Yvgne Monfelt, Sofie Pilemalm, Jonas Hallberg and Louise Yngström
The purpose of this paper is to describe the controlled information security project which is designed to investigate, assess and provide tools to improve the information security…
Abstract
Purpose
The purpose of this paper is to describe the controlled information security project which is designed to investigate, assess and provide tools to improve the information security status in organizations with a focus on public agencies. A central question for the project is how information security issues are communicated within organizations, specifically underlining that communication is control in a cybernetic sense.
Design/methodology/approach
The research method applied can be expressed as applied general systems theory combined with design science. The project is carried out in a number of steps: to design modelling techniques and metrics for information security issues in organizations; to collect data from Swedish governmental agencies; to use the modelling techniques to model communication of information security in organizations from different perspectives; to apply metrics on the data in order to assess information security levels in the agencies; to identify gaps; and to identify needs for improvement.
Findings
The motivation for the research is that communication of information security issues within organizations tend to be insufficient and the mental connections between IT‐security and information security work are weak, which prohibits the organization from learning and adapting in its security work. An entity's authority depends on its ability to control and manage the variety in the 14 layers. The general control objectives needed were implied based on the information security management standard.
Originality/value
The paper focuses on mind to mind communication conditions and how to adapt mechanistic systems.
Details
Keywords
Haider Abbas, Christer Magnusson, Louise Yngstrom and Ahmed Hemani
The purpose of this paper is to address three main problems resulting from uncertainty in information security management: dynamically changing security requirements of an…
Abstract
Purpose
The purpose of this paper is to address three main problems resulting from uncertainty in information security management: dynamically changing security requirements of an organization; externalities caused by a security system; and obsolete evaluation of security concerns.
Design/methodology/approach
In order to address these critical concerns, a framework based on options reasoning borrowed from corporate finance is proposed and adapted to evaluation of security architecture and decision making for handling these issues at organizational level. The adaptation as a methodology is demonstrated by a large case study validating its efficacy.
Findings
The paper shows through three examples that it is possible to have a coherent methodology, building on options theory to deal with uncertainty issues in information security at an organizational level.
Practical implications
To validate the efficacy of the methodology proposed in this paper, it was applied to the Spridnings‐och Hämtningssystem (SHS: dissemination and retrieval system) system. The paper introduces the methodology, presents its application to the SHS system in detail and compares it to the current practice.
Originality/value
This research is relevant to information security management in organizations, particularly issues on changing requirements and evaluation in uncertain circumstances created by progress in technology.
Details
Keywords
Almut Herzog and Nahid Shahmehri
This paper aims to present concrete and verified guidelines for enhancing the usability and security of software that delegates security decisions to lay users and captures these…
Abstract
Purpose
This paper aims to present concrete and verified guidelines for enhancing the usability and security of software that delegates security decisions to lay users and captures these user decisions as a security policy.
Design/methodology/approach
This work is an exploratory study. The authors hypothesised that existing tools for runtime set‐up of security policies are not sufficient. As this proved true, as shown in earlier work, they apply usability engineering with user studies to advance the state‐of‐the‐art.
Findings
Little effort has been spent on how security policies can be set up by the lay users for whom they are intended. This work identifies what users want and need for a successful runtime set‐up of security policies.
Practical implications
Concrete and verified guidelines are provided for designers who are faced with the task of delegating security decisions to lay users.
Originality/value
The devised guidelines focus specifically on the set‐up of runtime security policies and therefore on the design of alert windows.
Details
Keywords
Durga Prasad Dube and Rajendra Prasad Mohanty
As evident from the literature review, the research on cyber security performance is centered on security metrics, maturity models, etc. Essentially, all these are helpful for…
Abstract
Purpose
As evident from the literature review, the research on cyber security performance is centered on security metrics, maturity models, etc. Essentially, all these are helpful for evaluating the efficiency of cyber security organization but what matters is how the factors of internal efficiency affect the business performance, i.e. the external effectiveness. The purpose of this research paper is to derive the factors of internal efficiency and external effectiveness of cyber security and develop impact model to identify the most and least preferred parameters of internal efficiency with respect to all the parameters of external effectiveness.
Design/methodology/approach
There are two objectives for this research: Deriving the factors of internal efficiency and external effectiveness of cyber security; Developing a model to identify the impact of internal efficiency factors on the external effectiveness of cyber security since there is not much evidence of research in defining the factors of internal efficiency and external effectiveness of cyber security, the authors have chosen grounded theory methodology (GTM) to derive the parameters. In this study emic approach of GTM is followed and an algorithm is developed for administering the grounded theory research process. For the second research objective survey methodology and rank order was used to formulate the impact model. Two different samples and questionnaires were designed for each of the objectives.
Findings
For the objective 1, 11 factors of efficiency and 10 factors of effectiveness were derived. These are used as independent and dependent variable respectively in the later part of the research for the second objective. For the objective 2 the impact models among independent and dependent variables were formulated to find out the following. Most and least preferred parameters lead to internal efficiency of cyber security organization to identify the most and least preferred parameters of internal efficiency with respect to all the parameters external effectiveness.
Research limitations/implications
The factors of internal efficiency and external effectiveness constructed by using grounded theory cannot remain constant in the long run, because of dynamism of the domain itself. Over and above this, there are inherent limitations of the tools like grounded theory, used in the research. Few important limitations of GTM are as below in grounded theory, it is comparatively difficult to maintain and demonstrate the rigors of research discipline. The sheer volume of data makes the analysis and interpretation complex, and lengthy time consuming. The researchers’ presence during data gathering, which is often unavoidable and desirable too in qualitative research, may affect the subjects’ responses. The subjectivity of the data leads to difficulties in establishing reliability and validity of approaches and information. It is difficult to detect or to prevent researcher-induced bias.
Practical implications
The internal efficiency and external effectiveness factors of cyber security can be further correlated by the future researchers to understand the correlations among all the factors and predict cyber security performance. The grounded theory algorithm developed by us can be further used for qualitative research for deriving theory through abstractions in the areas where there is no sufficient availability of data. Practitioners of cyber security can use this research to focus on relevant areas depending on their respective business objective/requirements. The models developed by us can be used by the future researchers to for various sectoral validations and correlations.
Social implications
Though the financial costs of a cyber-attack are steep, the social impact of cyber security failures is less readily apparent but can cause lasting damage to customers, employees and the company. Therefore, it is always important to be mindful of how the impact of cyber security affects society as well as the bottom line when they are calculating the potential impact of a breach. Underestimating either impact can destroy a brand. The factor of internal efficiency and external effectiveness derived by us will help stakeholder in focusing on relevant area depending on their business. The impact model developed in this research is very useful for focusing a particular business requirement and accordingly tune the efficiency factor.
Originality/value
During literature study the authors did not find any evidence of application of grounded theory approach in cyber security research. While the authors were exploring research literature to find out some insight into the factor of internal efficiency and external effectiveness of cyber security, the authors did not find concrete and objective research on this. This motivated us to use grounded theory to derive these factors. This, in the authors’ opinion is one of the pioneering and unique contribution to the research as to the authors’ knowledge no researchers have ever tried to use this methodology for the stated purpose and cyber security domain in general. In this process the authors have also developed an algorithm for administering GTM. Further developing impact models using factors of internal efficiency and external effectiveness has lots of managerial and practical implication.