Global ETD Search

81	A Study of the Effect of Information Security Policies on Information Security Breaches in Higher Education Institutions Waddell, Stanie Adolphus 01 January 2013 (has links) Many articles within the literature point to the information security policy as one of the most important elements of an effective information security program. Even though this belief is continually referred to in many information security scholarly articles, very few research studies have been performed to corroborate this sentiment. Doherty and Fulford undertook two studies in 2003 and in 2005 respectively that sought to catalogue the impact of the information security policy on breaches at businesses in the United Kingdom. The pair went on to call for additional studies in differing industry segments. This dissertation built upon Doherty and Fulford (2005). It sought to add to the body of knowledge by determining the statistical significance of the information security policy on breaches within Higher education. This research was able to corroborate the findings from Doherty and Fulford's original research. There were no observed statistically significant relationships between information security policies and the frequency and severity of information security breaches. This study also made novel contributions to the body of knowledge that included the analysis of the statistical relationships between information security awareness programs and information security breaches. This effort also analyzed the statistical relationships between information security policy enforcement and breaches. The results of the analysis indicated no statistically significant relationships. Additionally, this research observed that while information security policies are heavily utilized by colleges and universities, security awareness training is not heavily employed by institutions of higher education. This research noted that many institutions reported not having consistent enforcement of information security policies. The data observed during this research implies there is room for additional coverage of formal information security awareness programs and potentially a call to attempt alternative training methods to achieve a reduction of the occurrences and impact of security breaches. There is room for greater adoption of consistent enforcement of policy at higher education organizations. The results of this dissertation suggest that the existence of policy, training, and enforcement activities in and of themselves are not enough to sufficiently curtail breaches. Additional studies should be performed to better understand how breaches can be reduced. Awareness Programs Colleges and Universities Information Security Information Security Policies Policy Enforcement Security Breaches Computer Sciences
82	Developing security metrics scorecard for health care organizations Elrefaey, Heba 22 January 2015 (has links) Information security and privacy in health care is a critical issue, it is crucial to protect the patients’ privacy and ensure the systems availability all the time. Managing information security systems is a major part of managing information systems in health care organizations. The purpose of this study is to discover the security metrics that can be used in health care organizations and to provide the security managers with a security metrics scorecard that enable them to measure the performance of the security system in a monthly basis. To accomplish this a prototype with a suggested set of metrics was designed and examined in a usability study and semi-structured interviews. The study participants were security experts who work in health care organizations. In the study security management in health care organizations was discussed, the preferable security metrics were identified and the usable security metrics scorecard specifications were collected. Applying the study results on the scorecard prototype resulted in a security metrics scorecard that matches the security experts’ recommendations. / Graduate / 0723 / 0769 / 0454 / hebae@uvic.ca health care information security
83	Investigating the Impact of Self-Control and Deterrents on Noncompliant Information Security Behavior Chuma, Ramadhan 01 January 2012 (has links) Employees' noncompliance with information security policy and rules is a serious impediment to the effectiveness of security programs in organizations. The extant information security studies have used General Deterrence Theory (GDT) to investigate noncompliant information security behavior, yet most of the findings have not been effective in practice due to a lack of strong theoretical underpinning. Neglecting criminal propensity of the potential perpetrator has been identified to be one of the theoretical weaknesses of GDT-based studies. Any attempt to explain noncompliant information security behavior in organizational context, demands a well grounded framework to explain why employees transgress information security policies and rules. The purpose of this study was to empirically investigate the link between self-control (criminal propensity), deterrence perceptions, and noncompliant information security behavior. Criminal propensity was operationalized using the three perspectives of self-control: personality trait, social bond, and self-generated inhibitions. This study then examined the influence of the three self-control variables on deterrence perceptions (certainty, severity, and celerity). Further, the study investigated the impact of deterrence perceptions on noncompliant information security behavior. Data collected from 421 employees in a Southern USA-based company was used to test the relationships between research model constructs using SPSS's Amos structural equation modeling software package. Results indicated that employees' perceptions on all three dimensions of deterrents were positively impacted by self-control based on self-generated inhibitions. The results also showed that only employees' perceptions on certainty of apprehension and celerity of punishment were positively impacted by social bond self-control. No significant relationships were established between deterrence perceptions and personality trait self-control. Further, employees' perceptions on certainty of apprehension and celerity of punishment were negatively associated with noncompliant information security behavior. The results also indicated that severity of punishment was not a significant predictor of noncompliant information security behavior. The uniqueness of this study provided evidence on the importance of incorporating criminal propensity in GDT-based studies. The current study also highlighted the importance of celerity of punishment dimension, which is highly neglected by GDT-based information security studies. Compliance Criminal Propensity General Deterrence Theory information security behavior Information security policy Self-control Computer Sciences
84	An Empirical Investigation of the Economic Value of Information Security Management System Standards Shoraka, Babak 01 January 2011 (has links) Within the modern and globally connected business landscape, the information assets of organizations are constantly under attack. As a consequence, protection of these assets is a major challenge. The complexities and vulnerabilities of information systems (ISs) and the increasing risks of failure combined with a growing number of security incidents, prompts these entities to seek guidance from information security management standards. The International Organization of Standardization (ISO) Information Security Management System (ISMS) standard specifies the requirements for establishing, operating, monitoring, and improving an information security management system within the context of an organization's overall business risks. Importantly, this standard is designed to ensure the selection of adequate information security controls for the protection of an organization's information assets and is the only auditable international standard for information security management. The adoption of, and certification against the ISO ISMS standard is a complex process which impacts many different security aspects of organizations and requires significant investments in information security. Although many benefits are associated with the adoption of an information security management standard, organizations are increasingly employing economic measures to evaluate and justify their information security investments. With the growing emphasis on the importance of understanding the economic aspects of information security, this study investigated the economic value of the ISO ISMS standard adoption and certification. The principles of the efficient market hypothesis and the event study methodology were employed to establish whether organizations realized economic gains from obtaining certification against the ISO ISMS standard. The results of this research showed that capital markets did not react to the ISO ISMS certification announcements. Furthermore, the capital market reaction to information security breaches was not different between ISO ISMS certified and non-certified firms. It was concluded that the ISO ISMS certification did not create economic value for the certified firms Event study Information secuity Information security incidents ISMS Standards Computer Sciences
85	An Automated Tool For Information Security Management System Erkan, Ahmet 01 September 2006 (has links) (PDF) This thesis focuses on automation of processes of Information Security Management System. In accordance with two International Standards, ISO/IEC 27001:2005 and ISO/IEC 17799:2005, to automate the activities required for a documented ISMS as much as possible helps organizations. Some of the well known tools in this scope are analyzed and a comparative study on them including &ldquo / InfoSec Toolkit&rdquo / , which is developed for this purpose in the thesis scope, is given. &ldquo / InfoSec Toolkit&rdquo / is based on ISO/IEC 27001:2005 and ISO 17799:2005. Five basic integrated modules constituting the &ldquo / InfoSec Toolkit&rdquo / are &ldquo / Gap Analysis Module&rdquo / , &ldquo / Risk Module&rdquo / , &ldquo / Policy Management Module&rdquo / , &ldquo / Monitoring Module&rdquo / and &ldquo / Query and Reporting Module&rdquo / . In addition a research framework is proposed in order to assess the public and private organizations&rsquo / information security situation in Turkey.
86	Study on Architecture-Oriented Information Security Management Model Tsai, Chiang-nan 07 January 2009 (has links) Information security, sometimes referred as enterprise security, plays a very important and professional role in the enterprises. Therefore, information security management is getting more and more popularity among the enterprises in recent years. Several aspects on information, such as technical documents, research and development plans, product quotations, are considered as core assets in one company. How to effectively manage and realize an information security system has become a key for a company¡¦s survival. The international information security management standard, ISO 27001:2005, which includes personnel security, technology security, physical security and management security has been promulgated. When bringing in an information security management system, a company usually embraces the process-oriented approach which treats the system¡¦s structure view and behavior view separately. Separating structure view from behavior view during the planning phase may cause many difficulties, such as uneven distribution of resources, poor safety performance, bad risk management, poor system management and so on, when working on the later realization and verification phase of the information security management system¡¦s construction. Up to date, there is no enterprise architecture theory for information security management system. This research utilizes architecture-oriented modeling methodology so that structure view and behavior view are coalesced when decomposing the information security management system to obtain structural elements and behaviors deriving from interactions among these structure elements. By adopting structure behavior coalescence, abbreviated as SBC, which includes ¡§architecture hierarchy diagram", "structure element diagram", "structure element service diagram", "structure element connection diagram", "structure behavior coalescence diagram", and "interactive flow diagram", this research constructs a complete architecture-oriented information security management model, abbreviated as AOISMM. This research is the first study using architecture-oriented approach to construct the information security management system. Also, AOISMM solves many difficulties caused by the process-oriented approach when constructing information security management systems. These are the contributions of this research. Enterprise Architecture Enterprise Security Information Security
87	New Perspectives on Implementing Health Information Technology Sarkar, Sumantra 24 July 2014 (has links) The importance of studying challenges in implementing information technology solutions in health care organizations is highlighted by the huge investments in health care information technology (HIT) which has been spurred by recent government mandates. Information technology can help improve health care delivery cost by facilitating the standardization of work processes or routines and reducing variations among them. Set in a premier 950+ bed hospital in the south eastern part of US, this dissertation consists of two studies examining the challenges involved in implementing HIT solutions. In the first study, we seek to gain deep insights into how the process of creating a patient’s chart evolves over time in a health care institution. The second study focuses on the users of Electronic Health Records (EHR) system, investigating the compliance behavior of various providers with respect to patient records in the system. In the first study, through the lens of Activity theory our results show that the charting routine is implicated by the following environmental factors: (1) Tools, (2) Rules, (3) Community, and (4) Roles, and by individual factors: (5) Computer Self-Efficacy and (6) Risk Propensity. In the second study, our results indicate that there is a substantial effect of subculture of the different occupational groups on IT security compliance intent and behavior in a health care institution. routines process activity theory information security information security policy compliance behavior policy violation pseudo-compliance
88	Information Security Awareness amongst students : A study about information security awareness at universities Lund, Per January 2018 (has links) In the era of information, it has become vital for companies to make sure that their information is properly protected. They are therefore, willing to spend large amounts of resources on protecting their information. This can usually be done in a large variety of ways. The root of information security is first and foremost, having policies that regulate how information security is upheld. And secondly, by teaching employees proper practice of information security. These are however procedures that are not all that common in a university environment, and even more so in relation to students. In order to explore this phenomenon further, an exploratory study have been carried out to find more information on the subject. This has been done in several ways in order to grasp as much information as possible. Firstly, by doing a literary study to find out what is already known within the field of information security in regard to students. Secondly, by doing a quantitative study that evaluates the student’s information security awareness. And lastly, by conducting an interview with a member of staff at a university to find out their attitude towards the phenomenon. The thesis concludes by suggesting how universities might want to handle information security in relationship to students. Information security awareness information security students University Information Systems
89	Mikroträning som utbildningsmetod inom informationssäkerhet / Micro training as a education approach in information security Skärgård, Marie January 2017 (has links) Cyberbrott har idag blivit en multimiljard-industri och det utövas mer och mer sofistikerade attacker där människan är måltavlan. Det är därför dags att ta utbildning och träning inom informationssäkerhet till en ny nivå. Detta för att skapa högre grad av medvetenhet gällande säkerhetsrisker. Det finns redan fungerande metoder, men bara för de som är motiverade att lära sig. Detta arbete har undersökt hur mikroträning uppfattas som utbildningsmetod inom informationssäkerhet. En studie som utförts med hjälp av både kvalitativa och kvantitativa metoder. Mikroträningsmaterial har tagits fram i form av videoklipp som på ett kort, koncist och konkret sätt presenterar olika områden inom informationssäkerhet på 60 sekunder. Dessa har sedan utvärderats av 198 subjekt i en enkätundersökning där subjektens attityd både till materialet och till mikroträning som koncept har analyserats. Studiens resultat visar att mikroträning är en uppskattad metod för att träna och lära ut specifika områden inom informationssäkerhet. Denna studie ska bidra till ett framtida forskningsprojekt som vill undersöka om mikroträning i den stund som användaren behöver den kommer bidra till högre grad av informationssäkerhetsmedvetenhet. Detta för att se om medvetenhetsträningen ger den eftersträvade effekt som önskas, att klokare och säkrare beslut fattas i en riskfylld situation. / Cybercrime has become a multimillion industry and it is practicing more and more sophisticated attacks where the human is the main target. Thus it is time to take education and training in information security to a new level, to create a higher degree of awareness about security risks. There are already working methods, but only for those who are motivated to learn. This work has investigated how micro training is perceived as an education method of information security, a study conducted using both qualitative and quantitative methods. Micro training material has been developed in the form of video clips that briefly, concisely and concretely present various areas of information security in 60 seconds. These have been evaluated by 198 subjects in a questionnaire survey where the subject's attitude to the material and micro training as concept has been analysed. The study's findings show that micro training is an appreciated method for training and learning specific areas of information security. This study will contribute to a future research project that wants to investigate whether micro training in the moment the user needs it will contribute a greater degree of information security awareness. This to see whether awareness training will provide the desired effect, that a wiser and safer decision is made in a risky situation. information security information security awareness micro training informationssäkerhet informationssäkerhetsmedvetenhet mikroträning Information Systems
90	Integrace ISMS/ISO 27001/ISO 27002 do společnosti RWE / Integration of ISMS/ISO 27001/ISO 27002 to RWE company Peroutka, Tomáš January 2011 (has links) The main theme of this diploma thesis is Information Security Management System (ISMS) which is based on security standard ISO 27001 and ISO 27002. This thesis is one part of the project of integration ISMS to company RWE. First goal is analysis of actual documentation of RWE. Second goal is proposal of ideal structure of ISMS documentation. Third goal is assignment the parts of RWE documentation to ideal structure of ISMS documentation. Analysis of actual documentation used knowledge about RWE documentation to create overview table with all documents and their relations. Ideal structure of ISMS documentation was based on selected parts of ISO 27001 and multicriterial analysis. Third goal of this thesis was reached by assignment parts of RWE documentation to selected parts of ISO 27001 from the second goal. Contribution of this diploma thesis is the ideal structure of ISMS documentation and form of old RWE documentation assignment, because these goals are usual steps of PDCA cycle of ISMS but they are described briefly and sparsely in security standards and works related to ISMS.

Search results