Enhancing the governance of information security in developing countries : the case of Zanzibar

Shaaban, Hussein Khamis

January 2014

Organisations in the developing countries need to protect their information assets (IA) in an optimal way. This thesis is based upon the argument that in order to achieve fully effective information security management (ISM) strategy, it is essential to look at information security in a socio-technical context, i.e. the cultural, ethical, moral, legal dimensions, tools, devices and techniques. The motivation for this study originated from the concern of social chaos, which results from ineffective information security practices in organisations in the developing nations. The present strategies were developed for organisations in countries where culture is different to culture of the developing world. Culture has been pointed out as an important factor of human behaviour. This research is trying to enhance information security culture in the context of Zanzibar by integrating both social and technical issues. The theoretical foundation for this research is based on cultural theories and the theory of semiotics. In particular, the study utilised the GLOBE Project (House et al, 2004), Competing Values Framework (Quinn and Cameron; 1983) and Semiotic Framework (Liu, 2000). These studies guide the cultural study and the semiotics study. The research seeks to better understand how culture impact the governance of information security and develop a framework that enhances the governance of information security in non-profit organisations. ISO/IEC 27002 best practices in information security management provided technical guidance in this work. The major findings include lack of benchmarking in the governance of information security. Cultural issues impact the governance of information security. Drawing the evidence from the case study a framework for information security culture was proposed. In addition, a novel process model for information security analysis based on semiotics was developed. The process model and the framework integrated both social and technical issues and could be implemented in any non-profit organisation operating within a societal context with similar cultural feature as Zanzibar. The framework was evaluated using this process model developed in this research. The evaluated framework provides opportunities for future research in this area.

005.8

Strategic framework to minimise information security risks in the UAE

Alkaabi, Ahmed

January 2014

The transition process to ICT (Information and Communication Technology) has had significant influence on different aspects of society. Although the computerisation process has motivated the alignment of different technical and human factors with the expansion process, the technical pace of the transition surpasses the human adaptation to change. Much research on ICT development has shown that ICT security is essentially a political and a managerial act that must not disregard the importance of the relevant cultural characteristics of a society. Information sharing is a necessary action in society to exchange knowledge and to enable and facilitate communication. However, certain information should be shared only with selected parties or even kept private. Information sharing by humans forms the main obstacle to security measure undertaken by organisations to protect their assets. Moreover, certain cultural traits play a major role in thwarting information security measures. Arab culture of the United Arab Emirates is one of those cultures with strong collectivism featuring strong ties among individuals. Sharing sensitive information including passwords of online accounts can be found in some settings in some cultures, but with reason and generally on a small scale. However, this research includes a study on 3 main Gulf Cooperation Council (GCC) countries, namely, Saudi Arabia (KSA), United Arab Emirates (UAE) and Oman, showing that there is similar a significant level of sensitive information sharing among employees in the region. This is proven to highly contribute to compromising user digital authentication, eventually, putting users’ accounts at risk. The research continued by carrying out a comparison between the United Kingdom (UK) and the Gulf Cooperation Council (GCC) countries in terms of attitudes and behaviour towards information sharing. It was evident that there is a significant difference between GCC Arab culture and the UK culture in terms of information sharing. Respondents from the GCC countries were more inclined to share sensitive information with their families and friends than the UK respondents were. However, UK respondents still revealed behaviour in some contexts, which may lead potential threats to the authentication mechanism and consequently to other digital accounts that require a credential pass. It was shown that the lack of awareness and the cultural impact are the main issues for sensitive information sharing among family members and friends in the GCC. The research hence investigated channels and measures of reducing the prevalence of social engineering attacks, such as legislative measures, technological measures, and education and awareness. The found out that cultural change is necessary to remedy sensitive information sharing as a cultural trait. Education and awareness are perhaps the best defence to cultural change and should be designed effectively. Accordingly, the work critically analysed three national cybersecurity strategies of the United Kingdom (UK), the United States (U.S.) and Australia (AUS) in order to identify any information security awareness education designed to educate online users about the risk of sharing sensitive information including passwords. The analysis aimed to assess possible adoption of certain elements, if any, of these strategies by the UAE. The strategies discussed only user awareness to reduce information sharing. However, awareness in itself may not achieve the required result of reducing information sharing among family members and friends. Rather, computer users should be educated about the risks of such behaviour in order to realise and change. As a result, the research conducted an intervention study that proposed a UAE-focused strategy designed to promote information security education for the younger generation to mitigate the risk of sensitive information sharing. The results obtained from the intervention study of school children formed a basis for the information security education framework also proposed in this work.

005.8

DEFINING VALUE BASED INFORMATION SECURITY GOVERNANCE OBJECTIVES

Mishra, Sushma

09 December 2008

This research argues that the information security governance objectives should be grounded in the values of organizational members. Research literature in decision sciences suggest that individual values play an important role in developing decision objectives. Information security governance objectives, based on values of the stakeholders, are essential for a comprehensive security control program. The study uses Value Theory as a theoretical basis and value focused thinking as a methodology to develop 23 objectives for information security governance. A case study was conducted to reexamine and interpret the significance of the proposed objectives in an organizational context. The results suggest three emergent dimensions of information security governance for effective control structure in organizations: resource allocation, user involvement and process integrity. The synthesis of data suggests eight principles of information security governance which guides organizations in achieving a comprehensive security environment. We also present a means-end model of ISG which proposes the interrelationships of the developed objectives. Contributions are noted and future research directions suggested.

information security governance

value theory

value focussed approach

internal control

case study

Business

Management Information Systems

Kommuner i interorganisatorisk samverkan : Att säkert och effektivt styra informationssäkerhetsarbete / Municipalities in interorganizational cooperation : Effective and efficient information security governance

Donnerin, Oscar, Mouwafi, Adham

January 2015

Samverkan mellan kommuner är något som varit en aktuell fråga för svenska myndigheter under en längre tid. Mer specifikt har en tydlig ökning identifierats sedan kommunallagen trädde i kraft 1991 och samverkansformen visade sig möta reella politiska behov på ett positivt sätt. Samtidigt har offentliga organisationer de senaste 15 åren gått från att förespråka skyddandet av information till att bli mer öppna och utbyta information över organisatoriska gränser. Denna kvalitativa fallstudie undersöker informationssäkerhet i en interorganisatorisk samverkan mellan svenska kommuner. Teorier som behandlas i uppsatsen är informationssäkerhet, information security governance och samverkan. Studiens syfte är att undersöka utmaningarna med styrning av informationssäkerhetsarbete i en interorganisatorisk samverkan mellan svenska kommuner. Vi ämnar således bidra till forskningen genom att dels förfina befintliga teorier kring de separata ämnesområdena men även utveckla teori där dessa ämnen möts. Vi syftar även till att bidra till praktiken genom att generera värdefull kunskap för de studerade organisationerna men även generalisera resultatet för liknande organisationer. Resultatet visar att vi identifierat ett antal centrala utmaningar där vissa är svårare att hantera än andra. En central utmaning är att det politiska självstyret är tydligt uttalat vilket sätter begräsningar för vad som är möjligt att realisera gemensamt. Vi kan även konstatera att resurser och prioriteringar påverkas av detta. Vi har presenterat ett antal förslag på behov som kan beaktas, både internt i kommunerna men även gemensamt över kommunala gränser. De rekommendationer vi har till kommunerna är att ta ett steg tillbaka gällande samverkan, detta då de ligger på så pass olika nivåer och kan få svårt att skapa en gemensam grund. Kommunerna bör även fokusera på den interna verksamheten och öka säkerhetsmedvetandet för att bli mer redo för att ingå i en samverkan. Uppfylls detta kan de börja fokusera på att anta principer och andra gemensamma aktiviteter som till exempel utbildningar. Detta gör att informationssäkerhetsarbetet går från att vara reaktivt till att bli mer proaktivt. Detta är något som vi anser att både offentliga- och privata organisationer borde sträva mot men även forskare borde ta hänsyn till.

Interorganisatorisk samverkan

informationssäkerhet

informationsutbyte

offentlig sektor

policy

information security governance

säkerhetsmedvetande

Information Systems

Assessing The Relative Importance of Information Security Governance Processes on Reducing Negative Impacts From Information Security Incidents

Farnian, Adnan

January 2010

Today the extent and value of electronic data is constantly growing. Dealing across the internet depends on how secure consumers believe their personal data are. And therefore, information security becomes essential to any business with any form of web strategy, from simple business-to-consumer, or business-to-business to the use of extranets, e-mail and instants messaging. It matters too any organization that depends on computers for its daily existence. This master thesis has its focus on Information Security Governance. The goal of this thesis was to study different Information Security processes within the five objectives for Information Security Governance in order to identify which processes that organizations should prioritize in order to reduce negative consequences on the data, information and software of a business from security incidents. By surveying IT experts, it was possible to gather their relative opinion regarding the relationship between Information Security Governance processes and security incidents. By studying the five desired objectives for Information Security Governance, Strategic Alignment, Risk Management, Resource Management, Performance Measurement and Value Delivery the result indicated that some processes within Performance Measurements have a difference in relation to other processes. For those processes a conclusion can be made that they are not as important as the processes which they were compared to. A reason for this can be that the processes within performance measurement are different in such a way that they measure an incident after it has actually happened. While other processes within the objectives for ISG are processes which needs to be fulfilled in order to prevent that an incident happens. This could obviously explain why the expert‟s choose to value the processes within performance measurement less important compared to other processes. However, this conclusion cannot be generalized, since the total amount of completed responses where less than expected. More respondents would have made the result more reliable. The majority of the respondents were academicals and their opinion and experience may be different from the IT experts within the industry, which have a better understanding of how it actually works in reality within an organization.

Information Technology

Information Security

Information Security Governance

Elektroteknik och elektronik

Institutionalization of Information Security: Case of the Indonesian Banking Sector

Nasution, Muhamad Faisal Fariduddin Attar

10 May 2012

This study focuses on the institutionalization of information security in the banking sector. This study is important to pursue since it explicates the internalization of information security governance and practices and how such internalization develops an organizational resistance towards security breach. The study argues that information security governance and practices become institutionalized through social integration of routines and system integration of relevant technologies. The objective is to develop an understanding of how information security governance and practices in the Indonesian banking sector become institutionalized. Such objective is built on an argument that information security governance and practices become institutionalized through social integration of routines and system integration of relevant technologies. Pursuing this study is necessary to conceptualize the incorporation of security governance and practices as routines, the impact of security breaches on such routines, and the effects of a central governing body on such routines altogether. Accordingly, the concept of institutionalization is developed using Barley and Tolbert’s (1997) combination of institutional theory and structuration theory to explain the internalization of security governance and practices at an organizational level. Scott’s (2008) multilevel institutional processes based on institutional theory is needed to elaborate security governance and practices in an organization-to-organization context. The research design incorporates the interpretive case-study method to capture communicative interactions among respondents. Doing so provides answers to the following research questions: (1) how institutions internalize information security governance and practices, (2) how an external governing body affects the institutionalization of information security governance and practices in institutions, and (3) how security breaches re-institutionalize information security governance and practices in institutions. Several important findings include the habitualized security routines, information stewardship, and institutional relationship in information-security context. This study provides contributions to the body of literature, such as depicting how information security becomes internalized in an organization and the interaction among organizations engaged in implementing information security.

Information Systems Security

Information Security Governance

Institutionalization

Institutional Theory

Structuration Theory

Banking Sector

Business

Management Information Systems

Shaping information security behaviors related to social engineering attacks

Rocha Flores, Waldo

January 2016

Today, few companies would manage to continuously stay competitive without the proper utilization of information technology (IT). This has increased companies’ dependency of IT and created new threats that need to be addressed to mitigate risks to daily business operations. A large extent of these IT-related threats includes hackers attempting to gain unauthorized access to internal computer networks by exploiting vulnerabilities in the behaviors of employees. A common way to exploit human vulnerabilities is to deceive and manipulate employees through the use of social engineering. Although researchers have attempted to understand social engineering, there is a lack of empirical research capturing multilevel factors explaining what drives employees’ existing behaviors and how these behaviors can be improved. This is addressed in this thesis. The contribution of this thesis includes (i) an instrument to measure security behaviors and its multilevel determinants, (ii) identification of multilevel variables that significantly influence employees’ intent for behavior change, (iii) identification of what behavioral governance factors that lay the foundation for behavior change, (iv) identification that national culture has a significant effect on how organizations cope with behavioral information security threats, and (v) a strategy to ensure adequate information security behaviors throughout an organization. This thesis is a composite thesis of eight papers. Paper 1 describes the instrument measuring multilevel determinants. Paper 2 and 3 describes how security knowledge is established in organizations, and the effect on employee information security awareness. In Paper 4 the root cause of employees’ intention to change their behaviors and resist social engineering is described. Paper 5 and 8 describes how the instrument to measure social engineering security behaviors was developed and validated through scenario-based surveys and phishing experiments. Paper 6 and 7 describes experiments performed to understand reason to why employees fall for social engineering. Finally, paper 2, 5 and 6 examines the moderating effect of national culture. / <p>QC 20160503</p>

Information security

Behavioral information security

Social engineering

Phishing

Measuring information security behaviors

Information security governance

Experiments

National culture

Mixed method research design

Quantitative methods

Styrning av informationssäkerhet vid hemarbete : En fallstudie om styrning av informationssäkerhet i förhållande till hemarbete / Governance of information security in a work from home context : A case study on information security governance relative to working from home

Palmgren, Patrik, Schylström, Per

January 2021

Under Covid-19-pandemin har organisationer med hjälp av digitaliseringen genomgått en omställning från kontorsarbete till hemarbete i en större utsträckning än tidigare. Förflyttningen av personal till hemmet och nya kommunikationskanaler har lett till en ökad hotbild gentemot organisationer och dess medarbetare som arbetar med känslig information. Höga krav ställs därför på en god informationssäkerhetsnivå inom organisationer, vilket kräver ett systematiskt styrningsarbete av informationssäkerhet. En nyckelfaktor i efterlevnaden av organisationers regler för informationssäkerhet är tydlig kommunikation och utbildning i syfte att öka medvetenheten och förmågan hos medarbetarna i organisationen. Genom en kvalitativ ansats beskriver denna fallstudie hur olika medarbetare som arbetar hemifrån kan uppleva informationssäkerhet och hur en organisation kan arbeta med styrning av informationssäkerhet i samband med att medarbetarna arbetar hemifrån. Studien presenterar också likheter och skillnader som finns mellan dessa två perspektiv. Vi har genomfört åtta intervjuer med olika personer från en fallorganisation som har flyttat större delen av sin arbetsstyrka från arbetsplatsen till hemmet.  Studiens resultat är att efterlevnaden av informationssäkerhet är beroende av en organisations kultur och personalens säkerhetsmedvetande. Motivationsfaktorer för att följa regler för informationssäkerhet har i fallet följt delarna i Protection Motivation Theory och Fogg Behavior Model. Vi ser också att borttagandet av sociala kontakter och påminnelser försvårar för medarbetare att arbeta på ett informationssäkert sätt och för organisationen att påverka sina medarbetare. Vidare är också avsaknaden av kontroll vid utbildning och kommunikation en faktor som är organisationen inte har åtkomst till, detta är ett problem då det försvårar för en organisation att bygga en bild över medarbetarnas kompetens. Insatser för att öka medvetenheten om informationssäkerhet bör ske löpande och det ska vara enkelt för medarbetaren att göra rätt och hitta väsentlig information. / During the Covid-19 pandemic, organisations have shifted from office work to work at home to a greater extent than before with the help of digitalisation. The shift of staff to the home and new communication channels have led to an increased threat to organisations and their employees working with sensitive information. High standards of information security are required within organisations, which calls for great governance efforts regarding information security. Clear communication and training to increase the awareness and capability of employees in the organisation is a key factor in ensuring compliance with the organisation's information security rules. Through a qualitative approach, this case study describes how different employees working from home experience information security efforts and how an organisation can work on information security governance. The study also presents similarities and differences that exist between these two perspectives. We conducted eight interviews with different people from different parts of an organisation that has moved most of its workforce from the workplace to their home.  The findings of the study are that compliance with information security is dependent on an organisation's culture and the security awareness and ability of its staff. Motivational factors for information security compliance in the case followed the elements of Protection Motivation Theory and Fogg's Behavior Model. We also see that the removal of social contacts and reminders makes it more difficult for employees to work in an information-secure manner and for the organization to influence its employees. Furthermore, the lack of control in training and communication is also a factor that is not accessible to the organisation, this is a problem as it makes it difficult for an organisation to build a picture of the competence of its employees. Efforts to raise awareness of information security should be ongoing and it should be easy for employees to do the right thing and find essential information.

information security

information security governance

compliance

work from home

informationssäkerhet

informationssäkerhetsstyrning

efterlevnad

hemarbete

Information Systems, Social aspects