Information security management and the human aspect in organizations

2017, Vol 25 (5), pp. 494-534
Author(s):  
Harrison Stewart ◽  
Jan Jürjens

Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security, so that these issues are addressed efficiently, especially in organizations in which data are a valuable asset.

Design/methodology/approach Before developing the survey instrument, effective measures were identified and built from a review of the existing literature; the questionnaire items were then set according to past studies and the findings of qualitative analyses. Data were collected using a cross-sectional questionnaire with a Likert scale, each question corresponding to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B.

Findings Based on the results of three surveys, a principle of information security compliance practice was proposed, the authors' nine-five-circle (NFC) principle, which enhances information security management by identifying the human-conduct and IT security-related issues that bear on information security management. Furthermore, the principle has helped to close the gap between technology and humans by showing that the factors in the present study's findings are interrelated and work together rather than on their own.

Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences the development and implementation of information security management. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides, which give a bigger picture and more precise information about the real issues behind information security management shortcomings.

Practical implications Despite the study's limitations concerning the development of a diagnostic tool, that tool remains the main procedure for measuring a framework to assess information security compliance policies in the organizations surveyed.

Social implications The present study's findings suggest that using flexible tools that can be scoped to meet individual organizational needs has positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake oversimplified, generalized guidelines that neglect to verify the differences in information security requirements across organizations. Instead, they should focus on how to sustain and enhance their compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps.

Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, it has increased information security risk. IT security risk is an important issue in industrial sectors and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but since the early twenty-first century the most important issue identified in technology risk studies has been the human factor.

2015, Vol 23 (2), pp. 161-177
Author(s):  
Li-Hsing Ho ◽  
Ming-Tsai Hsu ◽  
Tieh-Min Yen

Purpose – The purpose of this paper is to analyze the cause-and-effect relationships and the degree of mutual influence among information security control items, and to provide organizations with a method for analyzing them and making systematic decisions for improvement.

Design/methodology/approach – This study used fuzzy DEMATEL (Decision-Making Trial and Evaluation Laboratory) to analyze the cause-and-effect relationships and mutual influence of the 11 control items of the International Organization for Standardization (ISO) 27001 Information Security Management System (ISMS), as rated by seven experts in Taiwan, in order to identify the core control items on which improvement strategies should be built.

Findings – The three core control items of the ISMS were found to be security policy (SC1), access control (SC7) and human resource security (SC4). This gives organizations a direction for developing improvement strategies and for managing their ISMS effectively.

Originality/value – The value of this study is that an organization can dedicate its resources to the core control items, so that the other control items are driven toward positive change, by analyzing the cause-and-effect relations and the degree of mutual influence among control items through a cause-and-effect matrix and a systematic diagram.
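The DEMATEL steps the abstract relies on (normalize the direct-relation matrix, compute the total-relation matrix T = D(I - D)^-1, then rank items by prominence D+R and split them into a cause group and an effect group by the sign of D-R) are shown below in Python as an added worked example; it is not code from Ho, Hsu and Yen. The SC labels follow the paper, but the mapping of SC9 to incident management, the choice of four items instead of eleven and every influence score in the matrix are assumptions made for the example, and the paper's fuzzy aggregation of seven expert ratings is replaced here by one crisp matrix.

```python
"""Crisp DEMATEL on a constructed matrix of ISMS control items (example only)."""
from fractions import Fraction

# Hypothetical item set. SC1/SC4/SC7 follow the paper's labels; SC9 = incident
# management is an assumption (ordering of the ISO 27001:2005 Annex A clauses).
ITEMS = ["SC1 security policy", "SC4 human resource security",
         "SC7 access control", "SC9 incident management"]

# Constructed direct-relation matrix: DIRECT[i][j] is how strongly item i
# influences item j, on a 0 (none) .. 4 (very high) scale. Not expert data.
DIRECT = [
    [0, 4, 3, 2],
    [0, 0, 2, 1],
    [0, 0, 0, 3],
    [0, 0, 0, 0],
]


def normalize(a):
    """Step 1: scale the matrix so that no row or column sum exceeds 1."""
    n = len(a)
    s = max(max(sum(row) for row in a),
            max(sum(a[i][j] for i in range(n)) for j in range(n)))
    return [[Fraction(x, s) for x in row] for row in a]


def invert(m):
    """Exact Gauss-Jordan inverse over Fractions; raises if singular."""
    n = len(m)
    aug = [list(row) + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            raise ValueError("singular matrix")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def matmul(x, y):
    n = len(x)
    return [[sum(x[i][k] * y[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def total_relation(a):
    """Step 2: T = D (I - D)^-1, i.e. direct plus all indirect influence."""
    d = normalize(a)
    n = len(d)
    i_minus_d = [[Fraction(int(i == j)) - d[i][j] for j in range(n)]
                 for i in range(n)]
    return matmul(d, invert(i_minus_d))


def dematel(a, labels):
    """Step 3: per item, D = row sum (influence given), R = column sum
    (influence received), prominence D+R and net relation D-R."""
    t = total_relation(a)
    n = len(t)
    out = {}
    for i, name in enumerate(labels):
        d_i = sum(t[i])
        r_i = sum(t[k][i] for k in range(n))
        out[name] = {"D": d_i, "R": r_i,
                     "prominence": d_i + r_i, "relation": d_i - r_i}
    return out


def core_items(results):
    """Rank by prominence; D-R > 0 is the cause group, the rest the effect group."""
    ranked = sorted(results, key=lambda k: results[k]["prominence"], reverse=True)
    causes = [k for k in ranked if results[k]["relation"] > 0]
    effects = [k for k in ranked if results[k]["relation"] <= 0]
    return ranked, causes, effects


if __name__ == "__main__":
    res = dematel(DIRECT, ITEMS)
    for name, v in res.items():
        print(f"{name:28s} D={float(v['D']):.3f} R={float(v['R']):.3f} "
              f"D+R={float(v['prominence']):.3f} D-R={float(v['relation']):+.3f}")
    ranked, causes, effects = core_items(res)
    print("ranked by prominence:", ranked)
    print("cause group:", causes)
    print("effect group:", effects)
```

With this constructed matrix only security policy lands in the cause group, and access control ranks second by prominence; which items come out as "core" depends entirely on the expert ratings fed in, which is why the paper aggregates several experts' fuzzy judgements rather than relying on one matrix.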


JOURNAL ASRO, 2018, Vol 9 (2), pp. 107
Author(s):  
Arie Marbandi ◽  
Ahmadi Ahmadi ◽  
Adi Bandono ◽  
Okol S Suharyo

Handling information security management is an absolute necessity for organizations whose information systems support their operations. Information systems consist of software and hardware assets that manage data and information spread over networks and the internet, which makes them vulnerable to threats. Investment and costs are therefore needed to secure them. These costs are not small, and the investment expenditure and information security costs incurred need serious handling to be more effective and on target. The System Dynamics model is used to evaluate alternative strategies and to demonstrate the effectiveness of investment and of the cost of managing information security through simulation of policy changes. System Dynamics is a method for describing models and for analyzing systems that are dynamic and complex, consisting of variables that influence each other through causal relationships and feedback loops that are either reinforcing or balancing. The simulation using a system dynamics model in this study shows that risk assessment followed by vulnerability reduction efforts has a very large impact on the management of information security. By varying the value of the security tools investment, the model offers alternative choices of information security risk management investment for achieving cost-effectiveness across the overall expenditure on managing information security.


VINE, 2014, Vol 44 (3), pp. 375-393
Author(s):  
Mohsen Shafiei Nikabadi

Purpose – The main aim of this study is to provide a framework of technology-based factors for knowledge management in the supply chain.

Design/methodology/approach – This is applied research, conducted as a survey at Iran Khodro and Saipa, the largest companies in the Iranian automotive industry. In this study, 206 experts participated. Reliability was assessed with Cronbach's alpha, and validity with content and construct analyses. To answer one main question and three sub-questions, first- and second-order confirmatory factor analysis was used.

Findings – After a literature review, a comprehensive framework with three factors is presented: information technology (IT) tools, information systems integration and information security management. The findings indicate that the framework has good fit and validity in the automotive supply chain. Second, the factors in this framework were also ranked by importance: factor analysis assigned the highest importance to information systems integration, followed by IT tools and, finally, information security management. In addition, the findings indicate that information systems integration has the highest correlation with IT tools.

Originality/value – The main innovative aspect of the research is the presentation of a comprehensive framework of technology-based factors and indices for knowledge management in the supply chain. In addition to presenting a grouping of IT tools for knowledge management processes in the supply chain, the paper also identifies key indices for information systems integration and information security management.


2015, Vol 23 (5), pp. 476-496
Author(s):  
Sindhuja P N ◽  
Anand S. Kunnathur

Purpose – This paper aims to discuss the need for a management control system for information security management that encapsulates the technical, formal and informal systems. This motivated the conceptualization of supply chain information security from a management controls perspective. The extant literature on information security has mostly focused on technical security and on the managerial nuances of implementing and enforcing technical security through formal policies and quality standards at the organizational level. However, most security mechanisms are difficult to differentiate between businesses, and there is no common platform for resolving the security issues of the varied organizations in a supply chain.

Design/methodology/approach – The paper was conceptualized on the basis of a review of the information security literature.

Findings – This study analyzed the need for, and importance of, a level of control above the existing levels, so as to cover the inter-organizational context. It also suggests adopting a management controls perspective to give all-encompassing coverage of the information security discipline in organizations that are part of a global supply chain.

Originality/value – This paper has conceptualized the organizational and inter-organizational challenges that need to be addressed in the context of information security management. It would be difficult to contain the issues of information security management with the existing three levels of controls; hence, a higher level of security control, namely the management control that can act as an umbrella over the existing domains of security controls, was suggested.


Author(s):  
Matthew Guah

One area that has scarcely received attention in the IT security literature is the role that individual compliance plays in preventing cyber-attacks. Specifically, how individuals take precautions, how they are motivated to take precautions, and the impact of corporate security policies on individual precaution-taking behaviour have not been extensively researched. The existing literature has underdeveloped conceptualizations of how these control systems work in the realm of information security. This chapter adds to the body of knowledge on the socio-organizational perspective for understanding IT security management in organizations that implement VLITP. It examines the VLITP implementation process for achieving IT security management certification against BS 7799 Part 2. The author also considers the role of individual perceptions of the compulsion of controls as a significant part of the IT security process. Focusing on the behavioural aspects of security during the implementation of VLITP, this book treats information security as distinct from computer security, which encompasses information security together with other aspects of security such as technical aspects, physical security, system security, networking issues, and so forth. IT security risk considerations are capable of causing particular concern over the interdependence of IT systems and inject another element of complexity into the application of the policies governing VLITPs.


2017, Vol 25 (2), pp. 137-151
Author(s):  
Peter Mayer ◽  
Nina Gerber ◽  
Ronja McDermott ◽  
Melanie Volkamer ◽  
Joachim Vogt

Purpose This paper aims to contribute to the understanding of goal setting in organizations, especially regarding the mitigation of conflicting productivity and security goals.

Design/methodology/approach This paper describes the results of a survey of 200 German employees on the effects of goal setting on employees' security compliance. Based on the survey results, a concept for setting information security goals in organizations, built on actionable behavioral recommendations drawn from information security awareness materials, is developed. This concept was evaluated in three small- to medium-sized organizations (SMEs) with 90 employees in total.

Findings The survey results revealed that the presence of rewards for achieving productivity goals is strongly associated with a decrease in security compliance. The evaluation of the goal-setting concept indicates that employees welcome setting their own information security goals.

Research limitations/implications Both studies rely on self-reported data and are therefore likely to contain some kind of bias.

Practical implications Goal setting in organizations has to accommodate situations where productivity goals constrain security policy compliance. Introducing the proposed goal-setting concept, based on relevant actionable behavioral recommendations, can help mitigate issues in such situations.

Originality/value This work furthers the understanding of the factors affecting employee security compliance. Furthermore, the proposed concept can help maximize the positive effects of goal setting in organizations by mitigating the negative effects through the introduction of meaningful and actionable information security goals.


2018, Vol 26 (1), pp. 39-57
Author(s):  
Andrew Stewart

Purpose An action is utilitarian when it is both useful and practical. This paper aims to examine a number of traditional information security management practices to ascertain their utility. That analysis is performed according to the particular set of challenges and requirements experienced by very large organizations. Examples of such organizations include multinational corporations, the governments of large nations and global investment banks.

Design/methodology/approach The author performs a gap analysis of a number of security management practices. The examination is focused on the question of whether these practices are both useful and practical when used within very large organizations.

Findings The author identifies a number of information security management practices that are considered to be "best practice" in the general case but that are suboptimal at the margin represented by very large organizations. A number of alternative management practices are proposed that compensate for the identified weaknesses.

Originality/value Quoting from the conclusion of the paper: "We have seen in our analysis within this paper that some best practices can experience what economists refer to as diminishing marginal utility. As the target organization drifts from the typical use-case the amount of value-added declines and can potentially enter negative territory. We have also examined the degree of innovation in the practice of security management and the extent to which the literature can support practical, real-world activities. In both the areas, we have identified a number of opportunities to perform further work."


2021, pp. 36-38
Author(s):  
Ekaterina Ahler

A company's information security is not only compliance with a set of IT security measures but also the correct choice of the appropriate standard. Let's look at which standards are aimed at ensuring the information security of the company.


Author(s):  
Jarmila Šalgovičová ◽  
Vanessa Prajová

Currently, all organizations have to tackle the issue of information security. The paper deals with various aspects of Information Security Management (ISM), including procedures, processes, organizational structures, policies and control processes. The introduction of Information Security Management should be a strategic decision. The concept and implementation of Information Security Management in an organization are determined by the corporate needs and objectives, the security requirements, the processes deployed and the size and structure of the organization. The implementation of ISM should be carried out to the extent consistent with the needs of the organization.

