Arne Roar Nygård and Sokratis K. Katsikas
Abstract
Purpose
This paper aims to discuss the ethical aspects of hardware reverse engineering (HRE) and propose an ethical framework for HRE when used to mitigate cyber risks of the digital supply chain of critical infrastructure operators.
Design/methodology/approach
A thorough review and analysis of existing relevant literature was performed to establish the current state of knowledge in the field. Ethical frameworks proposed for other areas/disciplines and identified pertinent ethical principles have been used to inform the proposed framework’s development.
Findings
The proposed framework provides actionable guidance to security professionals engaged with such activities to support them in assessing whether an HRE project conforms to ethical principles. Recommendations on action needed to complement the framework are also proposed. According to the proposed framework, reverse engineering is neither unethical nor illegal if performed honourably. Collaboration with vendors and suppliers at an industry-wide level is critical for appropriately endorsing the proposed framework.
Originality/value
To the best of the authors’ knowledge, no ethical framework currently guides cybersecurity research, let alone cybersecurity vulnerability research and reverse engineering.
Kristian Kannelønning and Sokratis K. Katsikas
Abstract
Purpose
Cybersecurity attacks on critical infrastructures, businesses and nations are rising and have reached the attention of mainstream media and the public’s consciousness. Despite this increased awareness, humans are still considered the weakest link in the defense against an unknown attacker. Whether the cause is naïve, unintentional or intentional behavior by a member of an organization, the resulting incident can have a considerable impact. A security policy with guidelines for best practices and rules should guide the behavior of the organization’s members. However, this is often not the case. This paper aims to answer how cybersecurity-related behavior is assessed.
Design/methodology/approach
Research questions were formulated, and a systematic literature review (SLR) was performed by following the recommendations of the Preferred Reporting Items for Systematic Reviews and Meta-Analyses statement. The SLR initially identified 2,153 articles, and the paper reviews and reports on 26 articles.
Findings
The assessment of cybersecurity-related behavior can be classified into three components, namely, data collection, measurement scale and analysis. The findings show that subjective measurements from self-assessment questionnaires are the most frequently used method. Measurement scales are often composed based on existing literature and adapted by the researchers. Partial least square analysis is the most frequently used analysis technique. Even though useful insight and noteworthy findings regarding possible differences between manager and employee behavior have appeared in some publications, conclusive answers to whether such differences exist cannot be drawn.
Research limitations/implications
Research gaps have been identified that indicate areas of interest for future work. These include the development and employment of methods for reducing subjectivity in the assessment of cybersecurity-related behavior.
Originality/value
To the best of the authors’ knowledge, this is the first SLR on how cybersecurity-related behavior can be assessed. The SLR analyzes relevant publications and identifies current practices as well as their shortcomings, and outlines gaps that future research may bridge.
George Aggelinos and Sokratis K. Katsikas
Abstract
Purpose
The purpose of this paper is to propose the integration of disaster recovery plan (DRP) objects development activities with the activities of the structured system analysis and design method (SSADM) methodology for developing an information system.
Design/methodology/approach
A step‐by‐step correlation of the SSADM methodology with DRP development activities is performed. By following this approach, a smaller system for emergency operations (DRP) can be designed in parallel with that for normal operations. Furthermore, the implementation of a normal operations system based on the requirements analysis and of an emergency operations system based on the critical business functions may follow the same line of reasoning.
Findings
The proposed enhancement brings benefits to both the organization and the system developer in terms of expenditure, self‐knowledge, personnel experience, reaction time, time and capability management and increase of competitiveness.
Practical implications
The practical acceptance of the proposed approach can drastically reduce the time elapsing between the completion of the normal operations system and the design of the emergency operations system. Moreover, the needs of the emergency operations system can be forecasted during the design of the normal operations system.
Originality/value
The paper extends the SSADM methodology by incorporating DRP development.
Mohsen Ziaee, Mohammad Fathian and S.J. Sadjadi
Abstract
Purpose
This paper aims to study an enterprise resource planning (ERP) software selection problem. The primary goal of this paper is to propose a two‐phase procedure to select an ERP vendor and a suitable ERP software.
Design/methodology/approach
In the first phase of the proposed method the preliminary actions – such as constructing a project team, collecting all possible information about ERP vendors and systems, and identifying the ERP system characteristics – are established. In the second phase, the authors present a modular approach to ERP vendor and software selection and propose a 0‐1 programming model to minimize total costs associated with procurement and integration expenditures.
Findings
The proposed approach and the model are considered to be more useful for small manufacturing enterprises (SMEs).
Originality/value
The model has been applied to data from a real case study, a commercial SME, and, based on the results obtained, some parameter values of the model are suggested for all SMEs.
Olusegun Folorunso, Oluwafemi Shawn Ogunseye and Sushil K. Sharma
Abstract
Purpose
Education delivery via electronic media is becoming relevant in the Nigerian educational system, especially in the universities. In spite of this, there are hindrances affecting the full acceptance of this technology.
Design/methodology/approach
In this paper, we investigated these critical factors by analyzing questionnaires collected from three sampled universities in Nigeria: a private, a public and a state-owned university.
Findings
The results indicated that mass unawareness, low computer literacy and cost are the critical factors affecting the acceptability of the technology.
Originality/value
The analysis herein shows the factors affecting the acceptability of e‐learning in Nigeria. The results will assist policy makers in finding solutions to literacy problems in Nigeria.
Hervé Debar and Jouni Viinikka
Abstract
Purpose
Security information management (SIM) has emerged recently as a strong need to ensure the ongoing security of information systems. However, deploying a SIM and the associated sensors is a challenge in any organization, as the complexity and cost of such a project are difficult to bear. This paper aims to present an architecture for outsourcing a SIM platform, and discuss the issues associated with the deployment of such an environment.
Design/methodology/approach
The paper is an overview of the typical SIM and a possible architecture for its outsourcing.
Findings
The paper explains that the day‐to‐day operation of a SIM is beyond the financial capabilities of all but the largest organizations, as the SIM must be monitored constantly to ensure timely reaction to alerts. Many managed security services providers (MSSP), therefore, propose outsourcing the alert management activities. Sensors are deployed within the customer's infrastructure, and the alerts are sent to the outsourced SIM along with additional log information.
Originality/value
The paper illustrates intrusion detection and SIM as two important and active research domains for information systems security.
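The split the Findings describe, sensors inside the customer's infrastructure and alert handling at the MSSP's outsourced SIM, is sketched below as an added example. It is not code from the paper. A sensor rule fires on a burst of failed SSH logins, the forwarder packages the alert with the log lines around it and authenticates the envelope with a per-tenant key, and the MSSP side checks that key before accepting the alert. The log format, the tenant id, the rule thresholds and the shared HMAC key are all assumptions; the sample log lines are constructed.

```python
"""Added example, not from the paper: sensor-side alert forwarding to an
outsourced SIM, with log context attached and a per-tenant MAC.

Assumptions: syslog-like lines with RFC 3339 timestamps, a tenant id and a
shared HMAC key agreed with the MSSP, and an ingest function standing in
for the MSSP's network endpoint.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed sample logs from the customer's host (not real data).
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z sshd[412]: Accepted password for ops from 10.0.0.5 port 51000
2024-03-01T10:02:10Z sshd[412]: Failed password for root from 203.0.113.7 port 42011
2024-03-01T10:02:12Z sshd[412]: Failed password for root from 203.0.113.7 port 42012
2024-03-01T10:02:14Z sshd[412]: Failed password for root from 203.0.113.7 port 42013
2024-03-01T10:02:15Z kernel: eth0: link is up
2024-03-01T10:09:00Z cron[88]: (root) CMD (logrotate)
""".splitlines()

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Split a log line into (datetime, message)."""
    ts, _, rest = line.partition(" ")
    return datetime.strptime(ts, TS_FMT), rest


def detect_bruteforce(logs, threshold=3, window_s=60):
    """Sensor rule: `threshold` failed sshd passwords from one source IP
    inside `window_s` seconds. Fires once per burst."""
    failures, alerts = {}, []
    for line in logs:
        ts, msg = parse_line(line)
        if "Failed password" not in msg:
            continue
        src = msg.split(" from ")[1].split(" ")[0]
        hits = [t for t in failures.get(src, []) if ts - t <= timedelta(seconds=window_s)]
        hits.append(ts)
        failures[src] = hits
        if len(hits) == threshold:
            alerts.append({"rule": "ssh-bruteforce", "src": src, "time": ts.strftime(TS_FMT)})
    return alerts


def context_for(alert_time, logs, before_s=60, after_s=60):
    """Log lines within [alert_time - before_s, alert_time + after_s]."""
    lo = alert_time - timedelta(seconds=before_s)
    hi = alert_time + timedelta(seconds=after_s)
    return [line for line in logs if lo <= parse_line(line)[0] <= hi]


def build_envelope(alert, logs, tenant_id, key):
    """Package alert + surrounding logs and MAC it with the tenant key
    so the MSSP can reject forged or misrouted submissions."""
    body = {
        "tenant": tenant_id,
        "alert": alert,
        "context": context_for(datetime.strptime(alert["time"], TS_FMT), logs),
    }
    canonical = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return body


def mssp_ingest(envelope, tenant_keys):
    """Outsourced SIM side: verify the MAC under the tenant's key.
    Returns (accepted, number_of_context_lines)."""
    body = dict(envelope)
    mac = body.pop("mac", "")
    key = tenant_keys.get(body.get("tenant"))
    if key is None:
        return False, 0
    expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, 0
    return True, len(body["context"])


def demo():
    tenant, key = "customer-42", b"assumed-shared-key"      # assumptions
    alerts = detect_bruteforce(SAMPLE_LOGS)
    env = build_envelope(alerts[0], SAMPLE_LOGS, tenant, key)
    return alerts, mssp_ingest(env, {tenant: key})


if __name__ == "__main__":
    print(demo())
```

Only the alert and its context window leave the customer's network; the MAC ties each envelope to one tenant, which matters when one MSSP platform serves many customers. A production forwarder would add transport encryption and sequence numbers, which the abstract does not discuss.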
Abstract
Purpose
The objective of this study was to investigate the placement, role, functioning, and human resource aspects of IT departments in Kuwaiti corporate companies in the banking and finance sector.
Design/methodology/approach
The results of this study are based on an interview‐based survey of IT managers in 17 banking, finance and investment companies in Kuwait. Data were collected through open‐ended interviews focused on the profile and organizational characteristics of IT operations, including placement, reporting relationship, role of managers, human resources and internal organization. Information was also collected about the servers, operating environments and IT system and network applications these companies were using.
Findings
It has been found that most companies had elaborate IT functions in which IT managers played a significant role. Large companies had built in‐house systems with little outsourcing, while the majority of the other companies used turnkey systems and a great deal of outsourcing. Diversity was noted in system and network applications, related to the size and organizational needs of these companies. The websites of most companies were static, and these companies would have to take firm initiatives if they were to adopt e‐commerce or electronic transactions.
Originality/value
This study has provided crucial understanding about the management of IT functions and applications in Kuwaiti companies.
Dimitrios Lekkas and Costas Lambrinoudakis
Abstract
Purpose
Digital signatures are only enjoying a gradual and reluctant acceptance, despite the long existence of the relevant legal and technical frameworks. One of the major drawbacks of client‐generated digital signatures is the requirement for effective and secure management of the signing keys and the complexity of the cryptographic operations that must be performed by the signer. Outsourcing digital signatures to a trusted third party would be an elegant solution to the key management burden. This paper aims to investigate whether this is legally and technically feasible.
Design/methodology/approach
In this paper's approach a relying party trusts a Signature Authority (SA) for the tokens it issues, rather than a Certification Authority for the certificates it creates in a traditional public key infrastructure scheme.
Findings
The paper argues that passing control of signature creation to an SA rather than the signer herself is not a stronger concession than depending on an identity certificate issued by a Certification Authority.
Originality/value
The paper proposes a framework for outsourced digital signatures.
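The trust shift described in the Design and Findings, a relying party trusting the SA's token instead of a user certificate, is shown below as an added example; it is not the authors' framework or code. The SA holds the only signing key, authenticates the user, and issues a token binding the user's name to the document hash; the relying party checks the token under the SA's public key. The signature scheme is a textbook RSA over two small primes so the script runs on the standard library alone, and is not a secure parameter set; the token fields, the SA name and the shared-secret login are assumptions for this illustration.

```python
"""Added example, not from the paper: outsourced signing by a Signature
Authority (SA) and verification by a relying party that trusts the SA's key.

Assumptions: toy RSA with 7-digit primes (insecure, demonstration only),
per-user shared-secret authentication to the SA, a JSON token with the
fields below, and a 5-minute freshness window at the relying party.
"""
import hashlib
import hmac
import json
import time


# --- toy RSA (insecure parameters, demonstration only) -------------------
def rsa_keygen(p=1000003, q=1000033, e=65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_sign(priv, message):
    n, d = priv
    m = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(m, d, n)


def rsa_verify(pub, message, sig):
    n, e = pub
    m = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(sig, e, n) == m


# --- Signature Authority ---------------------------------------------------
class SignatureAuthority:
    """Holds the only signing key; users never handle key material."""

    def __init__(self, name="example-sa"):         # name is an assumption
        self.name = name
        self.pub, self._priv = rsa_keygen()
        self._users = {}                            # user -> shared secret

    def enrol(self, user, secret):
        self._users[user] = secret

    def sign_on_behalf(self, user, secret, document):
        """Authenticate the user, then issue a token over the document hash."""
        expected = self._users.get(user)
        if expected is None or not hmac.compare_digest(expected, secret):
            raise PermissionError("authentication failed")
        payload = {
            "signer": user,
            "doc_sha256": hashlib.sha256(document).hexdigest(),
            "issued_at": int(time.time()),
            "sa": self.name,
        }
        canonical = json.dumps(payload, sort_keys=True).encode()
        return {"payload": payload, "sig": rsa_sign(self._priv, canonical)}


# --- Relying party -----------------------------------------------------------
def verify_token(sa_pub, token, document, max_age_s=300):
    """Trust is placed in the SA's public key, as it would be in a CA's,
    not in a certificate belonging to the individual signer."""
    payload = token["payload"]
    canonical = json.dumps(payload, sort_keys=True).encode()
    if not rsa_verify(sa_pub, canonical, token["sig"]):
        return False
    if payload["doc_sha256"] != hashlib.sha256(document).hexdigest():
        return False
    return 0 <= time.time() - payload["issued_at"] <= max_age_s


def demo():
    sa = SignatureAuthority()
    sa.enrol("alice", b"alice-secret")             # constructed user
    doc = b"Purchase order #42"                    # constructed document
    token = sa.sign_on_behalf("alice", b"alice-secret", doc)
    genuine = verify_token(sa.pub, token, doc)
    tampered = verify_token(sa.pub, token, doc + b"!")
    return genuine, tampered


if __name__ == "__main__":
    print(demo())
```

What the relying party depends on is visible in verify_token: the SA's key, the document hash and the token's age. The signer's identity is only as good as the SA's authentication step, which is the concession the paper compares with reliance on a CA-issued certificate.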
Abstract
Purpose
The paper aims at identifying key information technology enablers for business continuance.
Design/methodology/approach
The paper provides an analysis of the issues surrounding communication technology downtime and business continuity.
Findings
To be competitive, today's business has to be continuous from a data availability perspective and agile with regard to data access. System and/or application downtime are not an option in modern business since each hour, even minute, of downtime may generate negative financial effects. A framework for the design and implementation of a server operating environment for business continuance is presented.
Originality/value
The paper analyses an important issue in the business environment.