A risk based approach for managing information technology security risk within a dynamic environment

Mahopo, Ntombizodwa Bessy

11 1900

Information technology (IT) security, which is concerned with protecting the confidentiality, integrity and availability of information technology assets, inherently possesses a significant amount of known and unknown risks. The need to manage IT security risk is regarded as an important aspect in the daily operations within organisations. IT security risk management has gained considerable attention over the past decade due to the collapse of some large organisations in the world. Previous investigative research in the field of IT security has indicated that despite the efforts that organisations use to reduce IT security risks, the trend of IT security attacks is still increasing. One of the contributing factors to poor management of IT security risk is attributed to the fact that IT security risk management is often left to the technical security technologists who do not necessarily employ formal risk management tools and reasoning. For this reason, organisations find themselves in a position where they do not have the correct approach to identify, assess and treat IT security risks. The IT security discipline is complex in nature and requires specialised skills. Organisations generally struggle to find a combination of IT security and risk management skills in corporate markets. The scarcity of skills leaves organisations with either IT security technologists who do not apply risk management principles to manage IT security risk or risk management specialists who do not understand IT security in order to manage IT security risk. Furthermore, IT is dynamic in nature and introduces new threats and vulnerabilities as it evolves. Taking a look at the development of personal computers over the past 20 years is indicative of how change has been constant in this field, from big desktop computers to small mobile computing devices found today. The requirement to protect IT against threats associated with desktops was far less than the requirement associated with protecting mobile devices. There is pressure for organisations to ensure that they stay abreast with the current technology and associated risks. Failure to understand and manage IT security risk is often cited as a major cause of concern within most organisations’ IT environments because comprehensive approaches to identify, assess and treat IT security risk are not consistently applied. This is due to the fact that the trend of IT security attacks across the globe is on the increase, resulting in gaps when managing IT security risk. Employing a formal risk based approach in managing IT security risk ensures that risks of importance to an organisation are accounted for and receive the correct level of attention. Defining an approach of how IT security risk is managed should be seen as a fundamental task and is the basis of this research. This study aims to contribute to the field of IT security by developing an approach that assists organisations in treating IT security risk more effectively. This is achieved through the use of a combination of existing best practice IT security frameworks and standards principles, basic risk management principles, as well as existing threat modelling processes. The approach developed in this study serves to encourage formal IT security risk management practices within organisations to ensure that IT security risk is accounted for by senior leadership. Furthermore, the approach is anticipated to be more proactive and iterative in nature to ensure that external factors that influence the increasing trend of IT security threats within the IT environment are acknowledged by organisations as technology evolves. / Computing / M. Sc. (Computing)

IT

IT security

Risk

Risk management

IT security threat modelling

IT security management

OCTAVE

COBIT

ITIL

ISO 27001/2

ISF Standard of Good Practice

005.82

Computer security -- Standards

Cyberterrorism

The relationship between organisational climate and employee satisfaction in a South African Information and Technology organisation

Castro, Monia Lola

11 1900

This research explores the relationship between organisational climate and job satisfaction in an Information and Communication Technology (ICT) organisation within South Africa by means of quantitative research. An organisational climate questionnaire was developed to measure the organisational climate and job satisfaction of the organisation and was administered to a sample of 696 employees across three regions. The results indicate that there was a strong positive correlation (0.813 at the 0.01 level) between organisational climate and job satisfaction, therefore supporting the research hypothesis. A stepwise regression was conducted and nine dimensions of organisational climate were found to predict 71% variance in job satisfaction. The interaction of biographical and organisational variables on organisational climate and job satisfaction was studied by means of t-tests and ANOVA. Although statistical significant differences were found, in terms of practical significance, the effect sizes were generally found to be small. / Industrial and Organisational Psychology / M.A. (Industrial and Organisational Psychology)

Organisational climate

Job satisfaction

Organisational culture

Confirmatory factor analysis (CFD)

658.30410968

Job satisfaction -- South Africa

Organizational change -- South Africa

Confirmatory factor analysis

Information technology project managers' productivity and project success: the influence of polychronic communication

Coetzee, Basil B

10 September 2014

This research focuses on the role that polychronic Communication (PC) plays in the productivity and project success of Information Technology (IT) Project Managers (PMs). PC refers to a communication style where the communicator switches rapidly between several conversations, irrespective of topic similarity, instead of completing one conversation before starting another. An online questionnaire collected data from Information Technology workers in multiple industries across the globe. The data consisted out of two distinct groups: IT PMs (n = 202) and IT project team members (n = 122). Statistical analysis on the dataset considered the perspectives of both participant groups, first separately and then combined. The results showed relationships between: 1. IT PMs’ individual polychronicity and their PC. 2. IT PMs’ PC and their opinion of the influence of PC on the success of the projects that they are managing. 3. IT PMs’ PC and their opinion of the influence of PC on their productivity. 4. IT PMs’ PC and the corporate polychronicity of their employers. In addition, when IT PMs rate their PC, the rating is lower than when other IT project team members rate the IT PMs’ PC. By contrast, there was no difference between IT PMs rating the influence of their PC on their project success and productivity versus IT project teams rating the influence of the IT PMs’ PC on their project success and productivity. These findings contribute to the factors that a corporation has to consider in hiring new IT PMs or training their current IT PMs. / Information Science / M. Sc. (Information Systems)

Project

Project management

Information technology

IT Project management

Polychronicity

Monochronicity

Polychronic communication

Polychronic attitude index

Inventory of polychronic values

004.068

Information technology projects

Intercultural communication

Information technology management

Project management

Framework to assist organisations with information technology adoption governance

Jokonya, Osden

03 1900

The evidence from the literature suggests that Information Technology adoption (IT) governance in organisations is still a challenge. The diversity of application and the ever-increasing use of IT results in making decisions on IT adoption a major challenge for organisations. The decision about using a particular technology from an organisational perspective is problematic since individual users have different worldviews. The implicit assumption in IT adoption literature is that stakeholders always reach consensus during IT adoption decision making in organisations. This study explored the existing models and frameworks in order to develop a preliminary improved IT adoption governance framework. This study used a case study sequential explanatory mixed methods research approach to validate the preliminary IT adoption governance framework. The first validation phase of the framework was done using a quantitative approach followed by the second validation phase based on qualitative interviews. The last validation was done after integrating the quantitative and qualitative results to produce the refined framework. The results suggest that the developed framework may improve IT adoption governance in organisations. The results showed that the framework components facilitate IT adoption governance in organisations. The results also suggest that the components have an association with each other except for the Technology Acceptance Model component. The results indicate that stakeholder participation and hard systems thinking components have a strong predictive impact on IT governance framework component perception in organisations. The study results suggest that IT adoption decision makers need to balance different stakeholders’ demands during IT adoption decision making in organisations. The framework helps in that regard by reconciling different stakeholders’ demands through collective IT adoption decision making. The strength of the framework is its integration of theories from various disciplines in understanding stakeholder expectations. On that basis the framework is in a better position to offer more insight into understanding challenges of IT adoption decision making than existing frameworks and models. The framework offers a potentially valuable basis for future research in IT adoption decision making in organisations. The results suggest that the framework may facilitate IT adoption in organisations using different components. / Information Science / D. Litt. et Phil. (Information systems)

IT adoption

Systems approach

Soft systems thinking

Hard systems thinking

Emancipatory systems thinking

Critical systems thinking

Mixed methods

Pragmatism

Sociological paradigm

Diffusion of innovation

Systems dynamics

658.403801

Information technology

Information technology -- Management

Business -- Information technology

Addressing the incremental risks associated with adopting a Bring Your Own Device program by using the COBIT 5 framework to identify keycontrols

Weber, Lyle

04 1900

Thesis (MComm)--Stellenbosch University, 2014. / ENGLISH ABSTRACT: Bring Your Own Device (BYOD) is a technological trend which individuals of all ages are embracing. BYOD involves an employee of an organisation using their own mobile devices to access their organisations network. Several incremental risks will arise as a result of adoption of a BYOD program by an organisation. The research aims to assist organisations to identify what incremental risks they could potentially encounter if they adopt a BYOD program and how they can use a framework like COBIT 5 in order to reduce the incremental risks to an acceptable level. By means of an extensive literature review the study revealed 50 incremental risks which arise as a result of the adoption of a BYOD program. COBIT 5 was identified as the most appropriate framework which could be used to map the incremental risks against. Possible safeguards were identified from the mapping process which would reduce the incremental risks to an acceptable level. It was identified that 13 of the 37 COBIT 5 processes were applicable for the study.

Theses -- Accountancy

Dissertations -- Accountancy

Computer networks -- Security measures

Computer security -- Risk assessment

Dissertations -- Computer auditing

Theses -- Computer auditing

UCTD

Uso organizacional da tecnologia de informação: um estudo sobre a avaliação do grau de informatização de empresas industriais paulistas / Organizational use of information technology: an study on the evaluation of the computerization level of brazilian industrial companies

Souza, Cesar Alexandre de

21 December 2004

Inserida de maneira central na atualidade está a questão da difusão da tecnologia de informação (TI) em todos os níveis da sociedade. Governos em todo o mundo têm se preocupado com a inclusão de seus países na “economia digital" e investido na construção de infra-estruturas tecnológicas que permitam conectar suas instituições, cidadãos e empresas entre si e com o mercado global. Isso se reflete em um intenso processo de informatização da sociedade, e, especialmente no caso das empresas, se faz necessário para que possam participar deste mercado. Apesar disso, muitos estudos apontam dois aspectos que destoam desse quadro: em primeiro lugar, não se comprovou relação direta entre investimentos realizados em TI e a obtenção de resultados como o aumento da lucratividade ou produtividade empresariais; e, em segundo lugar, muitas empresas, especialmente de micro, pequeno e médio porte encontram-se em posição relativamente atrasada nesse processo. Quanto ao primeiro aspecto, o que tem despontado como principal conclusão dos estudos é o fato de que não importa o quanto se investe em tecnologia, mas sim o como essa tecnologia é utilizada para o efetivo apoio aos processos empresariais. Em relação ao segundo aspecto, o que se aponta é a necessidade de os gestores das empresas terem à sua disposição recursos que possibilitem realizar (a) uma avaliação de como a empresa se encontra em relação ao uso da TI; (b) um correto posicionamento desse uso em relação a outras empresas de mesmo porte e setor e; (c) o conhecimento das alternativas disponíveis para a informatização. Assim, o objetivo principal deste trabalho é o desenvolvimento de uma medida unificada para a avaliação do uso da TI, e que será denominada “grau de informatização". A medida do grau de informatização foi desenvolvida com base em quatro dimensões: infra-estrutura de TI; uso organizacional; gestão de TI; e impactos organizacionais advindos da utilização da TI, tendo como foco específico empresas do setor industrial. O desenvolvimento dessa medida unificada para o “grau de informatização" se insere no contexto maior de um projeto que tem como objetivo a disponibilização de um instrumento para que empresas possam avaliar seus processos de informatização, e, ao mesmo tempo, desenvolver a cultura da avaliação de TI e obter conceitos e conhecimentos necessários para que esse processo possa ser bem sucedido. Esse projeto é denominado “iDigital – Perfil da Empresa Digital" e é realizado em parceria entre a Federação das Indústrias do Estado de São Paulo (FIESP), a Fundação Instituto de pesquisas Econômicas (FIPE) e a Faculdade de Economia, Administração e Contabilidade da Universidade de São Paulo (FEA/USP). Para a elaboração da medida, foram selecionadas e analisadas variáveis obtidas em 345 questões apresentadas em um questionário disponibilizado na Internet, e que foram sintetizadas em 66 indicadores que compõem a medida proposta. A amostra final obtida contou com 1.391 empresas, sendo que 830 atenderam os requisitos para o cálculo da medida proposta. Para teste e validação da medida, foi utilizado o modelo de equações estruturais (SEM). A medida atendeu a requisitos de confiabilidade e validade interna, e mostrou ter validade externa ao se confirmarem as proposições de evolução com o porte de empresa, diferenciação por setores empresariais, e inexistência de correlação com os investimentos em TI realizados pelas empresas. / The diffusion of information technology (IT) in all levels of society is central to the context of the new economy. Around the world, governments are investing in the development of a technological infrastructure to make possible to their institutions, citizens and companies to connect among them and to the global market. This need is reflected in an intense process of computerization of the society, and, in the case of commercial companies, it is even necessary to compete. In spite of this, some studies show two facts that are not aligned with this situation: first, there is no proof of a direct causal link between investments in IT and organizational performance; second, it is shown that in many companies this process is delayed, and it is especially the case of small and medium business. In relation to the first fact, the main conclusion of such studies is that it is not the amount invested in IT that matters, but how it is invested and how technology is effectively used to support organizational processes. Relative to the second fact, it is pointed that managers and executives have a need for evaluation instruments that allow them to: (a) evaluate the organizational use they are making of IT; (b) obtain a knowledge of their positioning in relation to other companies; and (c) inform them about possible uses of IT in their companies. So, the main objective of this work is to develop a measure to evaluate the organizational use of IT, that is, a measure of the “computerization level" of industrial firms. The development of this measure was based on four dimensions: IT infrastructure; Organizational Use of IT; IT Management; and IT Impacts, being industrial companies the focus of the research. The development of this measure is inserted into a greater context of a project that aims to make available an evaluation instrument that at the same time allows the evaluation of the companies computerization processes and acts as a mean to disseminate knowledge to executive managers about the possible uses of IT. The development of this measure was done by selecting and analyzing variables obtained in 345 questions presented in a web questionnaire, and that were summarized into 66 indicators. A sample of 1391 companies was obtained, and 830 were effectively used to develop the measure. To test and validate the measure, structural equation modeling (SEM) was employed. The final computerization level measure reached reliability and internal validity requirements and showed external validity as initial propositions of being related to size and sector of companies and of not being related to investments in IT were confirmed.

Gestão da Tecnologia de informação

Grau de Informatização de Empresas

Information Technology Management

Structural Equation Modeling (SEM)

Capacidade implanta????o-TI e vantagem competitiva: um estudo explorat??rio no Brasil

Sant???Anna Junior, Rubens

30 October 2015

Submitted by Elba Lopes (elba.lopes@fecap.br) on 2016-05-04T20:57:57Z No. of bitstreams: 2 Rubens_Santanna_Junior.pdf: 651868 bytes, checksum: 37ccb1fbac0e554051327465270028f3 (MD5) license_rdf: 23148 bytes, checksum: 9da0b6dfac957114c6a7714714b86306 (MD5) / Made available in DSpace on 2016-05-04T20:57:57Z (GMT). No. of bitstreams: 2 Rubens_Santanna_Junior.pdf: 651868 bytes, checksum: 37ccb1fbac0e554051327465270028f3 (MD5) license_rdf: 23148 bytes, checksum: 9da0b6dfac957114c6a7714714b86306 (MD5) Previous issue date: 2015-10-30 / We examine with an empirical study the hypothesis that the IT Deployment Capabilities impacts are positively associated with competitive advantage in Brazilian companies. The study uses the conceptual research model proposed by Tian et al. (2009). As part of this study, some of the main theoretical concepts of Resource Based View are reviewed, establishing a link between these concepts and the explanation about competitive advantage. The three constructs that set up the IT Deployment Capabilities are identified and investigated: Strategic Flexibility Partnership Business and Business Alignment. This is a descriptive exploratory research with a quantitative approach. The data collection instrument answered by the employees was a survey with a 7-point Likert scale available through Electronic Link on the Internet, using the website Survey Monkey. The study used public or private companies, national or international companies headquartered in Brazil as criteria for population, within various segments, and sample included the following functions: CEOs and Directors, Managers and Coordinators working at Information Technology areas in their companies. 320 e-mails were sent, yielding 192 responses. Of these 108 were selected as surveys with the desired research profile. To provide validation to the study, a statistical tool validation was used performing exploratory factor analysis tests (FAT) and multiple linear regression (MLR). The results showed that the constructs Strategic Flexibility and Business Partnership are positively associated with the perception of the impact of information technology competitive advantage, while the construct Business Alignment had no significant results to corroborate the studies by Tian et al. (2009) in Chinese companies. / O principal objetivo deste trabalho ?? examinar, com um estudo emp??rico, se os impactos da Capacidade Implanta????o-TI est??o positivamente associados ?? vantagem competitiva nas empresas brasileiras. O estudo utiliza o modelo conceitual de pesquisa proposto por Tian et al. (2009). Como partes deste estudo s??o revistos, dentre eles alguns dos principais conceitos te??ricos da Vis??o Baseada em Recursos, estabelece-se um elo entre esses conceitos e a explica????o da vantagem competitiva, identificando-se e investigando-se os tr??s constructos que comp??em a Capacidade Implanta????o-TI: Flexibilidade Estrat??gica, Parceria de Neg??cio e Alinhamento do Neg??cio. Trata-se de uma pesquisa explorat??ria descritiva, com uma abordagem quantitativa. O instrumento de coleta de dados empregado foi um Survey, utilizando-se a escala Likert com 7 pontos de Link eletr??nico, dispon??vel na Internet atrav??s do site Monkey Survey. O estudo utilizou como crit??rio de popula????o empresas nacionais ou internacionais sediadas no Brasil, de capital aberto ou fechado, e seus diversos segmentos, sendo que a amostra envolveu as fun????es de: CEOs, Diretores, Gerentes e Coordenadores que estavam ligados ?? ??rea de Tecnologia da Informa????o nas empresas onde colaboram. Foram enviados 320 e-mails, obtendo-se 192 respostas. Desse total, foram selecionadas 108 respostas com o perfil desejado da pesquisa. Para proporcionar garantia ao estudo, foi utilizado o instrumento estat??stico de valida????o, no qual foram realizados os testes de an??lise fatorial explorat??ria (AFE) e regress??es lineares m??ltiplas (RLM). Os resultados mostraram que os constructos Flexibilidade Estrat??gica e Parceria de Neg??cio est??o positivamente associados ?? percep????o dos impactos da Tecnologia da Informa????o na vantagem competitiva, enquanto o constructo Alinhamento do Neg??cio n??o apresentou resultados significativos, corroborando os estudos realizados por Tian et al. (2009) nas empresas chinesas.

ADMINISTRA????O DE EMPRESAS

The personal information management behaviour of academics : implications for librarians' support

Newton-Smith, Carol Jean

Unknown Date

The aim of this study was to better understand how academics manage their personal information and therefore to have a basis for planning for appropriate support by librarians. There did not appear to be any current relevant research but from a review of previous studies, in which the predominant management strategy included a card personal index, a model was drawn up and validated by a number of academics would be using electronic personal indexes to manage their personal collections. The research methods selected for this study were in-depth interviews and a questionnaire survey. The main findings were that academics do not use a personal index (card or electronic) to manage their personal collections and they also use a language different from that of librarians to describe their activities of personal information management. Academics manage their information by organising their personal collection according to their working subject framework. to expand their collections they work outwards from items of known quality or follow the advice of colleagues to locate such items. To become aware of the new material in the library (or elsewhere), academics prefer to browse new journals and books, rather than use a subject index. Databases are used for confirmation of reference details and citation indexes are used to work outwards from documents of known quality. The output of references is by the use of word processing software with a few academics using bibliographic software just for this function. The conclusion of the study were that academics manage their personal information in a dissimilar way to that expected by librarians. Academics are managing ideas not documents and their methods of personal information management reflect the need to manage these ideas and the associated connective thought process. Librarians can better assist academics by designing library services that facilitate academics' ideas management. Suggestions for improved support include the development of services that enable browsing, the linking of ideas between research publications in different disciplines and the provision of a service to confirm reference details.

Personal information management

Information technology -- Management

The impact of information and communication technologies (ICTs) on rural livelihoods: the case of smallholder farming in Zimbabwe

Mago, Shamiso

January 2012

This study seeks to determine the impact of Information and Communication Technologies (ICTs) on livelihoods of smallholder farmers in Zimbabwe. The study was motivated by the fact that benefits of ICT development still need to be known among rural smallholder farmers in Zimbabwe. ICTs have been upheld as catalysts for the promotion of rural livelihoods the world over. The question that remains is whether ICTs in Zimbabwe promote livelihoods of smallholder farmers. Although the Government formulated the ICT policy in 2005, the benefits still need to be known among rural smallholder farmers in Zimbabwe. The challenges faced by smallholder farmers include limited access to ICTs, high costs in ICT services and lack of ICT infrastructural development in the country. The challenges hindered ICT benefits that are expected to accrue to smallholder farmers. This study is significant in the view that most studies on ICT have focused on the general roles of ICT on rural development without giving particular attention to smallholder farming that has a potential of reducing poverty and promoting food security. For a theoretical lens, the Sustainable Livelihood Approach was used with special attention to Chapman et al (2001)’s information wheel. Regarding methodological issues, the study followed a qualitative research methodology guided by a secondary analysis research design. Data were collected from published reports of government, reports from the Ministry of ICT, internet, journals, newspapers and periodicals. The study established that ICTs promote livelihoods of smallholder farmers through the dissemination of vital information for improvement of agricultural productivity. From the research findings, the study proposes four main recommendations. Firstly, strengthening of ICT policy for effective smallholder farmers. Secondly, the government to organise ICT awareness campaigns directed towards rural people especially smallholder farmers. Thirdly, up scaling ICT Infrastructural development .Finally, a large-scale ICTs and livelihoods research must be commissioned in the country.

Farms, Small -- Zimbabwe

Family farms -- Zimbabwe

Poverty -- Zimbabwe

Rural poor -- Zimbabwe

Rural development -- Zimbabwe

Sustainable development -- Zimbabwe

Food security -- Zimbabwe

Information technology -- Management

Technological innovations -- Management

Management information systems

Knowledge management and its effectiveness for organisational transformation through knowledge sharing and transfer

Mazorodze, Alfred Hove

06 1900

Knowledge Management aims to improve organisational performance and it marks the beginning of organisational transformation. The two types of knowledge managed are respectively categorised “tacit” and “explicit.” This research investigated the effectiveness of Knowledge Management for organisational transformation in Namibia. It was necessitated by the lack of knowledge sharing among employees and also lack of appropriate tools for effective Knowledge Management. Moreover, some organisations engage in Knowledge Management practices without a full understanding of the processes involved. This was determined by a through literature review which indicated that there were very few studies conducted on Knowledge Management in Namibia as shown on Table 1.1 on page 6. The study therefore provided a nuanced understanding of Knowledge Management. The study additionally established that the use of appropriate tools and technologies to better manage the knowledge ultimately improves organisational performance. The research objectives sought to explore the initiatives deployed to enable knowledge sharing, identify barriers to effective Knowledge Management, analyse the role of social media for knowledge sharing and also measure the effectiveness of the knowledge transfer activities. A mixed method research methodology was used to conduct this investigation. Participants were selected through purposive sampling. Out of 130 questionnaires distributed, 112 were fully completed and returned. This represented an 86.1% response rate. The results of the study revealed that organisational transformation is dependent on effective Knowledge Management. In addition to that, the study found that there is a correlation of 0.6 between Information Technology and Knowledge Management. The study further revealed that initiatives to enable knowledge sharing start with executive support and the employees should be motivated to share knowledge. More so, it was also found that lack of funds for Knowledge Management projects is the greatest barrier in organisations. Effective Knowledge Management is facilitated by social media. Finally, it was found that the most effective knowledge transfer activity is a collaborative virtual workspace followed by Communities of Practice. / School of Computing / M.Sc. (Computing)

Knowledge

Knowledge management

Knowledge management systems

Information and Communication Technology

Knowledge sharing

Communities of Practice

Organisational performance

Organisational transformation

006.33

Knowledge management

Information technology -- Management

Organizational learning

Expert systems (Computer science)