Informační bezpečnost jako ukazatel výkonnosti podniku / Information Security as an Indicator of Business Performance

Gancarčik, Rastislav

January 2017

The content of this thesis is a proposal of methodology for evaluating company's performance in areas of information security, while their performance will be judged based on compliance with standard ISO/IEC 27001:2013, Act no. 181/2014 Coll., Regulation 2016/679 of European Parliament and Directive 2016/1148 of the European Parliament. The proposal of this methodology is designed in a particular company which operates in the Czech Republic.

Zavedenie systému riadenia informačnej bezpečnosti v malom podniku / The Implemetation of Information Security Management system in the Small Company

Altamirano, Peter

January 2013

The diploma thesis deals with the design of implementation of information security management system in IT company, deals with metrics for measuring the effectiveness of the system, according to the international standards ISO/IEC 2700x. The thesis solves invested resources in the establishment of the system. The thesis provides a summary of theoretical knowledge of information security management system, analyzes the current situation in the company and propose measures to increase security in the company.

Information Security Guidelines for Organizations Intending to Adopt Cloudsourcing

Annamalai, Neelambari

January 2012

Change is constant and computing paradigm is no exception. It has witnessed major shifts right from centralized client server systems to widely distributed systems. This time the locus of change in the computing paradigm is moving towards virtualization, paving way to cloud computing. Cloud computing aims at providing computing services to its users as an utility. It allows its authenticated users to access a wide range of highly scalable computing capabilities and services via the internet on a pay-per-usage basis. Organisations not only view these benefits as cost-saving strategies, but also aim at improving the competitive advantages using cloud computing. Hence, this has given rise to a new horizon in IT/IS outsourcing. With a collaboration of cloud computing and outsourcing emerged a new concept called cloudsourcing. Cloudsourcing can be termed as the next generation outsourcing and the next phase of cloud computing promising benefits from both the areas. Cloudsourcing is outsourcing traditional business via the cloud infrastructure. Though there is pompous popularity surrounding this new technology, there is much hesitation in adopting it due to the inherent security issues. This paper discusses in detail the security issues and possible solution to the same. As this is a new concept, not much work is identified to be done in providing a set of guidelines to adopt cloudsourcing that are very specific to information security. This work intends to fill this aperture by building a set of well-defined information security guidelines, which can be termed as a novel. For this purpose, design science research method proposed by Hevner et al is used so as to accomplish this goal. Initially, a literature study is done after which an exploratory study comprising of interviews is done to gather qualitative data. The results of the exploratory interview is tested for correctness and evaluated based on an evaluation study comprising a survey based questionnaire. The analysis of the evaluation study results provides the final results. In such an attempt, the identified countermeasures to risks are classified into three groups namely, organisational, technical and regulatory and compliance guidelines. Hence the end results constituting the set of information security guidelines are classified into the above mentioned groups. This work is assumed to contribute to our understanding of information security in cloudsourcing and in supporting IT decision makers, IT project managers and security executives of organisations for a smooth and secure transition towards cloudsourcing their business.

Cloud computing

outsourcing

cloudsourcing

information security risks

Engineering and Technology

Teknik och teknologier

Assessing The Relative Importance of Information Security Governance Processes on Reducing Negative Impacts From Information Security Incidents

Farnian, Adnan

January 2010

Today the extent and value of electronic data is constantly growing. Dealing across the internet depends on how secure consumers believe their personal data are. And therefore, information security becomes essential to any business with any form of web strategy, from simple business-to-consumer, or business-to-business to the use of extranets, e-mail and instants messaging. It matters too any organization that depends on computers for its daily existence. This master thesis has its focus on Information Security Governance. The goal of this thesis was to study different Information Security processes within the five objectives for Information Security Governance in order to identify which processes that organizations should prioritize in order to reduce negative consequences on the data, information and software of a business from security incidents. By surveying IT experts, it was possible to gather their relative opinion regarding the relationship between Information Security Governance processes and security incidents. By studying the five desired objectives for Information Security Governance, Strategic Alignment, Risk Management, Resource Management, Performance Measurement and Value Delivery the result indicated that some processes within Performance Measurements have a difference in relation to other processes. For those processes a conclusion can be made that they are not as important as the processes which they were compared to. A reason for this can be that the processes within performance measurement are different in such a way that they measure an incident after it has actually happened. While other processes within the objectives for ISG are processes which needs to be fulfilled in order to prevent that an incident happens. This could obviously explain why the expert‟s choose to value the processes within performance measurement less important compared to other processes. However, this conclusion cannot be generalized, since the total amount of completed responses where less than expected. More respondents would have made the result more reliable. The majority of the respondents were academicals and their opinion and experience may be different from the IT experts within the industry, which have a better understanding of how it actually works in reality within an organization.

Information Technology

Information Security

Information Security Governance

Elektroteknik och elektronik

Exploring SME Vulnerabilities to Cyber-criminal Activities Through Employee Behavior and Internet Access

Twisdale, Jerry Allen

01 January 2018

Cybercriminal activity may be a relatively new concern to small and medium enterprises (SMEs), but it has the potential to create financial and liability issues for SME organizations. The problem is that SMEs are a future growth target for cybercrime activity as larger corporations begin to address security issues to reduce cybercriminal risks and vulnerabilities. The purpose of this study was to explore a small business owner's knowledge about to the principal elements of decision making for SME investment into cybersecurity education for employees with respect to internet access and employee vulnerabilities. The theoretical framework consisted of the psychological studies by Bandura and Jaishankar that might affect individual decision making in terms of employee risks created through internet use. This qualitative case study involved a participant interview and workplace observations to solicit a small rural business owner's knowledge of cybercriminal exploitation of employees through internet activities such as social media and the potential exploitation of workers by social engineers. Word frequency analysis of the collected data concluded that SME owners are ill equipped to combat employee exploitation of their business through social engineering. Qualitative research is consistent with understanding the decision factors for cost, technical support, and security threat prevention SME organizational leadership use and is the focus of this study as emergent themes. The expectation is that this study will aid in the prevention of social engineering tactics against SME employees and provide a platform for future research for SMEs and cybercriminal activity prevention.

cybercrime

cyber security

information security

information security management

Small and medium enterprises

social engineering

Databases and Information Systems

Information Security Management and Organisational Agility

Adetona, Temitayo Eniola

January 2023

An organization's ability to succeed depends on the Confidentiality, Integrity, and Availability of its information. This implies that the organization's information and assets must be secured and protected. However, the regular occurrence of threats, risks, and intrusions could serve as a barrier to the security of this information. This has made the management of Information security a necessity. Organizations are then trying to be more agile by looking for ways to identify and embrace opportunities swiftly and confront these risks more quickly. Very little research has examined the relationships between Organizational Agility and Information Security. Hence, this study aims to investigate the management of Information Security in organizations while maintaining agility and highlighting the challenges encountered, and also addresses the research question: How do organizations manage information security while maintaining organizational agility? The research strategy used is the Case Study, and the data collection methods used are semi-structured interviews and documents. The interview was conducted in a financial institution in Nigeria with seven security specialists, and documents were obtained from the company's website to help gain insights into the services and products offered. Thematic analysis was the data analysis method chosen. The findings revealed eighteen measures in which Information Security can be managed while maintaining Organizational Agility. Part of the identified measures are similar to those identified in previous research, while new measures are also discovered. Furthermore, these identified measures will be useful for other organizations, particularly financial institutions, to emulate in managing their Information Security and being agile while at it.

Organizations

Information Security

Organizational Agility

Information Security Management

Computer Sciences

Datavetenskap (datalogi)

Methods for Hospital Network and Computer Security

Hausrath, Nathaniel L.

16 August 2011

No description available.

Information Technology

hospital it Security

information security

network security

computer security

hospital information security

security

Information Security Behavior: A Cross-Cultural Comparison of Irish and US Employees

Connolly, Lena Y., Lang, M., Wall, D.S.

16 June 2020

Yes / This study explores how aspects of perceived national culture affect the information security attitudes and behavior of employees. Data was collected using 19 semi-structured interviews in Ireland and the United States of America (US). The main findings are that US employees in the observed organizations are more inclined to adopt formalized information security policies and procedures than Irish employees, and are also more likely to have higher levels of compliance and lower levels of non-compliance.

Information security culture

National culture

Information security behaviour

Cross-cultural research

Qualitative research

The human connection to information security : A qualitative study on policy development, communication and compliance in government agencies / Den mänskliga kopplingen till informationssäkerhet : En kvalitativ studie om policyutveckling, kommunikation och efterlevnad inom statliga myndigheter

Abdulhadi, Osama

January 2023

The human factor and insider threats play a crucial role in information security. In today’s digital age, protecting organizational data requires a deep understanding of human behaviour and its impact on information security. The increasing volume of electronically stored data has led to a rise in cyber threats and breaches, necessitating effective information security policies and regulations. This study focuses on the experiences and perspectives of employees and top management in government agencies regarding the development, communication, compliance, and attitudes towards information security policies and regulations. Semi-structured interviews were conducted with participants from both top management or information security officers and regular employees, which allowed for an in-depth exploration of their experiences and perspectives. The findings show that government agencies systematically develop policies by engaging stakeholders, ensuring accessibility, and adhering to legal frameworks. Addressing the human factor involves training, awareness programs, and top management support. Policy development and implementation include risk assessment, stakeholder identification, objective setting, continuous review, and integration into daily operations. Communication channels such as intranets, training, coordinators, and awareness events are utilized, but their effectiveness is not directly measured. Proposed improvements include enhancing accessibility, improving policy document management, and using clearer language. Employees generally possess a positive attitude towards information security, though their understanding varies, and challenges to their understanding include complex language and unclear instructions. Compliance also varies, with difficulties arising from technical terminology and information overload. Enhanced compliance can be achieved through simplified language, providing better resources, and top management support. Proactive incident management focuses on learning and risk minimization. The human factor and insider threats remain significant concerns, which emphasizes the need for further education, awareness training, and motivation.

Communication

compliance

development

effectiveness

government agencies

human factor

information security

information security awareness

information security culture

information security management system

information security policy

insider threat

Information Systems, Social aspects

Study on Architecture-Oriented Coast Guard Information Security Management Model

Chen, Chih-Ming

20 December 2011

With the popularity of computer networks, e-systems have enhanced the information flow within the Coast Guard Institute. Due to constant information security incidents, formulating policies and managing mechanisms become an important task of the internal security authorities. In this study, we construct an Architecture-Oriented Coast Guard Information Security Management Model (AOCGISMM) which is based on the six fundamental diagrams of Structure-Behavior Coalescence (SBC) Architecture. AOCGISMM, not only provides an integrated description of structure and behavior on the Coast Guard Institute Information Security operations, but also makes the employees within the organization easily to promote compliance.. AOCGISMM covers all structure and behavior of the whole Coast Guard Institute Information Security operations. Therefore, AOCGISMM describes the complete picture of Coast Guard Institute Information Security so that every employee shall understand and communicate well to meet the organization needs.

Architecture

Information Security Management