Ioannis Stylios, Andreas Skalkos, Spyros Kokolakis and Maria Karyda
Abstract
Purpose
This paper is an extended version of a SECPRE 2021 paper and presents research on the development and validation of a behavioral biometrics continuous authentication (BBCA) system that is based on users' keystroke dynamics and touch gestures on mobile devices. This paper aims to build a system that will continuously authenticate the user of a smartphone.
Design/methodology/approach
Session authentication schemes establish the identity of the user only at the beginning of the session, so they are vulnerable to attacks that tamper with communications after the establishment of the authenticated session. Moreover, smartphones themselves are used as authentication means, especially in two-factor authentication schemes, which are often required by several services. Whether the smartphone is in the hands of the legitimate user constitutes a great concern and, correspondingly, whether the legitimate user is the one who uses the services. In response to these concerns, BBCA technologies have been proposed in a large corpus of literature. This paper presents research on the development and validation of a BBCA system (named BioPrivacy), which is based on the user's keystroke dynamics and touch gestures, using a multi-layer perceptron (MLP). This paper also introduces a new BB collection tool and proposes a methodology for the selection of an appropriate set of BB.
Findings
The system achieved its best results for keystroke dynamics, namely 97.18% accuracy, 0.02% equal error rate, 97.2% true acceptance rate and 0.02% false acceptance rate.
Originality/value
This paper develops a new BB collection tool, named BioPrivacy, by which behavioral data of users on mobile devices can be collected. This paper proposes a methodology for the selection of an appropriate set of BB. This paper presents the development of a BBCA system based on MLP.
Ioannis Paspatis, Aggeliki Tsohou and Spyros Kokolakis
Abstract
Purpose
Privacy policies have emerged as the main mechanism to inform users of the way their information is managed by online service providers, and they still remain the dominant approach for this purpose. The literature notes that users find it difficult to understand privacy policies because they are usually written in technical or even legal language, with which most users are unfamiliar. These difficulties have led most users to skip reading privacy policies and blindly accept them. To address this challenge, this paper presents AppAware, a multiplatform tool that intends to improve the visualization of privacy policies for mobile applications.
Design/methodology/approach
AppAware formulates a visualized report of the permission set of an application, which is easily understandable by a common user. AppAware aims to bridge the gap between hard-to-read privacy policies and Android's obscure permission set with a new privacy policy visualization model. Thus, we propose AppAware parser, a mobile add-on that complements AppAware and helps mobile device users to monitor the applications they have installed on their smart device.
Findings
To validate AppAware, the authors conducted a survey through a questionnaire aiming to evaluate AppAware in terms of installability, usability and viability-purpose. The results demonstrate that AppAware is assessed above average by the users in all categories.
Originality/value
To the best of the authors' knowledge, there is no approach such as AppAware as an application, nor any add-on such as AppAware parser.
Aggeliki Tsohou, Maria Karyda, Spyros Kokolakis and Evangelos Kiountouzis
Abstract
Purpose
Recent global security surveys indicate that security training and awareness programs are not working as well as they could be and that investments made by organizations are inadequate. The purpose of the paper is to increase understanding of this phenomenon and illuminate the problems that organizations face when trying to establish an information security awareness program.
Design/methodology/approach
Following an interpretive approach, the authors apply a case study method and employ actor network theory (ANT) and the due process model for analyzing the findings.
Findings
The paper contributes to both understanding and managing security awareness programs in organizations, by providing a framework that enables the analysis of awareness activities and interactions with the various organizational processes and events.
Practical implications
The application of ANT still remains a challenge for researchers since no practical method or guide exists. In this paper, the application of ANT through the due process model extension is enhanced and practically presented. This exploration highlights the fact that information security awareness initiatives involve different stakeholders, often with conflicting interests. In addition to technical skills, practitioners must acquire communication, negotiation and management skills in order to address the related organizational and managerial issues. Moreover, the results of this inquiry reveal that the role of the artifacts used within the awareness process is not neutral but can actively affect it.
Originality/value
This study is one of the first to examine information security awareness as a managerial and socio‐technical process within an organizational context.
Fredrik Karlsson, Ella Kolkowska and Frans Prenkert
Abstract
Purpose
The purpose of this paper is to survey existing inter-organisational information security research to scrutinise the kind of knowledge that is currently available and the way in which this knowledge has been brought about.
Design/methodology/approach
The results are based on a literature review of inter-organisational information security research published between 1990 and 2014.
Findings
The authors conclude that existing research has focused on a limited set of research topics. A majority of the research has focused on management issues, while the actual information security work of employees and non-staff in inter-organisational settings is an understudied area. In addition, the majority of the studies have used a subjective/argumentative method, and few studies combine theoretical work and empirical data.
Research limitations/implications
The findings suggest that future research should address a broader set of research topics, focusing especially on employees/non-staff and their use of processes and technology in inter-organisational settings, as well as on cultural aspects, which are lacking currently; focus more on theory generation or theory testing to increase the maturity of this sub-field; and use a broader set of research methods.
Practical implications
The authors conclude that existing research is to a large extent descriptive, philosophical or theoretical. Thus, it is difficult for practitioners to adopt existing research results, such as governance frameworks, which have not been empirically validated.
Originality/value
Few systematic reviews have assessed the maturity of existing inter-organisational information security research. The authors' findings on research topics, maturity and research methods extend beyond the existing knowledge base, which allows for a critical discussion of existing research in this sub-field of information security.
S.A. Kokolakis, A.J. Demopoulos and E.A. Kiountouzis
Abstract
The increasing reliance of organisations on information systems connected to or extending over open data networks has established information security as a critical success factor for modern organisations. Risk analysis appears to be the predominant methodology for the introduction of security in information systems (IS). However, risk analysis is based on a very simple model of IS as consisting of assets, mainly data, hardware and software, which are vulnerable to various threats. Thus, risk analysis cannot provide for an understanding of the organisational environment in which IS operate. We believe that a comprehensive methodology for information systems security analysis and design (IS‐SAD) should incorporate both risk analysis and organisational analysis, based on business process modelling (BPM) techniques. This paper examines the possible contribution of BPM techniques to IS‐SAD and identifies the conceptual and methodological requirements for a technique to be used in this context. Based on these requirements, several BPM techniques have been reviewed. The review reveals the need for either adapting and combining current techniques or developing new, specialised ones.
Elspeth McFadzean, Jean‐Noel Ezingeard and David Birchall
Abstract
Purpose
Information security is becoming increasingly important as organisations are endangered by a variety of threats from both their internal and external environments. Many theorists now advocate that effective security policies should be created at senior management level. This is because executives are able to evaluate the organisation using a holistic approach, and they have the power to ensure that new systems and procedures are implemented in a timely manner. There is, however, a continuing lack of understanding regarding the strategic importance of managing information security. In addition, there is a gap in the literature on the relationship between directors and information security strategy. This paper attempts to close this gap by exploring how directors perceive their organisation's security and what factors influence their decisions on the development and implementation of information security strategy.
Design/methodology/approach
The research is based on constructivist grounded theory. Forty‐three interviews were conducted at executive level in 29 organisations. These interviews were then coded and analysed in order to develop new theory on directors' perception of risk and its effect on the development and implementation of information security strategy.
Findings
The analysis shows that senior managers' engagement with information security is dependent on two key variables: the strategic importance of information systems to their organisation and their perception of risk. Additionally, this research found that these two variables are affected by both organisational contextual factors and the strategic and operational actions undertaken within the business. Furthermore, the results demonstrated that the two board variables also have an impact on the organisation's environment as well as its strategic and operational actions. This paper uses the data gathered from the interviews to develop a model of these factors. In addition, a perception grid is constructed which illustrates the potential concerns that can drive board engagement.
Practical implications
The paper illustrates the advantages of using the perception grid to understand and develop current and future information security issues.
Originality/value
The paper investigates how organisational directors perceive information security and how this perception influences the development of their information security strategy.
Lazaros Gymnopoulos, Vassilios Tsoumas, Ioannis Soupionis and Stefanos Gritzalis
Abstract
Purpose
The purpose of this paper is to provide a framework for enhancing security policy management in the Grid.
Design/methodology/approach
The Grid security policy reconciliation problem is presented. A generic view on the security policy notion is adopted and the security policy ontology notion is introduced and used.
Findings
In the course of this work it was found that, in order to enhance security policy management in the Grid, Grid entities should have the ability to negotiate their security policies. It was also found that, in order to achieve security policy negotiation, effective security policy semantics manipulation towards security policy reconciliation is needed. Finally, it was established, through the use of an example, that if appropriate means are used for security policy reconciliation then incompatible security policy representations can be transformed into compatible ones.
Research limitations/implications
Research limitations stem from the adoption of a generic view on the security policy notion and the selection of identification and authentication security policies as the focal point of the proposed framework. Research implications include the possibility of examining how existing security policy reconciliation models can be incorporated in this generic framework. The possibility of investigating how such a framework can lead to a security policy knowledge management tool for Grid administrators is also demonstrated.
Practical implications
Practical implications of this work include the establishment of a common framework for security information exchange between Grid entities.
Originality/value
This paper proposes a framework for enhancing security policy management in the Grid. The proposed framework can be used by researchers as a reference, and by security experts in order to reduce ambiguity concerning the interpretation of security policies that negotiating Grid entities express in different forms.
Abstract
Purpose
The purpose of this paper is to make explicit why security needs to be viewed as a core activity and why senior management need to view security from a holistic perspective. Reference is made to various activities carried out by computer hackers and the costs associated with computer related crime.
Design/methodology/approach
A literature review was undertaken and a conceptual security model was produced. The key elements of the activities associated with security were highlighted and the links between the activities were made clear.
Findings
Organized criminal syndicates and international terrorist groups are increasing their level of activity. Senior managers within companies need to put in place an intelligence and security strategy to counter the activities of criminals and terrorists. Furthermore, senior managers will in the future have to work more closely with law enforcement representatives and industry representatives. They will also have to develop an appreciation of the strategic intelligence objectives of various governments. There is also evidence that senior management need to pay greater attention to identifying future threats associated with advances in internet technology.
Research limitations/implications
More attention will need to be given to how facilitating technology such as the internet is providing computer hackers and criminals with ways to either disrupt business activities or extend the range of criminal activities that they are engaged in.
Practical implications
Senior management will need to refocus on the capability of staff vis‐à‐vis corporate intelligence and security work. The learning organization concept can be embraced and can be used to assist staff to identify the advantages associated with effective knowledge management. Scenario analysis and simulation exercises can be used to train staff in emergency work, and disaster management and prevention.
Originality/value
A diverse range of topics is covered and integrated into a security‐oriented context. Attention is focused on the link between organized criminal syndicates and international terrorist groups, and why senior managers in companies need to be engaged in disaster management recovery planning. The material highlights why senior managers in companies need to develop business contingency plans and embrace the counterintelligence concept.
Nikos Karacapilidis, Euripides Loukis and Stavros Dimopoulos
Abstract
Purpose
This paper investigates whether and how G2G collaboration for policy and decision‐making can be effectively supported by an appropriately developed information system.
Design/methodology/approach
The research method adopted in this paper follows the “Design Science Paradigm”, which has been extensively used in information systems research.
Findings
As the case study described in this paper shows, the proposed system has significant potential for supporting G2G collaboration for policy and decision‐making. It can support the collaborative understanding of social problems and needs, and the development of alternative actions or solutions for them. In addition, it can support the collaborative development of detailed action plans for the selected alternative(s). During the implementation of these actions, the system can be used for their collaborative monitoring, the identification of implementation problems and issues, and the development of alternatives for managing them. Finally, it can also be used for the collaborative evaluation of these actions by the involved public organizations, as well as by the citizens and groups who are their recipients.
Practical implications
Enhanced public policy and decision‐making through the use of the proposed web‐based system.
Originality/value
The main contribution of this paper lies in the development of a web‐based system for supporting the G2G collaboration required for public policy and decision‐making in the public administration, as well as the creation, leveraging and utilization of the relevant knowledge. The proposed system allows for distributed, synchronous or asynchronous, G2G collaboration and aims at aiding the involved public organizations by providing them a series of argumentation, decision‐making and knowledge management features.
Benedikt Lebek, Jörg Uffen, Markus Neumann, Bernd Hohler and Michael H. Breitner
Abstract
Purpose
This paper aims to provide an overview of theories used in the field of employees’ information systems (IS) security behavior over the past decade. Research gaps and implications for future research are worked out by analyzing and synthesizing existing literature.
Design/methodology/approach
This paper presents the results of a literature review comprising 113 publications. The literature review was designed to identify applied theories and to understand the cognitive determinants in the research field. A meta-model that explains employees’ IS security behavior is introduced by assembling the core constructs of the used theories.
Findings
The paper identified 54 theories in use, but four behavioral theories were used most: the Theory of Planned Behavior (TPB), General Deterrence Theory (GDT), Protection Motivation Theory (PMT) and the Technology Acceptance Model (TAM). By synthesizing the results of empirically tested research models, a survey of factors proven to have a significant influence on employees' security behavior is presented.
Research limitations/implications
Some relevant publications might be missing from this literature review due to the selection of search terms and/or databases. However, by conducting both a forward and a backward search, this paper has limited this source of error to a minimum.
Practical implications
This study presents an overview of determinants that have been proven to influence employees’ behavioral intention. Based thereon, concrete training and awareness measures can be developed. This is valuable for practitioners in the process of designing Security Education, Training and Awareness (SETA) programs.
Originality/value
This paper presents a comprehensive up-to-date overview of existing academic literature in the field of employees’ security awareness and behavior research. Based on a developed meta-model, research gaps are identified and implications for future research are worked out.