factor analysis and its predictive ability was tested using structured equation modeling.

Findings

It was found that risk aversion, overconfidence, adjustment of cognitive anchors, and expected utility biases affected whether managers and other stakeholders continued or terminated strategic security initiatives.

Originality/value

Prematurely terminating, or over-committing to, a strategic initiative can be costly if not significantly damaging to an organization or government military or intelligence agency. Understanding how biases factor into these decisions can help strategic initiative decision makers improve their decisions and assist them in recognizing normative rules or optimal (straddle point) solutions.

Article
Publication date: 2 October 2007

Elspeth McFadzean, Jean‐Noel Ezingeard and David Birchall

Abstract

Purpose

Information security is becoming increasingly important as organisations are endangered by a variety of threats from both their internal and external environments. Many theorists now advocate that effective security policies should be created at senior management level. This is because executives are able to evaluate the organisation using a holistic approach as well as having the power to ensure that new systems and procedures are implemented in a timely manner. There is, however, a continuing lack of understanding regarding the strategic importance of managing information security. In addition, there is a gap in the literature on the relationship between directors and information security strategy. This paper attempts to close this gap by exploring how directors perceive their organisation's security and what factors influence their decisions on the development and implementation of information security strategy.

Design/methodology/approach

The research is based on constructivist grounded theory. Forty‐three interviews were conducted at executive level in 29 organisations. These interviews were then coded and analysed in order to develop new theory on directors' perception of risk and its effect on the development and implementation of information security strategy.

Findings

The analysis shows that senior managers' engagement with information security is dependent on two key variables: the strategic importance of information systems to their organisation and their perception of risk. Additionally, this research found that these two variables are affected by both organisational contextual factors and the strategic and operational actions undertaken within the business. Furthermore, the results demonstrated that the two board variables also have an impact on the organisation's environment as well as its strategic and operational actions. This paper uses the data gathered from the interviews to develop a model of these factors. In addition, a perception grid is constructed which illustrates the potential concerns that can drive board engagement.

Practical implications

The paper illustrates the advantages of using the perception grid to understand and develop current and future information security issues.

Originality/value

The paper investigates how organisational directors perceive information security and how this perception influences the development of their information security strategy.

Details

Online Information Review, vol. 31 no. 5
Type: Research Article
ISSN: 1468-4527

Article
Publication date: 1 July 2005

Petros Belsis, Spyros Kokolakis and Evangelos Kiountouzis

Abstract

Purpose

Information systems security management is a knowledge‐intensive activity that currently depends heavily on the experience of security experts. However, the knowledge dimension of IS security management has been neglected, both by research and industry. This paper aims to explore the sources of IS security knowledge and the potential role of an IS security knowledge management system.

Design/methodology/approach

The results of this paper are based on field research involving five organizations (public and private) and five security experts and consultants. A model to illustrate the structure of IS security knowledge in an organization is then proposed.

Findings

Successful security management largely depends on the involvement of users and other stakeholders in security analysis, design, and implementation, as well as in actively defending the IS. However, most stakeholders lack the required knowledge of IS security issues that would allow them to play an important role in IS security management.

Originality/value

In this paper, the knowledge management aspect of IS security management has been highlighted. Moreover, the basic sources of security‐related knowledge have been identified and a model of IS security knowledge has been created. Also, the activities to be supported by a security‐focused KM system have been identified. Thus, the basis for the development of specialized security KM systems has been set.

Details

Information Management & Computer Security, vol. 13 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 17 August 2012

Aggeliki Tsohou, Maria Karyda, Spyros Kokolakis and Evangelos Kiountouzis

Abstract

Purpose

Recent global security surveys indicate that security training and awareness programs are not working as well as they could be and that investments made by organizations are inadequate. The purpose of the paper is to increase understanding of this phenomenon and illuminate the problems that organizations face when trying to establish an information security awareness program.

Design/methodology/approach

Following an interpretive approach, the authors apply a case study method and employ actor network theory (ANT) and the due process for analyzing findings.

Findings

The paper contributes to both understanding and managing security awareness programs in organizations, by providing a framework that enables the analysis of awareness activities and interactions with the various organizational processes and events.

Practical implications

The application of ANT still remains a challenge for researchers since no practical method or guide exists. In this paper the application of ANT through the due process model extension is enhanced and practically presented. This exploration highlights the fact that information security awareness initiatives involve different stakeholders, with often conflicting interests. Practitioners must acquire, in addition to technical skills, communication, negotiation and management skills in order to address the related organizational and managerial issues. Moreover, the results of this inquiry reveal that the role of artifacts used within the awareness process is not neutral but can actively affect it.

Originality/value

This study is one of the first to examine information security awareness as a managerial and socio‐technical process within an organizational context.

Details

Information Technology & People, vol. 25 no. 3
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 1 May 2006

Aggeliki Tsohou, Maria Karyda, Spyros Kokolakis and Evangelos Kiountouzis

Abstract

Purpose

The purpose of this paper is to examine the potential of cultural theory as a tool for identifying patterns in the stakeholders' perception of risk and its effect on information system (IS) risk management.

Design/methodology/approach

Risk management involves a number of human activities which are based on the way the various stakeholders perceive risk associated with IS assets. Cultural theory claims that risk perception within social groups and structures is predictable according to group and individual worldviews; therefore this paper examines the implications of cultural theory on IS risk management as a means for security experts to manage stakeholders' perceptions.

Findings

A basic theoretical element of cultural theory is the grid/group typology, where four cultural groups with differentiating worldviews are identified. This paper presents how these worldviews affect the process of IS risk management and suggests key issues to be considered in developing strategies of risk management according to the different perceptions cultural groups have.

Research limitations/implications

The findings of this research are based on theoretical analysis and are not supported by relevant empirical research. Further research is also required for incorporating the identified key issues into information security management systems (ISMS).

Originality/value

IS security management overlooks stakeholders' risk perception; for example, there is no scheme developed to understand and manage the perception of IS stakeholders. This paper proposes some key issues that should be taken into account when developing strategies for addressing the issue of understanding and managing the perception of IS stakeholders.

Details

Information Management & Computer Security, vol. 14 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 1 October 2001

T. Tryfonas, E. Kiountouzis and A. Poulymenakou

Abstract

As information and communication technologies become a critical component of firms’ infrastructures and information establishes itself as a key business resource as well as driver, people start to realise that there is more than the functionality of the new information systems that is significant. Business or organisational transactions over new media require stability, one factor of which is information security. Information systems development practices have changed in line with the evolution of technology offerings as well as the nature of systems developed. Nevertheless, as this paper establishes, most contemporary development practices do not sufficiently accommodate security concerns. Beyond the literature evidence, the paper reports on empirical study results indicating that practitioners deal with security issues by applying conventional risk analysis practices after the system is developed. It addresses the lack of a defined discipline for the integration of security concerns in systems development by using field study results recording development practices that are currently in use to illustrate their deficiencies, to point to required enhancements of practice and to propose a list of desired features that contemporary development practices should incorporate to address security concerns.

Details

Information Management & Computer Security, vol. 9 no. 4
Type: Research Article
ISSN: 0968-5227
