Sean B. Maynard

Sean B. Maynard
University of Melbourne | MSD · Department of Computing and Information Systems

PhD

About

74
Publications
112,500
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
1,563
Citations
Introduction
Dr Sean B Maynard is an academic based at the Department of Computing and Information Systems, University of Melbourne. His early career focused on the use of computing technology to aid senior management (EIS) and the evaluation of decision support systems. His research over the past two decades has been in the area of information security, in particular focusing on the evaluation of security policy quality and on the investigation of security culture within organisations.

Publications

Publications (74)
Article
Full-text available
Our case analysis presents and identifies significant and systemic shortcomings of the incident response practices of an Australian financial organization. Organizational Incident Response Teams accumulate considerable experience in addressing information security failures and attacks. Their first-hand experiences provide organizations with a uniqu...
Article
Full-text available
Modern organizations need to develop ‘digital forensic readiness’ to comply with their legal, contractual, regulatory, security and operational obligations. A review of academic and practitioner literature revealed a lack of comprehensive and coherent guidance on how forensic readiness can be achieved. This is compounded by the lack of maturity in...
Article
Full-text available
Purpose This paper describes the development, design, delivery and evaluation of a post-graduate information security subject that focuses on a managerial, rather than the more frequently reported technical perspective. The authors aimed to create an atmosphere of intellectual excitement and discovery so that students felt empowered by new ideas, t...
Article
Full-text available
There considerable advice in both research and practice oriented literature on the topic of information security. Most of the discussion in literature focuses on how to prevent security attacks using technical countermeasures even though there are a number of other viable strategies such as deterrence, deception, detection and response. This paper...
Article
The concept of security culture is relatively new. It is often investigated in a simplistic manner focusing on end-users and on the technical aspects of security. Security, however, is a management problem and as a result, the investigation of security culture should also have a management focus. This paper describes a framework of eight dimensions...
Conference Paper
Full-text available
The increasing frequency, impact, consequence and sophistication of cybersecurity attacks is becoming a strategic concern for boards and executive management of organisations. Consequently, in addition to focusing on productivity and performance, organisations are prioritising Information Security Management (ISM). However, research has revealed li...
Conference Paper
Full-text available
This paper extends a proposed theory on information security using pilot data to further refine and elaborate. We argue that the goal of information security is imperfectly understood and aim to bring about an altered understanding of why efforts are made to engage in information security. The goal of information security is widely recognized as th...
Article
Digital assets of organizations are under constant threat from a wide assortment of nefarious actors. When threats materialize, the consequences can be significant. Most large organizations invest in a dedicated information security management (ISM) function to ensure that digital assets are protected. The ISM function conducts risk assessments, de...
Conference Paper
Full-text available
Effective information security education, training and awareness (SETA) is essential for protecting organisational information resources. Whilst most organisations invest significantly in implementing SETA programs, the number of incidents resulting from employee noncompliance with security policy are increasing. This trend may indicate that many c...
Thesis
Knowledge leakage poses a critical risk to the competitiveness advantages of knowledge-intensive organisations. Although knowledge leakage is a human-centric security issue, little is known in relation to the key factors of individual-level leaking behaviour. Therefore, the aim of this thesis was to explore security practitioners' perspectives on t...
Thesis
Full-text available
Knowledge leakage poses a critical risk to the competitiveness advantages of knowledge-intensive organisations. Although knowledge leakage is a human-centric security issue, little is known in relation to the key factors of individual-level leaking behaviour. Therefore, the aim of this thesis was to explore security practitioners' perspectives on t...
Conference Paper
Full-text available
Effective information security training and awareness (ISTA) is essential to protect organizational information resources. Our review of industry best-practice guidelines on ISTA exposed two key deficiencies. First, they are presented at a conceptual-level without any empirical evidence of their validity. Second, the guidelines are generic (one siz...
Conference Paper
Full-text available
The modern organisation operates within a sophisticated and evolving security threat landscape that exposes its information infrastructure to a range of security risks. Unsurprisingly, despite the existence of industry ‘best-practice’ security standards and unprecedented levels of investment in security technology, the rate of incidents continues t...
Article
Full-text available
Dependence on information, including for some of the world’s largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences indicate that attacks are escalating on organisations conducting these information-based activi...
Article
Full-text available
The Internet of Things (IoT) is considered to be one of the most significant disruptive technologies of modern times, and promises to impact our lives in many positive ways. At the same time, its interactivity and interconnectivity poses significant challenges to privacy and data protection. Following an exploratory interpretive qualitative case st...
Conference Paper
Full-text available
This paper proposes a theory on information security. We argue that information security is imperfectly understood and aim to bring about an altered understanding of why efforts are made to engage in information security. The goal of information security is widely recognised as the confidentiality, integrity and availability of information however...
Article
Full-text available
Supply Chain Agility is important for organisations to stay competitive in today's dynamic business environment. There is increasing interest in deploying Business Intelligence (BI) in the Supply Chain Management (SCM) context to improve Supply Chain (SC) Agility. However, there is limited research exploring BI contributions to SC Agility. In this...
Article
Full-text available
Knowledge sharing drives innovation and the opportunity to develop a sustainable competitive advantage. However, in the extant knowledge management and information security literature, leakage from sharing activities is neglected. The risk of knowledge leakage is exacerbated with the pervasive use of mobile devices and the adoption of BYOD (Bring Y...
Article
Full-text available
Research articles can support teaching by introducing the latest expert thinking on relevant topics and trends and describing practical real-world case studies to encourage discussion and analysis. However, from the point of view of the instructor, a common challenge is identifying the most suitable papers for classroom teaching amongst a very larg...
Article
Full-text available
Considerable research effort has been devoted to the study of Policy in the domain of Information Security Management (ISM). However, our review of ISM literature identified four key deficiencies that reduce the utility of the guidance to organisations implementing policy management practices. This paper provides a comprehensive overview of the man...
Article
Despite extensive research into the evaluation of the success of decision support systems (DSS), criteria important in measuring success are rarely defined. This may be critical when a number of reference groups, or constituencies, are considered. In multiple-constituency DSS evaluation the understanding of each criteria may be different for each c...
Conference Paper
Full-text available
Dependence on information, including for some of the world's largest organisations such as governments and multinational corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these in...
Conference Paper
Full-text available
Considerable research effort has been devoted to the study of Policy in the domain of Information Security Management (ISM). However, our review of ISM literature identified four key deficiencies that reduce the utility of the guidance to organisations implementing policy management practices. This paper provides a comprehensive overview of the man...
Conference Paper
Full-text available
Supply Chain Agility is vital for organisations wanting to remain competitive in today's dynamic business environment. There is increasing interest in deploying Business Intelligence (BI) in the Supply Chain Management (SCM) context to improve Supply Chain (SC) Agility. However, there is limited research exploring BI contributions to SC Agility. In...
Conference Paper
Full-text available
Research articles can support teaching by introducing the latest expert thinking on relevant topics and trends and describing practical real-world case studies to encourage discussion and analysis. However, from the point of view of the instructor, a common challenge is identifying the most suitable papers for classroom teaching amongst a very larg...
Conference Paper
Full-text available
Knowledge sharing drives innovation and the opportunity to develop a sustainable competitive advantage. However, in the extant knowledge management and information security literature, leakage from sharing activities is neglected. The risk of knowledge leakage is exacerbated with the pervasive use of mobile devices and the adoption of BYOD (Bring Y...
Article
Full-text available
The Internet of Things (IoT) heralds a new era of computing whereby every imaginable object is equipped with, or connected to a smart device allowing data collection and communication through the Internet. The IoT challenges individual privacy in terms of the collection and use of individuals' personal data. This study assesses the extent to which...
Article
Full-text available
Business analytics (BA) capabilities can potentially provide value and lead to better organisational performance. This paper develops a holistic, theoretically-grounded and practically relevant business analytics capability framework (BACF) that specifies, defines and ranks the capabilities that constitute an organisational BA initiative. The BACF...
Article
Full-text available
There is considerable literature in the area of information security management (ISM). However, from an organizational viewpoint, the collective body of literature does not present a coherent, unified view of recommended security management practices. In particular, despite the existence of ‘best-practice’ standards on information security manageme...
Technical Report
Traditionally, digital forensic investigations are conducted by law enforcement agencies to collect evidence ‘after-the-fact’. Given the volatility of digital environments and the time expired between incident and investigation, law enforcement typically finds a limited amount of usable evidence available for collection and subsequent analysis. In...
Article
Full-text available
Three deficiencies exist in the organisational practice of information security risk management: risk assessments are commonly perfunctory, security risks are estimated without investigation; risk is assessed on an occasional (as opposed to continuous) basis. These tendencies indicate that important data is being missed and that the situation aware...
Article
Full-text available
Information security risk management (ISRM) is the primary means by which organizations preserve the confidentiality, integrity and availability of information resources. A review of ISRM literature identified deficiencies in the practice of information security risk assessment that inevitably lead to poor decision-making and inadequate or inapprop...
Article
Full-text available
Although digital forensics has traditionally been associated with law enforcement, the impact of new regulations, industry standards and cyber-attacks, combined with a heavy reliance on digital assets, has resulted in a more prominent role for digital forensics in organizations. Modern organizations, therefore, need to be forensically ready in orde...
Conference Paper
Full-text available
Three deficiencies exist in information security under prevailing practices: organisations tend to focus on compliance over protection; to estimate risk without investigating it; and to assess risk on an occasional (as opposed to continuous) basis. These tendencies indicate that important data is being missed and that the situation awareness of dec...
Conference Paper
Full-text available
***BEST PAPER AWARD*** Information Security (InfoSec) education varies in its content, focus and level of technicality across the world. In this paper we investigate the differences between graduate InfoSec programs in top universities in China and in the United States of America (USA). In China, curriculum emphasises Telecommunication, Computer Sc...
Conference Paper
Full-text available
In the modern information economy, the security of information is critically important to organizations. Information-security risk assessments (ISRAs) allow organizations to identify key information assets and security risks so security expenditure can be directed cost-effectively. Unfortunately conducting ISRAs requires special expertise and tends...
Article
Full-text available
Business analytics (BA) systems are an important strategic investment for many organisations and can potentially contribute significantly to firm performance. Establishing strong BA capabilities is currently one of the major concerns of chief information officers. This research project aims to develop a BA capability maturity model (BACMM). The BAC...
Chapter
The enforcement of information security policy is an important issue in organisations. Previous studies approach policy enforcement using deterrence theory to deal with information security violations and focus on end-users’ awareness. This study investigates deterrence strategy within organisations from the perspective of information security mana...
Chapter
Full-text available
In organizations, employee behaviour has a considerable impact on information security. The organizational culture (OC) that shapes acceptable employee behaviours is therefore significant. A large body of literature exists that calls for the cultivation of security culture to positively influence information security related behaviour of employees....
Conference Paper
Full-text available
Business analytics (BA) systems are an important strategic investment for many organisations and can potentially contribute significantly to firm performance. Establishing strong BA capabilities is currently one of the major concerns of chief information officers. Our research project aims to develop a BA capability maturity model (BACMM) that will...
Conference Paper
Full-text available
***BEST PAPER AWARD*** The enforcement of information security policy is an important issue in organisations. Previous studies approach policy enforcement using deterrence theory to deal with information security violations and focus on end-users’ awareness. This study investigates deterrence strategy within organisations from the perspective of in...
Conference Paper
Full-text available
The Information Security Policy (ISP) of an organisation is expected to specify for employees their behaviour towards security, and the security ethos of the organisation. However, there are a wide range of opinions and expertise that should be considered by organisations when developing an ISP. This paper aims to identify the stakeholders that sho...
Article
While there is extensive literature on the positive effects of institutionalising ethics in organisational culture, our extensive research in information security culture has found no evidence of organisations encouraging ethical decision making in situations where information security might be at risk. Security policies, in particular acceptable u...
Conference Paper
Full-text available
The behaviour of employees has been identified as a key factor in the protection of organizational information. As such, many researchers have called for information security culture (ISC) to be embedded into organizations to positively influence employee behaviour towards protecting organizational information. Despite claims that ISC may influence...
Thesis
Full-text available
An integral part of any information security management program is the information security policy. The purpose of an information security policy is to define the means by which organisations protect the confidentiality, integrity and availability of information and its supporting infrastructure from a range of security threats. The tenet of this...
Conference Paper
Full-text available
Managing Information Security is becoming more challenging in today’s business because people are both a cause of information security incidents as well as a key part of the protection from them. As the impact of organizational culture (OC) on employees is significant, many researchers have called for the creation of information security culture (I...
Conference Paper
Full-text available
Although organizations are taking security policy more seriously and are beginning to adopt a lifecycle approach to security policy development, how to assess the quality of security policy is still an unaddressed issue. This paper describes the results of two case studies focusing on a multiple constituency perspective of security quality assessme...
Conference Paper
Full-text available
The concept of security culture is relatively new. It is often investigated in a simplistic manner focusing on end-users and on the technical aspects of security. Security, however, is a management problem and as a result the investigation of security culture should also have a management focus. This paper discusses security culture based on an org...
Conference Paper
Full-text available
The level of quality of security policy is rarely discussed in any great depth in literature. Consequently, organizations often find it difficult to define quality in security policy terms. As the security policy field matures, however, the concept of quality is becoming more important for many of these organizations. This paper presents a model of...
Conference Paper
Full-text available
Financial crimes are a huge problem in today's business world, and electronic financial crimes are becoming increasingly prevalent. This study, conducted in collaboration with the Victorian Police Computer Crime Squad, focuses on the reactions and responses of a large financial organisation to both electronic and non-electronic financial crimes, in...
Conference Paper
Full-text available
While there is an overwhelming amount of literature that recognises the need for organisations to create a security culture in order to effectively manage security, little is known about how to create a good security culture or even what constitutes a good security culture. In this paper, we report on one of two case studies performed to examine ho...
Chapter
Full-text available
While information security policy development has some foundation in literature, it is uncertain how often the methods described are implemented. The cost and complexity of the policy development process has lead to the construction of extensive life cycle models, which are only relevant to organizations that need, and can afford, to develop and ma...
Conference Paper
Full-text available
Rapidly increasing threats to the security of information systems is forcing organizations to put more effort into improving security policy quality. An initial approach to improving the security policy development process may be to enforce similar standards to those used in information systems development. This will focus those developing the secu...
Conference Paper
Full-text available
Based on a research model borrowed from organisational culture we conducted two explorative case studies to investigate how we can evaluate and improve the quality of the security culture in organisations. In this paper we described the differences in the security culture of these two organisations, and how their culture relates to their widely dif...
Conference Paper
Full-text available
Until now the concept of 'security culture' has not been clearly defined in the literature. To develop a research model that can be used to assess the quality of an organisation's security culture, we adapted a comprehensive framework from organisational culture. This framework was chosen because it summarised existing organisational culture litera...
Conference Paper
Full-text available
While information security policy development seems to have some foundation in the literature, it is uncertain whether the methods described are operationalized in an organizational setting. Little is known about how organizations develop security policies, how these policies are documented, what factors contribute to policy effectiveness and how p...
Article
Full-text available
The evaluation of the performance of any information system is important for the further improvement of that system. This paper proposes a Decision Support System (DSS) evaluation method based on multiple-criteria techniques within a multiple-constituency perspective. With multiple-constituency DSS evaluation, many criteria may be valuable to a par...
Working Paper
Full-text available
Many approaches have been suggested for the evaluation of decision support systems (DSS). Most attempt to produce a single evaluation measure, usually based on the opinions of a single group. As DSS development and use can involve a large number of different people, this approach may be deficient. We propose a framework that takes into account mult...
Conference Paper
Full-text available
Information System security evaluation research usually focuses on the evaluation of how well information systems are secured in relation to a security policy statement or security plan. Most studies concentrate on standards of security measurement such as the "orange book", or the European standard (ITSEC). Little research however, concentrates on...
Conference Paper
Full-text available
Many studies discuss approaches for the evaluation of DSS. Few, however, provide a method to allow the context of the evaluation to be explicitly considered. This paper proposes a DSS evaluation method based on multiple criteria and incorporating a multiple constituency perspective. The approach proposed can be used for any group -constituencies, i...
Thesis
Full-text available
This research focuses on the evaluation of decision support system (DSS) projects from a multiple-viewpoint, multiple-criteria perspective. Past DSS evaluation tends to focus on a single group, usually the users or decision-makers, producing an evaluation outcome for that group. While this is accomplished using multiple criteria, the outcome of the...

Network

Cited By

Projects