Možnosti zajištění informační bezpečnosti pomocí definice standardního chování zaměstnanců / Options to ensure information security by defining a standard behavior of employees

Dvořák, Martin

January 2009

Continually the number of transactions carried out electronically via the internet has grown, as well as the number of users of IT (information technology). In the same way are accruing transactions that may be at risk in terms of information security as well as an increasing number of security incidents threatening financial gain or thefts of sensitive information. Attackers carried out attacks in order to make financial gains using more sophisticated methods, sophisticated not only using information technology but also using social engineering techniques. This growing trend is known about by governments and measures are being taken to help increase the information security of the state. This is evidenced by the fact that the European Parliament recently approved the following Directive Directive of the European parliament and of the council concerning measures to ensure a high common level of network and information security across the Union and the ensuing law on cyber security (Act No. 181/2014 Coll.) adopted by the Parliament of the Czech Republic in the summer of 2014. This act orders organizations which are maintaining critical infrastructure to implement a system to evaluate cybersecurity events (user behavior). So far no unified approach to implement such systems has been defined. Author defines standardized methodology for implementation of systems which evaluate user behavior with focus on optimization of data which these systems have to process to ensure their efficient functionality.

The COVID-19 pandemic impact on Information Security Policy compliance in regional healthcare. : An empirical study

Fält, Melker, Minierski, Bartlomiej

January 2022

Information Security (InfoSec) is a broad term used to describe the study of how to protect sensitive data from unauthorized access, modification, or deletion. InfoSec is commonly used within companies and organisations to facilitate the secure use of digital systems, taking its shape in the form of technical solutions as well as rules and guidelines defined in a so-called Information Security Policy (ISP). Subsequently, ISPs, which aim to mitigate the risks posed by the generally agreed upon weakest link, the human factor, is considered a crucial asset to maintaining security. The outbreak of the COVID-19 pandemic further solidifying its worth as an increase in attacks targeting humans, especially within the healthcare sector, can be seen. Research directed at ISPs is a much debated area which scientists from many different fields of study continuously lend their efforts. However, to the best of the authors' knowledge no recent studies can been seen that examines ISP Compliance (ISPC), with a focus on InfoSec awareness, from a Swedish regional healthcare employees’ perspective. Hence, this study seeks to provide an insight into this area, with the outbreak of the COVID-19 pandemic in mind. The research is based on a web-questionnaire survey created using information gained throughout several interviews with people working in the field of InfoSec. It seeks to examine healthcare employees' InfoSec awareness following the COVID-19 pandemic outbreak with regard  teleworking. It can be seen from the results that healthcare sector employees' were well aware of the InfoSec risks related to the changing work conditions following the outbreak of the COVID-19 pandemic.

Computer Science

Information Security Policy

Information Security Policy compliance

COVID-19 pandemic

Healthcare

Computer Sciences

Datavetenskap (datalogi)

Impact of demographic factors on information security awareness : a study on professionals and students in Sweden

Ojala Burman, Emma

January 2021

Over the past year, cyberattacks have increased and one of the reasons is a lack of security awareness in society. The Covid-19 pandemic has forced a drastic change in working conditions and the most prominent shift is that many people had to start working from home. From an information security perspective, this places great demands on the individual since they are not protected by their organization's security solutions in the same degree as in the physical office space. This is being exploited by cybercriminals and the issue of focusing on the human aspect of information security is becoming more essential. Education is used to increase information security awareness (ISA), which in turn leads to improved security behavior. Through education, organizations can therefore reduce the risk of being exposed to various cyberattacks. To develop training programs within information security, one should look for the underlying factors that have an impact on ISA. Therefore, the purpose of this study is to see if demographic factors have any impact on ISA among Swedish professionals and students. The study is based on a quantitative survey in which a total of 157 professionals and students participated. The study was conducted using The Human Aspects of Information Security Questionnaire (HAIS-Q), which is a validated questionnaire developed to measure ISA. The results of the study strengthen previous findings that knowledge about security policies is a crucial factor for a high ISA. In addition, age and level of education also show an impact on ISA. Information about underlying factors that impact ISA can be useful when designing training programs in information security for Swedish professionals and students.

Information security

information security awareness

security behavior

Information Systems, Social aspects

INFORMATION SECURITY AWARENESS TRAINING FOR END-USER : A Survey on the Perspective of Nordic Municipalities

Al Salek, Aous

January 2021

The reliance on information systems in daily operations in organizations made these systems and the security thereof a vital asset that must be protected. Traditionally, technical solutions were thought to be the critical factor in achieving security requirements. However, this has changed with research advancements into information security, suggesting that users are the root cause of the majority of information security incidents. It is widely accepted that an integral part of the methodology of securing information systems is end-user Information Security Awareness Train-ing (ISAT). The goal of ISAT is described to be a change in user behavior. As a result, research into the area has been steadily improving the ways ISAT is carried out. Yet, information security incidents are still on the rise with no indication of slowing down. Previous research has mainly examined users’ experience in relation to ISAT with very little focus on the organizational per-spective. In this study, the organizational perspective on the preferences and expectations of ISAT is examined by inviting all Nordic municipalities to participate in an online survey. The survey consisted of two parts; the first part focused on the current state of ISAT in Nordic municipalities. The second part examined the ideal design of ISAT according to participants. The results obtained from the survey revealed that the participating Nordic municipalities are well aware of recent developments in ISAT. Furthermore, their preferences and expectations of ISAT and what they consider an ideal design of ISAT conform to what is suggested in the literature—with some ex-ceptions. However, there seems to be a gap between knowing about recent developments and having a desired ideal design that conforms to the literature on one side, and actually applying these in production on the other side.

information security

information security awareness training

information systems

ISAT

user security training

Information Systems

Standardizing Instructional Definition and Content Supporting Information Security Compliance Requirements

Curran, Theresa

01 January 2018

Information security (IS)-related risks affect global public and private organizations on a daily basis. These risks may be introduced through technical or human-based activities, and can include fraud, hacking, malware, insider abuse, physical loss, mobile device misconfiguration or unintended disclosure. Numerous and diverse regulatory and contractual compliance requirements have been mandated to assist organizations proactively prevent these types of risks. Two constants are noted in these requirements. The first constant is requiring organizations to disseminate security policies addressing risk management through secure behavior. The second constant is communicating policies through IS awareness, training and education (ISATE) programs. Compliance requirements direct that these policies provide instruction about making compliant and positive security decisions to reduce risk. Policy-driven and organizationally-relevant ISATE content is understood to be foundational and critical to prevent security risk. The problem identified for investigation is inconsistency of the terms awareness, training and education as found in security-related regulatory, contractual and policy compliance requirements. Organizations are mandated to manage a rapidly increasing portfolio of inconsistent ISATE compliance requirements generated from many sources. Since there is no one set of common guidance for compliance, organizations struggle to meet global, diverse and inconsistent compliance requirements. Inconsistent policy-related content and instructions, generated from differing sources, may cause incorrect security behavior that can present increased security risk. Traditionally, organizations were required to provide only internally-developed programs, with content left to business, regulatory/contractual, and cultural discretion. Updated compliance requirements now require organizations to disseminate externally-developed content in addition to internally-provided content. This real-world business requirement may cause compliance risks due to inconsistent instruction, guidance gaps and lack of organizational relevance. The problem has been experienced by industry practitioners within the last five years due to increased regulatory and contractual compliance requirements. Prior studies have not yet identified specific impacts of multiple and differing compliance requirements on organizations. The need for organizational relevance in ISATE content has been explored in literature, but the amount of organizationally-relevant content has not been examined in balance of newer compliance mandates.The goal of the research project was to develop a standard content definition and framework. Experienced practitioners responsible for ISATE content within their organizations participated in a survey to validate definitions, content, compliance and organizational relevance requirements imposed on their organizations. Fifty-five of 80 practitioners surveyed (68.75% participation rate) provided responses to one or more sections of the survey. This research is believed to be the first to suggest a standardized content definition for ISATE program activities based on literature review, assessment of existing regulatory, contractual, standard and framework definitions and information obtained from specialized practitioner survey data. It is understood to be the first effort to align and synthesize cross-industry compliance requirements, security awareness topics and organizational relevance within information security awareness program content. Findings validated that multiple and varied regulatory and contractual compliance requirements are imposed on organizations. A lower number of organizations were impacted by third party program requirements than was originally expected. Negative and positive impacts of third party compliance requirements were identified. Program titles and content definitions vary in respondent organizations and are documented in a variety of organizational methods. Respondents indicated high acceptance of a standard definition of awareness, less so for training and education. Organizationally-relevant program content is highly important and must contain traditional and contemporary topics. Results are believed to be an original contribution to information/cyber security practitioners, with findings of interest to academic researchers, standards/framework bodies, auditing/risk management practitioners and learning/development specialists.

cybersecurity program

information security awareness

information security policy

organizational relevance

security compliance requirements

security risk management

Computer Sciences

User Information Security Behavior in Professional Virtual Communities: A Technology Threat Avoidance Approach

Forrester, Vivienne

01 January 2019

The popularization of professional virtual communities (PVCs) as a platform for people to share experiences and knowledge has produced a paradox of convenience versus security. The desire to communicate results in disclosure where users experience ongoing professional and social interaction. Excessive disclosure and unsecured user security behavior in PVCs increase users’ vulnerability to technology threats. Nefarious entities frequently use PVCs such as LinkedIn to launch digital attacks. Hence, users are faced with a gamut of technology threats that may cause harm to professional and personal lives. Few studies, however, have examined users’ information security behavior and their motivation to engage in technology threat avoidance behavior in a PVC. This study tested a professional virtual community technology threat avoidance model empirically. The model was developed from the conceptualization of different aspects of the technology threat avoidance theory, social cognitive theory, and involvement theory through an integrated approach. This quantitative study employed a random sampling methodology. Prior to collecting data for the main study an expert panel review and a pilot study were conducted. A web-based survey designed with a 5-point Likert scale was distributed to 1285 LinkedIn members to gather self-reported data on users’ technology threat avoidance behavior. Confirmatory factor analysis (CFA) and structural equation modeling (SEM) were used to analyze the data gathered from 380 respondents. The results of the data analysis revealed that perceived susceptibility, perceived severity, and information security knowledge sharing are strong predictors of avoidance motivation. Information security knowledge sharing had the most significant predicting effect on avoidance motivation in PVCs. Also, self-efficacy, group norms, and avoidance motivation all have a significant predicting effect on users’ information security avoidance behavior in PVCs. However, information security experience and safeguarding measure cost do not have a significant predicting effect on users’ information security avoidance motivation. This study makes significant contributions to the IS body of knowledge and has implications for practitioners and academics. This study offers a comprehensive model through the integration of behavioral and cognitive theories to better understand user information security behavior in PVCs. The model also identifies essential elements to motivate users to engage in technology threat avoidance behavior.

information security

LinkedIn

professional virtual communities

technology threat avoidance theory

user information security behavior

virtual communities

Computer Sciences

The Economics of Data Breach: Asymmetric Information and Policy Interventions

Garcia, Michael Erik

23 July 2013

No description available.

Economics

Information Technology

cybersecurity

cyber security

data breach

economics

data breach notification

information security

information security economics

Vårdanställdas efterlevnad av informationssäkerhetspolicys : faktorer som påverkar efterlevnaden / Health care professionals' compliance with information security policies : variables influencing the compliance

Franc, Karolina

January 2014

Informationssäkerhet är ett område som kommit att sättas alltmer i fokus hos organisationer. Tidigare har främst tekniska lösningar för att skydda viktig information fått uppmärksamhet, det är först på senare tid som informationssäkerhet har börjat uppfattas som ett komplext område som innefattar såväl tekniska, som organisatoriska och mänskliga faktorer. För att eftersträva en god informationssäkerhet inom organisationen bör ett grundligt arbete läggas på att utveckla informationssäkerhetspolicys och säkerhetsansvariga måste kontinuerligt utbilda och skapa medvetenhet hos anställda kring vilka hot som finns mot organisationen ifall informationssäkerhetsbestämmelser inte efterlevs. Huvudsyftet i föreliggande studie har varit att undersöka vilka faktorer som styr anställdas efterlevnad av informationssäkerhetspolicys. Ytterligare delsyfte har varit att undersöka hur den faktiska efterlevnaden av informationssäkerhetsbestämmelser avspeglar sig inom två vårdverksamheter i Landstinget i Östergötland. För att uppfylla studiens syfte har fallstudier genomförts där såväl observationer som intervjuer med personal legat till grund för datainsamlingen. Resultatet visar att säkerhetsmedvetandet och efterlevnaden av säkerhetsbestämmelser inom de undersökta organisationerna är tämligen god, men det finns skillnader i graden av efterlevnad. Resultaten visar att anställda i viss mån hoppar över säkerhetsbestämmelser för att effektivisera sitt arbete. Den vanligaste säkerhetsbestämmelsen som visade på bristande efterlevnad var att en del anställda slarvade med att logga ut eller låsa datorn då denna lämnades oövervakad. Faktorer som visat sig vara avgörande för ifall säkerhetsbestämmelser efterlevs eller inte är bland annat ifall den anställde anser att beteendet övervakas, hur väl medveten man är kring konsekvensen av att säkerhetsbestämmelser inte efterlevs, samt hur stor sannolikhet man anser det vara att hotet realiseras. Ytterligare faktorer som visat sig spela roll är ifall den anställde anser att säkerhetsbestämmelsen ligger i konflikt med andra intressen, såsom effektivitet eller bekvämlighet. För att kunna införa effektiva policyåtgärder krävs det därmed att policyutvecklare förstår vad som motiverar anställda till att följa säkerhetsbestämmelser och vilka värderingar som ligger bakom deras beteende. / Information security has grown into a field of study that has gained increasingly attention within organizations. In the early days focus of the field has primerly been on technical solutions in order to protect information. Only recently information security has come to be seen as a complex area including both technical, organizational and human factors. In order to strive for a high degree of information security within the organization, emphasis has to be placed on developing a functional information security policy. Just as important is that security managers continually educate and create awareness amongst employees with regards to existing threats if information security rules are not respected. The main purpose in regards to this study has been to investigate the determinants of employees' compliance with information security policies. A further aim of the study has been to examine how the actual compliance of information security regulations is reflected in two healthcare clinics in the county council of Östergötland. In order to fulfill the purpose of the study, case studies were carried out in the clinics, where both filed studies and interviews with staff members formed the basis for data collection. The results show that security awareness and compliance with safety regulations within the surveyed organizations are fairly good, but there are differences in the level of compliance. The results show that employees to some degree overlook safety rules in order to make their work more efficient. The most common security rule that showed non-compliance was where employees occasionally did not logg off or lock the computer as it was left unattended. Determinants that showed to have an influence on whether or not employees comply with information security policys are among other factors to what extent the employee belives that the behavior is being monitored, awareness about conseqences from not complying with the security rules, as well as to what extent one belives that the actual threat occurs. Additional determinants that were found to have an influence on the actual behavior with regards to compliance is to what extent the employee considers the regulations to be in conflict with other interests, such as efficiency or convenience. In order to introduce effective policy measures knowledge is needed where policy makers understand what motivates employees to comply with safety rules, as well as the values that underlie their behavior.

Towards a conceptual framework for information security digital divide

Chisanga, Emmanuel

10 1900

In the 21st century, information security has become the heartbeat of any organisation. One of the best-known methods of tightening and continuously improving security on an information system is to uniquely and efficiently combine the human aspect, policies, and technology. This acts as leverage for designing an access control management approach which not only avails parts of the system that end-users are permitted to but also regulates which data is relevant according to their scope of work. This research explores information security fundamentals at organisational and theoretical levels, to identify critical success factors which are vital in assessing the organisation’s security maturity through a model referred to as “information security digital divide maturity framework”. The foregoing is based on a developed conceptual framework for information security digital divide. The framework strives to divide end-users, business partners, and other stakeholders into “specific information haves and have-nots”. It intends to assist organisations to continually evaluate and improve on their security governance, standards, and policies which permit access on the basis of each end-user or stakeholder’s business function, role, and responsibility while at the same time preserving the traditional standpoint of confidentiality, integrity, and availability. After a thorough review of a range of frameworks that have influenced the information security landscape, COBITTM was relied upon as a baseline for the development of the framework of the study because of its rich insight and maturity on IT management and governance. To ascertain that the proposed framework meets the required expectation, a survey targeting end-users within three participating organisations was carried out. The outcome revealed the current maturity level of each participating organisation, highlighting strengths and limitations of current information security practices. As such, for new organisations relying on the proposed framework for the first time, the outcome of such an assessment will represent a benchmark to be relied on for further improvement before embarking on the next maturity assessment cycle. In addition, a second survey was conducted with subject matter experts in information security. Data generated and collected through a questionnaire was then analysed and interpreted qualitatively and quantitatively in order to identify aspects, not only to gauge the acceptance of the proposed conceptual framework but also to identify areas for improvements. The study found that there was a general consensus amongst experts on the importance of a framework for benchmarking information security digital divide in organisations. It also provided a range of valuable input relied upon to improve the framework to its final version. / School of Computing / M. Sc. (Computing)

Capability maturity

Digital divide

Information security

Information systems

Critical success factors

Information security digital divide

Information security maturity level

Frameworks

Benchmarking

005.8

Computer security

Computer networks -- Security measures

Tietoturvakoulutuksen vaikuttavuuden arviointi yksilön ja organisaation tietoturvakäyttäytymiseen

Nykänen, K. (Kari)

02 November 2011

Abstract Information security is a key factor supporting companies' security and business requirements, and it is significantly affected by the information security behavior of the employees. Previous research has studied empirically as to which factors explains employees' compliance with information security policies and instructions. However, there are only a few empirical studied on the effectiveness of information security training on the information security behavior of employees. Especially, studies examining the effect on training on employees' cyberloafing (non-work related Internet use) behavior are far and few between. To address this gap in research, this thesis carries out an action research study aimed at improving employees' cyberloafing behavior at an organizational context. The results suggest that cyberloafing can be reduced by a proper training. / Tiivistelmä Tietoturva on keskeinen tekijä yrityksen kokonaisturvallisuuden ja liiketoiminnan tarpeiden tukemisessa, johon henkilökunnan tietoturvakäyttäytyminen vaikuttaa hyvin merkittävästi. Yksilön tietoturvakäyttäytymistä ja tietoturvapolitiikan ja -ohjeistuksien noudattamista on tutkittu empiirisesti vahvojen teoreettisten taustojen pohjalta. Tutkimustulokset ovat osoittaneet, että yksilön normeista ja ohjeistuksista poikkeava käyttäytyminen on vahvasti sidoksissa henkilökohtaisiin tapoihin, joita puolustellaan ja selitetään erilaisilla syillä. Tietoturvakoulutuksen vaikuttavuutta yksilön ja organisaation tietoturvakäyttäytymiseen on tutkittu empiirisesti hyvin vähän. Työhön liittymättömän Internetin käytön kontekstissa tehtyjä tutkimuksia on vain muutamia, ja niissä on selvitetty käytön motivaatiota ja käyttäjien profilointia. Tietoturvakoulutuksen vaikutusta yksilön työhön liittymättömän Internet-käyttäytymisen muuttamiseen ei ole aikaisemmin tieteellisesti tutkittu. Tässä väitöskirjassa tutkitaan tätä ajankohtaista kansainvälisen tutkijayhteisön tiedostamaa ongelmaa. Tutkimus suoritetaan noudattaen toimintatutkimusmallia kahdessa vaiheessa, joista toisessa sovelletaan kokeellista tutkimusmenetelmää. Pitkittäistutkimuksen ensimmäisessä vaiheessa tutkitaan organisaation tietoturvakäyttäytymistä ja -toimintaa. Tämän perusteella suunnitellaan koulutusmenetelmä, jonka avulla pyritään ratkaisemaan organisaation tietoturvatoiminnan keskeiset ongelmat ja parantamaan yksilön tietoturvatietoisuutta. Toisessa vaiheessa koulutusmenetelmää kehitetään ja laajennetaan koko organisaation henkilökunnan tasolle, minkä tavoitteena on muuttaa yksilön työhön liittymätöntä Internet-käyttäytymistä. Tutkimuksessa sovelletaan kriminologiaan pohjautuvaa neutralisoimisteoriaa ja sosiaalipsykologian tapateoriaa, joiden avulla pyritään selittämään yksilön työhön liittymätöntä Internet-käyttäytymistä. Tietoturvakoulutuksen laadinnassa sovelletaan oppimisen psykologiaa, sosiokonstruktiivista oppimisnäkemystä ja muutos-johtamista. Tutkimustulokset tarjoavat uutta tietoa siitä, mitä tulee huomioida laadittaessa organisaation tietoturvakoulutusta ja miten huolellisesti laaditun koulutuksen avulla voidaan muuttaa yksilön työhön liittymätöntä Internet-käyttäytymistä. Koulutuksen avulla pyritään vaikuttamaan yksilön syvälle juurtuneisiin tapoihin, käyttäytymiseen ja vastuunottamiseen omasta toiminnasta.

Internet-behavior

employees’ cyberloafing behavior

information security

information security behavior

information security training

neutralization techniques

non-work related Internet-behavior

Internet-käyttäytyminen

neutralisoimistekniikat

tietoturva

tietoturvakoulutus

tietoturvakäyttäytyminen