Anthonie B. Ruighaver
University of Melbourne
Publication
Featured research published by Anthonie B. Ruighaver.
Computers & Security | 2007
Anthonie B. Ruighaver; Sean B. Maynard; Shanton Chang
The concept of security culture is relatively new. It is often investigated in a simplistic manner focusing on end-users and on the technical aspects of security. Security, however, is a management problem and as a result, the investigation of security culture should also have a management focus. This paper describes a framework of eight dimensions of culture. Each dimension is discussed in terms of how it relates specifically to security culture based on a number of previously published case studies. We believe that use of this framework in security culture research will reduce the inherent biases of researchers who tend to focus on only technical aspects of culture from an end-user's perspective.
Computers & Security | 2010
Anthonie B. Ruighaver; Sean B. Maynard; Matthew Warren
While there is extensive literature on the positive effects of institutionalising ethics in organisational culture, our extensive research in information security culture has found no evidence of organisations encouraging ethical decision making in situations where information security might be at risk. Security policies, in particular acceptable use policies, have traditionally been written with a strategy of deterrence in mind, but in practice they rely mostly on deontological ethics, i.e. employees doing the right thing, to work. As far back as 1990, evidence has been reported of a widening socio-technical gap, where employees no longer always act according to expected social norms in an organisation. This change in moral behaviour is reducing the effectiveness of acceptable use policies in an organisation. In this paper, an alternative approach to the development of security policies is proposed to encourage ethical decision making based on consequential ethics. Acceptable use policies will need to distinguish between guidelines, standards and procedures, and guidelines will need to be written in such a way that the policy continuously acknowledges that employees are no longer expected to blindly follow these guidelines. And, as acceptable use policies can no longer cover all the possible risks related to an employee's behaviour, the policy will need to emphasise both explicitly and implicitly that employees are expected to make an ethical judgement on all their actions that may possibly endanger the organisation's security. This will in turn have positive effects on the usability and suitability of the acceptable use policy to the organisation.
IEEE Region 10 Conference | 2005
Atif Ahmad; Anthonie B. Ruighaver; W.T. Teo
Many organizations focus on a computing-centric approach to information security whilst neglecting the security of information on paper and amongst personnel. This paper presents a model that is both media-independent and information-centric, allowing organizations to pursue an integrated methodology towards analysing risks and providing information protection across all types of media. Using this model to map information flows within business and knowledge processes will quickly show that it will be almost impossible to control all risks, but the resulting detailed risk profile may enable the organization to explore alternative processes with lower risks.
IEEE Region 10 Conference | 2005
Zhiqi Tao; Anthonie B. Ruighaver
While wireless networks are growing in popularity, monitoring these networks for abuse and intrusions is almost nonexistent. Although some intrusion prevention systems have recently appeared on the market, their intrusion detection capabilities are limited. Real intrusion detection in wireless networks is not a simple add-on. This paper discusses the fundamental difference between wireless intrusion detection and traditional network intrusion detection and identifies some of the challenges that will need to be solved in designing and deploying a cost-effective wireless intrusion detection system.
Information Security Conference | 2010
Terence C. C. Tan; Anthonie B. Ruighaver; Atif Ahmad
Current security governance is often based on a centralized decision making model and still uses an ineffective 20th century risk management approach to security. This approach is relatively simple to manage since it needs almost no security governance below the top enterprise level where most decisions are made. However, while there is a role for more corporate governance, new regulations, and improved codes of best practice to address current weak organizational security practices, this may not be sufficient in the current dynamic security environment. Organizational information security must adapt to changing conditions by extending security governance to middle management as well as system/network administrators. Unfortunately the lack of clear business security objectives and strategies at the business unit level is likely to result in a compliance culture, where those responsible for implementing information security are more interested in complying with organizational standards and policies than improving security itself.
Information Security Conference | 2006
Anthonie B. Ruighaver; Sean B. Maynard
The concept of security culture is relatively new. It is often investigated in a simplistic manner focusing on end-users and on the technical aspects of security. Security, however, is a management problem and as a result the investigation of security culture should also have a management focus. This paper discusses security culture based on an organisational culture framework of eight dimensions. We believe that use of this framework in security culture research will reduce the inherent biases of researchers who tend to focus on only technical aspects of culture from an end-user's perspective.
International Conference on IT Convergence and Security, ICITCS | 2012
Sangseo Park; Anthonie B. Ruighaver; Sean B. Maynard; Atif Ahmad
The enforcement of information security policy is an important issue in organisations. Previous studies approach policy enforcement using deterrence theory to deal with information security violations and focus on end-users’ awareness. This study investigates deterrence strategy within organisations from the perspective of information security managers. The results primarily reveal that current deterrence strategy has little influence on reducing violations because it is only used as a prevention strategy due to the lack of means of detection. Our study suggests that organisations should shift to detection of violations and identification of violators, and expand the range of sanctions. The research also presents an architecture of information security strategies to be operated in a coordinated manner for use in deterring security violations.
IEEE Region 10 Conference | 1992
Anthonie B. Ruighaver
The Melbourne University Optoelectronic Multicomputer Project is developing dense optical interconnection networks that support the efficient transfer of 32 or 64 b of data. The high density of these networks has been achieved by providing each processing element (PE) with multiple broadcasting-channels. Multiple broadcasting is an alternative to the optical crossbar switch, but networks based on multiple broadcasting do not need any optical switches, and are therefore suited for implementation with state-of-the-art optical technology.
International Conference on Information Science and Applications | 2010
Sangseo Park; Atif Ahmad; Anthonie B. Ruighaver
Many organizations still rely on deterrence to control insider threats and on purely preventive strategies to control outsider threats. Such a simple approach to organizational information security is no longer viable given the increasing operational sophistication of current security threat agents and the complexity of information technology infrastructure. Effective implementation of security requires organizations to select a combination of strategies that work in tandem and best suits their security situation. This paper addresses the identification and classification of factors that influence implementation of security strategies in organizations. In this paper, we develop a preliminary architecture that aims to assist organizations in deciding how strategies can be designed to complement each other to improve the cost-effectiveness of security.
Computers & Security | 2012
Atif Ahmad; Justin Hadgkiss; Anthonie B. Ruighaver