Information security management standards: Problems and solutions
Mikko Siponen a,*, Robert Willison b
a University of Oulu, IS Security Research Center and Department of Information Processing Science, Linnanmaa, P.O. Box 3000, FIN-90014, Finland
b Copenhagen Business School, Howitzvej 60, DK-2000 Frederiksberg, Denmark
1. Introduction
Information security management (ISM) guidelines, which attempt to set out the best ISM practices, are used by organizations. By adopting an authoritative guideline, an organization can demonstrate its commitment to secure business practices; it may then apply for certification, accreditation, or a security-maturity classification attesting to its compliance with a set of rules and practices.
Complying with security management guidelines is essential. However, current guidelines have two problems. First, the well-known ones are generic in scope, while organizations need methods tailored to their environment and operations. Second, they have not been validated but are justified by an appeal to common practice, which is an unsound basis for a true standard.
2. Research framework
2.1. Information security management guidelines
Different international ISM guidelines have been proposed, including the TCSEC/Orange Book, GMITS, CobiT, the IT Baseline Protection Manual, Generally Accepted Information Security Principles (GAISP), the System Security Engineering CMM (SSE-CMM) [22], and BS7799 and its derivatives (BS7799, BS ISO/IEC17799: 2000).
These, not surprisingly, have common features. First, they were
offered either to help secure organizations’ IS or for certification
purposes, to prove that organizations’ IS complied with the
guideline; in theory, all standards can be used for both purposes.
Second, they were externally developed by committees. Third, they
provided an authoritative voice on infosec management.
Of the ‘‘standards’’, we selected BS7799, BS ISO/IEC17799: 2000, GASSP/GAISP and the SSE-CMM for analysis on the basis of three factors. First, they are all relatively new. Second, they are widely advocated by scholars and practitioners; these four standards or guidelines have received positive recognition. Third, their advocates are geographically dispersed: BS7799 has advocates in Australia, New Zealand, South Africa and the UK [1], and the SSE-CMM is well known in Canada and the U.S.
The Common Criteria [9] and ITSEC [16] focused on technical security features [18]; the Common Criteria has been used primarily for evaluating the security properties of IT products. Here we focus on ISM aspects and guidelines, which emphasize the organizational, social and behavioural aspects of ISM in organizations. Such issues include the development of organizational strategies that ensure that employees are educated to comply with security policies [11]. In addition, BS, GASSP and the SSE-CMM were selected over GMITS, the OECD guideline, ISF and the IT Baseline Protection Manual [17]. Furthermore, the GASSP’s ‘‘pervasive principles’’ were based on the OECD principles [10]; hence, GAISP can be viewed as a later version of them.
Information & Management 46 (2009) 267–270
doi:10.1016/j.im.2008.12.007
© 2009 Elsevier B.V. All rights reserved.

Article history:
Received 28 July 2003
Received in revised form 10 April 2007
Accepted 7 December 2008
Available online 20 May 2009

Keywords:
Information systems security
Information security management standards
Information security management
Information security management guidelines
Information security certification

Abstract
International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASSP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASSP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements differ. Second, we noted that these guidelines were validated by appeal to common practice and authority, and that this is not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

* Corresponding author. Fax: +358 553 1890.
E-mail address: msiponen@tols16.oulu.fi (M. Siponen).
2.1.1. Generally accepted systems security principles (GASSP)
The development of GASSP started in 1992, with support from
the U.S. government, the International Information Security
Foundation, and other world-wide organizations. GASSP version
2.0 was published in 1999, and with the release of version 3.0 the
name was changed to Generally Accepted Information Security
Principles. The aim in the development of GAISP was to document
common practice. The preface stated: ‘‘We believe it is time for the
Information Security profession to create our own set of accepted
principles and practices.’’ [11].
GAISP proposed three levels of information security principles: pervasive principles (few and rarely changing, such as those of ethics and awareness); broad functional principles (more detailed); and detailed principles (the most specific). The pervasive principles lay down the basis for the others; in total there are nine of them. GAISP version 3.0 included the ‘‘Detailed Principles Cookbook’’ for guiding GAISP developers in detailing the principles from authorities such as the OECD and ISF.
2.1.2. BS7799 and derivatives
BS7799 was developed in 1995 by the UK Department of Trade and Industry, with international companies joining the effort. An international version (BS ISO/IEC17799:2000 [7]) was later published. The 1995 version [5] is well-known and respected. Later versions were published in 1999 [6] and 2000 [7]; for clarity, we refer to these three as BS Version 1, BS Version 2 and BS Version 3, respectively. The standard known as BS 7799-2:2002 [8] will be referred to as BS Version 4. BS Version 1 included ten key controls held to be essential for all organizations; in Versions 2 and 3 the term ‘‘key controls’’ was replaced by an ‘‘information security starting point’’ with eight ‘‘critical success factors.’’
BS Version 4 described a process for use of the guideline, known as the ‘‘Plan–Do–Check–Act’’ process:
Plan: establish a security policy and relevant procedures and controls; then prepare a statement of the scope of its application, justifying why the controls were selected and why others were not;
Do: implement the security policy and relevant procedures;
Check: assess and measure the process performance, and report the results to management;
Act: take appropriate corrective actions.
These methods were intended for use both in securing IS and in their certification.
2.1.3. The system security engineering capability maturity model (SSE-CMM)
The development of the SSE-CMM started in 1993 as an NSA-sponsored endeavor to extend the capability maturity model [14]. The purpose of the effort was to use the model to address security issues in systems development. To aid in development of the SSE-CMM, the International Systems Security Engineering Association (ISSEA) was founded.
Versions 2.0 and 3.0 of the SSE-CMM both included base practices that were grouped into 22 key process areas (11 security-related and 11 general project-oriented), and six maturity levels.
Version 3.0 included 129 base practices, such as: ‘‘Identify system
security vulnerabilities.’’ The 11 security-related process areas
were: (1) administer security controls; (2) assess impact; (3) assess
security risk; (4) assess threat; (5) assess vulnerability; (6) build
assurance argument; (7) coordinate security; (8) monitor security
posture; (9) provide security input; (10) specify security needs;
and (11) verify and validate security.
The SSE-CMM was intended to be used in certifying the maturity level of an organization’s IS security and thus its security processes. Version 3.0 of the SSE-CMM also included a 10-point set
of rules of thumb, which could be seen as a process guiding the use
of the guideline. The maturity levels are similar to those of SEI’s
CMM/CMMI: (0) not performed; (1) performed initially, based on
individual effort; (2) planned and tracked, when there is a security
process in place; (3) well-defined, where the security process is
standardized, tailorable and integrated into the organization-wide
process; (4) quantitatively controlled, where the security process is
quantitatively measured; and (5) continuously improving, where
metrics are used to collect feedback that is then used to improve
the process.
2.2. Criteria for assessing infosec management guidelines
The guidelines were analyzed from the perspectives shown in
Table 1.
2.3. Scope of application
It is important to know how broadly ISM guidelines can be
applied, and also to assess the extent to which a guideline is suited
to the needs of small to large organizations. The scope of a guideline may be generic (applying throughout organizations, with rare exceptions where it does not), universal (applicable to all organizations, from small to multinational, without exception) or company-specific (where every company may have a unique set of requirements). A company-specific ISM guideline would therefore start by listing and modeling the organization’s unique security goals and requirements. We argue that guidelines should be company-specific, to a certain degree: general and generic security practices may overlook specific requirements, which may result in expenditure in the wrong places, in waste, and potentially in insecure systems [4].
2.4. Type of evidence
Two types of evidence, validation and argumentation, are important in research and development efforts. Given the importance of information security guidelines, it is necessary to examine how, and on what evidence, they are validated. Claims may be based on arguments with empirical support; in any case, one criterion should hold: the research processes and the types of evidence should be made public and visible. Argumentation theory identifies several fallacies, including appeals to popularity (ad populum), to common practice, and to authority (ad verecundiam). We argue that ISM guidelines should not be based on fallacious arguments.
3. Analysis of BS7799, GAISP/GASSP, and the SSE-CMM
3.1. Scope of application
BS Version 1 (and derivatives), the SSE-CMM, and GASSP/GAISP
appear to be generic or universal in scope. The following citations
illustrate how these principles were embodied.
BS Version 1 states that ‘‘some controls are not applicable to every
IT environment and should be used selectively. However, most of the
controls documented are widely accepted’’ ... and ... ‘‘recommended
good practices for all organizations.’’ [5]. Thus, the controls are
applicable to all organizations, while leaving room for exceptional situations. It also prescribed key controls that were universal. They ‘‘are either essential requirements ... or are considered to be fundamental building blocks for information security’’ and the controls ‘‘apply to all organizations and environments’’. Later versions use ‘‘information security starting point’’ principles, which ‘‘apply to most organizations and in most environments’’ [7]. Hence, they are generic.

Table 1
Criteria for evaluating ISM standards and guidelines.
Viewpoint              Examples
Scope of application   Generic, universal, company-specific
Type of evidence       Is the research process visible? Is the evidence sound?
GASSP distinguishes between what is ‘‘generally accepted’’ and
‘‘universally accepted’’ and notes that all principles may have
exceptions. Thus, GASSP is of generic scope but GAISP does not state
this view explicitly; rather, it offers ‘‘...comprehensive, objective
guidance for IS professionals, organizations, governments, and users.’’
[12]. It seems that such objectivism leans towards a universal view.
Even though the SSE-CMM ‘‘applies to all types and sizes of
security engineering organizations ...’’, it states that organizations’
security requirements differ: ‘‘The SSE-CMM includes practices that
focus on gaining an understanding of the customer’s security needs.’’
The SSE-CMM takes this into account in two ways. First, the
designer can select the relevant process areas and base practices.
Second, the SSE-CMM describes what practices need to be
performed, though it does not state how they are to be performed.
The 12 common features, associated with the five maturity levels,
are universal.
3.2. Validation based on appeal to common practice and authority
The international ISM guidelines being considered were based on ‘‘generally accepted principles’’ or ‘‘best practice’’. Neither the evidence for the reasoning behind them nor the underlying research processes were given or made public and visible. The results are therefore not verifiable or repeatable, and practitioners have no way of evaluating the reliability (or objectivity) of the claimed best practices.
GASSP and GAISP note how: ‘‘the principles have been developed
on the basis of experience, reason, custom ...’’ and ‘‘practices are
generally accepted because they represent prevalent practice’’.
BS Version 1 states: ‘‘These generally accepted controls are often
referred to as baseline security controls, because they collectively
define an industry baseline of good security practice’’. This appeal to
common practice is evident when BS Version 1 argued that ‘‘most of
the controls documented are widely accepted by large, experienced
organizations as recommended good practices for all situations’’. BS
Version 2 and Version 3 continue with the ‘‘information security
starting point’’ principles justified since they are ‘‘considered to be
common best practice for information security’’ [6].
The SSE-CMM version 2.0 offered a similar justification; the
standard ‘‘is a compilation of the best-known security engineering
practices’’.
The appeal to common practice is a faulty argument. In
addition, it is questionable whether any research methods have
been used to obtain results supporting such a claim: the SSE-CMM
versions 2.0 and 3.0 and GASSP reports imply that there have been
none. Hopkinson [15] states that the SSE-CMM version 2.0 was
based on experts’ judgment and their personal experience. This
also seems to be the case for version 3.0: ‘‘The SSE-CMM model was
developed by a consensus process’’. GASSP and GAISP present a
similar line of reasoning: principles were ‘‘generally accepted by
agreement (often tacit agreement) rather than formal derivation from
a set of postulates or basic concepts’’. GAISP maintained that ‘‘these
principles will be reviewed and vetted by skilled information security
experts and authorities who will ensure’’ that they are valid. This was
an appeal to authority.
Hefner and Monroe [13] reported that the SSE-CMM also used
key and community reviewers. They also referred to pilot projects,
which they suggested made the SSE-CMM fundamentally sound.
However, no further evidence was provided about them.
4. The weaknesses of prior ISM guidelines and a possible solution
We will term the current position taken on ISM guidelines as
the traditional view. According to our analysis, the guidelines were
developed externally by security experts, and their scope was
generic or universal.
4.1. The traditional view
Guidelines developed according to the traditional view were
based on generic or universal principles, which the guidelines’
developers sought to validate by appealing to common practice
and authority. Both approaches are problematic. Generic and
universal guidelines do not pay enough attention to organizational
difference. Such guidelines do not address the organization’s own,
and unique, information security needs, but prescribe universal or
general procedures. In addition, and perhaps more worryingly,
information security may not be applied in areas where it is
required.
BS Versions 2 and 3 have moved in the right direction by stating that the guidelines can be used as a starting point for developing organization-specific guidelines. The ISM guidelines [7] were, however, validated by appeals to common practice and authority. That some organizations use certain practices does not prove that they are best practices. Consequently, we have no evidence of the reliability of the guidelines, and the current international ISM guidelines do not meet the criterion of sound, visible evidence (Table 1).
4.1.1. Overcoming the weaknesses of the current ISM guidelines
Rigorous empirical studies are needed in which all possible
variables are considered. The authors of guidelines should (1)
try to validate their usefulness and implications empirically,
and (2) consider how various environmental and organizational
factors may affect the use of the guideline. Both qualitative
(e.g., action research, interpretive field studies, interpretive
case research) and quantitative (e.g., survey) studies are
required.
First, there is a need to study which security techniques and methods are currently in use, their real effects and their possible weaknesses. Second, studies are needed that examine not only the individual techniques but also managers’ and users’ perceptions of their value. In addition, the problems and implications of using guidelines in organizations should be considered. In particular, more care needs to be paid to the generalizability of the findings: when developing new guidelines, the extent to which existing results can be generalized should be assessed.
4.2. Guidelines as a library of research results for practitioners
Guidelines must be crafted for the benefit of practitioners. Their scope of application should be assessed principle by principle, and any findings should have undergone a peer-review process. While we cannot outline a full guideline here, we can illustrate our proposal with a simple example (Table 2).
In this example there are two areas: employees’ compliance with security policies and guidelines, and risk analysis. Each consists of objectives, principles and cautions. The objectives lay down the general aim of the principles. The principles act as a guide to how the different means for ensuring security should be used. A caution warns about pitfalls in the use of a principle. The key references for objectives, principles and cautions are listed, so that practitioners can refer to them for further information. The Evidence column shows the evidence on which the objectives, principles and cautions are based. Practitioners may extract only those points they need.
5. Conclusions
It is widely accepted that ISM guidelines play an important role
in managing and certifying information security in organizations.
We analyzed BS7799 and its derivatives, GASSP/GAISP, and the SSE-CMM to show how these guidelines were validated and what their scope of application is. They are generic or universal in scope and thus do not pay enough attention to the differences between organizations and their security requirements. The guidelines were validated by appeal to common practice and authority, and this process is likely to be fallible.
References
[1] J. Backhouse, C. Hsu, L. Silva, Circuits of power in creating de jure standards: shaping an international information systems security standard, MIS Quarterly 30 (Special issue), 2006, pp. 413–438.
[2] R. Baskerville, Risk analysis: an interpretative feasibility tool in justifying information systems security, European Journal of Information Systems 1 (2), 1991, pp. 121–130.
[3] R. Baskerville, Risk analysis as a source of professional knowledge, Computers and Security 10 (8), 1991, pp. 749–764.
[4] R. Baskerville, Information systems security design methods: implications for information systems development, Computing Surveys 25 (4), 1993, pp. 375–414.
[5] BS 7799, Code of Practice for Information Security Management, Department of Trade and Industry, DISC PD003, British Standards Institute, London, UK, 1995.
[6] BS 7799-1, Code of Practice for Information Security Management, Department of Trade and Industry, 1999.
[7] BS ISO/IEC 17799:2000 (BS 7799-1:2000), Information Technology – Code of Practice for Information Security Management, British Standards Institute, 2000.
[8] BS 7799-2:2002, Information security management systems – Specification with guidance for use, BSI, UK, 2002.
[9] Common Criteria, Common criteria for information technology security evaluation, 2006, http://www.commoncriteriaportal.org/public/consumer/index.php?menu=2.
[10] GASSP, Generally Accepted System Security Principles (GASSP), Version 2.0, Information Systems Security 8 (3), June 1999.
[11] GAISP V3.0, 2003, http://www.issa.org/gaisp/_pdfs/v30.pdf.
[12] GAISP, Detailed Principles Cookbook, 2003, http://www.issa.org/gaisp/_pdfs/v30.pdf.
[13] R. Hefner, W. Monroe, System Security Engineering Capability Maturity Model, Conference on Software Process Improvement, UC Irvine, CA, USA, 1997.
[14] J. Herbsleb, D. Zubrow, D. Goldenson, W. Hayes, M. Paulk, Software quality and the capability maturity model, Communications of the ACM 40 (6), 1997, pp. 30–40.
[15] J. Hopkinson, Security standards overview, in: Proceedings of the Second Annual International Systems Security Engineering Conference, 2001.
[16] Information Technology Security Evaluation Criteria (ITSEC), Harmonised Criteria of France, Germany, the Netherlands and the United Kingdom, 1990.
[17] IT Baseline Protection Manual, BSI, Germany, 1996.
[18] P. Overbeek, Common criteria for IT security evaluation – update report, in: Proceedings of the IFIP TC11 Eleventh International Conference on Information Security, Cape Town, South Africa, 1995.
[19] T. Saltmarsh, P. Browne, Data processing – risk assessment, in: M. Wofsey (Ed.), Advances in Computer Security Management, vol. 2, John Wiley and Sons Ltd, 1983, pp. 93–116.
[20] M. Siponen, Information security standards focus on the existence of process, not its content? Communications of the ACM 49 (8), 2006, pp. 97–100.
[21] M. Siponen, S. Pahnila, A. Mahmood, Employees’ adherence to information security policies: an empirical study, in: Proceedings of the IFIP SEC2007, Sandton, Gauteng, South Africa, 2007.
[22] SSE-CMM, The Appraisal Method, v2.0 and v3.0, 1998, http://www.sse-cmm.org.
[23] D. Straub, Effective IS security: an empirical study, Information Systems Research 1 (3), 1990, pp. 255–276.
[24] D. Straub, W. Nance, Discovering and disciplining computer abuse in organizations: a field study, MIS Quarterly 14 (1), 1990, pp. 45–60.
Mikko Siponen is a Professor and Director of the IS Security Research Centre in the Department of Information Processing Science at the University of Oulu, Finland. He holds a Ph.D. in Philosophy from the University of Joensuu, Finland, and a Ph.D. in IS from the University of Oulu, Finland. His research interests include IS security, IS development, computer ethics, and philosophical aspects of IS. He has published 30 papers in journals such as MIS Quarterly, Journal of the Association for Information Systems, European Journal of Information Systems, Information & Organization, Information Systems Journal, ACM Database, Communications of the ACM and IEEE IT Professional. He has received over 5.4 million USD of research funding from companies and numerous funding bodies. He has acted as SE for ICIS and is currently SE for an MIS Quarterly special issue entitled ‘Information Systems Security in a Digital Economy’. He sits on the editorial boards of the European Journal of Information Systems, Journal of Organizational and End User Computing and the Journal of Information Systems Security.
Robert Willison is an Assistant Professor in the Department of Informatics, Copenhagen Business School. He received his Ph.D. in IS from the London School of Economics and Political Science. His research focuses on IS security, with a specific interest in employee computer crime. He has published in journals including Information and Organisation, European Journal of Information Systems and Communications of the ACM. He acts as an AE for the European Journal of Information Systems and is currently guest editing a special issue of the journal entitled ‘Behavioral and Policy Issues in IS Security’.
Table 2
An example of a guideline as a library of research results for practitioners.

Area 1. Employees’ compliance with respect to security policies and guidelines
  Objective 1: To make users comply with security policy objectives.
    Key references: [21,23,24]. Evidence: quantitative survey.
  Principle 1: Wide dissemination of security policies, use of software preventives and disciplinary actions for non-compliance, and enough full-time security staff (or their increased visibility) increase information security.
    Evidence: deterrence theory.
  Caution for principle 1: The mere existence of security practices (e.g., policies, education programs) does not guarantee their quality in practice.
    Key references: [20]. Evidence: conceptual.

Area 2. Risk analysis
  Objective 1: Risk analysis with the aim of calculating and managing risk.
    Key references: [2]. Evidence: conceptual.
  Objective 2: Risk analysis as a tool for communication between developers and managers.
  Principles: (1) analysis of security-relevant resources and assets; (2) analysis of threats whose occurrence could cause loss; (3) analysis of vulnerabilities in security controls which may increase the frequency of threat occurrences or their impact; (4) analysis of the overall risk; (5) analysis and selection of appropriate controls that may reduce the risks.
    Key references: [19]. Evidence: conceptual.
  Caution: Risk analysis to meet objective 1 is subjective.
    Key references: [3]. Evidence: conceptual.
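The five risk-analysis principles in Table 2, and the caution that the result is subjective, worked through as an added example; this is not code from the paper or from any of the standards it discusses. Every figure in it is constructed for illustration: the two assets and their values, the threat frequencies and exposures, the vulnerability factors, the control costs, the budget, and the two analysts whose estimates differ. Annualized loss expectancy (frequency times exposure times asset value) is used as the measure of overall risk because it is a common choice, not because the paper prescribes it. The point the example makes is the one behind the caution: the same inventory, with two equally defensible likelihood estimates, produces different control selections.

```python
"""Worked example of the five risk-analysis principles in Table 2
(assets, threats, vulnerabilities, overall risk, control selection) and of
the caution that the outcome is subjective. All figures are constructed
for illustration; none come from the paper or from any standard."""
from dataclasses import dataclass, replace
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:                 # principle (1): security-relevant resources and assets
    name: str
    value: float             # business value in currency units (assumed)


@dataclass(frozen=True)
class Threat:                # principle (2): threats whose occurrence could cause loss
    name: str
    target: str              # name of the asset it hits
    base_frequency: float    # expected occurrences per year, before vulnerabilities
    exposure: float          # fraction of asset value lost per occurrence (0..1)


@dataclass(frozen=True)
class Vulnerability:         # principle (3): control weaknesses raising frequency or impact
    name: str
    threat: str
    frequency_factor: float = 1.0   # multiplies the threat's frequency while open
    impact_factor: float = 1.0      # multiplies the threat's exposure while open


@dataclass(frozen=True)
class Control:               # principle (5): candidate controls and what they close
    name: str
    cost: float
    closes: Tuple[str, ...]  # vulnerability names removed once the control is in place


def annual_risk(assets: List[Asset], threats: List[Threat],
                vulns: List[Vulnerability]) -> Dict[str, float]:
    """Principle (4): overall risk as annualized loss expectancy per threat,
    ALE = frequency * exposure * asset value, with open vulnerabilities
    scaling frequency and exposure. ALE is one common measure, not one the
    paper prescribes."""
    value = {a.name: a.value for a in assets}
    risk: Dict[str, float] = {}
    for t in threats:
        freq, expo = t.base_frequency, t.exposure
        for v in vulns:
            if v.threat == t.name:
                freq *= v.frequency_factor
                expo *= v.impact_factor
        risk[t.name] = freq * min(expo, 1.0) * value[t.target]
    return risk


def select_controls(assets, threats, vulns, controls: List[Control],
                    budget: float) -> Tuple[List[str], float]:
    """Principle (5): the affordable control set with the lowest residual ALE.
    Exhaustive over subsets, which is fine for a handful of controls."""
    best: List[str] = []
    best_risk = sum(annual_risk(assets, threats, vulns).values())   # no controls
    for k in range(1, len(controls) + 1):
        for subset in combinations(controls, k):
            if sum(c.cost for c in subset) > budget:
                continue
            closed = {name for c in subset for name in c.closes}
            residual = sum(annual_risk(
                assets, threats, [v for v in vulns if v.name not in closed]).values())
            if residual < best_risk:
                best, best_risk = sorted(c.name for c in subset), residual
    return best, best_risk


# Constructed inventory (assumed values, for illustration only).
ASSETS = [Asset("customer-db", 500_000), Asset("web-server", 50_000)]
THREATS_A = [   # analyst A's likelihood estimates
    Threat("sql-injection", "customer-db", base_frequency=0.2, exposure=0.6),
    Threat("ddos", "web-server", base_frequency=2.0, exposure=0.1),
    Threat("insider-theft", "customer-db", base_frequency=0.05, exposure=0.8),
]
# Analyst B reads the same environment differently: injection rarer, insiders likelier.
_B_FREQ = {"sql-injection": 0.02, "insider-theft": 0.5}
THREATS_B = [replace(t, base_frequency=_B_FREQ.get(t.name, t.base_frequency))
             for t in THREATS_A]
VULNS = [
    Vulnerability("unparameterised-queries", "sql-injection", frequency_factor=5.0),
    Vulnerability("no-rate-limiting", "ddos", frequency_factor=2.0),
    Vulnerability("shared-admin-account", "insider-theft",
                  frequency_factor=3.0, impact_factor=1.2),
]
CONTROLS = [
    Control("parameterised-queries", 20_000, ("unparameterised-queries",)),
    Control("cdn-rate-limit", 15_000, ("no-rate-limiting",)),
    Control("per-user-admin-accounts", 10_000, ("shared-admin-account",)),
]


def run_example(budget: float = 20_000) -> Dict[str, Tuple[List[str], float]]:
    """Principle (5) under one budget for both analysts' estimates."""
    return {
        "analyst_a": select_controls(ASSETS, THREATS_A, VULNS, CONTROLS, budget),
        "analyst_b": select_controls(ASSETS, THREATS_B, VULNS, CONTROLS, budget),
    }


if __name__ == "__main__":
    for who, (chosen, residual) in run_example().items():
        print(f"{who}: controls={chosen}, residual ALE={residual:,.0f}")
```

Under the assumed 20,000 budget, analyst A's estimates lead to spending on parameterised queries (residual ALE 152,000), while analyst B's lead to per-user administrative accounts (residual ALE 250,000); nothing in the inventory changed, only the likelihood judgments. That is the practical content of the caution in Table 2: the control selection in step (5) inherits whatever subjectivity entered in step (2), so an organization using risk analysis to justify expenditure should record the estimates, not just the resulting ranking.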