Search results

1 – 10 of 210
Article
Publication date: 12 June 2007

Marijke Coetzee and J.H.P. Eloff


839

Abstract

Purpose

This paper seeks to investigate how the concept of a trust level is used in the access control policy of a web services provider in conjunction with the attributes of users.

Design/methodology/approach

A literature review is presented to provide background to the progressive role that trust plays in access control architectures. The web services access control architecture is defined.

Findings

The architecture of an access control service of a web service provider consists of three components, namely an authorisation interface, an authorisation manager, and a trust manager. Access control and trust policies are selectively published according to the trust levels of web services requestors. A prototype highlights the incorporation of a trust level in the access control policy as a viable solution to the problem of web services access control, where decisions of an autonomous nature need to be made, based on information and evidence.

Research limitations/implications

The WSACT architecture addresses the selective publication of policies. The implementation of sophisticated policy‐processing points at each web service endpoint, to automatically negotiate about policies, is an important element needed to complement the architecture.

Practical implications

The WSACT access control architecture illustrates how access control decisions can be made autonomously by including a trust level of web services requestors in an access control policy.

Originality/value

The WSACT architecture incorporates the trust levels of web services requestors and the attributes of users into one model. This allows web services providers to grant advanced access to the users of trusted web services requestors, in contrast with the limited access that is given to users who make requests through web services requestors with whom a minimal level of trust has been established.

Details

Internet Research, vol. 17 no. 3
Type: Research Article
ISSN: 1066-2243

Article
Publication date: 14 October 2020

Saurabh Kumar, Baidyanath Biswas, Manjot Singh Bhatia and Manoj Dora


1952

Abstract

Purpose

The present study aims to identify and investigate the antecedents of an enhanced level of cyber-security at the organisational level from both the technical and the human resource perspective using human–organisation–technology (HOT) theory.

Design/methodology/approach

The study has been conducted on 151 professionals who have expertise in dealing with cyber-security in organisations in sectors such as retail, education, healthcare, etc. in India. The analysis of the data is carried out using partial least squares based structural equation modelling technique (PLS-SEM).

Findings

The results from the study suggest that “legal consequences” and “technical measures” adopted for securing cyber-security in organisations are the most important antecedents for enhanced cyber-security levels in the organisations. The other significant antecedents for enhanced cyber-security in organisations include “role of senior management” and “proactive information security”.

Research limitations/implications

This empirical study has significant implications for organisations as they can take pre-emptive measures by focussing on important antecedents and work towards enhancing the level of cyber-security.

Originality/value

The originality of this research lies in combining both technical and human resource perspectives in identifying the determinants of an enhanced level of cyber-security in organisations.

Details

Journal of Enterprise Information Management, vol. 34 no. 6
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 26 July 2021

Hwee-Chin Tan, Keng Lin Soh, Wai Peng Wong and Ming-Lang Tseng


916

Abstract

Purpose

In the face of information leakage, this study aims to demonstrate pathways to supply chain resilience (SCR) during information sharing by deploying organizational ethical climate (OEC) and information security culture (ISC) as non-punitive mitigation approaches.

Design/methodology/approach

This empirical study was conducted to verify the framework using a questionnaire distributed to Malaysian multinational corporations (MNCs) of the manufacturing sector. The data were analysed using structural equation modeling (SEM) techniques with the AMOS software.

Findings

This study has confirmed the adverse impact of intentional and unintentional leakages on information sharing effectiveness. The findings showed ISC could reduce the impact of information leakage, but an OEC could not. This study provides evidence that information sharing effectiveness could impact SCR. The former is a mediator between information leakage and SCR, with information leakage moderated by information security culture. These findings convey that multinationals should set up an ISC to reduce information leakage and enhance their SCR.

Originality/value

Prior studies lacked the explanation of the impact of mitigating factors on information leakage in information sharing effectiveness affecting SCR. A framework that explains the relationships adds value to organizations making available strategic decisions to curb information leakage and manage SCR.

Details

Journal of Enterprise Information Management, vol. 35 no. 3
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 8 June 2015

Sushma Mishra


2173

Abstract

Purpose

The purpose of this study is to develop theoretically grounded and empirically derived organizational security governance (OSG) objectives. Developing organizational security governance (OSG) objectives poses significant challenges for organizations considering the ever-increasing vulnerability from lack of or misuse of appropriate controls. In recent years, there have been several cases of colossal losses to businesses due to inadequate security governance measures. In many cases, organizations do not even know as to what their ISG objectives might be. Following an extensive empirical study, this paper proposes 6 fundamental and 17 means objectives for designing security governance. The objectives were developed from individual values of information technology and security executives across a wide range of firms. The study comprised 52 interview respondents across 9 firms, which resulted in 23 OSG objectives. Theoretically, the study was grounded in Catton’s (1959) value theory and Keeney’s (1992) value-focused thinking. The objectives provide a useful basis for strategic planning for information security governance.

Design/methodology/approach

This research is grounded in value-focused thinking methodology. Step 1: develop a comprehensive list of personal values underlying the problem being explored. The researcher undertakes extensive interviews, using relevant probes, to elicit underlying values of respondents. Step 2: change the values enlisted to a common form and convert them into objectives. The data collected in Step 1 is collated and presented in a common form, which enables cross-comparison and easy interpretation. Step 3: classify the objectives as means and fundamental for the decision context. Objectives are clustered into groups and then classified into fundamental and means.

Findings

This study uses a value-focused approach to develop OSG objectives. Incorporating individual values in developing governance objectives would facilitate alignment of individual and organizational values about OSG. This study proposes 6 fundamental and 17 means objectives for OSG. The study provides a comprehensive list of OSG that is rooted in values of stakeholders in an organization.

Originality/value

The main contributions of this study can be classified in two categories. First, it represents a collective set of OSG objectives which touch upon technical, formal, informal, moral and ethical dimensions of governance. This is a unique, synthesized and cohesive framework for OSG, which incorporates several aspects of OSG into one platform, thus allowing the development of a comprehensive security management program. Second, some of the objectives developed in this research (“establish corporate control strategy”, “establish punitive structure”, “establish clear control development process”, “ensure formal control assessment functionality” and “maximize group cohesiveness”) have not been emphasized enough in security governance literature.

Details

Information & Computer Security, vol. 23 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 1 December 1998

L. Labuschagne and J.H.P. Eloff


657

Abstract

Using new concepts, such as those on which Java is based, it is now possible to define a new framework within which risk analyses can be performed on electronic communications. In order truly to be effective, risk analyses must be done in real time, owing to the dynamic nature of open, distributed public networks. The strength of these public networks lies in the many routes available for a message to travel from point A to point B, thus ensuring that the message will be delivered. These many routes, however, also constitute the biggest security weakness in public networks, as it is impossible proactively to determine the route a message will follow. In a bid to compensate for the said weakness, this article will be devoted to a discussion on a framework in terms of which Real‐time Risk Analysis (RtRA) can, henceforth, be performed to determine a risk value for a communications session, rather than for the network components used on routes that need to be fixed and known in advance, as for conventional risk analysis. A communication session is defined as the transfer of data between two hosts; for example, exchanging e‐mail messages over open, distributed public networks. RtRA produces a risk value that can be used to determine the appropriate countermeasures with which to minimise the risk associated with a communication session.

Details

Information Management & Computer Security, vol. 6 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 17 June 2019

Estee van der Walt and Jan Eloff


304

Abstract

Purpose

This paper aims to describe requirements for a model that can assist in identity deception detection (IDD) on social media platforms (SMPs). The model that was discovered demonstrates the usefulness of the requirements. The aim of the model is to identify humans lying about their identity on SMPs.

Design/methodology/approach

The requirements of a model for IDD will be determined through a literature study combined with a study that identifies currently available identity related metadata on SMPs. This metadata refers to the attributes that describe a user account on an SMP. The aim is to restrict IDD to be only based on these types of attributes, as opposed to or combined with the contents of a single or multiple communications.

Findings

Data science experiments were conducted and in particular supervised machine learning models were discovered that indeed detect identity deception on SMPs with an area under the receiver operator characteristics curve (ROC-AUC) of 75.5 per cent.

Originality/value

SMPs allow any user to easily communicate with their friends or the general public at large. People can now be targeted at great scale, most often for malicious purposes. The reality is that many of these cyber-attacks involve some form of identity deception, where the attackers lie about who they are. Much focus to date has been on the identification of non-human deceptive accounts. This paper focuses on deceptive human accounts that target vulnerable individuals on SMPs.

Details

Information & Computer Security, vol. 27 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 2 September 2014

Abhishek Narain Singh, M.P. Gupta and Amitabh Ojha


3316

Abstract

Purpose

Despite many technically sophisticated solutions, managing information security has remained a persistent challenge for organizations. Emerging IT/ICT media have posed new security challenges to business information and information assets. It is felt that technical solutions alone are not sufficient to address the information security challenge. It has been argued that organizations also need to consider the management aspects of information security. Consequently, literature, especially in the last decade, has witnessed various scholarly works in this direction. Therefore, a synthesis exercise is required to bring clarity on categorizing the issues of organizational information security management (ISM) to take the research forward. The purpose of this paper is to identify management factors that address organizational information security challenges.

Design/methodology/approach

Using a mixed-method approach, the paper adopts the qualitative (keyword analysis and experts’ opinion) and quantitative (questionnaire survey) research routes. Exploratory factor analysis is conducted to find out the key factors of organizational ISM.

Findings

The paper categorizes various organizational ISM functions into ten factors. Spanning across three levels (strategic, tactical and operational), these factors cover various management issues of organizational ISM.

Originality/value

The paper takes the ISM literature forward by statistically validating the key management factors of organizational ISM. The study outcome should help to draw the attention of organizations toward the managerial challenges of organizational ISM.

Details

Journal of Enterprise Information Management, vol. 27 no. 5
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 12 June 2020

Wai-Peng Wong, Kim Hua Tan, Stephanie Hui-Wen Chuah, Ming-Lang Tseng, Kuan Yew Wong and Shamraiz Ahmad


706

Abstract

Purpose

This study investigates information quality, information security technology and information sharing with moderation by information security culture and information leakage and how they all play out to influence supply chain performance for contract suppliers (Contract), noncontract suppliers (Noncontract) and pooled suppliers (Contract and Noncontract combined).

Design/methodology/approach

Multigroup analysis was deployed to compare the impact on Contract and Noncontract.

Findings

The finding on pooled suppliers confirmed the hypothesis that, in the multigroup analysis, information security culture negatively impacted the information quality–information sharing relationship of Contract.

Practical implications

The practical learning point is that Noncontract could still share information and perform and in some instances better than Contract. Noncontract suppliers are still workable.

Originality/value

Information security culture motivated Noncontract to share and perform better than Contract. This result presents a dilemma.

Details

Journal of Enterprise Information Management, vol. 34 no. 1
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 1 December 2005

M. Coetzee and J.H.P. Eloff


1557

Abstract

Purpose

This paper aims to show that information and evidence found in the XML‐based environment of web services can allow web services providers to gain a sense of the trustworthiness of web services requestors over time.

Design/methodology/approach

A literature review on trust in the web services environment is provided. Trust management models and an existing trust specification for web services are discussed. Next, a conceptual framework for web services trust formation is presented.

Findings

The paper makes explicit types of information that can be used for trust formation. Web services providers are given the ability to trust requestors autonomously by making use of information that is published through web services standards, defined over and above a web services interface. The approach incorporates elements of social trust as it is concerned with more than cryptographic controls. It has mechanisms that allow a web services provider to manage trust autonomously, enabling different types of trust for different situations.

Research limitations/implications

A conceptual framework for trust formation has been defined that identifies a proposal for trust calculation. The paper does not address the implementation of the framework, and calculation of trust over information categories.

Practical implications

The paper identifies a practical approach to autonomous web services trust by making use of web services standards such as WS‐Policy and WS‐MetadataExchange.

Originality/value

This paper identifies a taxonomy of trust information that can be used to make explicit the requirements for web services trust.

Details

Internet Research, vol. 15 no. 5
Type: Research Article
ISSN: 1066-2243

Article
Publication date: 12 October 2010

Ahmad Abu‐Musa


4264

Abstract

Purpose

This paper seeks to empirically examine the existence and implementation of information security governance (ISG) in Saudi organizations.

Design/methodology/approach

An empirical survey, using a self‐administered questionnaire, is conducted to explore and evaluate the current status and the main features of ISG in the Saudi environment. The questionnaire is developed based on ISG guidelines for boards of directors and executive management issued by the Information Technology (IT) Governance Institute and other related materials available in the literature. A total of 167 valid questionnaires are collected and processed using the Statistical Package for Social Sciences, version 16.

Findings

The results of the study reveal that although the majority of Saudi organizations recognize the importance of ISG as an integrant factor for the success of IT and corporate governance, most of them have no clear information security strategies or written information security policy statements. The majority of Saudi organizations have no disaster recovery plans to deal with information security incidents and emergencies; information security roles and responsibilities are not clearly defined and communicated. The results also show that alignment between ISG and the organization's overall business strategy is relatively poor and not adequately implemented. The results also show that risk assessment procedures are not adequately and effectively implemented, ISG is not a regular item in the board's agenda, and there are no properly functioning ISG processes or performance‐measuring systems in the majority of Saudi organizations. Accordingly, appropriate actions should be taken to improve implementing and measuring the ISG performance in Saudi organizations.

Originality/value

From a practical standpoint, managers and practitioners alike stand to gain from the findings of this study. The results of the paper enable them to better understand and evaluate ISG and to champion IT development for business success in Saudi organizations.

Details

Information Management & Computer Security, vol. 18 no. 4
Type: Research Article
ISSN: 0968-5227
