Search results

1 – 4 of 4
Article
Publication date: 7 June 2011

Yngve Monfelt, Sofie Pilemalm, Jonas Hallberg and Louise Yngström

Abstract

Purpose

The purpose of this paper is to describe the controlled information security project which is designed to investigate, assess and provide tools to improve the information security status in organizations with a focus on public agencies. A central question for the project is how information security issues are communicated within organizations, specifically underlining that communication is control in a cybernetic sense.

Design/methodology/approach

The research method applied can be expressed as applied general systems theory combined with design science. The project is carried out in a number of steps: to design modelling techniques and metrics for information security issues in organizations; to collect data from Swedish governmental agencies; to use the modelling techniques to model communication of information security in organizations from different perspectives; to apply metrics on the data in order to assess information security levels in the agencies; to identify gaps; and to identify needs for improvement.

Findings

The motivation for the research is that communication of information security issues within organizations tends to be insufficient and the mental connections between IT‐security and information security work are weak, which prohibits the organization from learning and adapting in its security work. An entity's authority depends on its ability to control and manage the variety in the 14 layers. The general control objectives needed were implied based on the information security management standard.

Originality/value

The paper focuses on mind to mind communication conditions and how to adapt mechanistic systems.

Details

Information Management & Computer Security, vol. 19 no. 2
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 22 March 2011

Haider Abbas, Christer Magnusson, Louise Yngstrom and Ahmed Hemani

Abstract

Purpose

The purpose of this paper is to address three main problems resulting from uncertainty in information security management: dynamically changing security requirements of an organization; externalities caused by a security system; and obsolete evaluation of security concerns.

Design/methodology/approach

In order to address these critical concerns, a framework based on options reasoning borrowed from corporate finance is proposed and adapted to evaluation of security architecture and decision making for handling these issues at organizational level. The adaptation as a methodology is demonstrated by a large case study validating its efficacy.

Findings

The paper shows through three examples that it is possible to have a coherent methodology, building on options theory to deal with uncertainty issues in information security at an organizational level.

Practical implications

To validate the efficacy of the methodology proposed in this paper, it was applied to the Spridnings‐ och Hämtningssystem (SHS: dissemination and retrieval system). The paper introduces the methodology, presents its application to the SHS system in detail and compares it to the current practice.

Originality/value

This research is relevant to information security management in organizations, particularly issues on changing requirements and evaluation in uncertain circumstances created by progress in technology.

Details

Information Management & Computer Security, vol. 19 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 16 October 2007

Almut Herzog and Nahid Shahmehri

Abstract

Purpose

This paper aims to present concrete and verified guidelines for enhancing the usability and security of software that delegates security decisions to lay users and captures these user decisions as a security policy.

Design/methodology/approach

This work is an exploratory study. The authors hypothesised that existing tools for runtime set‐up of security policies are not sufficient. As this proved true, as shown in earlier work, they apply usability engineering with user studies to advance the state‐of‐the‐art.

Findings

Little effort has been spent on how security policies can be set up by the lay users for whom they are intended. This work identifies what users want and need for a successful runtime set‐up of security policies.

Practical implications

Concrete and verified guidelines are provided for designers who are faced with the task of delegating security decisions to lay users.

Originality/value

The devised guidelines focus specifically on the set‐up of runtime security policies and therefore on the design of alert windows.

Details

Information Management & Computer Security, vol. 15 no. 5
Type: Research Article
ISSN: 0968-5227

Open Access
Article
Publication date: 30 December 2022

Durga Prasad Dube and Rajendra Prasad Mohanty

Abstract

Purpose

As evident from the literature review, the research on cyber security performance is centered on security metrics, maturity models, etc. Essentially, all these are helpful for evaluating the efficiency of the cyber security organization, but what matters is how the factors of internal efficiency affect the business performance, i.e. the external effectiveness. The purpose of this research paper is to derive the factors of internal efficiency and external effectiveness of cyber security and develop an impact model to identify the most and least preferred parameters of internal efficiency with respect to all the parameters of external effectiveness.

Design/methodology/approach

There are two objectives for this research: deriving the factors of internal efficiency and external effectiveness of cyber security; and developing a model to identify the impact of internal efficiency factors on the external effectiveness of cyber security. Since there is not much evidence of research in defining the factors of internal efficiency and external effectiveness of cyber security, the authors have chosen grounded theory methodology (GTM) to derive the parameters. In this study, the emic approach of GTM is followed and an algorithm is developed for administering the grounded theory research process. For the second research objective, survey methodology and rank order were used to formulate the impact model. Two different samples and questionnaires were designed for each of the objectives.

Findings

For objective 1, 11 factors of efficiency and 10 factors of effectiveness were derived. These are used as independent and dependent variables, respectively, in the later part of the research for the second objective. For objective 2, the impact models among independent and dependent variables were formulated to find out the following: the most and least preferred parameters that lead to internal efficiency of the cyber security organization; and the most and least preferred parameters of internal efficiency with respect to all the parameters of external effectiveness.

Research limitations/implications

The factors of internal efficiency and external effectiveness constructed by using grounded theory cannot remain constant in the long run, because of the dynamism of the domain itself. Over and above this, there are inherent limitations of the tools, like grounded theory, used in the research. A few important limitations of GTM are as follows. In grounded theory, it is comparatively difficult to maintain and demonstrate the rigors of research discipline. The sheer volume of data makes the analysis and interpretation complex, lengthy and time consuming. The researchers’ presence during data gathering, which is often unavoidable and desirable too in qualitative research, may affect the subjects’ responses. The subjectivity of the data leads to difficulties in establishing reliability and validity of approaches and information. It is difficult to detect or to prevent researcher-induced bias.

Practical implications

The internal efficiency and external effectiveness factors of cyber security can be further correlated by future researchers to understand the correlations among all the factors and predict cyber security performance. The grounded theory algorithm developed by us can be further used for qualitative research for deriving theory through abstractions in areas where there is no sufficient availability of data. Practitioners of cyber security can use this research to focus on relevant areas depending on their respective business objectives/requirements. The models developed by us can be used by future researchers for various sectoral validations and correlations.

Social implications

Though the financial costs of a cyber-attack are steep, the social impact of cyber security failures is less readily apparent but can cause lasting damage to customers, employees and the company. Therefore, it is always important to be mindful of how the impact of cyber security affects society as well as the bottom line when calculating the potential impact of a breach. Underestimating either impact can destroy a brand. The factors of internal efficiency and external effectiveness derived by us will help stakeholders focus on relevant areas depending on their business. The impact model developed in this research is very useful for focusing on a particular business requirement and tuning the efficiency factors accordingly.

Originality/value

During the literature study, the authors did not find any evidence of application of the grounded theory approach in cyber security research. While the authors were exploring research literature to find some insight into the factors of internal efficiency and external effectiveness of cyber security, the authors did not find concrete and objective research on this. This motivated us to use grounded theory to derive these factors. This, in the authors’ opinion, is one of the pioneering and unique contributions to the research, as to the authors’ knowledge no researchers have ever tried to use this methodology for the stated purpose and the cyber security domain in general. In this process the authors have also developed an algorithm for administering GTM. Further, developing impact models using factors of internal efficiency and external effectiveness has many managerial and practical implications.

Details

Organizational Cybersecurity Journal: Practice, Process and People, vol. 3 no. 1
Type: Research Article
ISSN: 2635-0270
