171 research outputs found
A process model for implementing information systems security governance.
Purpose: The frequent and increasingly potent cyber-attacks due to lack of an optimal mix of technical as well as non-technical IT controls, has led to increased adoption of security governance controls by organizations. The paper thus seeks to construct and empirically validate an information security governance process model through the Plan-Do-Check-Act cycle model of Deming. Design/methodology/approach: This descriptive research using an interpretive paradigm follows a qualitative methodology using expert interviews of five respondents working in the information security governance (ISG) domain in United Arab Emirates to validate the theoretical model. Findings: Our findings suggest the primacy of the Plan-Do-Check-Act Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27 K/NIST IT controls relevant IT controls selected from ISG frameworks from a horizontal and vertical perspective. Respondents asserted the automation of measurement and control mechanism through automation to assist in the feedback loop of the PDCA cycle. Originality/value: The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research where experts detail the success factors, the sequential steps, and justification of these factors in the ISG implementation process
Human and Organizational Factors of Healthcare Data Breaches
Copyright © 2014, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. Over the past few years, concerns related to healthcare data privacy have been mounting since healthcare information has become more digitized, distributed and mobile. However, very little is known about the root cause of data breach incidents; making it difficult for healthcare organizations to establish proper security controls and defenses. Through a systematic review and synthesis of data breaches literature, and using databases of earlier reported healthcare data breaches, the authors re-examine and analyze the causal factors behind healthcare data breaches. The authors then use the Swiss Cheese Model (SCM) to shed light on the technical, organizational and human factors of these breaches. The author\u27s research suggests that incorporating the SCM concepts into the healthcare security policies and procedures can assist healthcare providers in assessing the vulnerabilities and risks associated with the maintenance and transmission of protected health information
Threat detection in smart homes: a sociotechnical multimodal conversational approach for improved cyber situational awareness. [Dataset]
Smart homes are becoming increasingly more complex and difficult to defend. Expanding Internet of Things (IoT) devices has reshaped socio-technical interactions within smart homes, yet security remains a secondary concern. In addition, users have been shown to lack awareness of potential vulnerabilities, leaving smart homes susceptible to attacks. The file associated with this output contains supplementary images, text, TEX, BST, CLO and PDF files
An Optimized Dynamic Process Model of IS Security Governance Implementation
The year 2011 has witnessed a lot of high profiles data breaches despite the availability of IS security and governance controls, frameworks, standards and models for organisations to choose from; and the technical advances made in intrusion prevention and detection. Taking this issue into account the objective of this paper is to identify and analyse the weaknesses in the IS security defences of organisations from a holistic perspective, and propose a dynamic IS security governance process model for the implementation of appropriate controls and mechanisms for optimised IS security. Optimization is achieved through the strategic overlap of security and governance frameworks implemented in a prioritized phased manner for efficiency and effectiveness in cost, time and effort. The paper starts with the analysis of data breaches to identify the weaknesses in the organisational information system. This is followed by the analysis of recommended requirements and dimensions of effective IS security architecture, IS governance, concepts and models to identify relevant frameworks used in IS security and governance. Thereafter, the best practices for implementing the model is evaluated and finally the frameworks and IS entities are integrated into an optimized Information Systems Security and Governance (ISSG) process model
Insourcing a government information system: a case study from Malaysia.
Insourcing, outsourcing and co-sourcing are three approaches to procuring an information system. This research contributes to the body of knowledge on insourcing an information system; exploring and discussing the enabling and inhibiting factors of the insourcing of an information system in selected government agencies in Malaysia. This study was undertaken in response to a paucity of similar projects and a limited literature focused on developing countries. It considers the post outsourcing context following the decision to insource a major Malaysian Government Information System in 2011. A qualitative research method was used to obtain empirical evidence from selected government agencies through 69 semi-structured interviews in two data collection periods: 2013-2014 and 2015. Interviews were conducted with civil servants at all levels, from senior management to clerical staff, including users of the government information system. By using coding principles from grounded theory to analyse the data, seven exciters and six inhibitors of insourcing a government information system were identified and mapped in the analytical framework. Further, this is the first research to use an enhanced model, devised by combining the OPTIMISM model and two distinct theoretical traditions: institutional theory and the capability approach; in order to analyse the insourcing of government information system adoption. The enhanced model was created by mapping the OPTIMISM model (that has a set of dimensions) to an analytical framework comprising the capability approach, institutional theory and technology (ICTs). The main research contribution of this thesis is in the area of capacity building of the internal development team. The increased budget for training, the selection of appropriate training providers and knowledge sharing among experienced and novice developers all contribute to building capacity in the internal development team; and consequently help to improve the quality of the system which will improve service delivery to the general public. The approach and findings of this study contribute to the body of knowledge and understanding of the subject in government information system development and implementation, and can also be applied to improving the quality of service delivery. While this study has focused on government information systems, the wider area of eGovernment, and applications serving the needs of the general public, is equally important, and therefore the researcher suggests that insourcing eGovernment applications would also assist in the capacity building of internal IT staff
Information technology audit: systems alignment and effectiveness measures
Information technology audit has proven to be a relatively new, less researched and rapidly expanding field among large, medium and even small businesses (commercial and non-commercial organisations). The implementation rate has grown rapidly and presents a huge growth market for audit consultants due to the need for transparency and compliance with regulation (for example: Sarbanes Oxley Act) and the need to be competitive in the marketplace. The audit process is being conducted mainly by consultants following a traditional process but using different proprietary approaches and mostly done manually. The purpose of this study is to present a scientific method to attach a purely measurement focus to the auditing process so as to provide an auditing as well as a quantitative outcome of the performance to the various IS entities that are audited using a novel automated method that can save organisations considerable resources in terms of time, cost and effort. The nature of the topic directed the researcher to three domains of information system (IS) namely studies on IS measurement, IT governance and software engineering. These areas provided information on the nature of IS measurement and the models used; the process of auditing/measurement and the corresponding frameworks used; the principles and methodology of measurement of IS entities; and measurement models used both in the software engineering and information systems domain. The review of the literature gave rise to the research question and the COBIT-GQM (Control Objectives for Information Technology Audit) – Goal Question Metrics) model. The research question that had emerged out of the four propositions “How can an IT audit or governance framework be used to measure the effectiveness of IS entities in a scientific manner using customised and goal oriented metrics” along with the nature of data sought (positivist), guided the researcher to qualitative research using multiple case studies to test the theoretical model (grounded theory) that had emerged out of the literature review. The theoretical model was automated (with a front end interface and a back-end database) and initially tested for usability issues. Then the common COBIT control objective that was obtained through an initial survey was entered into the database along with a set of questions and metrics (developed by the researcher by following the given GQM guidelines). This application that was demonstrated, and given for evaluation in four organisations gave rise to expected and surprising results. While the respondents expressed their desire to incorporate a customised and goal oriented measurement perspective to their IT audit/performance functions, that would save them time, effort and cost, numerous suggestions were provided that need to be incorporated into the model to make it fully functional. Notable among them are the need to embed a multiple contextual qualifying layer, incorporating benchmarking feature to the model, and the need to link this with the maturity model. These were incorporated into the model and a comprehensive model incorporating all the suggestions was created. The qualitative case study method being used here more to evaluate a theory, provided a sound base for future studies to generate hypothesis that can be evaluated using quantitative survey methods for the model to be generalised. IT auditing being a relatively new, less researched, conventional and high growth oriented field, the use of an innovative, comprehensive, automated and scientific method of audit and measurement method will satisfy the implied need for organisations to incorporate the diverse audit/measurement/ control/standards into one comprehensive method and this research is a major step in this direction. Since the new model is comprehensive and can be automated organisations can economise in terms of time, cost and effort. Irrespective of the nature of economic cycle the need for economising in terms of cost, time and effort is universal for all organisations
Information Technology Audit: Systems Alignment and Effectiveness Measures
Information technology audit has proven to be a relatively new, less researched and rapidly expanding field among large, medium and even small businesses (commercial and non-commercial organisations). The implementation rate has grown rapidly and presents a huge growth market for audit consultants due to the need for transparency and compliance with regulation (for example: Sarbanes Oxley Act) and the need to be competitive in the marketplace. The audit process is being conducted mainly by consultants following a traditional process but using different proprietary approaches and mostly done manually. The purpose of this study is to present a scientific method to attach a purely measurement focus to the auditing process so as to provide an auditing as well as a quantitative outcome of the performance to the various IS entities that are audited using a novel automated method that can save organisations considerable resources in terms of time, cost and effort. The nature of the topic directed the researcher to three domains of information system (IS) namely studies on IS measurement, IT governance and software engineering. These areas provided information on the nature of IS measurement and the models used; the process of auditing/measurement and the corresponding frameworks used; the principles and methodology of measurement of IS entities; and measurement models used both in the software engineering and information systems domain. The review of the literature gave rise to the research question and the COBIT-GQM (Control Objectives for Information Technology Audit) – Goal Question Metrics) model. The research question that had emerged out of the four propositions “How can an IT audit or governance framework be used to measure the effectiveness of IS entities in a scientific manner using customised and goal oriented metrics” along with the nature of data sought (positivist), guided the researcher to qualitative research using multiple case studies to test the theoretical model (grounded theory) that had emerged out of the literature review. The theoretical model was automated (with a front end interface and a back-end database) and initially tested for usability issues. Then the common COBIT control objective that was obtained through an initial survey was entered into the database along with a set of questions and metrics (developed by the researcher by following the given GQM guidelines). This application that was demonstrated, and given for evaluation in four organisations gave rise to expected and surprising results. While the respondents expressed their desire to incorporate a customised and goal oriented measurement perspective to their IT audit/performance functions, that would save them time, effort and cost, numerous suggestions were provided that need to be incorporated into the model to make it fully functional. Notable among them are the need to embed a multiple contextual qualifying layer, incorporating benchmarking feature to the model, and the need to link this with the maturity model. These were incorporated into the model and a comprehensive model incorporating all the suggestions was created. The qualitative case study method being used here more to evaluate a theory, provided a sound base for future studies to generate hypothesis that can be evaluated using quantitative survey methods for the model to be generalised. IT auditing being a relatively new, less researched, conventional and high growth oriented field, the use of an innovative, comprehensive, automated and scientific method of audit and measurement method will satisfy the implied need for organisations to incorporate the diverse audit/measurement/ control/standards into one comprehensive method and this research is a major step in this direction. Since the new model is comprehensive and can be automated organisations can economise in terms of time, cost and effort. Irrespective of the nature of economic cycle the need for economising in terms of cost, time and effort is universal for all organisations
Evaluating IT Governance Structure Implementation in the Gulf Cooperation Council Region
© 2020 IOP Publishing Ltd. All rights reserved. IT governance (ITG) implementations in organizations started to gain momentum during the turn of the twenty first century mainly due to (but not limited to) the need for IT business alignment, better return of investment, effective utilization of IT and for a strategic direction of IT. This initially mandates to establish and implement a set of ITG structures in the organization to initiate, adopt, and implement relevant ITG frameworks to set in the motion of successful ITG implementation. While researchers have stated twelve relevant ITG structures that needs to be set in place, two questions remain in terms of the two factors namely \u27ease of implementation/use\u27 and \u27effectiveness\u27 of these ITG structures. With scant research in this domain, we explore the relationship of these two factors on the twelve ITG structures through a survey of senior managers involved in ITG domain in the Gulf Cooperation Council (GCC) region. With diverse board and executive level cultures evident in different regions of the world, the adoption of these ITG frameworks and standards depend on the ITG practices being followed in each cultural context. The results thus assist organisations and ITG consultants in the GCC region to know the level of effectiveness of relevant ITG structures as well as the implementation effort required for these
A decision matrix model to identify and evaluate APT vulnerabilities at the user plane
© 2018 Croatian Society MIPRO. While advances in cyber-security defensive mechanisms have substantially prevented malware from penetrating into organizational Information Systems (IS) networks, organizational users have found themselves vulnerable to threats emanating from Advanced Persistent Threat (APT) vectors, mostly in the form of spear phishing. In this respect, the question of how an organizational user can differentiate between a genuine communication and a similar looking fraudulent communication in an email/APT threat vector remains a dilemma. Therefore, identifying and evaluating the APT vector attributes and assigning relative weights to them can assist the user to make a correct decision when confronted with a scenario that may be genuine or a malicious APT vector. In this respect, we propose an APT Decision Matrix model which can be used as a lens to build multiple APT threat vector scenarios to identify threat attributes and their weights, which can lead to systems compromise
Applying System Dynamics to Model Advanced Persistent Threats
© 2019 Association for Computing Machinery. System dynamics (SD) concept has been successfully applied to analyze issues that are non-linear, complex, and dynamic in disciplines namely social sciences and technology. However, its application to cyber security issues especially threats that involves multiple variables interacting with the technical as well as the organizational domain is lacking. In this respect, Advanced Persistent Threat (APT) is regarded as a highly targeted and sophisticated attack using zero-day malware, stealth, and multiple advanced techniques to gain entry and maintain its presence inside organizational network unnoticed. Being a threat that exploits technical as well as organizational vulnerabilities, preventing it at the security perimeter and, detecting it once it enters the system is a challenge till date. To demonstrate the application of SD in identifying and analyzing the effect of each of the variables, we took the Equinox data breach as a case study. The variables leading to the breach were identified, entered into Vensim software and simulated to get the results. Through this exercise, we could identify seven key independent management variables for the technical security and three key independent variables for records breach. This research being the foremost study to apply SD to APT, we presume that by modelling APT attacks using SD through a case study this paper, thus provides insights into the dynamics of the threat. Furthermore, it suggests \u27what if\u27 strategies to minimize APT risks thereby reduce the extent of damages should an APT attack occur
- …
