A risk based approach for managing information technology security risk within a dynamic environment

Mahopo, Ntombizodwa Bessy

11 1900

Information technology (IT) security, which is concerned with protecting the confidentiality, integrity and availability of information technology assets, inherently possesses a significant amount of known and unknown risks. The need to manage IT security risk is regarded as an important aspect in the daily operations within organisations. IT security risk management has gained considerable attention over the past decade due to the collapse of some large organisations in the world. Previous investigative research in the field of IT security has indicated that despite the efforts that organisations use to reduce IT security risks, the trend of IT security attacks is still increasing. One of the contributing factors to poor management of IT security risk is attributed to the fact that IT security risk management is often left to the technical security technologists who do not necessarily employ formal risk management tools and reasoning. For this reason, organisations find themselves in a position where they do not have the correct approach to identify, assess and treat IT security risks. The IT security discipline is complex in nature and requires specialised skills. Organisations generally struggle to find a combination of IT security and risk management skills in corporate markets. The scarcity of skills leaves organisations with either IT security technologists who do not apply risk management principles to manage IT security risk or risk management specialists who do not understand IT security in order to manage IT security risk. Furthermore, IT is dynamic in nature and introduces new threats and vulnerabilities as it evolves. Taking a look at the development of personal computers over the past 20 years is indicative of how change has been constant in this field, from big desktop computers to small mobile computing devices found today. The requirement to protect IT against threats associated with desktops was far less than the requirement associated with protecting mobile devices. There is pressure for organisations to ensure that they stay abreast with the current technology and associated risks. Failure to understand and manage IT security risk is often cited as a major cause of concern within most organisations’ IT environments because comprehensive approaches to identify, assess and treat IT security risk are not consistently applied. This is due to the fact that the trend of IT security attacks across the globe is on the increase, resulting in gaps when managing IT security risk. Employing a formal risk based approach in managing IT security risk ensures that risks of importance to an organisation are accounted for and receive the correct level of attention. Defining an approach of how IT security risk is managed should be seen as a fundamental task and is the basis of this research. This study aims to contribute to the field of IT security by developing an approach that assists organisations in treating IT security risk more effectively. This is achieved through the use of a combination of existing best practice IT security frameworks and standards principles, basic risk management principles, as well as existing threat modelling processes. The approach developed in this study serves to encourage formal IT security risk management practices within organisations to ensure that IT security risk is accounted for by senior leadership. Furthermore, the approach is anticipated to be more proactive and iterative in nature to ensure that external factors that influence the increasing trend of IT security threats within the IT environment are acknowledged by organisations as technology evolves. / Computing / M. Sc. (Computing)

IT

IT security

Risk

Risk management

IT security threat modelling

IT security management

OCTAVE

COBIT

ITIL

ISO 27001/2

ISF Standard of Good Practice

005.82

Computer security -- Standards

Cyberterrorism

Awareness and training: the influence on end-user' attitude towards information security policy compliance

Snyman, Mmabatho Charity

02 1900

Research accentuates that end-users‘ noncompliance with information security policy (ISP) is a key concern for government just as it is for the private sector. Although awareness and training programmes are important factors impacting employees‘ intentions to comply with an organisation‘s ISP, it can be argued that there is insufficient empirical evidence to support this assertion. To address this gap, this study seeks to expand research on ISP compliance by focusing on attitudes as targets of change. A research model based on the Theory of Planned Behaviour was proposed to illustrate the influence of ISP awareness training on end-users‘ attitudes towards complying with their organisation‘s ISP. Relevant hypotheses were developed to test the research conceptualisation. A survey and an experiment was undertaken to collect the data from a sample of 173 end-users of a single government organisation in one province. The data was captured and analysed using a Statistical Package for Social Sciences (SPSS). Furthermore, Structural Equation Modelling (SEM) was used to test whether the overall model appears to be a good fit to support the hypotheses. The reliability, validity, and model fit were found to be statistically significant, and three out of five research hypotheses were supported. Overall this study contributes to the existing body of knowledge by providing an understanding of the methods that can be used to encourage end-users‘ ISP compliance behaviour through an attitudinal shift, thereby targeting end-users‘ attitude as a means to improve information security policy compliance. Implications of the findings are further discussed in the paper. / Information Technology / M. Tech. (Information Technology)

Attitudes

Information security

Information security policy

Awareness training

Intentions to comply

Information security compliance

Self-efficacy

005.8

Computer security -- Government policy

Data protection -- Government policy

Computer networks -- Security measures

Compliance auditing

Information technology -- Management

A framework to manage sensitive information during its migration between software platforms

Ajigini, Olusegun Ademolu

06 1900

Software migrations are mostly performed by organisations using migration teams. Such migration teams need to be aware of how sensitive information ought to be handled and protected during the implementation of the migration projects. There is a need to ensure that sensitive information is identified, classified and protected during the migration process. This thesis suggests how sensitive information in organisations can be handled and protected during migrations by using the migration from proprietary software to open source software to develop a management framework that can be used to manage such a migration process.A rudimentary management framework on information sensitivity during software migrations and a model on the security challenges during open source migrations are utilised to propose a preliminary management framework using a sequential explanatory mixed methods case study. The preliminary management framework resulting from the quantitative data analysis is enhanced and validated to conceptualise the final management framework on information sensitivity during software migrations at the end of the qualitative data analysis. The final management framework is validated and found to be significant, valid and reliable by using statistical techniques like Exploratory Factor Analysis, reliability analysis and multivariate analysis as well as a qualitative coding process. / Information Science / D. Litt. et Phil. (Information Systems)

Closed Source Software

Information classification

Information protection

Information security

Information sensitivity

Information sensitivity

IP Protection

IS Migration

IS theory development

IT control frameworks

005.8

Information technology -- Management

Computer programs -- Software

Information science -- Software

Computer programs -- Security measures

Data protection