Figure 3 - uploaded by Adéle Da Veiga
Figure 3.1 Relation between ISG and ITG
Figure 3.2 Configuration of the ISG framework
The ITG framework is discussed in ISO/IEC 38500:2008. As we have stated, ISG shares an integral part with ITG, so ISG should be aligned with ISO/IEC 38500:2008 [10]. We propose a new extended model for the ISG framework in Figure 3.2, based on the three requirements stated in chapter 2. The new model consists of five components, three of which are shared with ISO/IEC 38500: "Direct" for guiding management from the viewpoints of business strategy and risk management, "Monitor" for making governance activities visible through measurable indicators, and "Evaluate" for assessing and verifying the results and outcomes. We extended it with two new components for the information security aspect: "Oversee" for observing and auditing governance processes, and "Report" for disclosing the report to the stakeholders (see Figure 3.2). As shown in Figure 3.2, the framework includes a governing cycle that starts from "Direct," "Monitor," and "Evaluate" of the Information Security Management (hereinafter ISM) process. Because ISO/IEC 27001:2005 [11] requires "commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS", the ISG framework should incorporate this requirement.
Source publication
Many companies, especially Japanese companies, have implemented information security with a bottom-up approach, starting by implementing security controls piece by piece. As the number of information security incidents has increased and their impact has spread, companies have implemented many measures across a wide spectrum, from technical countermeasure syste...
Contexts in source publication
Context 1
... includes not only IT security but also physical security and paper security. Thus the relation between ISG and ITG is shown in Figure 3.1. [1], [3] One example of the intersection of ITG and ISG in Figure 3.1 (the IT security element) is a computer access control system that identifies the accessing person by ID and password and permits access to protected data according to that person's assigned privilege. ...
Context 2
... the relation between ISG and ITG is shown in Figure 3.1. [1], [3] One example of the intersection of ITG and ISG in Figure 3.1 (the IT security element) is a computer access control system that identifies the accessing person by ID and password and permits access to protected data according to that person's assigned privilege. Most automated security controls belong to this category. ...
Context 3
... other examples of the non-IT part of ISG in Figure 3.1 are paper security and physical security. Paper may be printed out by use of IT. ...
Context 4
... We propose a new extended model for the ISG framework in Figure 3.2, based on the three requirements stated in chapter 2. ...
Context 5
... the new model consists of five components, three of which are shared with ISO/IEC 38500: "Direct" for guiding management from the viewpoints of business strategy and risk management, "Monitor" for making governance activities visible through measurable indicators, and "Evaluate" for assessing and verifying the results and outcomes. We extended it with two new components for the information security aspect: "Oversee" for observing and auditing governance processes, and "Report" for disclosing the report to the stakeholders (see Figure 3.2). ...
Context 6
... shown in Figure 3.2, the framework includes a governing cycle that starts from "Direct," "Monitor," and "Evaluate" of the Information Security Management (hereinafter ISM) process. Because ISO/IEC 27001:2005 [11] requires "commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS", the ISG framework should incorporate this requirement. ...
Similar publications
Managing network and system security in today's highly dynamic and complex technological environments is a challenging task. This is backed up by the fact that the technological revolution around the world is no longer a myth but a reality. Organisations have been forced to enhance the existing network security and firewall framework to cater for tec...
Citations
... Overall, at least three major factors are agreed upon across the literature (see, for example, Da Veiga & Eloff, 2007). First, leadership plays a crucial role. ...
While the importance of designing for user experience has long been acknowledged, there has been relatively little exploration of the actual processes involved in constructing usable and cybersecure systems. In many conventional projects, cybersecurity and usability are not considered primary goals, making them likely candidates for sacrifice in the rush to meet project deadlines. Unfortunately, designing systems with both cybersecurity and usability in mind is easier said than done and typically requires a change towards an organizational culture more conducive of human-centric designing. This position paper advocates for expanded research to explore the connection between culture and engineering practices, highlighting their impact on advancing a cyber-secure society. We explore ways in which the behavior of software development team members towards designing software and products that are both usable and cybersecure can be influenced through organizational culture. We conclude that initiating change within culture requires additional knowledge that future research must seek to provide. Three of these areas are discussed in the paper for immediate attention. The practical implication of this paper is that it encourages research in the field and provides some propositions to guide future empirical investigations.
... Only one study mentioned that it included senior management as a category of participants. This is surprising within the study of the human aspects of ransomware, given that it has been shown that information security culture comes from the top of the organisation (da Veiga and Eloff, 2007; Hu et al., 2012). Individual difference can be an important factor to explain differences in users' information security behaviour when it comes to ransomware attacks. ...
Purpose
The purpose of this paper is to provide an overview of the trends and challenges relating to research into the human aspects of ransomware.
Design/methodology/approach
A systematic mapping study was carried out to investigate the trends in studies into the human aspects of ransomware, identify challenges encountered by researchers and propose directions for future research. For each of the identified papers from this study, the authors mapped the year of publication, the type of paper, research strategy and data generation method, types of participants included, theories incorporated and lastly, the authors mapped the challenges encountered by the researchers.
Findings
Fifty-nine papers published between 2006 and 2022 are included in the study. The findings indicate that literature on the human aspects of ransomware was scarce prior to 2016. The most-used participant groups in this area are students and cybersecurity professionals, and most studies rely on a survey strategy using the questionnaire to collect data. In addition, many papers did not use theories for their research, but from those that did, game theory was used most often. Furthermore, the most reported challenge is that being hit with ransomware is a sensitive topic, which results in individuals and organisations being reluctant to share their experiences.
Research limitations/implications
This mapping study reveals that the body of literature in the area of human aspects of ransomware has increased over the past couple of years. The findings highlight that being transparent about ransomware attacks, when possible, can help others. Moreover, senior management plays an important role in shaping the information security culture of an organisation, whether to have a culture of transparency or of secrecy.
Originality/value
This study is the first of its kind of systematic mapping studies contributing to the body of knowledge on the human aspects of ransomware.
... The framework designed by Da Veiga et al. was used in this study (and in its practical application in the company). This framework was initially introduced in 2002 and has been continually developed, adapted to emerging research results and verified continuously (da Veiga and Eloff, 2010; da Veiga, 2018; da Veiga and Martins, 2015b; Martins and Eloff, 2002; Veiga and Eloff, 2007). The most recent adoption was the introduction of the IPCA [1], which defines six dimensions to validate how employees perceive information protection from a cybersecurity perspective (da Veiga and Martins, 2015b). ...
Purpose
The human factor is the most important defense asset against cyberattacks. To ensure that the human factor stays strong, a cybersecurity culture must be established and cultivated in a company to guide the attitudes and behaviors of employees. Many cybersecurity culture frameworks exist; however, their practical application is difficult. This paper aims to demonstrate how an established framework can be applied to determine and improve the cybersecurity culture of a company.
Design/methodology/approach
Two surveys were conducted within eight months in the internal IT department of a global software company to analyze the cybersecurity culture and the applied improvement measures. Both surveys comprised the same 23 questions to measure cybersecurity culture according to six dimensions: cybersecurity accountability, cybersecurity commitment, cybersecurity necessity and importance, cybersecurity policy effectiveness, information usage perception and management buy-in.
Findings
Results demonstrate that cybersecurity culture maturity can be determined and improved if accurate measures are derived from the results of the survey. The first survey showed potential for improving the dimensions of cybersecurity accountability, cybersecurity commitment and cybersecurity policy effectiveness, while the second survey proved that these dimensions have been improved.
Originality/value
This paper proves that practical application of cybersecurity culture frameworks is possible if they are appropriately tailored to a given organization. In this regard, scientific research and practical application combine to offer real value to researchers and cybersecurity executives.
... The ISO 27001 certification mainly focuses on a comprehensive information security governance (ISG) framework to help its clients properly establish an ISMS (AlGhamdi et al., 2020; Veiga and Eloff, 2007), and does not specify approaches to protection, detection and response to cybersecurity attacks. By contrast, the CIS Controls provide a detailed risk assessment for clients to prevent security incidents from happening. ...
... Such a broad range of precursors indicates the potential impact of organizational leaders on employees' perceptions of control mechanisms. Namely, leaders are the decision makers who decide which control mechanisms to adopt, i.e., the objective properties of such mechanisms and methods for facilitating and implementing them (Kankanhalli et al., 2003;Veiga & Eloff, 2007). In addition, the acts of such leaders nurture the organizational context that establishes a form of embedded work ethic to guide employees' behavior (Ghoshal & Bartlett, 1994). ...
This paper examines the underlying mechanisms through which paternalistic leadership (PL) motivates employees’ information systems policy (ISP) compliance. We propose that the three dimensions of PL—authoritarian leadership (AL), benevolent leadership (BL), and moral leadership (ML)—influence employees’ ISP compliance by affecting their perceptions of two information security control mechanisms: sanctions and the information security climate. Based on survey data from 760 participants, we found that the impact of AL is partially mediated by employees’ perceptions of sanctions, the impact of BL is partially mediated by employees’ perceptions of the information security climate, and the impact of ML is partially mediated by employees’ perceptions of both sanctions and the information security climate. Our research extends the existing literature by exploring the impact of specific leadership styles on employees’ perceptions of information security control mechanisms and by proposing that perceptions of information security control mechanisms play a mediating role between PL and ISP compliance. The findings suggest that in addition to choosing effective control mechanisms, it is also important for leaders to adjust their leadership style to ensure that employees perceive control mechanisms in the expected manner.
... Contemporary discussions place human and social factors among the most important links, and at the same time the greatest vulnerabilities, in information security (Da Veiga and Eloff, 2007; Rocha Flores et al., 2014; Soomro et al., 2016). Despite increasingly advanced technological security solutions, their use does not necessarily lead to improved security, since users are most often responsible for information security incidents. ...
Behavioral information security is concerned with explaining the role of users in the information security system, drawing on various psychological, organizational, and criminological theories to explain and predict user behavior. Despite numerous systematic literature reviews on the field of information security, there is no comprehensive systematic review of the theories used in behavioral information security research. The purpose of this paper is to investigate which theories are most widely used in research, in which subject areas they are most used, which factors are most frequently included in research according to each set of theories, and which are most frequently statistically significant. Accordingly, we made two studies involving a systematic review of the literature over the past ten years. The findings suggest that the most used theories include the protection motivation theory and the theory of planned behavior. In these two theories, self-efficacy and perceived usefulness of the technology are factors, which are most often statistically significant in predicting self-protective behavior.
... ISO 17799 provides grounds to do just that. In addition to ISO 17799, additional consideration to weave information security architecture, information security risk management and information system-asset protection must be considered (Da Veiga and Eloff 2007;Ma et al. 2008;Tang 2008). ISO 17799 provides a scope of standards that address ten areas for a total of 124 controls. ...
The Sarbanes-Oxley Act (SOX) ensures that the timely and transparent delivery of accounting information is presented to the public. SOX ensures that the SEC creates regulations that define how publicly traded corporations comply with SOX reporting requirements. The benefits of SOX certainly outweigh the costs regarding the need for public protection, but SOX does not directly imply information technology controls. Information technology is used in business worldwide, and the need to protect financial information is critical to any publicly traded company. However, SOX allows computer crimes to be detected by combining financial auditing and approval circuits to uncover elements that may be hiding. Explicit enforcement of SOX allows companies to utilize databases to ensure access is controlled and monitored over time. Non-compliance with SOX exposes companies to additional financial risk, increased information systems and computer crime risk, criminal/civil liabilities, and SEC filing issues.
... IS governance framework (based on DaVeiga & Eloff, 2007) ...
Small and medium enterprises (SMEs) are said to struggle with several challenges when transforming parts of their value chain to smart production with the means of digitalization. [1] Since SMEs are the backbone of our economy it is important to understand those challenges to cope with them accordingly. [2] This book chapter provides an overview of SME-specific digitalization challenges including possibly challenging SME characteristics and necessary prerequisites from a literature review as well as deeper insights about singular companies from the region of Brandenburg in Germany. Those insights are derived from semi-structured interviews with SME managers. None of the identified obstacles is a showstopper for our interviewees but some of them are more severe than others. This chapter contributes to the existing literature by showing an overview of challenges for SMEs when transforming their value chain to smart production. Additionally, we provide insights with less abstract depictions about the process of SMEs coping with those challenges. This chapter is of interest for SME managers when defining the transformation process of their own SME under consideration of the digitalization challenges. The overview, as well as the insights, help researchers defining their approaches for finding solutions from their perspective on realizing smart factories in SMEs.
... This section adopts aspects of the Information Security Governance framework by Da Veiga and Eloff (2007) to discuss research from 2007 until 2012. The framework is useful because; 1. ...
This study relates to the importance of information and information technology in today's global business. The global nature of information systems also exposes them to threats which make them prone to security breaches. Information risks are numerous, both internal and external, making it almost impossible for information security professionals alone to handle them. This therefore reinforces the need to involve end-users by educating them to be aware of threats and of their role in curbing those threats. Related information security literature was reviewed to establish the business problem theoretically. Using focus group discussions and an open-ended interview guide, data was collected from non-security employees at Takoradi Polytechnic. The data provided an understanding of the employees' present security needs, employees' perception of information security, employees' personal security initiatives, and their level of information security awareness. The key findings of the study suggested that, currently, some arrangements have been made to ensure information security; however, there is a need for more non-computer-based arrangements such as physical security, training and data backup systems. Further, because some respondents did not perceive the current security arrangement to be adequate, they took personal initiatives such as using passwords, using formal communication channels for obtaining information which falls outside their domain or function, and seldom reporting any perceived security threats. These personal initiatives seemed to be the basis for the employees' self-rating of their level of information security awareness, rather than any training they had received. Received: 8 September 2022 / Accepted: 29 October 2022 / Published: 5 November 2022