Article

A study of employees' attitudes towards organisational information security policies in the UK and Oman


Abstract

There is a need to understand what makes information security successful in an organization. What are the threats that the organization must deal with, and what are the criteria of a beneficial information security policy? Policies are in place, but why are employees not complying? This study is the first step in trying to highlight effective approaches and strategies that might help organizations to achieve good information security by looking at success factors for the implementation. This dissertation will focus on human factors by looking at what concerns employees about information security. It will explore the importance of information security policy in organizations, and employees' attitudes to compliance with organizations' policies. This research has been divided into four stages. Each stage was developed in light of the results from the previous stage. The first two stages were conducted in the Sultanate of Oman in order to use a population just starting out in the information security area. Stage one started with a qualitative semi-structured interview to explore and identify factors contributing towards successful implementation of information security in an organization. The results suggested a number of factors organizations needed to consider to implement information security successfully. The second stage of the research was based on the first stage's results. After analysing the outcomes from the semi-structured interviews, a quantitative questionnaire was developed to explore information security policy. The findings did suggest that the more issues the organization covers in their security policy, the more effective their policy is likely to be. The more an organization reports adoption of such criteria in their security policy, the more they report a highly effective security policy. The more the organization implements the 'success factors', the more effective they feel their security policy will be.
The third stage was conducted in the UK at Glasgow University because employees there are somewhat familiar with the idea of information security. It was based on the findings derived from the analysis of the quantitative questionnaire at stage two. The findings revealed different reasons for employees' non-compliance with organization security policy as well as the impact of non-compliance. The fourth stage consolidates the findings of the three studies and brings them together to give recommendations about how to formulate a security policy to encourage compliance and therefore reduce security threats.


... On the other hand, the current literature contains few studies that explored ISA at OGAs. Al-Awadi (2009) found that employees in OGAs did not know about information security policies or even if such policies existed. Al-Izki and Weir (2016) found that around two-thirds of employees at OGAs were non-compliant with information security policies and had negative perceptions towards ISA. ...
... In Oman, according to ITA (2008), the ISA level for each employee is evaluated during his/her appraisal and based on the employee's knowledge about information security policies. Al-Awadi (2009) found that employees at OGAs did not know about information security policies or even if these policies existed at their agencies. Meanwhile, MTC (2019) and Portal (2012) used online questionnaires to evaluate the knowledge and experience of employees about information security policies. ...
... At the same time, the timeline sequences of previous studies along with their findings have revealed that the problem under investigation has existed for more than a decade at OGAs. Since 2009, there has been a continuous lack of ISA and some carelessness among employees at OGAs (Al-Awadi, 2009; Al-Kalbani, 2017; Al-Izki & Weir, 2016). At the same time, several publications that provide frameworks, policies, and guidelines for use in supporting OGAs to accomplish their mission have been found in the literature (Portal, n.d.). ...
Article
Full-text available
This paper aims at reviewing Information Security Awareness (ISA) practices in general and at Omani Government Agencies (OGA) in particular. It also explores the concerns and challenges that may affect their implementation, and the reasons why ISA practices remained problematic for more than a decade at the OGAs. To inform the aim of this research, the researchers employed a systematic process to review the publications that explored ISA practices in general and at OGAs in particular. As a sampling technique, the researchers created a research strategy to select relevant publications for the study. The grounded theory technique is adopted for data analysis since it provides an inductive and systematic interpretive approach to generate theoretical insights from the data. The review reveals that current ISA practices seem ineffective in meeting the needs of employees. Furthermore, a set of important ISA practices are either missing or undeveloped. The review also revealed the absence of a framework for the ISA process at OGAs. To the best of our knowledge, the present study is one of the first to conduct an in-depth review on ISA practices applied in general and at OGAs in particular. Therefore, this study contributed to the emerging field of information security by reviewing the current state of ISA practices. In addition, this research study contributed a comprehensive picture of sources dealing with vital issues of insider threats and human factors within OGAs that were indeed unclear and surrounded by various ambiguities in the past.
... On whether their staff were trained towards mitigating threats and vulnerabilities, the majority (86.2%) of the respondents agreed, a few (2.2%) disagreed, while 11.7% remained neutral. Al-Awadi (2009) emphasized that training enhances implementation of information security and makes the implementation of security easier. Due to the dynamic nature of information technology, training should be carried out as a continuous process in all firms. ...
Article
Full-text available
Information security risk assessments enable SMEs to identify their key information assets and risks in order to develop effective and economically-viable control strategies. In Kenya, SMEs employ about 85 percent of the workforce. The need to link ISRA with firm performance has become vital for firms striving to achieve superior performance. However, limited attention has been paid to the link, and more so to the moderating role of EO on the ISRA-firm performance relationship model. To better understand this relationship, this paper employed a mixed methods research guided by a cross-sectional research design. Quantitative and qualitative techniques were employed to analyze the collected data using SPSS, Ms-Excel, AMOS, SmartPLS, STATA, R-GUI and ATLAS.ti analytical software. Analyses were conducted using a two-phase process consisting of CFA and SEM. The theoretical models and hypotheses were tested based on empirical data gathered from 94 SMEs in the 2013 Top 100 Survey. The study found that ISRA was a significant predictor of firm performance. The results also revealed that entrepreneurial orientation significantly moderated the relationship between ISRA and firm performance in Kenya. This study will enhance the skill set in Kenyan SMEs and produce a more sustainable solution.
... An aware user who does not also understand and accept the security message may wilfully ignore anything inconvenient to their own tasks, particularly where there is little compulsion to comply (Furnell and Clarke, 2012; Furnell and Thomson, 2009; Von Solms and Von Solms, 2004). They must be persuaded of a threat to their interests and that their action might be effective against it (Herath and Rao, 2009; Besnard and Arief, 2004; Siponen, 2000; Al-Awadi, 2009; Fulford and Doherty, 2003). To enable this, policies must be the product of dialogue rather than artefacts of diktat (Albrechtsen, 2007; Albrechtsen and Hovden, 2010; Gagné et al., 2008). ...
Article
In response to the increased “cyber” threats to business, the UK and US Governments are taking steps to develop the training and professional identity of information security practitioners. The ambition of the UK Government is to drive the creation of a recognised profession, in order to attract technology graduates and others into the practice of cyber-security. Although much has been written by state bodies and industry commentators alike on this topic, we believe this qualitative study is the first empirical academic work investigating attitudes to that professionalisation amongst information security workers. The results are contextualised using concepts from the literature in the fields of professionalisation and social topics in information security.
Article
Full-text available
Information systems have become part and parcel of today’s business operations, with competition on its rise. The security challenges related to information systems could have a severe impact on the overall business objectives of an institution if not handled at the right time. A well-meaning institution must take a full-blown step towards information security management to achieve information security. Information security management has been seen as any management system to address the security issues affecting an institution and align security needs to the overall business objectives. Conversely, Information security policy is the foundation upon which institutions base their entire information security management. This study looks at the uptake of information security policy among Nigerian institutions. The survey result created a clear picture of the uptake of information security policy among Nigerian institutions.
Article
Full-text available
The ‘human factor’ is commonly considered to be the weakest link in an organization’s security chain, and a significant percentage of companies have implemented security awareness (SA) programs to address this vulnerability. However, an element whose usefulness is still underestimated is the importance of performing measurements of the different SA programs’ effectiveness in order to assess their adequateness for achieving the intended goals. This gap has serious consequences, as most security awareness campaigns have turned out to be largely unsuccessful. Awareness measurement tools might be determinant in providing feedback on the outcome of a program as well as in helping with the strategic planning for endorsing security. This article will introduce and critically compare a set of measurement methods. It will then discuss their attributes and suggested applications.
Article
Full-text available
The increasing interest arising around the field of security becomes a pragmatic issue when we consider the behavior of the employees of large organizations involved in critical infrastructures. As a matter of common knowledge, the human factor is the weakest link in the security chain. This introduces the topic of the security awareness of employees in large organizations. In this paper, we describe the results of a survey designed and delivered to large organizations in Europe, to understand how the topic of security is perceived and implemented and what security awareness initiatives are held by organizations to instruct their employees. Moreover, we evaluate 23 methods to increase security awareness, on the basis of several indicators describing their effectiveness, cost, implementation time, and other relevant aspects, to emphasize their pros and cons and their areas of applicability. Finally, we describe a tool developed to support the design of a security awareness campaign respecting the constraints imposed by the needs of each organization.
Article
Purpose: The purpose of this paper is to identify various information security management parameters and develop a conceptual framework for it.
Design/methodology/approach: Interpretive Structural Modeling (ISM) and MICMAC approaches have been used to identify and classify the key factors of information security management based on the direct and indirect relationship of these factors.
Findings: The research presents a classification of key parameters according to their driving power and dependence which enable information security management in an organization. It also suggests parameters on which management should pay more attention.
Research limitations/implications: In the paper, 12 parameters were identified based on a literature study and expert help. It is possible to identify some more parameters for ISM development. The help of experts was also used to identify the contextual relationship among the variables for the ISM model. This may introduce some element of bias. Although a relationship model using ISM has been developed, it has not been validated statistically. For future research, it is suggested that the structural equation modelling (SEM) technique may be used to corroborate the findings of ISM. Some of the variables have been grouped together, being a part of a subset due to their similar nature; but it is possible to treat them as independent variables. Future research may establish their interrelationships also.
Practical implications: The paper has tremendous practical utility for organizations which want to reap the benefits of information and communication technology for their growth but are struggling to find the right approach to deal with information security breach incidents.
Originality/value: Development of a framework for information security management in an organization is the major contribution of this paper. This would be of help to strategic managers in managing information security with emphasis on the key parameters identified here.
Conference Paper
Full-text available
Information security management needs a paradigm shift in order to successfully protect information assets. Organisations must change to the holistic management of information security, requiring a well-established Information Security Management System (ISMS). An ISMS addresses all aspects in an organisation that deal with creating and maintaining a secure information environment. Organisational management and their staff can use the ISMS to manage information security cost-effectively. It can also help with the assessment of the trustworthiness of an organisation's information security arrangements by other organisations. An intelligent mix of aspects such as policies, standards, guidelines, codes-of-practice, technology, human issues, legal and ethical issues constitutes an ISMS. Ideally organisations should opt for a combination of these different aspects in establishing an ISMS. The initial combination of all the aspects might be a bridge too far when embarking on the establishment of an ISMS, forcing organisations to take a 'phased' approach. One approach can be to implement the controls as contained in a standard such as ISO17799. In this case information security is driven from a management process point of view and referred to as 'process security'. Another approach, which also complements or adds to process security, is to use certified products in the IT infrastructure environment when possible. The approach here focuses on technical issues and is referred to as 'product security'.
Conference Paper
Full-text available
The level of quality of security policy is rarely discussed in any great depth in literature. Consequently, organizations often find it difficult to define quality in security policy terms. As the security policy field matures, however, the concept of quality is becoming more important for many of these organizations. This paper presents a model of security policy quality factors which has been developed from software development quality and data model quality. It briefly discusses the importance of these issues to organizations and gives some insight to their relevance by presenting some initial case study results.
Article
Full-text available
The purpose of this research was to investigate how computer-mediated communication affects persuasion in dyadic interactions. Two studies compared participants' attitudes after hearing a series of arguments from a same-gender communicator via either e-mail or face-to-face interaction. In Study 1, women showed less message agreement in response to e-mail versus face-to-face messages, whereas men showed no difference between communication modes. Study 2 replicated this finding and examined the impact of prior interaction with the communicator. For women, the condition that provided the least social interaction led to the least message agreement. For men, the condition that provided the most social challenge led to the least message agreement. Results are interpreted in terms of gender differences in interaction style. (PsycINFO Database Record (c) 2012 APA, all rights reserved)
Article
Full-text available
The research objective was to develop a model for evaluating the human impact that password authentication issues are having on the security of information systems. Through distributing a survey and conducting an experiment, researchers created a model for predicting the vulnerability that a particular set of conditions will have on the likelihood of error in an information system. The survey consisted of over 250 respondents. The experiment consisted of 30 subjects and the analysis utilized a χ2 goodness of fit test. The findings indicate that human error associated with password authentication can be significantly reduced through the use of passwords comprised of data meaningful for the user and that meet the information technology community requirement for strength of password. Future research will be performed to further validate and enhance the developed model and to develop human factor password guidelines.
Article
Full-text available
The concept of an 'information security culture' is relatively new. A review of published research on the topic suggests that it is not the information security panacea that has been suggested. Instead it tends to refer to a range of existing techniques for addressing the human aspect of information security, oversimplifying the link between culture and behaviour, exaggerating the ease with which a culture can be adjusted, and treating culture as a monolith, set from the top. Evidence for some of the claims is also lacking. The paper finds that the term 'information security culture' is ambiguous and vague enough to suggest the possibility of achieving an almost mystical state whereby behaviour consistent with information security is second nature to all employees, but when probed does not deliver. Instead, future research should be clear about what it considers information security culture to be, should provide evidence for claims, and should take complexity and context seriously.
Article
Full-text available
Requirements engineering is one of the key activities in the software development process. The rapid expansion of e-commerce and internet applications increases the need for adequate application security. Yet, conventional requirements engineering methodologies rarely mention information security aspects. The information security community, on the other hand, has developed system security requirements specification methodologies. These methodologies, from the software architect's point of view, are often hard to understand and too general to be applied. By following conventional methodologies and failing to thoroughly understand the security consequences, architects end up with inadequate application security. This paper presents two commonly observed cases - antipatterns. In the first case, an old and well-known (perimeter security) model is applied in a new context without analysis of the security requirements. In the second case, the impact of lacking data sensitivity classification and threat analyses is considered.
Article
Full-text available
Until the era of the information society, information security was a concern mainly for organizations whose line of business demanded a high degree of security. However, the growing use of information technology is affecting the status of information security so that it is gradually becoming an area that plays an important role in our everyday lives. As a result, information security issues should now be regarded on a par with other security issues. Using this assertion as the point of departure, this paper outlines the dimensions of information security awareness, namely its organizational, general public, socio-political, computer ethical and institutional education dimensions, along with the categories (or target groups) within each dimension.
Article
Full-text available
This paper reports on the need for Information Security Awareness educational programs to supplement teaching in Information Security. The need for such a program is demonstrated by findings resulting from a survey of university faculty and staff at Armstrong Atlantic State University conducted from February through April 2005 regarding the information security behaviors of such employees.
Article
Full-text available
Man-made disasters usually lead to the tightening of safety regulations, because rule breaking is seen as a major cause of them. This reaction is based on the assumptions that the safety rules are good and that the rule-breakers are wrong. The reasons the personnel of a coke factory gave for breaking rules raise doubt about the tenability of these assumptions. It is unlikely that this result would have been achieved on the basis of a disaster evaluation, or high-reliability theory. In both approaches, knowledge of the consequences of human conduct hinders an unprejudiced judgement about where the blame for rule breaking lies.
Article
Full-text available
More and more organisations formulate a code of conduct in order to stimulate responsible behaviour among their members. Much time and energy is usually spent fixing the content of the code but many organisations get stuck in the challenge of implementing and maintaining the code. The code then turns into nothing else than the notorious "paper in the drawer", without achieving its aims. The challenge of implementation is to utilize the dynamics which have emerged from the formulation of the code. This will support a continuous process of reflection on the central values and standards contained in the code. This paper presents an assessment method, based on the EFQM model, which intends to support this implementation process.
Article
Full-text available
Many organisations suspect that their internal security threat is more pressing than their external security threat. The internal threat is predominantly the result of poor user security behaviour. Yet, despite that, security awareness programmes often seem more likely to put users to sleep than to improve their behaviour. This article discusses the influences that affect a user's security behaviour and outlines how a well structured approach focused on improving behaviour could be an excellent way to take security slack out of an organisation and to achieve a high return for a modest, low-risk investment.
Conference Paper
Full-text available
Locality as a unifying concept for understanding the normal behavior of benign users of computer systems is suggested as a unifying paradigm that will support the detection of malicious anomalous behaviors. The paper notes that locality appears in many dimensions and applies to such diverse mechanisms as the working set of IP addresses contacted during a web browsing session, the set of email addresses with which one customarily corresponds, the way in which pages are fetched from a web site. In every case intrusive behaviors that violate locality are known to exist and in some cases, the violation is necessary for the intrusive behavior to achieve its goal. If this observation holds up under further investigation, we will have a powerful way of thinking about security and intrusive activity.
Article
Full-text available
Organizations and individuals are increasingly impacted by misuses of information that result from security lapses. Most of the cumulative research on information security has investigated the technical side of this critical issue, but securing organizational systems has its grounding in personal behavior. The fact remains that even with implementing mandatory controls, the application of computing defenses has not kept pace with abusers’ attempts to undermine them. Studies of information security contravention behaviors have focused on some aspects of security lapses and have provided some behavioral recommendations such as punishment of offenders or ethics training. While this research has provided some insight on information security contravention, it leaves incomplete our understanding of the omission of information security measures among people who know how to protect their systems but fail to do so. Yet carelessness with information and failure to take available precautions contributes to significant civil losses and even to crimes. Explanatory theory to guide research that might help to answer important questions about how to treat this omission problem lacks empirical testing. This empirical study uses protection motivation theory to articulate and test a threat control model to validate assumptions and better understand the “knowing-doing” gap, so that more effective interventions can be developed.
Article
Full-text available
The success behind the web-based businesses is consumers' trust in the context of e-commerce, starting with their beliefs, attitudes, intentions, and willingness to perform transactions at web sites. Trust is a complex social phenomenon reflecting technological, behavioral, social, psychological, and organizational interactions among human and nonhuman technological agents. Web vendors must align both their long-term and short-term relationships with consumers and develop interventions to inspire consumer beliefs that affect their attitudes, intentions, and dependence, and ultimately their willingness to spend money. Managers must address the factors affecting different belief classes to establish the trustworthiness of their organizations.
Article
Full-text available
A firm can build more effective security strategies by identifying and ranking the severity of potential threats to its IS efforts.
Article
Full-text available
The current approaches in terms of information security awareness and education are descriptive (i.e. they are not accomplishment-oriented nor do they recognize the factual/normative dualism); and current research has not explored the possibilities offered by motivation/behavioural theories. The first situation, level of descriptiveness, is deemed to be questionable because it may prove eventually that end-users fail to internalize target goals and do not follow security guidelines, for example – which is inadequate. Moreover, the role of motivation in the area of information security is not considered seriously enough, even though its role has been widely recognised. To tackle such weaknesses, this paper constructs a conceptual foundation for information systems/organizational security awareness. The normative and prescriptive nature of end-user guidelines will be considered. In order to understand human behaviour, the behavioural science framework, consisting in intrinsic motivation, a theory of planned behaviour and a technology acceptance model, will be depicted and applied. Current approaches (such as the campaign) in the area of information security awareness and education will be analysed from the viewpoint of the theoretical framework, resulting in information on their strengths and weaknesses. Finally, a novel persuasion strategy aimed at increasing users’ commitment to security guidelines is presented.
Article
Full-text available
The economics of information security has recently become a thriving and fast-moving discipline. As distributed systems are assembled from machines belonging to principals with divergent interests, we find that incentives are becoming as important as technical design in achieving dependability. The new field provides valuable insights not just into “security” topics (such as bugs, spam, phishing, and law enforcement strategy) but into more general areas such as the design of peer-to-peer systems, the optimal balance of effort by programmers and testers, why privacy gets eroded, and the politics of digital rights management.
Article
Full-text available
It has been widely argued in the literature that security concerns should be integrated with software engineering practices. However, only recently work has been initiated towards this direction. Most of this work, however, only considers how security can be analysed during the development lifecycles and not how the security of an information system can be tested during the analysis and design stages. In this paper we present results from the development of a technique, which is based on the use of scenarios, to test the reaction of an information system against potential security attacks. Unpublished conference paper
Article
Full-text available
This paper provides an overview of a research program examining the antecedents and consequences of safety climate and safety behaviour. A model is presented identifying the linkages between safety climate, safety knowledge, safety motivation, and safety behaviour. Findings from a series of studies are reviewed that support the hypothesized linkages between safety climate and safety behaviour. Longitudinal analyses have examined the role of additional factors, such as general organisational climate, supportive leadership and conscientiousness as sources of stability and change in safety climate and safety behaviour. Further developments of the model, aimed at integrating safety behaviour into broader models of work effectiveness, are also discussed.
Article
Full-text available
This paper firstly argues that the design of security applications needs to consider more than technical elements. Since almost all security systems involve human users as well as technology, security should be considered, and designed as, a socio-technical work system. Secondly, we argue that safety-critical systems design has similar goals and issues to security design, and should thus provide a good starting point. Thirdly, we identify Reason's (1990) Generic Error Modeling System as the most suitable starting point for a socio-technical approach, and demonstrate how its basic elements can be applied to the domain of information security. We demonstrate how the application of the model's concepts, especially the distinction between active and latent failures, offers an effective way of identifying and addressing security issues that involve human behavior. Finally, we identify strengths and weaknesses of this approach, and the requirement for further work to produce a security-specific sociotechnical design framework.
Article
Information Systems (IS) development can be seen as a social activity. Research methodologies from social sciences, such as Grounded Theory (GT) can therefore be used to investigate IS practices. This paper asks whether GT can be used to investigate the use of specific methodologies by IS practitioners when the practitioners are not familiar with the methodologies in question. It aims to contribute to GT research methods as well as systems thinking research methods.
Article
This article explores the concept of “human security” as an academic and fledgling policy movement that seeks to place the individual—or people collectively—as the referent of security. It does this against a background of evolving transnational norms relating to security and governance, and the development of scientific understanding that challenges orthodox conceptions of security. It suggests that human security is not a coherent or objective school of thought. Rather, there are different, and sometimes competing, conceptions of human security that may reflect different sociological/cultural and geostrategic orientations. The article argues that the emergence of the concept of human security—as a broad, multifaceted, and evolving conception of security—reflects the impact of values and norms on international relations. It also embraces a range of alliances, actors, and agendas that have taken us beyond the traditional scope of international politics and diplomacy. As a demonstration of change in international relations, of evolving identities and interests, this is best explained with reference to “social constructivist” thought, in contradistinction with the structural realist mainstream of international relations. In a constructivist vein, the article suggests that empirical research is already building a case in support of human security thinking that is, slowly, being acknowledged by decision-makers, against the logic of realist determinism.
Article
There is an old Peanuts strip where Charlie Brown says, “Working here is like wetting your pants in the pool, wearing a dark bathing suit. You get that warm feeling but nobody notices.” Increasingly, I think computer security professionals in large enterprises are in that metaphorical swimming pool. In fact, many are swimming in the deep end without their water wings. When computer security professionals do an excellent job protecting systems and information, the number of bad outcomes decreases. After a generation of peace, pretty soon people start asking why we need the army. I believe this problem stems in part from a fuzzy fundamental: the definition of information security.
Article
This study evaluates current management and security practices with respect to computer virus infestations in business computer systems. Given the rise in macro viruses within recent years many business firms have adopted either a restrictive or proactive management approach to the problem. It is unclear whether there is a significant difference between the approaches in terms of user satisfaction and future virus outbreaks. The lack of consistent computer backup procedures tends to exacerbate a virus outbreak. The cost structure used to address virus management tends to escalate depending on the severity of a virus episode.
Article
The concept of security culture is relatively new. It is often investigated in a simplistic manner focusing on end-users and on the technical aspects of security. Security, however, is a management problem and as a result, the investigation of security culture should also have a management focus. This paper describes a framework of eight dimensions of culture. Each dimension is discussed in terms of how it relates specifically to security culture, based on a number of previously published case studies. We believe that use of this framework in security culture research will reduce the inherent biases of researchers who tend to focus on only technical aspects of culture from an end-user's perspective.
Article
Many information security specialists believe that promoting good end user behaviors and constraining bad end user behaviors provide one important method for making information security effective within organizations. Because of the importance of end user security-related behaviors, having a systematic viewpoint on the different kinds of behavior that end users enact could provide helpful benefits for managers, auditors, information technologists, and others with an interest in assessing and/or influencing end user behavior. In the present article, we describe our efforts to work with subject matter experts to develop a taxonomy of end user security-related behaviors, test the consistency of that taxonomy, and use behaviors from that taxonomy to conduct a U.S. survey of an important set of end user behaviors. We interviewed 110 individuals who possessed knowledge of end user security-related behaviors, conducted a behavior rating exercise with 49 information technology subject matter experts, and ran a U.S. survey of 1167 end users to obtain self-reports of their password-related behaviors. Results suggested that six categories of end user security-related behaviors appeared to fit well on a two-dimensional map where one dimension captured the level of technical knowledge needed to enact the behavior and another dimension captured the intentionality of the behavior (including malicious, neutral, and benevolent intentions). Our U.S. survey of non-malicious, low technical knowledge behaviors related to password creation and sharing showed that password “hygiene” was generally poor but varied substantially across different organization types (e.g., military organizations versus telecommunications companies). Further, we documented evidence that good password hygiene was related to training, awareness, monitoring, and motivation.
Article
As organizations become increasingly dependent on information systems (IS) for strategic advantage and operations, the issue of IS security also becomes increasingly important. In the interconnected electronic business environment of today, security concerns are paramount. Management must invest in IS security to prevent abuses that can lead to competitive disadvantage. Using the literature on security practices and organizational factors, this study develops an integrative model of IS security effectiveness and empirically tests the model. The data were collected through a survey of IS managers from various sectors of the economy. Small and medium-sized enterprises were found to engage in fewer deterrent efforts compared to larger organizations. Organizations with stronger top management support were found to engage in more preventive efforts than organizations with weaker support from higher management. Financial organizations were found to undertake more deterrent efforts and have stiffer deterrent severity than organizations in other sectors. Moreover, greater deterrent efforts and preventive measures were found to lead to enhanced IS security effectiveness. Implications of these findings for further research and practice are discussed.
Conference Paper
This paper presents a concept for the integration of quantitative and qualitative information sources with their accompanying management support functionalities from navigation and retrieval up to analysis and business intelligence. The integration is realized by a common keyword-based metadata base, retrievable and extendible by the end user on a web-based platform. This enables a dynamic acquisition of supplementary information on the usage, usability and benefit of basic and derived information objects, e.g. data warehouses, data marts, OLAP cubes, reports or (textual) documents. Being extended by functions to automatically catch contextual links during system usage, the concept is discussed as a contribution to the implementation of knowledge management. The concept is being developed and successfully tested in the practical environment of a reference project for the implementation of an IT-infrastructure to support decentralized decision-making at a German university.
Conference Paper
We address the problem of controlling information leakage in a concurrent declarative programming setting. Our aim is to define verification tools in order to distinguish between authorized, or declared, information flows such as password testing (e.g., ATM, login processes, etc.) and non-authorized ones. In this paper, we first propose a way to define security policies as confluent and terminating rewrite systems. Such policies define how the privacy levels of information evolve. Then, we provide a formal definition of secure processes with respect to a given security policy. We also define an actual verification algorithm of secure processes based on constraint solving.
Article
The importance of security monitoring in providing immediate feedback regarding the efficacy of a network's security is highlighted. Managed Security Monitoring (MSM) is proposed as an efficient tool to provide active network monitoring. The role of human intervention in network security by prevention, detection, response and the combination of best technologies with best procedures is discussed. It is depicted that, due to the lures of new markets, new customers, new revenue sources and new business models, companies would flock to the Internet regardless of risks.
Article
The third wave of information security is on us, and we will have to surf it to stay competitive. Information Security can only be managed properly if, on a macro level, an internationally accepted reference framework (code of practice) is used, and if on a micro level, physical measurements can be made. All this must be accompanied by an international information security certificate, and a comprehensive corporate information security culture.
Article
Internet security is a pervasive concern for all companies. While many previous studies have attempted to quantify financial losses resulting from IT security breaches, reliance on self-reported survey data has undermined the credibility of their results. Using an event-study methodology, this article analyzes the financial impact of cyber-breaches, by measuring the stock market reaction, and reveals several new perspectives.
Article
Traditional approaches to security architecture and design have attempted to achieve the goal of the elimination of risk factors — the complete prevention of system compromise through technical and procedural means. Insurance-based solutions to risk long ago admitted that a complete elimination of risk is impossible and, instead, have focused more on reducing the impact of harm through financial avenues, providing policies that indemnify the policy holder in the event of harm.
Article
This article details the author's attempts to improve understanding of organisational behaviour through investigation of the cognitive and affective processes that underlie attitudes and behaviour. To this end, the paper describes the author's earlier work on the attribution theory of leadership and, more recently, in three areas of emotion research: affective events theory, emotional intelligence, and the effect of supervisors' facial expression on employees' perceptions of leader-member exchange quality. The paper summarises the author's research on these topics, shows how they have contributed to furthering our understanding of organisational behaviour, suggests where research in these areas is going, and draws some conclusions for management practice.
Article
To show how triangulation with qualitative and quantitative methods can help confirm a theory to a greater degree than can either method alone. CONSTRUCT: Coherence view of theory structure and confirmation. Evidence helps confirm a theory if the theory is the most coherent way of accounting for the evidence, and one theory is more coherent than another insofar as it leaves fewer unanswered questions (and fewer unquestioned answers). The method of this theoretical essay is analytic. Analysis of the debate over methodological triangulation reveals presuppositions about theory structure and confirmation. Well-known arguments in the philosophy of science are presented to show that the presuppositions are false. The arguments provide evidence for the construction of an alternative, coherence model of theory structure and confirmation. Three consequences of the analysis are: (a) qualitative and quantitative methods do not produce theories with different structures; (b) qualitative and quantitative methods help to confirm theory in the same ways; and (c) used together, qualitative and quantitative methods can confirm a theory to a greater degree than the use of either method alone. A coherence model of theory structure and confirmation supports a version of the blending view of methodological triangulation. Triangulation can provide completeness, abductive inspiration, and confirmation. This version of blending provides principles for resolving issues of methodological dominance and order, and it indicates how different methods can disconfirm theory.
Article
In a survey of Australian citizens (valid N = 1,406), personal and social norms were found to moderate effects of deterrence on tax evasion. Personal, internalized norms of tax honesty were negatively related to tax evasion and moderated the effects of deterrence variables (i.e., sanction severity), suggesting deterrence effects only when individual ethics were weak. Perceived social norms, beyond those internalized as personal norms, were not directly related to tax evasion but moderated the effects of sanction severity. Only when social norms were seen as strongly in favor of tax honesty was sanction severity negatively related to tax evasion. This result held only for respondents who did not identify strongly as Australians. Hence, when internalized, norms delimit effects of deterrence; when considered external to one's self, norms boost deterrence effects, giving social meaning to formal sanctions.
Article
Today, security is a major concern at the top corporate, government, and academic levels, and security problems in cyberspace are unlikely to disappear or be solved any time soon. Indeed, new problems and requirements are likely to emerge, and we can anticipate continued interest in the field. The author discusses user friendly security and considers business-driven security.