Global ETD Search

51	An Empirical Investigation of the Economic Value of Information Security Management System Standards Shoraka, Babak 01 January 2011 (has links) Within the modern and globally connected business landscape, the information assets of organizations are constantly under attack. As a consequence, protection of these assets is a major challenge. The complexities and vulnerabilities of information systems (ISs) and the increasing risks of failure combined with a growing number of security incidents, prompts these entities to seek guidance from information security management standards. The International Organization of Standardization (ISO) Information Security Management System (ISMS) standard specifies the requirements for establishing, operating, monitoring, and improving an information security management system within the context of an organization's overall business risks. Importantly, this standard is designed to ensure the selection of adequate information security controls for the protection of an organization's information assets and is the only auditable international standard for information security management. The adoption of, and certification against the ISO ISMS standard is a complex process which impacts many different security aspects of organizations and requires significant investments in information security. Although many benefits are associated with the adoption of an information security management standard, organizations are increasingly employing economic measures to evaluate and justify their information security investments. With the growing emphasis on the importance of understanding the economic aspects of information security, this study investigated the economic value of the ISO ISMS standard adoption and certification. The principles of the efficient market hypothesis and the event study methodology were employed to establish whether organizations realized economic gains from obtaining certification against the ISO ISMS standard. The results of this research showed that capital markets did not react to the ISO ISMS certification announcements. Furthermore, the capital market reaction to information security breaches was not different between ISO ISMS certified and non-certified firms. It was concluded that the ISO ISMS certification did not create economic value for the certified firms Event study Information secuity Information security incidents ISMS Standards Computer Sciences
52	An Automated Tool For Information Security Management System Erkan, Ahmet 01 September 2006 (has links) (PDF) This thesis focuses on automation of processes of Information Security Management System. In accordance with two International Standards, ISO/IEC 27001:2005 and ISO/IEC 17799:2005, to automate the activities required for a documented ISMS as much as possible helps organizations. Some of the well known tools in this scope are analyzed and a comparative study on them including &ldquo / InfoSec Toolkit&rdquo / , which is developed for this purpose in the thesis scope, is given. &ldquo / InfoSec Toolkit&rdquo / is based on ISO/IEC 27001:2005 and ISO 17799:2005. Five basic integrated modules constituting the &ldquo / InfoSec Toolkit&rdquo / are &ldquo / Gap Analysis Module&rdquo / , &ldquo / Risk Module&rdquo / , &ldquo / Policy Management Module&rdquo / , &ldquo / Monitoring Module&rdquo / and &ldquo / Query and Reporting Module&rdquo / . In addition a research framework is proposed in order to assess the public and private organizations&rsquo / information security situation in Turkey.
53	Study on Architecture-Oriented Information Security Management Model Tsai, Chiang-nan 07 January 2009 (has links) Information security, sometimes referred as enterprise security, plays a very important and professional role in the enterprises. Therefore, information security management is getting more and more popularity among the enterprises in recent years. Several aspects on information, such as technical documents, research and development plans, product quotations, are considered as core assets in one company. How to effectively manage and realize an information security system has become a key for a company¡¦s survival. The international information security management standard, ISO 27001:2005, which includes personnel security, technology security, physical security and management security has been promulgated. When bringing in an information security management system, a company usually embraces the process-oriented approach which treats the system¡¦s structure view and behavior view separately. Separating structure view from behavior view during the planning phase may cause many difficulties, such as uneven distribution of resources, poor safety performance, bad risk management, poor system management and so on, when working on the later realization and verification phase of the information security management system¡¦s construction. Up to date, there is no enterprise architecture theory for information security management system. This research utilizes architecture-oriented modeling methodology so that structure view and behavior view are coalesced when decomposing the information security management system to obtain structural elements and behaviors deriving from interactions among these structure elements. By adopting structure behavior coalescence, abbreviated as SBC, which includes ¡§architecture hierarchy diagram", "structure element diagram", "structure element service diagram", "structure element connection diagram", "structure behavior coalescence diagram", and "interactive flow diagram", this research constructs a complete architecture-oriented information security management model, abbreviated as AOISMM. This research is the first study using architecture-oriented approach to construct the information security management system. Also, AOISMM solves many difficulties caused by the process-oriented approach when constructing information security management systems. These are the contributions of this research. Enterprise Architecture Enterprise Security Information Security
54	New Perspectives on Implementing Health Information Technology Sarkar, Sumantra 24 July 2014 (has links) The importance of studying challenges in implementing information technology solutions in health care organizations is highlighted by the huge investments in health care information technology (HIT) which has been spurred by recent government mandates. Information technology can help improve health care delivery cost by facilitating the standardization of work processes or routines and reducing variations among them. Set in a premier 950+ bed hospital in the south eastern part of US, this dissertation consists of two studies examining the challenges involved in implementing HIT solutions. In the first study, we seek to gain deep insights into how the process of creating a patient’s chart evolves over time in a health care institution. The second study focuses on the users of Electronic Health Records (EHR) system, investigating the compliance behavior of various providers with respect to patient records in the system. In the first study, through the lens of Activity theory our results show that the charting routine is implicated by the following environmental factors: (1) Tools, (2) Rules, (3) Community, and (4) Roles, and by individual factors: (5) Computer Self-Efficacy and (6) Risk Propensity. In the second study, our results indicate that there is a substantial effect of subculture of the different occupational groups on IT security compliance intent and behavior in a health care institution. routines process activity theory information security information security policy compliance behavior policy violation pseudo-compliance
55	Strong Intents Against Weak Links : Towards a Holistic Integration of Behavioral Information Security in Organizations with Strategic Intent Koller, Teresa Marie, Ljung, Migle January 2021 (has links) The human factor has been detected as the weakest link in the information security of organizations. Methods like training and awareness programs and the implementation of security policies have been developed, but they still seem to be less effective than desired. Authors have suggested integrating information security more holistically in organizations. In this study we discuss how strategic intent can influence an information security culture and improve information security behavior, thereby strengthening the weakest link. This thesis aims to develop a conceptual framework for organizations to integrate behavioral information security holistically with strategic intent. This thesis is based on a qualitative study with an abductive approach consisting of nine exploratory, semi-structured interviews. This way we could find today’s most prominent factors that might reinforce information security behavior in organizations and discuss the interrelations among those factors together with their potential facilitators and barriers. To improve behavioral InfoSec holistically in organizations, strategic Intent and InfoSec culture are promising factors. All factors have clear interrelations, but also potential facilitators and barriers. Information Security Behavior Information Security Culture Strategic Intent Behavioral Information Security Qualitative Study Business Administration Företagsekonomi
56	Zavedenie systému riadenia informačnej bezpečnosti v malom podniku / The Implemetation of Information Security Management system in the Small Company Altamirano, Peter January 2013 (has links) The diploma thesis deals with the design of implementation of information security management system in IT company, deals with metrics for measuring the effectiveness of the system, according to the international standards ISO/IEC 2700x. The thesis solves invested resources in the establishment of the system. The thesis provides a summary of theoretical knowledge of information security management system, analyzes the current situation in the company and propose measures to increase security in the company.
57	Information Security Guidelines for Organizations Intending to Adopt Cloudsourcing Annamalai, Neelambari January 2012 (has links) Change is constant and computing paradigm is no exception. It has witnessed major shifts right from centralized client server systems to widely distributed systems. This time the locus of change in the computing paradigm is moving towards virtualization, paving way to cloud computing. Cloud computing aims at providing computing services to its users as an utility. It allows its authenticated users to access a wide range of highly scalable computing capabilities and services via the internet on a pay-per-usage basis. Organisations not only view these benefits as cost-saving strategies, but also aim at improving the competitive advantages using cloud computing. Hence, this has given rise to a new horizon in IT/IS outsourcing. With a collaboration of cloud computing and outsourcing emerged a new concept called cloudsourcing. Cloudsourcing can be termed as the next generation outsourcing and the next phase of cloud computing promising benefits from both the areas. Cloudsourcing is outsourcing traditional business via the cloud infrastructure. Though there is pompous popularity surrounding this new technology, there is much hesitation in adopting it due to the inherent security issues. This paper discusses in detail the security issues and possible solution to the same. As this is a new concept, not much work is identified to be done in providing a set of guidelines to adopt cloudsourcing that are very specific to information security. This work intends to fill this aperture by building a set of well-defined information security guidelines, which can be termed as a novel. For this purpose, design science research method proposed by Hevner et al is used so as to accomplish this goal. Initially, a literature study is done after which an exploratory study comprising of interviews is done to gather qualitative data. The results of the exploratory interview is tested for correctness and evaluated based on an evaluation study comprising a survey based questionnaire. The analysis of the evaluation study results provides the final results. In such an attempt, the identified countermeasures to risks are classified into three groups namely, organisational, technical and regulatory and compliance guidelines. Hence the end results constituting the set of information security guidelines are classified into the above mentioned groups. This work is assumed to contribute to our understanding of information security in cloudsourcing and in supporting IT decision makers, IT project managers and security executives of organisations for a smooth and secure transition towards cloudsourcing their business. Cloud computing outsourcing cloudsourcing information security risks Engineering and Technology Teknik och teknologier
58	Assessing The Relative Importance of Information Security Governance Processes on Reducing Negative Impacts From Information Security Incidents Farnian, Adnan January 2010 (has links) Today the extent and value of electronic data is constantly growing. Dealing across the internet depends on how secure consumers believe their personal data are. And therefore, information security becomes essential to any business with any form of web strategy, from simple business-to-consumer, or business-to-business to the use of extranets, e-mail and instants messaging. It matters too any organization that depends on computers for its daily existence. This master thesis has its focus on Information Security Governance. The goal of this thesis was to study different Information Security processes within the five objectives for Information Security Governance in order to identify which processes that organizations should prioritize in order to reduce negative consequences on the data, information and software of a business from security incidents. By surveying IT experts, it was possible to gather their relative opinion regarding the relationship between Information Security Governance processes and security incidents. By studying the five desired objectives for Information Security Governance, Strategic Alignment, Risk Management, Resource Management, Performance Measurement and Value Delivery the result indicated that some processes within Performance Measurements have a difference in relation to other processes. For those processes a conclusion can be made that they are not as important as the processes which they were compared to. A reason for this can be that the processes within performance measurement are different in such a way that they measure an incident after it has actually happened. While other processes within the objectives for ISG are processes which needs to be fulfilled in order to prevent that an incident happens. This could obviously explain why the expert‟s choose to value the processes within performance measurement less important compared to other processes. However, this conclusion cannot be generalized, since the total amount of completed responses where less than expected. More respondents would have made the result more reliable. The majority of the respondents were academicals and their opinion and experience may be different from the IT experts within the industry, which have a better understanding of how it actually works in reality within an organization. Information Technology Information Security Information Security Governance Elektroteknik och elektronik
59	Exploring SME Vulnerabilities to Cyber-criminal Activities Through Employee Behavior and Internet Access Twisdale, Jerry Allen 01 January 2018 (has links) Cybercriminal activity may be a relatively new concern to small and medium enterprises (SMEs), but it has the potential to create financial and liability issues for SME organizations. The problem is that SMEs are a future growth target for cybercrime activity as larger corporations begin to address security issues to reduce cybercriminal risks and vulnerabilities. The purpose of this study was to explore a small business owner's knowledge about to the principal elements of decision making for SME investment into cybersecurity education for employees with respect to internet access and employee vulnerabilities. The theoretical framework consisted of the psychological studies by Bandura and Jaishankar that might affect individual decision making in terms of employee risks created through internet use. This qualitative case study involved a participant interview and workplace observations to solicit a small rural business owner's knowledge of cybercriminal exploitation of employees through internet activities such as social media and the potential exploitation of workers by social engineers. Word frequency analysis of the collected data concluded that SME owners are ill equipped to combat employee exploitation of their business through social engineering. Qualitative research is consistent with understanding the decision factors for cost, technical support, and security threat prevention SME organizational leadership use and is the focus of this study as emergent themes. The expectation is that this study will aid in the prevention of social engineering tactics against SME employees and provide a platform for future research for SMEs and cybercriminal activity prevention. cybercrime cyber security information security information security management Small and medium enterprises social engineering Databases and Information Systems
60	Information Security Management and Organisational Agility Adetona, Temitayo Eniola January 2023 (has links) An organization's ability to succeed depends on the Confidentiality, Integrity, and Availability of its information. This implies that the organization's information and assets must be secured and protected. However, the regular occurrence of threats, risks, and intrusions could serve as a barrier to the security of this information. This has made the management of Information security a necessity. Organizations are then trying to be more agile by looking for ways to identify and embrace opportunities swiftly and confront these risks more quickly. Very little research has examined the relationships between Organizational Agility and Information Security. Hence, this study aims to investigate the management of Information Security in organizations while maintaining agility and highlighting the challenges encountered, and also addresses the research question: How do organizations manage information security while maintaining organizational agility? The research strategy used is the Case Study, and the data collection methods used are semi-structured interviews and documents. The interview was conducted in a financial institution in Nigeria with seven security specialists, and documents were obtained from the company's website to help gain insights into the services and products offered. Thematic analysis was the data analysis method chosen. The findings revealed eighteen measures in which Information Security can be managed while maintaining Organizational Agility. Part of the identified measures are similar to those identified in previous research, while new measures are also discovered. Furthermore, these identified measures will be useful for other organizations, particularly financial institutions, to emulate in managing their Information Security and being agile while at it. Organizations Information Security Organizational Agility Information Security Management Computer Sciences Datavetenskap (datalogi)

Search results