1

An Approach For Defensive Information Warfare In The Turkish Land Forces Command

Ozcan, Fuzuli 01 January 2003
In this study, Information Warfare (IW) and Information System (IS) security concept in the Turkish Land Forces Command (TLFC) are investigated. An approach that will enhance the success for a secure Information System to alleviate experienced risks is proposed. Starting with the general overview of the literature about IW and IS security, the relation between the concepts, the future, advantages and disadvantages of security development approaches, and the requirements for security are reviewed. Then the specific problems, security risks and IW threats of the TLFC are considered. After reviewing the specific problems, a proposal for IS security in Defensive Information Warfare process in the TLFC is presented and partially applied. The proposal is evaluated within the framework of a case study. The stronger points of the proposal are reviewed by comparing the proposed approach with some other approaches actually applied.
2

IS security leveraging the concept of knowledge management

Neville, Karen M. January 2010
IS Security (ISS) has become a key element of business risk management and can itself create competitive advantage. Thus, organisations seek practical approaches to protect the operation of the business. Protecting the functionality of an organisation is a difficult task but it is the responsibility of both senior management and ISS functions to do so. An analysis of the ISS literature reveals a paucity of research of ISS management, and a need for research to develop a holistic model for managing ISS knowledge to overcome the ever-increasing number of negative security incidents. The ISS research community is restrained by small-scale technical questions as the social aspects of ISS are ignored resulting in fragmented research across the IS field. While several possible methods are scattered throughout the literature – they focus on the development of information systems. ISS professionals require a range of skills encompassing business knowledge, legal awareness, and organisational processes as well as technical security knowledge. Research to date has failed to provide an integrated approach to managing ISS knowledge. This study investigates how ISS could leverage the concept of knowledge management. It proposes a theoretical model derived from the ISS and KM literatures. Thus to address this gap in research, this study adopts an exploratory interpretive holistic case study approach using interviews and document analysis as data gathering methods. The study will focus on the relationship between ISS and KM and the proposed benefits that an ISS KM initiative would produce. An analysis of the approaches used by these specialised structures in managing knowledge within and across the two case studies facilitated the development of an integrated model. The interplay between the functions provided rich description of the approaches used to manage knowledge. 
This research builds on previous studies documented in the ISS literature, by providing a much needed model against which practitioners may diagnose problems, plan action and implement solutions. ISS models and standards today do not exhibit much flexibility, therefore managers make ISS decisions in a vacuum. ISS problems can be managed or reduced when the ISS functions and management are aware of the full range of controls available and implement the most effective. Unfortunately, they often lack this knowledge and their subsequent actions to cope with threats are less effective. The focus of ISS research to date has been technical and grounded in positivism and few, if any, studies utilise a qualitative approach, therefore eliminating holistic, in-depth rich descriptions of core issues within the field. Comparatively little work has taken a managerial point of view, covering broad organisational and social issues. This study acknowledges these issues and provides a solid conceptual foundation for future studies on ISS by answering calls for a theoretical model to guide research in the area. The study also identifies the positive and negative impacts of compliance and describes how organisations can apply the model to overcome these negative effects.
3

Designing secure information systems and software: critical evaluation of the existing approaches and a new paradigm

Siponen, M. (Mikko) 24 August 2002
Abstract This dissertation is composed of three contributions. First, it recognizes a set of key security issues for information systems (IS), and examines the extent to which these issues have been studied and resolved by existing research efforts. Second, it analyses and discusses the existing approaches for designing secure information systems (SIS), shedding light on their underlying foundations. Third, based on the findings, a framework is put forth, addressing the fundamental shortcomings of the existing SIS design approaches. A meta-notation for adding security into IS development methods is presented as a framework-based example. An action research intervention is accomplished to test the relevance, suitability and feasibility of the meta-notation in practice. Overall, this dissertation sets forth a novel approach for extending security in IS/software development methods.
4

Understanding information systems (IS) security investments in organizations

Shao, X. (Xiuyan) 01 September 2015
Abstract Increasing information systems (IS) security breaches require investments in terms of IS security techniques/practices or personnel. Prior research on IS security investment has provided economic models based on neoclassical economics to assess how much to invest in IS security. These models assume that the goal of IS security investment is only benefit maximization, and that all of the actors involved are unbiased rational actors with complete information. It is argued in this thesis that these prior models for IS security investment are flawed for two reasons. First, benefit maximization is not an appropriate goal for IS security investment, because the benefits and costs of IS security investment cannot be reliably calculated. Second, decision makers are not unbiased rational actors, because they do not have enough information to make IS security investment decisions. To address these concerns, this thesis outlines a framework for IS security investment, which is based on behavioral economics. This framework makes new assumptions about IS security investment decision makers, and redefines the contextual nature of IS security investment. As an example of how to operationalize this framework in IS research, this thesis examines IS security investment decision-making by using a theoretical model drawn from reputational herding theory. A field study for empirical testing of the model was conducted, which involved surveying 88 information security experts in Finland. The results of the field study not only confirm the new framework, but also identify several motives that strongly predict IS security investment. In this thesis the assumptions proposed for the framework have also been tested in a different research setting: the unauthorized uploading behavior of digital goods. This study involves 220 respondents, and the findings suggest that the proposed assumptions for the framework are also applicable in that new research setting.
Overall, this doctoral thesis contributes to IS research by providing a framework to increase the overall understanding of how IS security managers make decisions with regard to IS security investment; moreover, this thesis presents empirically-grounded implications for how practitioners can improve the quality of their IS security investments. / Finnish abstract (translated): Continuously increasing information security breaches require investments in information security techniques/practices or personnel. Prior research on information security investment has developed economic models based on neoclassical economics for assessing the amount of information security investment. These models assume that the goal of information security investment is only benefit maximization and that all actors are unbiased and rational, acting on the basis of complete information. This dissertation argues that the prior information security investment models are deficient for two reasons. On the one hand, benefit maximization is not well suited as a goal for information security investment, because its benefits and costs cannot be reliably calculated. On the other hand, decision makers are not unbiased rational actors, because they do not have enough information available to make information security investment decisions. This dissertation takes these issues into account by developing a framework for information security investment based on behavioral economics. The framework presents new assumptions about the decision makers who make information security investments and about the contextual nature of information security investment. The dissertation illustrates the application of the developed framework in information systems research by examining decision-making related to information security investment from the perspective of a theoretical model built on reputational herding theory. To test the model empirically, a survey was prepared in a field study, to which 88 information security experts in Finland responded. The results of the field study both corresponded to the new framework and brought out several motives that strongly predict information security investment. The assumptions of the framework developed in the dissertation were also tested in a different kind of research setting: the unauthorized uploading of digital goods. 220 respondents took part in this study, and the findings show that the proposed assumptions are also usable in this new research setting. Overall, the contribution of this dissertation to information systems science is the framework it offers, which increases understanding of how information security managers make decisions related to information security investment. The dissertation also presents practical implications, based on empirical research, for improving the quality of information security investments.
5

Examining Multiple Stages of Protective Behavior of Information System End-Users

Burns, Mary B. January 2012
The adage, "old habits die hard", is especially relevant when humans learn new protective behaviors (i.e., dental flossing, IS security behaviors). The foundation that underlies many social-cognitive theories used in IS research is that intention to change predicts actual behavior change. Despite intentions to change, humans do not always change their habits due to actual or perceived obstacles, for example. In this study, user behavior, particularly with respect to vigilance over phishing attempts, was investigated via the theoretical lens of a hybrid continuum-stage behavior change model adapted from health-related fields. This type of model helps us to understand whether there are qualitatively different stages for adopting a more vigilant action plan toward phishing attempts, the number and ordering of distinct stages that a user must move through between forming an intention and subsequent behavior, what characterizes those stages, and how appropriate interventions at these stages can move a user to a higher stage of vigilant behavior. The goal of this research was to gain a better understanding of: a) whether there are distinct stages that distinguish end-users' vigilance toward phishing attempts; b) how many qualitatively different stages there are; and, c) what characterizes these stages. This study profiled IS end-users based on the model's constructs (e.g., coping self-efficacy, intention, action/coping planning, and risk perception) that examined end-users' protective behavior toward phishing attempts. In an exploratory analysis of survey data, stages of IS end-users were determined via cluster analysis techniques (hierarchical followed by K-means). A survey was administered to respondents (n= 394). Next, an agglomerative hierarchical cluster analysis using within-groups method of average linkage and Euclidean distance measures was performed on the model's constructs. 
Three clusters emerged as the optimal number to be used in the subsequent K-means cluster analysis. After conducting analyses for stability and validity for the 3-cluster solution, I compared the means of the model's constructs to develop profiles for the distinct three stages. I conclude that exploratory cluster analysis is an effective technique to discover natural groupings for protective behavior of IS end-users and propose future research to investigate stage-appropriate interventions to move users to higher stages.
6

Developing a Multi-Objective Decision Model for Maximizing IS Security within an Organization

May, Jeffrey Lee 01 January 2008
Numerous IS researchers have argued that IS Security can be more effectively managed if the emphasis goes beyond the technical means of protecting information resources. In an effort to adopt a broader perspective that accounts for issues that transcend technical means alone, Dhillon and Torkzadeh (2006) present an array of 9 fundamental and 16 means objectives that are essential for maximizing IS security in an organization. These objectives were derived using a value-focused thinking approach and are organized into a conceptual framework. This conceptual framework provides a rigorous theoretical base for considering IS security in a manner that accounts for both technical and organizational issues; however, no direction is provided for using these objectives so that informed decisions can be made. As a result, the goal of this dissertation is to develop a decision model using Multiple Objective Decision Analysis (MODA) techniques that seek to provide informed alternatives to decision makers who desire to maximize IS security within an organization.
7

Intrinsic Motivation and Information Systems Security Policy Compliance in Organizations

Abdul Talib, Yurita Yakimin 01 January 2015
Incidents of computer abuse, proprietary information leaks and other security lapses have been on the increase. Most often, such security lapses are attributed to internal employees in organizations subverting established organizational IS security policy. As employee compliance with IS security policy is the key to escalating IS security breaches, understanding employee motivation for following IS security policy is critical. In addition to several types of extrinsic motives noted in prior studies, including sanctions, rewards, and social pressures, this study adds that an important contributing intrinsic factor is empowerment. Per Thomas and Velthouse’s (1990) intrinsic motivation model, empowerment is the positive feelings derived from IS security task assessments. Through survey data collected from 289 participants, the study assesses how dimensions of psychological empowerment (i.e., competence, meaning, impact, and choice) as derived from IS security task may impact the IS security performance of the participants, measured by their compliance with IS security policy. The study demonstrates that the competence and meaning dimensions of psychological empowerment have a positive impact on participants’ IS security policy compliance intention, while impact has a marginal negative influence on compliance. Furthermore, dimensions of psychological empowerment can be predicted by structural empowerment facets, particularly IS security education, training, and awareness (SETA), access to IS security strategy and goals, and participation in IS security decision-making. In addition, the competence and meaning dimensions of psychological empowerment may act as mediators for the relations between structural empowerment and participants’ IS security policy compliance. Theoretical contributions, managerial implications, and directions for future research of this study will be discussed.
8

Actual and Perceived Information Systems Security

Oscarson, Per January 2007
As the Internet becomes the major information infrastructure in most sectors, the importance of Information Systems (IS) security steadily increases. While reaching a certain level of actual IS security is vital for most businesses, this level must also be perceived as acceptable by stakeholders. Businesses have to maintain a certain level of security and be able to assess the level of other actors’ security. IS security is abstract and complex, however, and difficult to estimate and measure. This thesis uses epistemic and ontological frameworks to study the conceptual nature of IS security and separate the concepts of actual and perceived IS security. A well-known event is used to illustrate the conceptual discussion: the Sasser worm that was spread around the world in 2004. This study also includes a smaller case study from the City of Stockholm, where about 4,000 computers were infected by Sasser. The outcome of the study is that actual IS security should be treated as a dynamic condition that is influenced by three different objects: information assets, threat objects and security mechanisms. Incidents are processes that are ruled by the conditions of these three objects and affect the states of confidentiality, integrity and availability of information assets. The concepts of threat, risk and trust remain at epistemic level, i.e. perceptions. Perceptions of IS security can differ depending on their social establishment and are classified as subjective judgements, inter-subjective judgements or institutional facts. While actual IS security conditions can influence actors’ perceptions of IS security, perceived IS security can also influence actual IS security.
9

Users’ information systems (IS) security behavior in different contexts

Li, Y. (Ying) 09 October 2015
Abstract Users’ information systems (IS) security behavior continuously draws attention from scholars and practitioners. While previous studies usually focused on one context (e.g., employees’ compliance with IS security policies in an organizational context), little research has focused on the possible explanations for users’ IS security behavior if the context changes. To address this gap, this dissertation discusses the role of context in IS security behavior research. An analysis of the differences between the organizational context and the home context suggests a need to study users’ IS security behavior solely in a specific context, such as home. This study provides guidelines for applying and developing contextualized theories in IS security behavior research. Based on the guidelines, this dissertation includes two empirical studies. First, drawing on rational choice theory, it compares specific IS security behavior in two contexts: the work context (N = 210) and the personal context (N = 202). Second, drawing on stewardship theory, this dissertation develops a contextualized theory explaining employees’ IS security risk-taking behavior in the organizational context (N = 170). The findings of this dissertation show different explanations for users’ IS security behavior in different contexts and highlight the importance of taking context into account when doing IS security behavior research. The results of each empirical study provide both theoretical contributions to research as well as actionable advice to practice. / Finnish abstract (translated): Computer users' information security behavior is a subject of continuous interest among both researchers and practitioners. Previous research has usually focused on examining information security behavior in one context (e.g., employees' compliance with information security guidelines in the organizational context), while less attention has been paid to how a change of context explains information security behavior. This dissertation responds to this problem, as it addresses the role of context in information security behavior research. The study analyzes the differences between the organizational context and the home context. The analysis shows that it is necessary to study computer users' information security behavior in specific contexts, such as the home context. The study offers guidelines on how context-bound theories are applied and developed in information security behavior research. The dissertation includes 2 empirical studies that are based on the above-mentioned guidelines. In the first stage, the study applies rational choice theory, on the basis of which a specific type of information security behavior is compared in 2 contexts: the work context (N = 210) and the personal-use context (N = 202). Second, the study applies stewardship theory and, building on it, develops a context-bound theory that explains the behavior of an organization's employees in relation to taking information security risks (N = 170). The research results of the dissertation present different explanations for computer users' information security behavior in different contexts. The study emphasizes how important it is to take context into account when studying information security behavior. The results of both empirical studies offer, in addition to a theoretical contribution, practical advice for implementing information security.
10

Zero Trust Adoption: Qualitative research on factors affecting the adoption of Zero Trust

Hansen, Jennifer January 2022
The following qualitative research explores the adoption of Zero Trust in organisations from an organisational and user acceptance perspective. From an organisational perspective, the research highlights essential aspects such as testing the Zero Trust architecture in a pre-adoption phase, involving top management in the planning phase, communicating in a non-technical language, and making end-users feel a personal connection to IS security. The research highlights the importance of balancing the ease of use with security, evaluating the end-user's technical maturity, and carrying out evaluations from a user acceptance perspective. To gather valuable empirical data, the researcher has conducted semi-structured interviews with highly competent respondents within the field of Zero Trust. Most of the literature available today within Zero Trust focuses on technical aspects, and this research is a unique and vital contribution to the limited available research.
