information security governance
Recently Published Documents


TOTAL DOCUMENTS

163
(FIVE YEARS 31)

H-INDEX

14
(FIVE YEARS 2)

2022 ◽  
Vol 19 (1) ◽  
pp. e20221228
Author(s):  
Igor Antônio Magalhães de Oliveira ◽  
Mirian Picinini Méxas ◽  
Elaine Mara Marçal Machado ◽  
Geisa Meirelles Drumond

2021 ◽  
pp. 215-245
Author(s):  
Yassine Maleh ◽  
Abdelkebir Sahid ◽  
Mamoun Alazab ◽  
Mustapha Belaissaoui

2021 ◽  
pp. 189-213
Author(s):  
Yassine Maleh ◽  
Abdelkebir Sahid ◽  
Mamoun Alazab ◽  
Mustapha Belaissaoui

2021 ◽  
Vol 1 (2) ◽  
pp. 62-74
Author(s):  
Kevin Suwandi ◽  
Johan Setiawan

Objective – To analyze the relationship between a company’s information security approach/culture and its information security governance capabilities based on the COBIT 5 framework, and to provide recommendations that can be used to improve the company's information security capabilities per the COBIT 5 standard. Methodology – The research uses qualitative and quantitative methods by conducting interviews and distributing questionnaires to 3 members of the IT Department at PT XYZ. Findings – The research found that the measured COBIT 5 processes (APO13 and DSS05) failed to reach the expected target (level 4), with DSS05 and APO13 reaching only levels 1 and 2, respectively. In addition, several flaws were found in the company’s information security culture that may have contributed directly or indirectly to the current state of the company’s information security capabilities. Novelty – In this study, the researchers expand the previous study on information security culture conducted in 2010 by performing a security audit on a company's IT department to analyze the connection between corporate culture, especially information security culture, and the capability level of information security governance. The company can thus make improvements or corrections to its information security approach/culture based on the recommendations provided with the COBIT 5 framework. Keywords: Capability Level; COBIT; Governance; Information Security Culture.


2021 ◽  
Vol 13 (2) ◽  
pp. 1-34
Author(s):  
Abeer A. Al Batayneh ◽  
Malik Qasaimeh ◽  
Raad S. Al-Qassas

Cybercrime reports showed an increase in the number of attacks targeting financial institutions. Indeed, banks were the target of 30% of the total number of cyber-attacks. One of the recommended methods for driving the security challenges is to implement an Information Security Governance Framework (ISGF), a comprehensive practice that starts from the top management and ends with the smallest function in a bank. Although such initiatives are effective, they typically take years to achieve and require loads of resources, especially for larger banks or if there are multiple ISGFs available for the bank to choose from. These implementation challenges showed the necessity of having a method for evaluating the adequacy of an ISGF for a bank. The research performed during the preparation of this article did not reveal any available structured evaluation method for an ISGF before its implementation. This chapter introduces a novel method for scoring an ISGF to assess its adequacy for a bank without implementing it. The suggested approach is based on ISGF decomposition and transformation into a survey that will be answered by security experts. The survey results were loaded into a Deep Learning Algorithm that produced a scoring model that could predict the adequacy of an ISGF for a bank with an accuracy of 75%.


2021 ◽  
Vol 7 (1) ◽  
Author(s):  
Salman M. Faizi ◽  
Shawon Rahman

Lack of alignment between information technology (IT) and the business is a problem facing many organizations. Most organizations, today, fundamentally depend on IT. When IT and the business are aligned in an organization, IT delivers what the business needs and the business is able to deliver what the market needs. IT has become a strategic function for most organizations, and it is imperative that IT and business are aligned. IT governance is one of the most powerful ways to achieve IT to business alignment. Furthermore, as the use of cloud computing for delivering IT functions becomes pervasive, organizations using cloud computing must effectively apply IT governance to it. While cloud computing presents tremendous opportunities, it comes with risks as well. Information security is one of the top risks in cloud computing. Thus, IT governance must be applied to cloud computing information security to help manage the risks associated with cloud computing information security. This study advances knowledge by extending IT governance to cloud computing and information security governance.


Author(s):  
Yassine Maleh ◽  
Mounia Zaydi ◽  
Abdelkbir Sahid ◽  
Abdellah Ezzati

There is a dearth of academic research literature on the practices and commitments of information security governance in organizations. Despite the existence of reference frameworks and standards for security governance, the research literature remains limited regarding the practices of organizations, and there is a lack of a strategy and practical model to follow in adopting effective information security governance. This chapter aims to explore the engagement processes and the practices of organizations involved in a strategy of information security governance via a statistical and econometric analysis of data from a survey of 1000 participants (with a participation rate of 83.67%) from large and medium companies belonging to various industries. Based on the results of the survey regarding practices of information security management and governance, a practical maturity framework for information security governance and management in organizations is presented.

