Article

Why we need a new definition of information security


Abstract

There is an old Peanuts strip where Charlie Brown says, “Working here is like wetting your pants in the pool, wearing a dark bathing suit. You get that warm feeling but nobody notices.” Increasingly, I think computer security professionals in large enterprises are in that metaphorical swimming pool. In fact, many are swimming in the deep end without their water wings. When computer security professionals do an excellent job protecting systems and information, the number of bad outcomes decreases. After a generation of peace, pretty soon people start asking why we need the army. I believe this problem stems in part from a fuzzy fundamental: the definition of information security.


... [14] Many definitions of cybersecurity focus on the concepts of Confidentiality, Integrity, and Availability, the so-called CIA Triad, while other research adds attributes such as authenticity and non-repudiation. However, this research is based on the perspective presented by Anderson (2003) that, while these individual notions are worthy goals to be achieved, they are not the "end state" of a cybersecurity program and should not be viewed as such. ...
... While organizations are beginning to realize the value of their IS and information assets, cybersecurity incidents do occur, and with potentially significant losses. Anderson (2003) further argued that a proper definition of cybersecurity must be both flexible and attainable, and support the organizational context in which it is implemented. This passage will adopt the definition of cybersecurity adapted from Anderson (2003) and Dunkerley and Tejay (2012) of "a well-informed sense of assurance that information risks and information security controls are in balance." [15] This definition promotes the concept of balance within an organizational cybersecurity program that considers both the security of the IS and its concomitant data while not tossing the business objectives out the door at their expense. ...
Article
Full-text available
See book review end of Cyber Defense Review 2:2.
... [12] However, information security and cybersecurity terms are intertwined because cybersecurity has yet to properly handle the soft issues of information security and fully recognize the technical nature of security. [13] Therefore, we define information security as a continuous sense of assurance that information risks and applicable controls are in constant balance. [15] This definition caught our attention, since it highlights the element of risk as the main driver of information security. ...
... The Cybersecurity Framework consists of three parts: the framework core, the implementation tiers, and the framework profile. (Fragment of that paper's ISO 27001 Annex A table, listing control domains with article counts: Physical and environmental security, 15; A.12 Operations security, 14; A.13 Communication security, 7; A.14 System acquisition, development, and maintenance, 13; A.15 Supplier relationship, 5; A.16 Information security incident management, 7; A.17 Information security aspects of business continuity management, 4; A.18 Compliance, 8.) Table 2 represents the framework core, which describes a life cycle of five functions that group 20 categories of security controls. These five functions are (1) identify (i.e., to identify assets and potential threats), (2) protect (i.e., to implement a security baseline), (3) detect (i.e., to monitor and control cybersecurity activities that can be considered threats), (4) respond (i.e., to respond to a cyber event), and (5) recover (i.e., to effectively recover from an incident). ...
Article
Information security and privacy are matters of concern in every industry. The healthcare sector has lagged in terms of implementing cybersecurity measures. Therefore, hospitals are more exposed to cyber events due to the criticality of patient data. Currently, little is known about state-of-the-art research on information security and privacy in hospitals. The purpose of this study is to report the outcome of a systematic literature review on research about the application of information security and privacy in hospitals. A systematic literature review following the PRISMA methodology was conducted. To reference our sample according to cybersecurity domains, we benchmarked each article against two cybersecurity frameworks: ISO 27001 Annex A and the NIST framework core. Limited articles in our papers referred to the policies and compliance sections of ISO 27001. In addition, most of our sample is classified by the NIST function "Protect," meaning activities related to identity management, access control and data security. Furthermore, we have identified key domains where research in security and privacy are critical, such as big data, IOT, cloud computing, standards and regulations. The results indicate that although cybersecurity is a growing concern in hospitals, research is still weak in some areas. Considering the recrudescence of cyber-attacks in the healthcare sector, we call for more research in hospitals in managerial and non-technical domains of information security and privacy that are uncovered by our analysis.
... The terms information security, cybersecurity, Internet security, computer security, and network security have intersecting and evolving meanings, but generally refer to processes of implementing security controls including IA/IT governance frameworks to protect the confidentiality, integrity, and availability of privileged information as well as the technological infrastructure of a computer network or system against unauthorized access or manipulation (Anderson, 2003; Blakley, McDermott & Geer, 2001; Cherdantseva & Hilton, 2013; CNSS, 2010; ISACA, 2008; ISO/IEC 27000:2009; Venter & Eloff, 2003). Sensitive data should be protected based on the potential impact of a loss of confidentiality, integrity, or availability. ...
... • aims to provide assurance "that information risks and controls are in balance" (Anderson, J., 2003); ...
Thesis
Full-text available
Cyber attacks by domestic and foreign threat actors are increasing in frequency and sophistication. Cyber adversaries exploit a cybersecurity skill/knowledge gap and an open society, undermining the information security/privacy of citizens and businesses and eroding trust in governments, thus threatening social and political stability. The use of open digital hacking technologies in ethical hacking in higher education and within broader society raises ethical, technical, social, and political challenges for liberal democracies. Programs teaching ethical hacking in higher education are steadily growing but there is a concern that teaching students hacking skills increases crime risk to society by drawing students toward criminal acts. A cybersecurity skill gap undermines the security/viability of business and government institutions. The thesis presents an examination of opportunities and risks involved in using AI powered intelligence gathering/surveillance technologies in ethical hacking teaching practices in Canada. Taking a qualitative exploratory case study approach, technoethical inquiry theory (Bunge-Luppicini) and Weick’s sensemaking model were applied as a sociotechnical theory (STEI-KW) to explore ethical hacking teaching practices in two Canadian universities. In-depth interviews with ethical hacking university experts, industry practitioners, and policy experts, and a document review were conducted. Findings pointed to a skill/knowledge gap in ethical hacking literature regarding the meanings, ethics, values, skills/knowledge, roles and responsibilities, and practices of ethical hacking and ethical hackers which underlies an identity and legitimacy crisis for professional ethical hacking practitioners; and a Teaching vs Practice cybersecurity skill gap in ethical hacking curricula. 
Two main S&T innovation risk mitigation initiatives were explored: An OSINT Analyst cybersecurity role and associated body of knowledge foundation framework as an interdisciplinary research area, and a networked centre of excellence of ethical hacking communities of practice as a knowledge management and governance/policy innovation approach focusing on the systematization and standardization of an ethical hacking body of knowledge.
... According to Certified Information Systems Auditor (CISA) [14], cybersecurity is a technology that protects networks, devices, and data from unauthorized access or criminal use, as well as refers to practices that ensure confidentiality, integrity, and availability of information [15]. Inadequate cybersecurity infrastructure could allow a malicious attacker to break into the system and spread malware, posing a serious risk. ...
Article
Full-text available
With the deployment of the 5G cellular system, the upsurge of diverse mobile applications and devices has increased the potential challenges and threats posed to users. Industry and academia have attempted to address cyber security challenges by implementing automated malware detection and machine learning algorithms. This study expands on previous research on machine learning-based mobile malware detection. We critically evaluate 154 selected articles and highlight their strengths and weaknesses as well as potential improvements. We explore the mobile malware detection techniques used in recent studies based on attack intentions, such as server, network, client software, client hardware, and user. In contrast to other SLR studies, our study classified the means of attack as supervised and unsupervised learning. Therefore, this article aims at providing researchers with in-depth knowledge in the field and identifying potential future research and a framework for a thorough evaluation. Furthermore, we review and summarize security challenges related to cybersecurity that can lead to more effective and practical research.
... Safety in DTC involves protection of users' information and communication against the problems generated by ICT use (Barrow & Heywood-Everett, 2006). It is related to the privacy, integrity, and efficiency of Internet technology and information (Anderson, 2003). Safety refers to teachers' knowledge, abilities, and attitudes to design and develop learning experiences that promote, model, and train students as digitally responsible citizens. ...
Article
Full-text available
The use of technologies and the Internet poses problems and risks related to digital security. This article presents the results of a study on the evaluation of the digital competence of future teachers in the DigCompEdu European framework. 317 undergraduate students from Spain and Portugal answered a questionnaire with 59 items, validated by experts, in order to assess the level and predominant competence profile in initial training (including knowledge, uses and interactions and attitudinal patterns). The results show that 47% of the participants belong to the profile of teachers at medium digital risk, evidencing habitual practices that involve risks such as sharing information and digital content inappropriately, not using strong passwords, and ignoring concepts such as identity, digital “footprint” and digital reputation. The average valuations of each item in the seven categories show that future teachers have an average competence in the area of digital security. They have good attitudes toward security but less knowledge and fewer skills and practices related to the safe and responsible use of the Internet. Future lines of work are proposed, aimed at responding to the demand for a better prepared and more digitally competent citizenry. The demand for education in security, privacy and digital identity is becoming increasingly important, and these elements form an essential part of initial training.
... Effective information security requires enforced policies, training management, and established security controls (Cheung, 2014). The small business sector should be aware of the information threats to effectively protect against their assets and infrastructure before deploying security measures (Anderson, 2003). Pranggono and Arabo (2021) suggest using a virtual private network continuous training for system end-users. ...
Conference Paper
Information is a significant asset of any organization. The increased information demand by all parties has gained attention and raised security concerns, especially in this digital era where everyone depends heavily on the Internet. The Internet and online platforms expose valuable information to various information threats. These pervasive threats compromise information privacy, safety, and security. Legitimate people and criminals compete to access information. Criminals use innovative ways to gradually increase information security threats, especially in the small business sector with only a minimal budget for proactive security measures. Due to the scarcity of academic research on information security threats for small businesses, this study presents the impact of security threats on businesses during the global Covid-19 pandemic. A qualitative survey within the interpretive approach was used to gather data from 20 small businesses in Western Cape, South Africa, to fill this gap. The study used judgmental sampling to select research participants who are business owners. Data were analyzed using thematic analysis. The results indicated the knowledge gap relating to information threats, even though most businesses are familiar with the costly and negative impact of threats on business operations, resulting in business discontinuity. However, some small business sectors showed minimal awareness and understanding of information security threats, their impact, and proactive mitigation strategies. The study concluded with recommendations to protect against information security threats.
... "A well-informed sense of assurance that information risks and controls are in balance." (Anderson, 2003). ...
Book
Full-text available
The labour market is constantly changing, and the changes are coming faster and faster. Today it is very different from just 10 years ago. Professions that existed then may no longer be in demand, or may not even exist today. The only certainty is that the labour market will change even faster as advances in technology, above all in information and communication technologies (ICT), accelerate. Some jobs that will be in high demand for future generations do not even exist today. Digital technologies are becoming a common thread running through all jobs in all fields of work. This is both the challenge and the opportunity of our time. By 2030, 800 million jobs will disappear because of automation, according to a McKinsey Global Institute study cited by the BBC. Nevertheless, there will be new jobs, mostly related to knowledge creation and innovation. This raises many questions, such as: Which ICTs have the strongest impact on the labour market? What are the jobs of the future? What skills are needed for the new jobs? Will technology replace people? Is technology good or bad? The search for answers to these questions prompted me to carry out the present study. Its main points are: • The current digital landscape is presented and analysed; • The IT with the strongest impact on transforming the labour market are identified and examined: Big Data, Robotics, Information Security, Virtualization, Mobile Technologies, Programming, Cloud Computing, Cognitive Computing, Artificial Intelligence (AI). Each technology is examined in the following structure: Definitions and characteristics; Technologies used; Advantages of its use in business; Areas of application; Professions; and Conclusion.
• The responsibilities, duties and requirements for the new jobs that have arisen as a result of the technological revolution are synthesized; • The skills needed for the new jobs are outlined; • The most promising jobs of the future and the appropriate education for them are highlighted; • The current state of the labour market related to the new jobs that have emerged from the rapid development of ICT is examined and analysed, in our country, in the EU and worldwide. In conclusion: There is a complex feedback loop between new technologies, jobs and skills. New technologies can stimulate business growth, job creation and demand for specialized skills, but they can also displace entire professions when certain tasks become obsolete or are automated. Skills gaps, both among workers and among organizational management, can accelerate automation trends in some cases, but can also create barriers to the adoption of new technologies and thus hinder business growth. Digital technologies are fundamentally transforming organizations, and the pace of technological change is increasing the challenges. Organizations need a coherent strategy that includes a plan for reskilling workers. While previous technological revolutions (above all the industrial revolution) unfolded over a relatively long period, the speed of digital transformation is such that organizations must be very dynamic and flexible if they do not want to fall behind. There is a pressing need for a comprehensive development strategy, an approach in which organizations seek to use the automation of some work tasks to complement and enhance the strengths of their employees and enable them to realize their full potential.
Rather than focusing only on labour cost savings based on automation, the development strategy should take into account the broader aspects of value-creating activities that can be performed by people, often in addition to technology, once they are freed from the need to perform routine, repetitive tasks and are able to make better use of their talents and human abilities. Let us not forget to see the forest and not just the tree. For this positive scenario to be realized, however, workers will need the relevant skills that allow them to be confident in their workplace in the future, as well as the ability to keep learning and retraining throughout their lives. Thus, creating a lifelong learning system, investing in human capital and collaborating with other stakeholders on a workforce development strategy should be a key business imperative, crucial for the medium- and long-term growth of companies, and an important contribution to society, social development and stability. Policymakers, regulators and educators also have a key role in realizing this positive scenario, by improving education and training systems, updating labour legislation and developing labour market policies that match the realities of the Fourth Industrial Revolution. The digital revolution has created new professions (such as search engine optimization managers and social media account managers), new types of organizations (cloud computing providers and social media agencies) and even new sectors of the economy (digital security and data science). Today, however, the question of whether new technologies create more jobs than they destroy is increasingly debated. The truth is that we actually know rather little about what exactly will happen.
What will be the economic impact of ICT development in the future? How will people interact with machines and algorithms? What skills will be needed, and how will they be learned? How will all this affect labour markets? In this context, the analysis carried out in this work suggests that the digital transformation associated with ICT development has the potential to create a significant number of jobs. But it is clear that there will be both winners and losers; while the net impact on jobs in some industries may be positive, many sectors will suffer job losses. We live in a time in which we are trying by every means to unite physical, digital and biological systems, and are doing the impossible to achieve this. In my view, technology is not here to replace us but to help us and enable us to do more. So technology is not actually bad, even though some may argue that we are losing connection and that there is a large negative societal impact. Technology is what we make of it; everything depends on how we use it, but with this comes the enormous responsibility of each of us. The world is becoming ever more digital; everything is changing. According to some future forecasts for humans, the natural concept will change, our bodies will be so high-tech that it will be hard to distinguish what is real and what is not, and so we must accept and be aware of this change. Does this mean we will be superhumans? Time will tell…
... Privacy is an individual's right to determine whether their health information should be revealed to others and the extent to which and where the information can be used (Westin, 2003). Security is defined as a sense of assurance that the information can be safeguarded (Anderson, 2003). Although there is an ongoing debate on the distinction between privacy and security (Smith et al., 2011), health information privacy is implemented through information security and indeed, the concept of privacy is non-existent without security practices (Lafky and Horan, 2011). ...
Article
Full-text available
Purpose: Little is known about factors that affect patient use of online medical records (OMR). Specifically, with rising vulnerability concerns associated with security and privacy breaches, patient use of OMR requires further attention. This paper aims to investigate patient use of OMR. Using the Unified Theory of Acceptance and Use of Technology (UTAUT), factors affecting continued use of OMR were examined.
Design/methodology/approach: The Health Information National Trends Survey 5 (HINTS 5), Cycle 1 data were used. This is an ongoing nation-wide survey sponsored by the National Cancer Institute (NCI) of the USA. The subjects were 31-74 years old with access to the Internet. Descriptive information was projected to the US population.
Findings: In total, 765 respondents representing 48.7 million members of the US population were analyzed. Weighted regression results showed significant effects of perceived usefulness, visit frequency and provider encouragement on continued use of OMR, while vulnerability perception was not significant. Moderating effects of these variables were also noted. Perceived usefulness and provider encouragement emerged as important predictors.
Practical implications: Insights may help design interventions by health-care providers and policymakers.
Social implications: Insights should help patient empowerment and developers with designing systems.
Originality/value: This is the first study to examine health-care consumers’ continued use of OMR using nationally representative data and real-world patients, many of whom have one or more chronic diseases (e.g. diabetes, hypertension, asthma) or are cancer survivors. Results highlight factors helping or hindering continuing OMR use. As such, insights should help identify opportunities to increase the extent of use, project future OMR usage patterns and spread the benefits of OMR, including bringing forth positive health outcomes.
... When exploring Cyber Security concepts, von Solms & van Niekerk concluded that "disambiguation as an important contribution to the common body of knowledge for the field of information and cyber security" [19]. Anderson [2] supports the requirement for further research in this domain to clarify the definitions and usefulness of the terms and contribute to an improved taxonomy. ...
Conference Paper
Effectively managing cyber security (CS) is a significant challenge for governments and businesses as technological advancements accelerate as well as the growing interconnectedness of the global economy. Reports of data breaches and sabotage appear to be escalating as more stakeholders are exposed to cyberrisks, exposing regulatory gaps and governance failures. Notwithstanding the significant interest directed towards government strategies and board level governance of CS witnessed over the past decade, significant uncertainty remains about how CS can be effectively governed in theory and practice. To address this uncertainty, the overarching aim of this research is to develop a deeper understanding about how CS governance is experienced and constituted in practice. Much of the research to date has been based on large-scale industry surveys that are limited in terms of providing insights into context. In this paper, an overview of the research design is provided, and specifically the findings from phase one, stage one of the research is reported on involving the potential of a socio-spatial perspective. The goal is to identify the research imperatives for the next stage of the research into cybersecurity governance.
... Here privacy is individuals' right to determine whether their personal health related information should be revealed to others as well as to which extent and where the information can be used (Westin et al. 2003). In this research, security is defined as sense of assurance of information safeguard (Anderson 2003). Although there is an ongoing debate on the distinction between privacy and security (Smith et al. 2011), health information privacy is implemented through information security and indeed, the concept of privacy is nonexistent without security practices (Lafky et al. 2011). ...
Conference Paper
Full-text available
Little is known about factors affecting adoption of Online Medical Records (OMR). We examined associations of vulnerability perception, usefulness, ease of use, visit frequency and provider encouragement with use of OMR and moderating effects of these variables using National Cancer Institute (NCI) data. Usefulness and provider encouragement played important roles.
... The term information security, while frequently used, lacks a seminal definition or explanation. Existing literature observed the term is a concept that lacks a clear-cut definition (Anderson 2003;Torres et al. 2006). Dlamini et al. (2009) found that the concept of information security predates the invention of the computer. ...
Conference Paper
Full-text available
Organizations can suffer attacks designed to take advantage of employee vulnerabilities. Successful attacks cause firms to suffer financial damage ranging from minor information breaches to severe financial losses. Cybercriminals focus on organization executives, because the power and influence they wield affords access to more sensitive data and financial resources. The purpose of this research in progress submission is to identify the types of executive behaviors that information security professionals believe introduce risk to an organization, as well as to explore the degree of risk organizations face as a result of these behaviors.
... Moreover, building a trust model system will satisfy the trustworthy communication path and address security issues in networks [41]. Security is a combination of confidentiality, availability and integrity attributes that prevents unauthorized and unauthenticated access, disclosure, modification, inspection, recording or destruction of information [42]. ...
Article
Full-text available
The Internet of Things (IoT) creates a world where smart objects and services interact autonomously. Taking into account the dynamic, heterogeneous character of interconnected devices in IoT, a trust model to guarantee security, authentication, authorization, and confidentiality of connected things, regardless of their functionality, is imperative. However, as far as we know, despite the centrality of trust-based recommendation mechanisms in the IoT environment, there is no comprehensive study investigating their techniques. In this paper, we present a systematic literature review (SLR) of trust-based IoT recommendation techniques to date. Detailed classifications based on extracted parameters, as well as an investigation of existing techniques in three different IoT layers, are put forth. Moreover, the advantages, disadvantages and open issues of each approach are introduced, which can expand the frontier in obtaining accurate IoT recommendations in the future.
... Many published works conclude that Information security is the processes and methodologies used in the safeguarding of three components, namely confidentiality, integrity, and availability (Anderson, 2003; The South African Cyber Threat Barometer, 2012; Safa et al., 2016), or the CIA triangle (von Solms and van Niekerk, 2013). This corresponds with the definition by the ISO/IEC 27002 international standard (2005), which states that Information security protects the confidentiality, integrity, and availability of information. ...
Thesis
Full-text available
In the technology-people-management chain, people are predominantly identified as the weakest link in properly securing information systems. Previous information security studies pursued an understanding of information security behaviour by investigating internal and external factors influencing such behaviour, with some information security studies placing great significance on the role of the situation, an external factor, when investigating human behaviour. Psychological Situationism research emphasises that behaviour is shaped mainly by the exigencies of a particular situation. An examination of information security literature indicated that the exigencies of computer system failure situations had not been explored as an external factor influencing information security behaviour. Computer system failure situations are perceived by employees as crises that interrupt or prevent them from performing their everyday tasks. Irrespective of the technological failure, employees still need to get the job done. Because the situation and its exigencies are influential in determining and shaping behaviour, it has the potential to negatively influence employee information security behaviour. Insecure employee behaviour could cause negative outcomes for organisations, such as financial loss and damage to reputation. The present study focused on the exigencies of computer system failure situations and how they influence employee information security behaviour. In this context, exigencies denote the demands and pressures placed on employees during computer system failure situations, while computer system failure situations include hardware, software and network failures. Underpinned by the philosophy of Husserl, the present study inductively collected qualitative data via in-depth, semi-structured interviews from twelve employees purposively sampled from within an entertainment services organisation.
Qualitative text data were analysed in two phases: firstly, through the methods and procedures of phenomenological analysis formulated by Moustakas, and secondly, via a summative analysis. Aggregate results showed that the demands and pressures placed on employees during computer system failure situations have an important effect on their information security behaviour. Employees’ intentional non-malicious information security behaviour during computer system failure situations was explained as influenced by the exigencies of the situation in which the behaviour takes place. Although no single solution and/or approach will succeed in fully explaining the intricacy of employee information security behaviour, results from the current study significantly improved our understanding of how the exigencies of computer system failure situations, an external factor, influence employee information security behaviour. It also provided practitioners with empirical implications on how to improve the governance of the human factor of the technology-people-management chain.
... Information security can be defined as "a well-informed sense of assurance that information risks and controls are in balance" (Anderson, 2003). According to the IT Governance Institute (2001), the objective of information security is "protecting the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality, and integrity". ...
Article
In the Industrial Revolution 4.0 (IR 4.0), information security has been highlighted as one of the critical components that need to be addressed by industry practitioners. To this effect, the deployment of information security controls, both technical and nontechnical, is essential so as to safeguard and protect organizational information from any form of threat or danger. Information Security Culture (ISC) is a term used to describe a situation where not only are members aware and skilful in terms of information security, but the processes and procedures as well as the technologies are also in place to protect and safeguard organizational information. This paper reports the findings of a study aimed at assessing the ISC of Malaysian public organizations. The study used a survey research methodology with a questionnaire as the data collection technique. The results of the study suggest that ISC, which is measured in terms of management support, policy and procedures, compliance, awareness, budget and technology, is not in place in these participating organizations. The findings send a strong message that much effort is needed to strengthen the ISC in these participating organizations.
... There are three performance metrics of PKC, which are security, speed and space [6][7]. According to [8], security is defined as being all about confidentiality, integrity and availability. Other than that, computer and network security is concerned with protecting the systems. ...
Article
Cryptography is a method used to establish secure data communication. The goal of cryptography is to send data that satisfies the criteria of confidentiality, data integrity, authentication and non-repudiation. In line with these goals, performance metrics are the important evaluation criteria to be analyzed. This paper presents a review of the performance metrics of Public Key Cryptography (PKC) that have been analyzed based on the PKC schemes from previous researchers' efforts over the last four decades. It also displays the research pattern in different performance metrics over the years. The aim of this paper is to identify the key performance metrics which were addressed by the researchers in previous studies. Finally, the critical concern of this paper, which shows the overall PKC performance metrics, is also presented.
... There are numerous definitions of information security, but many of them revolve around achieving confidentiality, integrity, and availability of the information and/or systems (Anderson, 2003; Dhillon and Backhouse, 2000; Sumra, Hasbullah, and AbManan, 2015; Von Solms and Van Niekerk, 2013). These goals are important, as they provide trust and guarantee the safety of data in motion and data at rest. ...
Article
This case study follows the security breach that affected Target at the end of 2013 and resulted in the loss of financial data for over 70 million customers. The case provides an overview of the company and describes the reasons that led to one of the biggest security breaches in history. It offers a discussion on Target's vendor management processes and the vulnerability at Fazio Mechanical Services that was among the main causes of the breach. Further, the case introduces the incident response plan implemented by Target and discusses the aftermath of the attack. The lessons learned describe some of the steps the company took to mitigate risks in the future and to strengthen its security posture. While the breach had a significant impact on Target, the organization was able to fully recover from it and develop best practices that are now widely implemented by other retailers. The case is suitable for both undergraduate and graduate students enrolled in information security or information systems courses that discuss vendor management, security incident response, or general security program administration topics.
... With these rapid developments, there has been an increasing need for cryptographic methods which prompted many fields such as nanotechnology, biotechnology, chaos fractals and others to provide a contribution toward this goal. Information security, the protection of information in hostile environments, is a crucial factor in industry, business, and administration which ensures a balance between reasonable assessment of information risks, and a proper selection of information controls (James, 2003). It is concerned with the study of mathematical techniques related to aspects that support the requirements for strong security. ...
Chapter
Information security can provide confidentiality, integrity, and availability for society to benefit efficiently from data storage and open networks. Free space communication networks suffer from adversaries who interfere with data on networked computers. Inventing new protection techniques has arisen to ensure integrity and authenticity of digital information. This chapter introduces Nano and Bio techniques in cryptography to enhance the information security systems. Tasks unfeasible on a classical computer can now be performed by quantum computers, yielding a big impact on online security. Threats of exponentially fast quantum algorithms on business transactions could be overcome by this new technology. Based on biological observations, the exploration of biometric cryptography and authentication to determine individuals' authenticity can be done through numeric measurements. This provides very reliable automated verification and strong protection against biometric system attacks.
... When concepts and words are borrowed from other disciplines, often uncritically or speculatively, at some distance from the discourse from which they came, they add little to the creation of new concepts. So, what the term "information security" adds to the well-known concept of security, defined as "the state of being free from danger or threat," is unclear (Anderson, 2003). Schön (1963) suggests that the production of new concepts is closely related to understanding how to work with metaphors and analogies. ...
Conference Paper
The goal of this study is to advance conceptual development and the growth of knowledge in the information systems (IS) field by placing the spotlight on a component of theory that is rarely discussed: the native IS concept. Beginning with the assertion that concepts are not the same as constructs, we build the argument that concepts, which are observable sets of ideas, should take priority over constructs, which are unobservable fictions and hypothetical entities. Using natural language processing (NLP) based principles and techniques, we extract a sample of the most important concepts in the IS field from a corpus of 245 highly cited IS review articles and 1,293 citing articles from the Senior Scholars' Basket of Journals to illustrate the extent to which the field agrees on their usage, their clarity and distinctiveness, and how the field can move forward in enhancing its conceptual formation.
... The goal of managing information security is to ensure the confidentiality, integrity, and availability of valuable information assets that may be strategic, protected, sensitive, or proprietary (Anderson, 2003; Parker, 1998). Illustrated in Fig. 1, this is often termed the "CIA Triad." ...
Article
This conceptual paper explores the impact of blockchain technology on public sector processes through the lens of information security. It includes an overview of the evolution of e-government, a synopsis of existing applications of blockchain technology, and innovative blockchain developments. We utilize the Confidentiality-Integrity-Accessibility (CIA) triad to guide our discussion of the security, governance, and regulatory implications of this technology. Leveraging the CIA triad model, we provide context for public managers who may consider blockchain technologies, and we highlight certain advantages arising from the “non-reputability” of distributed ledgers. In particular, we highlight the advantages of blockchain technologies with regards to non-reputability to help public managers understand how to best leverage blockchain technology to transform operations.
... Information security scholars have consistently criticized this approach for managing cybersecurity risks and questioned its over-reliance on technical controls [39]. In addition, prior literature stresses the limited utility of this approach, which fails to effectively consider wider organizational and social aspects of cybersecurity due to a narrow technical orientation and focus [18,4]. ...
Chapter
Many organizations continue to struggle with the implementation of cybersecurity risk assessment and management programs. Navigating the evolving cybersecurity landscape and trends in technology commercialization requires an understanding of the relational organizational context within which cybersecurity risks are rooted. While several existing cybersecurity risk management frameworks discuss the importance of identifying a context for cyber risks, they do not provide much guidance on “how” that should be done. Leaning on systems theory, this chapter advances the notion that a business and IT alignment approach can be leveraged to inform and drive subsequent cybersecurity risk management and assessment efforts. We outline a holistic roadmap through the incorporation of multiple interconnected dimensions as the underpinning of cybersecurity risk identification and mitigation. We introduce a novel framework that identifies practical organizational drivers and priorities to improve cyber resiliency within the organizational perspective.
... Against these threats, infosec and cryptography are traditionally included among successful anti-surveillance practices (Leistert, 2012). Per se, infosec lacks a shared definition among computer scientists, as most of the definitions available in the literature tend to indicate what infosec does, rather than what it is (Anderson, 2003). Among the other available definitions, Neumann's is probably the one that fits best in relation to the application of infosec to the practice of journalism. ...
Article
Information security (infosec) has become a field of primary interest for journalism, especially in the wake of the 2013 Edward Snowden revelations about the ramifications of Internet mass surveillance. Following the increasing dangers posed by digital threats—and surveillance in particular—to the safety of journalists and their sources, newsrooms and reporters have shown an increased interest in technological solutions for improved protection of their work and sources. In particular, the adoption of strong encryption tools for communication purposes has become an urgent matter for journalists worldwide, becoming a niche of research in journalism studies as well. By reviewing the existing literature in the field, this article examines how journalism studies approach the use of encryption and information security tools for journalistic purposes. Based on research on the major journalism studies journals and other publications, the article offers an overview of the research advancements, highlighting current major trends and research areas.
... security to protect information and communication with other users (Le et al., 2015; Barrow & Heywood-Everett, 2006; Anderson, 2003). The second is related to education for digital security, which aims to give teachers and students the knowledge and skills needed to ensure security. ...
Article
The goal of this review is to analyse the state of inquiry in the field of digital competence in security in initial teacher education, via indicators to assess preservice teachers’ digital competence in security, in order to help find opportunities to improve their competence level. Following the parameters defined in the PRISMA declaration, the review uses a bibliographic research methodology to explore the WoS, Scopus and ERIC databases. After a search identifying a sample of 31 scholarly articles published between 2010 and 2021, we analyse the information obtained using descriptive statistics and content analysis. The results show a predominance of empirical research in the European context. These studies are quantitative and tend to use questionnaires. Our conclusion proposes the need to train preservice teachers in data protection and privacy, searching for and using Internet images with authorship screening, use of open software programs, and respect for online communication norms, as well as ethical and responsible technology use. All of these issues are implicitly and transversally linked to the area of digital competence in security.
... Information security involves all processes for protecting data and reducing the adverse effects of any incidents of unlawful use, disclosure, deletion, corruption, or any other form of misuse. As defined by [2], information security is the assurance that information risks and controls are in balance. Cryptographic hash functions are widely used in information security in many areas, like digital signatures and authentication, cybersecurity for risk management, and healthcare systems security [3][4][5][6]. ...
Article
In the current Internet of things era, all companies shifted from paper-based data to the electronic format. Although this shift increased the efficiency of data processing, it has security drawbacks. Healthcare databases are a precious target for attackers because they facilitate identity theft and cybercrime. This paper presents an approach for database damage assessment for healthcare systems. Inspired by the current behavior of COVID-19 infections, our approach views the damage assessment problem the same way. The malicious transactions will be viewed as if they are COVID-19 viruses, taken from infection onward. The challenge of this research is to discover the infected transactions in a minimal time. The proposed parallel algorithm is based on the transaction dependency paradigm, with a time complexity O((M+NQ+N^3)/L) (M = total number of transactions under scrutiny, N = number of malicious and affected transactions in the testing list, Q = time for dependency check, and L = number of threads used). The memory complexity of the algorithm is O(N+KL) (N = number of malicious and affected transactions, K = number of transactions in one area handled by one thread, and L = number of threads). Since the damage assessment time is directly proportional to the denial-of-service time, the proposed algorithm provides a minimized execution time. Our algorithm is a novel approach that outperforms other existing algorithms in this domain in terms of both time and memory, working up to four times faster in terms of time and with 120,000 fewer bytes in terms of memory.
... There are confidentiality, integrity and availability (CIA) based classification methods. Confidentiality refers to keeping information confidential, integrity to keeping information immutable, and availability to being able to use information immediately, regardless of geographic or temporal constraints [7]. The security class of the document is evaluated for each area of confidentiality, integrity and availability, the total impact is calculated to reflect this, and the classes are assigned accordingly. ...
... Information Security is a multidisciplinary area of study and professional activity focusing on safeguarding and protecting Information Technology against a variety of dangers and threats [1,2]. Initially, information security was characterized by a rather technical approach best left to the technical experts [3]. Even at this early stage, people responsible for implementing information security identified the need for top management to become involved. ...
Article
This paper presents a cyber-security culture framework for assessing and evaluating the current security readiness of an organization's workforce. Having conducted a thorough review of the most commonly used security frameworks, we identify core security human-related elements and classify them by constructing a domain-agnostic security model. We then proceed by presenting in detail each component of our model and attempt to quantify them in order to achieve a feasible assessment methodology. The paper thereafter presents the application of this methodology to the design and development of a security culture evaluation tool that offers recommendations and alternative approaches to workforce training programs and techniques. The model has been designed to adapt easily to various application domains while focusing on their unique characteristics. The paper concludes with applications of our instrument in security-critical domains and its contribution to current research by providing deeper insights regarding the human factor in cybersecurity.
... Information system security has become a critical issue for management in securing the organization, information system, and security risks caused by various interrelated internal and external factors (Feng et al., 2014). Anderson (2003) and Dhillon and Torkzadeh (2006) state that information system security is high-quality information which ensures that the risk from information source is appropriate to technical control, administration, and behaviors of the organization. Thus, information system security has become a core business process in any organization (Trcek, 2003). ...
... Poorly-secured systems make firms prone to cyber security threats, especially when new IT technologies are integrated with legacy systems [20]. Thus, firms need to ensure security in terms of: (1) accessibility of data only by authorized actors and protection of sensitive data, i.e. confidentiality; (2) controlling any modification, i.e. integrity; (3) continuity of operations, i.e. availability [2]. ...
Chapter
Organizational processes, production, business strategy, value creation and value delivery are undergoing significant change as a result of emerging new technologies in the Industry 4.0 context. This has drawn attention across many countries, not only from organizations but also from stakeholders and policy makers, as the fourth industrial revolution. While Industry 4.0 has been widely investigated in large enterprises, to date little is known about how SMEs with limited financial resources make strategic decisions, in particular about IT investment in diverse emerging technologies. To close this gap, this paper focuses on the propensity of SMEs to invest in IT in an Industry 4.0 context. We analyze the responses of 1889 Italian SMEs to Government policies designed to facilitate SMEs in adopting technologies for Industry 4.0. This study aims to contribute to the alignment literature by highlighting the importance of IT investment as a strategic decision in Industry 4.0. Moreover, the paper offers a set of practical implications.
Chapter
Information security and privacy are multi-faceted concepts, and earlier definitions of information security and privacy seem inadequate in the context of emerging technologies such as social media. Hence, this chapter presents an analysis of the concept of information security followed by a discussion of computer security, information security, network security, personal privacy, informational privacy, etc. Then the discussion narrows down to information security and privacy on Social Networking Sites (SNS), followed by an analysis of the consequences of information security and privacy breaches from individualistic and organizational perspectives. The lack of understanding of the complex nature of security and privacy issues is preventing businesses from gaining the full economic benefit, especially on SNS. Therefore, some solutions and recommendations are suggested towards the end of the chapter, including the need for a common legal framework. Finally, the chapter ends with suggestions for future research.
Chapter
Despite great interest of researchers and professionals in Information Security (InfoSec) and Information Assurance (IA), there is still no commonly agreed understanding of the disciplines. This chapter clarifies the meaning, scope, and goals of InfoSec and IA as well as the relationship between the disciplines. Clarity of the scope and goals of InfoSec and IA is important because this knowledge serves as a foundation for the definition of (1) curricula for the InfoSec and IA education programs, (2) responsibilities of practitioners, and (3) organisations' InfoSec strategy and policies. The study analyses US and European InfoSec- and IA-related official publications and standards and discusses the perception of the disciplines in academic and industry works. The study highlights the importance of clear and precise definitions of InfoSec and IA and a need for the definitions to promote open-mindedness among practitioners and researchers. Since the existing definitions of InfoSec and IA do not fully reflect the complexity and the evolving nature of the disciplines, the contemporary adapted definitions of InfoSec and IA are elaborated in the chapter.
Article
Due to the spectacular growth of wireless services and demands in recent years, Orthogonal Frequency Division Multiplexing (OFDM) is a recent and suitable modulation scheme for commercial high-speed broadband wireless communication systems. OFDM is one of the main techniques proposed to be employed in 4th Generation Wireless Systems. One of the OFDM key parameters is the cyclic prefix (CP). The cyclic prefix is a guard time length padded onto every OFDM symbol to completely alleviate Inter-symbol Interference (ISI) and to preserve orthogonality among OFDM subcarriers, as long as the guard time length is sufficiently greater than the channel delay spread. This paper analyzes the OFDM system and the effect of the cyclic prefix and its length on the OFDM system. Besides, it compares the performance of the system with and without the cyclic prefix. The simulations were carried out over AWGN and Rayleigh fading channels, and the results have been compared with the theoretical ones.
Article
The Novelty of Cybercrime is a research problem in criminology where scholars are asking whether cybercrime is a wholly new form of crime compared with traditional–terrestrial crimes and whether new criminological theories are needed to understand it. Most criminological theories focus on the human rational aspects and downplay the role of non-humans in explaining what may be novel in cybercrime. This paper shows that a sociotechnical perspective can be developed for understanding the Novelty of Cybercrime using some insights from criminology. Working from the agnosticism principle of Actor-Network Theory and a situated genealogical perspective, it is possible to see that a criminological vocabulary can accommodate both the roles and relations of rational human and non-human actors. This is achieved by proposing the concept of the engineer–criminologist, developed by conducting a study of the development of information security for timesharing systems in the 1960s and 1970s. Timesharing security engineers were facing a completely new form of rule-breaking behaviour, that of unauthorised access and at the same time they were constantly using criminological concepts to shape their design of security and explain this behaviour. The concept of engineer–criminologists affords the use of criminological concepts in the sociotechnical study of the Novelty of Cybercrime.
Article
Connected and autonomous vehicles (CAVs) and intelligent transport systems are transforming individual driving behavior and thus, the vehicle industry and transport sector. However, increasing vehicle connectivity makes CAVs more susceptible to cyber-attacks, which is a barrier to consumers’ CAV adoption. This study analyzes the types of information security threats consumers consider to be the most dangerous and consumer preference for the information security solution that protects their CAVs from such information security threats. We use stated preference data from a discrete choice experiment and a mixed logit model to reflect consumers’ heterogeneity on information security threats and solutions. Furthermore, we investigate the effects of experiencing privacy leakage on attitudes toward CAV information security threats by dividing respondents into two groups. The results show that consumers regard communication failure and the unauthorized collection of personal information as dangerous information security threats, which implies that confidentiality and availability are more essential to CAV security than other factors. Moreover, convenience of use, such as having automatic updates and a security dashboard, is also important when purchasing a CAV information security solution. We also find that respondents who have experienced privacy leakage have a higher preference for protecting CAVs from information security threats than those who have not.
Chapter
This chapter examines the development of Russia’s official cybersecurity policies with regard to the Arctic since the early 2000s, which is when the first Strategy for the Development of an Information Society was adopted. The primary focus is on examining how the notion of cybersecurity is framed at the official level and determining who its major target groups are. More specifically, this chapter analyses whether the issues associated with human security are included in Russia’s official cybersecurity discourse. The subject of Russia’s official discourse on cybersecurity in the Arctic is important in terms of revealing the critical actors who will enforce and benefit from cybersecurity at a time characterised by the increasing digitalisation of the Arctic.
Article
The rapid evaluation of data transmission in wireless communication technologies can reveal many problems. In previous years, many routing protocols were developed, implemented, and evaluated for the transmission of data in the Mobile ad hoc network (MANET), which is envisioned to be a useful technology in military communication systems and other areas. One of the routing protocols used in MANET is the hierarchical routing protocol, which is considered energy efficient. Therefore, in this paper, a comprehensive study of the hierarchical routing protocol for MANET is presented in order to expose new open issues, so that other researchers can either improve the existing routing techniques or develop new routing solutions. The reviewed routing protocol is designed to support networks of a medium size, containing approximately between 150 and 250 nodes but fewer than 3,000 nodes. The reviewed design is intentionally simple to allow ease of implementation in comparison with other MANET protocols that provide similar functionality.
Chapter
One of the problems highlighted within the area of information security is that international standards are implemented in organisations without adapting them to specific organisational settings. In this chapter the authors analyse information security goals found in hospital settings. They found that the CIA triad fails to cover organisation-specific information security goals in hospital settings. They also found that the information security goals held by information security managers and business managers are not the same, implying that both of these groups should be involved in the design of information security goals in order to find information security goals relevant to the organisation. Finally, the authors found the goal maps used in this study for the analysis of empirical data to be a useful tool for the analysis and communication of information security goals in an organisation.
Article
With the rapid development of Internet of Things technology (e.g. wireless sensor networks), security has become a global issue. Confidentiality, integrity, and availability (known as the CIA triangle) are widely used to define and model information security. However, this CIA triangle is insufficient to address rapidly changing security requirements. In this article, we divide information systems into four layers: the physical layer, operational layer, data layer, and content layer (PODC). Correspondingly, a hierarchy of information security is proposed. Furthermore, we define the basic security properties for each layer and show that the four properties (i.e. confidentiality, availability, controllability, and authentication, called CACA) are minimally complete and independent for information security. Based on PODC and CACA, a new definition of information security is proposed, which acts as a secure foundation for information systems.
Chapter
As information systems become more pervasive within organizations, securing their associated information assets has become a topic of extensive research. However, minimal research has been focused on understanding the dimensions of information systems security within an organizational context. This study organizes a considerable body of information systems security literature based on their findings, and the authors identify core dimensions of information system security success and operationalize them as a model to predict success with information security initiatives. The utility of the proposed model is evaluated for the e-Government context and emergent issues for research and practice are discussed.
Thesis
The research topic under investigation in this thesis is information security strategy in organisations and I propose a substantive theory for understanding this phenomenon under varying environmental and internal conditions. My original contribution to knowledge includes a definition for information security strategy, criteria for organisational environment and information assessment, a conceptual model of information security strategy, a substantive theory on information security strategy, and a descriptive set of benefits that can be adopted after strategy selection and approval. Organisations are progressively undertaking digital transformation of their products and services to reduce costs, improve customer relationships, and consolidate operations. Information is the “lifeblood” of any organisation and is increasingly being used to support this digital transformation across the entire organisation. Yet, the boundaries of information, its value, and importance in supporting organisational goals are frequently overlooked, creating security exposures and vulnerabilities. One reason for this is a lack of attention paid to cataloguing and controlling valuable information being used as a business resource. Others are that usage of emerging disruptive technology such as cloud-based applications can create porous network borders, that security controls used to protect information can be expensive and complex, and that organisational leaders may resist the implementation of security controls due to a perception that they impede productivity. This then leads to increased risk to information, affecting organisational leaders in the governing body, who currently have no consistent guidance available to help them in selecting a strategy or setting a strategic direction for information security. To address this problem, I examine a range of concepts when adopting an approach to securing information, by interviewing security leaders in organisations. 
In a qualitative study, I interviewed twenty-five participants and took a phenomenological approach to understanding their lived experiences with developing and using an information security strategy. I used grounded theory methodology and techniques to analyse the interview transcripts and their organisation’s information security strategy documents when permitted, to understand significant information security concepts and their relationships in an organisational context. The results show that organisational leaders choose from four main strategies when making decisions to secure their organisation’s information, which are Fortification, Devaluation, Outsourcing and Minimisation. Their selection depends on consideration of organisational factors including constraints on outsourcing decisions and the value of information held within the organisation. This facilitated the development of a conceptual model of information security strategy and a substantive theory on information security strategy. The implications of this are that organisations can continue business operations towards the achievement of strategic goals using information as a resource, and that the selection of an information security strategy can lead to a more complete understanding of the comprehensive strategic plans required to implement operational security controls throughout an organisation, making them more applicable and cost effective.
Article
Full-text available
This research paper was published in a special issue (2020) of the journal Transforming Government: People, Process and Policy. The aim of the special issue was to identify what was “idle” in the policies of governments to address the challenges of cyber, among other aspects. This paper explores the work undertaken by United Nations bodies in the field of cyber security and cyber peace. It assesses the work underway and attempts to propose some realistic directions for further progress.
Purpose: The development of technologies for the conduct of cyber operations represents an opportunity for states to defend their interests in international relations, but it also bears risks and challenges. Since the early 2000s, the United Nations “group of governmental experts (GGE) on developments in the field of information and telecommunications in the context of international security” has debated this issue. This paper aims to investigate how states are challenged in the development of international cyber norms and where capacity to act is idle, i.e. to assess how much has been reached in the international community’s debate on cyber threats and malicious behaviours in the international security context, and to identify directions in which to move the GGE’s work further.
Design/methodology/approach: The methodology uses extensive text-based desk research and relies on a thorough collection, analysis and interpretation of United Nations (UN) documents. Where specific substantive topics are addressed in the GGE, the content of the debate is compared with issue-specific academic literature on those matters.
Findings: The results highlight that the GGE managed to gather consensus on a number of cooperation and normative measures in this politically highly sensitive topic, and more deliverables are expected during this and next year. The paper identifies a weakness in terms of operational implementation, though. The paper proposes a few examples of concrete steps forward that could complement the existing consensus, especially on the implementation side.
Originality/value: Because of its political sensitivity, the GGE has worked with discretion and has attracted little academic attention. This paper is an original and timely attempt to assess the achievements and possible outlook of this endeavour of the international community, including the incipient work of a recently established open-ended working group. It also attempts to connect the subject matter discussed in the UN with related academic literature, including in respect of definitional and conceptual issues. Available at: https://www.emerald.com/insight/content/doi/10.1108/TG-01-2020-0007/full/html
Book
Full-text available
Information security contributes to the success of organizations, as it gives a solid foundation for increasing both efficiency and productivity. Many business organizations realize that compliance with information security standards will affect their business prospects. Securing information resources from unauthorized access is extremely important. Because information security is complex, it needs to be managed in a proper and systematic manner. One effective way to manage information security is to comply with an information security management standard. A number of security standards exist; however, ISO 27001 is the most widely accepted. It is therefore important for an organization to implement ISO 27001 to address information security issues comprehensively. Unfortunately, the existing ISO 27001 compliance methods are complex, time consuming and expensive. A new method, preferably supported by an automated tool, would be much welcomed. One of the key components for the success of information security certification is the use of a framework. Such a framework acts as a tool for understanding the process and technical aspects. Unfortunately, existing frameworks do not provide fixed and practical models for RISC (Readiness and Information Security Capabilities) investigation, an investigation conducted to find out an organization’s readiness and information security capabilities regarding ISO 27001