Publication


Featured research published by Atif Ahmad.


Journal of Intelligent Manufacturing | 2014

Information security strategies: towards an organizational multi-strategy perspective

Atif Ahmad; Sean B. Maynard; Sangseo Park

There is considerable advice in both research and practice oriented literature on the topic of information security. Most of the discussion in literature focuses on how to prevent security attacks using technical countermeasures even though there are a number of other viable strategies such as deterrence, deception, detection and response. This paper reports on a qualitative study, conducted in Korea, to determine how organizations implement security strategies to protect their information systems. The findings reveal a deeply entrenched preventive mindset, driven by the desire to ensure availability of technology and services, and a comparative ignorance of exposure to business security risks. Whilst there was some evidence of usage of other strategies, they were also deployed in a preventive capacity. The paper presents a research agenda that calls for research on enterprise-wide multiple strategy deployment with a focus on how to combine, balance and optimize strategies.


Vine | 2011

Incorporating a knowledge perspective into security risk assessments

Piya Shedden; Rens Scheepers; Wally Smith; Atif Ahmad

Purpose – Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information used by organisations. This paper argues that these methodologies have a traditional orientation towards the identification and assessment of technical information assets. This obscures key risks associated with the cultivation and deployment of organisational knowledge. The purpose of this paper is to explore how security risk assessment methods can more effectively identify and treat the knowledge associated with business processes. Design/methodology/approach – The argument was developed through an illustrative case study in which a well‐documented traditional methodology is applied to a complex data backup process. Follow‐up interviews were conducted with the organisation's security managers to explore the results of the assessment and the nature of knowledge “assets” within a business process. Findings – It was discovered that the backup process depended, in...


Computers & Security | 2014

A situation awareness model for information security risk management

Jeb Webb; Atif Ahmad; Sean B. Maynard; Graeme G. Shanks

Information security risk management (ISRM) is the primary means by which organizations preserve the confidentiality, integrity and availability of information resources. A review of ISRM literature identified deficiencies in the practice of information security risk assessment that inevitably lead to poor decision-making and inadequate or inappropriate security strategies. In this conceptual paper, we propose a situation aware ISRM (SA-ISRM) process model to complement the information security risk management process. Our argument is that the model addresses the aforementioned deficiencies through an enterprise-wide collection, analysis and reporting of risk-related information. The SA-ISRM model is adapted from Endsley's situation awareness model and has been refined using our findings from a case study of the US national security intelligence enterprise.


International Journal of Information Management | 2015

A case analysis of information systems and security incident responses

Atif Ahmad; Sean B. Maynard; Graeme G. Shanks

Our case analysis presents and identifies significant and systemic shortcomings of the incident response practices of an Australian financial organization. Organizational Incident Response Teams accumulate considerable experience in addressing information security failures and attacks. Their first-hand experiences provide organizations with a unique opportunity to draw security lessons and insights towards improving enterprise-wide security management processes. However, previous research shows a distinct lack of communication and collaboration between the functions of incident response and security management, suggesting organizations are not learning from their incident experiences. We subsequently propose a number of lessons learned and a novel security-learning model.


Journal of Computer Information Systems | 2014

Towards A Systemic Framework for Digital Forensic Readiness

Mohamed Elyas; Sean B. Maynard; Atif Ahmad; Andrew Lonie

Although digital forensics has traditionally been associated with law enforcement, the impact of new regulations, industry standards and cyber-attacks, combined with a heavy reliance on digital assets, has resulted in a more prominent role for digital forensics in organizations. Modern organizations, therefore, need to be forensically ready in order to maximize their potential to respond to forensic events and demonstrate compliance with laws and regulations. However, little research exists on the assessment of organizational digital forensic readiness. This paper describes a comprehensive approach to identifying the factors that contribute to digital forensic readiness and how these factors work together to achieve forensic readiness in an organization. We develop a conceptual framework for organizational forensic readiness and define future work towards the empirical validation and refinement of the framework.


IEEE Region 10 Conference | 2005

An information-centric approach to data security in organizations

Atif Ahmad; Anthonie B. Ruighaver; W.T. Teo

Many organizations focus on a computing-centric approach to information security whilst neglecting the security of information on paper and amongst personnel. This paper presents a model that is both media-independent and information-centric, allowing organizations to pursue an integrated methodology towards analysing risks and providing information protection across all types of media. Using this model to map information flows within business and knowledge processes will quickly show that it will be almost impossible to control all risks, but the resulting detailed risk profile may enable the organization to explore alternative processes with lower risks.


Information Management & Computer Security | 2014

Teaching information security management: reflections and experiences

Atif Ahmad; Sean B. Maynard

Purpose – The purpose of this paper is to describe the development, design, delivery and evaluation of a postgraduate information security subject that focuses on a managerial, rather than the more frequently reported technical perspective. The authors aimed to create an atmosphere of intellectual excitement and discovery so that students felt empowered by new ideas, tools and techniques and realized the potential value of what they were learning in the industry. Design/methodology/approach – The paper develops fundamental principles and arguments that inform the design and development of the teaching curriculum. The curriculum is aimed at security management professionals in general and consultants in particular. The paper explains the teaching method in detail including the specific topics of lectures, representative reading material, assessment tasks and feedback mechanisms. Finally, lessons learned by the authors and their conclusions are presented as a form of reflection. Findings – The instructors r...


Information Security Conference | 2010

Information Security Governance: When Compliance Becomes More Important than Security

Terence C. C. Tan; Anthonie B. Ruighaver; Atif Ahmad

Current security governance is often based on a centralized decision making model and still uses an ineffective 20th century risk management approach to security. This approach is relatively simple to manage since it needs almost no security governance below the top enterprise level where most decisions are made. However, while there is a role for more corporate governance, new regulations, and improved codes of best practice to address current weak organizational security practices, this may not be sufficient in the current dynamic security environment. Organizational information security must adapt to changing conditions by extending security governance to middle management as well as system/network administrators. Unfortunately the lack of clear business security objectives and strategies at the business unit level is likely to result in a compliance culture, where those responsible for implementing information security are more interested in complying with organizational standards and policies than improving security itself.


International Conference on IT Convergence and Security, ICITCS | 2012

Towards Understanding Deterrence: Information Security Managers’ Perspective

Sangseo Park; Anthonie B. Ruighaver; Sean B. Maynard; Atif Ahmad

The enforcement of information security policy is an important issue in organisations. Previous studies approach policy enforcement using deterrence theory to deal with information security violations and focus on end-users’ awareness. This study investigates deterrence strategy within organisations from the perspective of information security managers. The results primarily reveal that current deterrence strategy has little influence on reducing violations because it is only used as a prevention strategy due to the lack of means of detection. Our study suggests that organisations should shift to detection of violations and identification of violators, and expand the range of sanctions. The research also presents an architecture of information security strategies to be operated in a coordinated manner for use in deterring security violations.


International Journal of Cyber Warfare and Terrorism (IJCWT) | 2012

Online Social Networking: A Source of Intelligence for Advanced Persistent Threats

Nurul Nuha Abdul Molok; Atif Ahmad; Shanton Chang

The professionalization of computer crime has resulted in a shift in motivation away from bragging rights towards financial gain. As a result, the operational tactics of cyber criminals are beginning to incorporate reconnaissance and intelligence gathering to inform attack planning. This paper discusses why information leakage in general, and Online Social Networking (OSN) in particular, has become a source of intelligence for attackers. Further, the paper profiles a range of security measures available to organizations to combat information leakage through OSN and identifies future directions for research into security culture and behaviour change.

Collaboration


Top Co-Authors

Jeb Webb

University of Melbourne


Piya Shedden

University of Melbourne
