Current challenges in information security risk management
Fenz, Stefan; Heurix, Johannes; Neubauer, Thomas; Pechstein, Fabian
2014 Information Management & Computer Security
doi: 10.1108/IMCS-07-2013-0053
Purpose – The purpose of this paper is to give an overview of current risk management approaches and outline their commonalities and differences, evaluate current risk management approaches regarding their capability of supporting cost-efficient decisions without unnecessary security trade-offs, outline current fundamental problems in risk management based on industrial feedback and academic literature, and provide potential solutions and research directions to address the identified problems. Despite decades of research, the information security risk management domain still faces numerous challenges which hinder risk managers from coming up with sound risk management results. Design/methodology/approach – To identify the challenges in information security risk management, existing approaches are compared against each other, and as a result, an abstracted methodology is derived to align the problem and solution identification to its generic phases. The challenges have been identified based on literature surveys and industry feedback. Findings – As common problems in implementing information security risk management approaches, we identified the fields of asset and countermeasure inventory, asset value assignment, risk prediction, the overconfidence effect, knowledge sharing and risk vs. cost trade-offs. The reviewed risk management approaches do not explicitly provide mechanisms to support decision makers in making appropriate risk versus cost trade-offs, but we identified academic approaches which fulfill this need. Originality/value – The paper provides a reference point for professionals and researchers by summing up the current challenges in the field of information security risk management. Therefore, the findings enable researchers to focus their work on the identified real-world challenges and thereby contribute to advancing the information security risk management domain in a structured way. Practitioners can use the research results to identify common weaknesses and potential solutions in information security risk management programs.
Using response action with intelligent intrusion detection and prevention system against web application malware
Alazab, Ammar; Hobbs, Michael; Abawajy, Jemal; Khraisat, Ansam; Alazab, Mamoun
2014 Information Management & Computer Security
doi: 10.1108/IMCS-02-2013-0007
Purpose – The purpose of this paper is to mitigate vulnerabilities in web applications; security detection and prevention are the most important mechanisms for security. However, most existing research focuses on how to prevent an attack at the web application layer, with less work dedicated to setting up a response action if a possible attack has happened. Design/methodology/approach – A combination of a Signature-based Intrusion Detection System (SIDS) and an Anomaly-based Intrusion Detection System (AIDS), namely, the Intelligent Intrusion Detection and Prevention System (IIDPS). Findings – After evaluating the new system, better results were obtained in terms of detection efficiency and false alarm rate. This demonstrates the value of direct response action in an intrusion detection system. Research limitations/implications – Data limitation. Originality/value – The contributions of this paper are, first, to address the problem of web application vulnerabilities. Second, to propose a combination of an SIDS and an AIDS, namely, the IIDPS. Third, this paper presents a novel approach by connecting the IIDPS with a response action using fuzzy logic. Fourth, it uses risk assessment to determine an appropriate response action against each attack event. Combining the systems provides better performance for the Intrusion Detection System and makes detection and prevention more effective.
Impact of information security initiatives on supply chain performance
PN, Sindhuja
2014 Information Management & Computer Security
doi: 10.1108/IMCS-05-2013-0035
Purpose – The purpose of this empirical research is to attempt to explore the effect of information security initiatives (ISI) on supply chain performance, considering various intra- and inter-organization information security aspects that are deemed to have an influence on supply chain operations and performance. Design/methodology/approach – Based on extant information security management and supply chain security management literature, a conceptual model was developed and validated. A questionnaire survey instrument was developed and administered among supply chain managers to collect data. Data were collected from 197 organizations belonging to various sectors. The study used exploratory and confirmatory factor analysis for data analysis. Further, to test the hypotheses and to fit the theoretical model, structural equation modeling techniques were used. Findings – Results of this study indicate that ISI, comprising technical, formal and informal security aspects in an intra- and inter-organizational environment, are positively associated with supply chain operations, which, in turn, positively affect supply chain performance. Research limitations/implications – This study provides the foundation for future research in the management of information security in supply chains. Findings are expected to provide the communities of practice with better information security decision-making in a supply chain context, by clearly formulating technical, formal and informal information security policies for improving supply chain performance. Originality/value – In today’s global supply chain environment where competition prevails among supply chains, this research is relevant in terms of the capability that an organization has to acquire for managing internal and external information security. In that sense, this study contributes to the body of knowledge with an empirical analysis of organizations’ information security management initiatives as a blend of technical, formal and informal security aspects.
Security culture and the employment relationship as drivers of employees’ security compliance
D'Arcy, John; Greene, Gwen
2014 Information Management & Computer Security
doi: 10.1108/IMCS-08-2013-0057
Purpose – The purpose of this paper is to examine the influence of security-related and employment relationship factors on employees’ security compliance decisions. A major challenge for organizations is encouraging employee compliance with security policies, procedures and guidelines. Specifically, we predict that security culture, job satisfaction and perceived organizational support have a positive effect on employees’ security compliance intentions. Design/methodology/approach – This study used a survey approach for data collection. Data were collected using two online surveys that were administered at separate points in time. Findings – Our results provide empirical support for security culture as a driver of employees’ security compliance in the workplace. Another finding is that an employee’s feeling of job satisfaction influences his/her security compliance intention, although this relationship appears to be contingent on the employee’s position, tenure and industry. Surprisingly, we also found a negative relationship between perceived organizational support and security compliance intention. Originality/value – Our results provide one of the few empirical validations of security culture, and we recognize its multidimensional nature as conceptualized through top management commitment to security (TMCS), security communication and computer monitoring. We also extend security compliance research by considering the influence of employment relationship factors drawn from the organizational behavior literature.
Repairing trust in an e-commerce and security context: an agent-based modeling approach
Choi, Jae; Nazareth, Derek L.
2014 Information Management & Computer Security
doi: 10.1108/IMCS-09-2013-0069
Purpose – The aim of this paper is to study the critical role of trust in electronic commerce extensively in the context of establishing initial trust between trading partners. Ongoing trust between partners can quickly be eroded through security or other trust violations. This paper examines whether customers are willing to transact with an eCommerce vendor in light of security and trust violations. Design/methodology/approach – The paper draws upon research in professional trust relationships and adapts it to the e-commerce context to create a process view of trust violation and repair. Using a design science framework, this paper employs agent-based modeling as the simulation technique to study the implications of security and trust violations on the willingness of customers to continue transacting with the vendor. The simulations are conducted for a variety of trust violations and reconciliation actions. Findings – While some of the results are predictable, the key finding for managers is that moderate reconciliation tactics are effective for all cases but the most severe trust violations, where trust is irrevocably broken. This has clear financial implications, particularly in cases where vendors may operate with small margins in competitive markets. Originality/value – Given the increasing push toward mobile and Internet-based commerce, and the large range of possible trust violations and security incidents in online purchases, coupled with increasing competition among vendors, it becomes imperative for vendors to provide effective tactics to repair customer trust violations when they arise.
Teaching information security management: reflections and experiences
Ahmad, Atif; Maynard, Sean
2014 Information Management & Computer Security
doi: 10.1108/IMCS-08-2013-0058
Purpose – The purpose of this paper is to describe the development, design, delivery and evaluation of a postgraduate information security subject that focuses on a managerial, rather than the more frequently reported technical, perspective. The authors aimed to create an atmosphere of intellectual excitement and discovery so that students felt empowered by new ideas, tools and techniques and realized the potential value of what they were learning in the industry. Design/methodology/approach – The paper develops fundamental principles and arguments that inform the design and development of the teaching curriculum. The curriculum is aimed at security management professionals in general and consultants in particular. The paper explains the teaching method in detail, including the specific topics of lectures, representative reading material, assessment tasks and feedback mechanisms. Finally, lessons learned by the authors and their conclusions are presented as a form of reflection. Findings – The instructors recognized four key factors that played a role in the atmosphere of intellectual excitement and motivation. These were new concepts and ideas, an increased level of engagement, opportunities for students to make their own discoveries and knowledge presented in a practical context. Maintaining a high quality of teaching resources, catering for diverse student needs and incorporating learning cycles of assessment in a short period of time were additional challenges. Originality/value – Most “information security” curricula described in the research literature take a technology-oriented perspective. This paper presents a much-needed management point of view. The teaching curriculum (including assessment tasks) and experiences will be useful to existing and future teaching and research academics in “information security management”. Those interested in developing their own teaching material will benefit from the discussion on potential topic areas, choice of assessment tasks and selection of recommended reading material.