Strategic and Practical Approaches for Information Security Governance
Published By IGI Global

9781466601970, 9781466601987

Author(s):  
Joo Soon Lim ◽  
Shanton Chang ◽  
Atif Ahmad ◽  
Sean Maynard

In organizations, employee behaviour has a considerable impact on information security. The organizational culture (OC) that shapes acceptable employee behaviours is therefore significant. A large body of literature calls for the cultivation of a security culture to positively influence the information security-related behaviour of employees. However, there is little research examining the OC that enables the implementation of information security. The authors address the unsubstantiated claim that there is an important relationship between OC and the ability to successfully implement information security. Findings suggest that security practices can be successfully implemented within eight organizational culture characteristics. Investigation of these organizational culture characteristics from a security perspective is an important step toward future empirical research aimed at understanding the relationship between OC and the systematic improvement of security practices. The research and practical implications of these findings are discussed, and future research areas are explored.



Author(s):  
Michael Van Hilst ◽  
Eduardo B. Fernandez

This chapter presents a method of mapping solution elements to regions of the problem space. Security requires complete, effective, and comprehensive coverage. Existing methodologies can enumerate known weaknesses and common solution elements. But not every solution is right for every situation. Moreover, any weakness in any component, phase, or activity can compromise the entire system. The method presented here helps map solutions to problems, and also brings attention to what might be missing. The approach, called a construct grid, divides the conceptual problem space along multiple dimensions. The space along each dimension is defined as a continuum with identifiable regions of concern. The chapter provides examples of several dimensions and the types of concerns used to define the regions of concern.
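The chapter's construct grid is described only in prose above. The following is an added illustration, not code from the chapter or its authors: it models a two-dimensional grid whose dimensions, regions of concern and solution elements are all hypothetical placeholders chosen for the example, maps each solution to the regions it addresses, and then reports the cells no solution covers, which is the "what might be missing" check the chapter describes.

```python
# Added example: a minimal construct-grid coverage check.
# The dimension names, regions and solution elements below are hypothetical
# illustrations for this example; they are not taken from the chapter.
from itertools import product

# Each dimension is a continuum divided into named regions of concern.
DIMENSIONS = {
    "lifecycle": ["requirements", "design", "implementation", "deployment", "operation"],
    "asset_layer": ["network", "host", "application", "data"],
}

# Each solution element names the regions it addresses on every dimension.
# None means the solution applies across the whole dimension.
SOLUTIONS = {
    "threat modeling": {"lifecycle": ["requirements", "design"], "asset_layer": None},
    "static analysis": {"lifecycle": ["implementation"], "asset_layer": ["application"]},
    "TLS everywhere": {"lifecycle": ["deployment", "operation"], "asset_layer": ["network"]},
    "log monitoring": {"lifecycle": ["operation"], "asset_layer": ["host", "application"]},
}


def validate(dimensions, solutions):
    """Return (solution, dimension, region) triples that name a region the grid
    does not define. A typo here would silently shrink a solution's coverage,
    so check it before trusting the gap report."""
    bad = []
    for sol, regions in solutions.items():
        for dim, allowed in regions.items():
            if dim not in dimensions:
                bad.append((sol, dim, None))
                continue
            for r in allowed or []:
                if r not in dimensions[dim]:
                    bad.append((sol, dim, r))
    return bad


def build_grid(dimensions, solutions):
    """Map every cell (one region per dimension) to the set of solutions covering it."""
    names = list(dimensions)
    grid = {}
    for cell in product(*(dimensions[n] for n in names)):
        covering = set()
        for sol, regions in solutions.items():
            # A solution covers the cell if, on every dimension, the cell's
            # region is among the solution's regions (or the solution spans it).
            if all(regions.get(n) is None or r in regions[n] for n, r in zip(names, cell)):
                covering.add(sol)
        grid[cell] = covering
    return grid


def uncovered_cells(grid):
    """Cells that no solution element addresses: the gaps to bring attention to."""
    return sorted(c for c, s in grid.items() if not s)


def coverage_ratio(grid):
    return sum(1 for s in grid.values() if s) / len(grid)


if __name__ == "__main__":
    assert not validate(DIMENSIONS, SOLUTIONS), validate(DIMENSIONS, SOLUTIONS)
    grid = build_grid(DIMENSIONS, SOLUTIONS)
    print(f"coverage: {coverage_ratio(grid):.0%}")
    for cell in uncovered_cells(grid):
        print("uncovered:", " / ".join(cell))
```

With the placeholder data the grid has 20 cells, 13 of them covered; the gap list shows, for instance, that nothing addresses data at the operation stage. Adding a third dimension only means adding a key to `DIMENSIONS` and to each solution; the product of regions grows accordingly, which is the point of the grid: the cells that fall out of the product are the ones a flat checklist would never have prompted you to look at.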



Author(s):  
Peter Goldschmidt

This discussion focuses primarily on supporting communities of practice tasked with compliance monitoring in complex environments. Here, the decision makers, as members of the surveillance community of practice, may be confronted with rapidly changing information, and the solution or solutions may be required rapidly and at low cost. In these cases, fully automated monitoring or surveillance systems are limited in their utility because of dynamic contexts and temporal and spatial variations. Managing these limitations typically requires human judgement to assess the results of these monitoring systems. Other reasons for requiring human judgement include the need for surveillance results to be verified and assured with substantiating evidence, and the delegation of control and responsibility when actioning remedial responses to generated alerts and alarms. The performance of surveillance information systems depends on reducing the decision time for remedial action by verifying alarms and generating actionable indicators, in context. This chapter discusses support and assurance of surveillance monitoring, compliance verification, and the knowledge management of surveillance results. The aim is to support real-time alarm identification and verification, assurance, and management decision making for information assurance by tracking the parameters monitored by the existing information assurance monitoring infrastructure and operating work systems, and using that data and knowledge to create useful and actionable information. The goal is to reduce the time to decision for information assurance remedial action, enabling accurate and rapid operational execution.



Author(s):  
Luís Enrique Sánchez ◽  
Antonio Santos-Olmo ◽  
Eduardo Fernandez-Medina ◽  
Mario Piattini

The information society is increasingly dependent upon Information Security Management Systems (ISMSs), and the availability of these systems has become crucial to the evolution of Small and Medium-size Enterprises (SMEs). However, these companies require ISMSs that have been adapted to their specific characteristics, and these systems must be optimized with respect to the resources needed to deploy and maintain them. Over the last 10 years, the authors have obtained considerable experience in establishing ISMSs, and during this time they have observed that the structure and characteristics of SMEs as regards security management are frequently very similar (since they can be grouped by business size and sector), which means that it is possible to construct patterns for ISMSs that can be reused and refined. In this chapter, the authors present the strategy they have designed to manage and reuse security information in information system security management. This strategy is framed within a methodology designed for integral security management and information systems maturity, called the "Methodology for Security Management and Maturity in Small and Medium-size Enterprises (MSM2-SME)," and is defined in a reusable model called the "Reusable Pattern for Security Management (RPSM)," which systematically defines, manages, and reuses the methodology through a sub-process called "Generation of Security Management Patterns (GSMP)." This model is currently being applied in real cases and is thus constantly improving.



Author(s):  
Syed Irfan Nabi ◽  
Ghmlas Saleh Al-Ghmlas ◽  
Khaled Alghathbar

This chapter explores enterprise information security policies, standards, and procedures. It examines the existing resources, analyses the available options, and offers recommendations to CIOs and others who have to make decisions about policies, standards, and procedures to ensure information security in their enterprise. Additionally, the need, requirements, and audience for the different types of security documents are scrutinized. Their mutual relationship is examined, and the association among them is illustrated with a diagram supplemented by an example to aid comprehension of these documents. It is important to know the sources and organizations that produce standards and guidelines, so the major ones are discussed. This research involved finding all of the relevant documents and analyzing the reasons for the ever-increasing number of new ones and the revisions of existing ones. Various well-known and established international and national information security standards and guidelines are listed to provide a pertinent collection from which to choose. The distinguishing factors and common attributes are researched to make it easier to classify these documents. Finally, the crux of the chapter is a recommendation of appropriate information security standards and guidelines based on the sector to which an organization belongs. The role played by these standards and guidelines in the effectiveness of information security is also analysed, along with some caveats. It is important for practitioners and researchers to know what is available, who the key players are, and the potential issues with information security standards and guidelines; all of these are concisely presented in this chapter.



Author(s):  
Daniel Oost ◽  
Eng K. Chew

The concept of an “information security culture” is relatively new. A review of published research on the topic suggests that it is not the information security panacea that has been suggested. Instead, it tends to refer to a range of existing techniques for addressing the human aspect of information security, oversimplifying the link between culture and behaviour, exaggerating the ease with which a culture can be adjusted, and treating culture as a monolith, set from the top. Evidence for some of the claims is also lacking. This chapter finds that the term “information security culture” is ambiguous and vague enough to suggest the possibility of achieving an almost mystical state, whereby behaviour consistent with information security is second nature to all employees, but when probed does not deliver. Instead, future research should be clear about what it considers information security culture to be, should provide evidence for claims, and should take complexity and context seriously.



Author(s):  
Shyh-Chang Liu ◽  
Tsang-Hung Wu

With the rapid progress of information technology, information security issues have recently become more important to industry. Because the scope of information security is so broad, absolute safety is hardly achievable, especially when only limited resources are available. A possible way to enhance the security of the present IT environment is to plan a safe and sound information flow (including the strategy flow, risk management flow, and logistics flow) through integrated planning based on the company's integrated operation modes.



Author(s):  
Margareth Stoll ◽  
Ruth Breu

The importance of information and information systems as a key differentiator for modern organizations is increasingly recognized. Sharpened legal and regulatory requirements have further promoted the view of information security governance as part of corporate governance. More than 1.37 million organizations worldwide are implementing a standards-based management system, such as ISO 9001 or others. To implement information security governance and compliance in an effective, efficient, and sustainable way, the authors integrate these standards-based management systems with different information security governance frameworks and the requirements of the international ISO/IEC 27001 information security management standard into a holistic information security governance model. In that way, information security becomes part of all strategic, tactical, and operational business processes, promoting corporate governance and lived information security. The implementation of this holistic model in several organizations and the results of the case studies are described.



Author(s):  
Md Delwar Hussain Mahdi ◽  
Karim Mohammed Rezaul

Credit fraud (also known as credit card fraud) in e-business is a growing concern, especially in the banking sector. E-business has been built mainly on the platform of the Internet. With the evolution of electronic technologies, the Internet has made faster e-transactions possible. It has been observed that Internet fraud, or e-business fraud, increases as e-transactions increase. Some types of card (debit or credit) fraud are decreasing as banks and governments provide detection and prevention systems, but Card-not-Present fraud losses are increasing at a higher rate. In online transactions there is obviously no opportunity to use Chip and PIN, nor to present the card face-to-face, so Card-not-Present fraud losses are growing in an unprotected and undetected way. This chapter investigates the current debate regarding credit fraud and vulnerabilities in online banking and studies some possible remedial actions to detect and prevent credit fraud. A comprehensive study of online banking and e-business has been undertaken with a special focus on credit fraud detection. This research reveals many channels of credit fraud that are increasing day by day. These kinds of fraud are the main barrier to promoting e-business in the banking sector.



Author(s):  
Wolfgang Boehmer

With the widespread dissemination of Information Technology in enterprises and households in the mid-90s, discussions began on how to manage it. Meanwhile, in the area of enterprise security management systems worldwide, the enforced use of the Deming cycle initially worked against the implementation of policies. Standard management systems include the ISMS (Information Security Management System) as specified in ISO/IEC 27001, BCM (Business Continuity Management) as specified in BS 25999, and ITSM (Information Technology Service Management) as specified in ISO/IEC 20000. In contrast to policies, these best-practice management systems continue to operate today with no formal method. Management systems do, however, have some advantages that policies lack. In this chapter, the authors present possible uses of policies with respect to management systems and identify potential applications. Furthermore, the authors present a field study, cited here, which highlights the advantages of management systems in practice. Moreover, this chapter shows how a formal description of an information security management system can be created by means of discrete-event systems theory and how an objective function for management systems can be defined.


