Evangelos A. Kiountouzis

The insider threat to information systems and the effectiveness of ISO17799

Insider threat is widely recognised as an issue of utmost importance for IS security management. In this paper, we investigate the approach followed by ISO17799, the dominant standard in IS security management, in addressing this type of threat. We unfold the criminology theory that has designated the measures against insider misuse suggested by the standard, i.e. the General Deterrence Theory, and explore the possible enhancements to the standard that could result from the study of more recent criminology theories. The paper concludes with supporting the argument for a multiparadigm and multidisciplinary approach towards IS security management and insider threat mitigation.

Information systems security policies: a contextual perspective

The protection of information systems is a major problem faced by organisations. The application of a security policy is considered essential for managing the security of information systems. Implementing a successful security policy in an organisation, however, is not a straightforward task and depends on many factors. This paper explores the processes of formulating, implementing and adopting a security policy in two different organisations. A theoretical framework based on the theory of contextualism is proposed and applied in the analysis of these cases. The contextual perspective employed in this paper illuminates the dynamic nature of the application of security policies and brings forth contextual factors that affect their successful adoption.

Information systems security from a knowledge management perspective

– Information systems security management is a knowledge‐intensive activity that currently depends heavily on the experience of security experts. However, the knowledge dimension of IS security management has been neglected, both by research and industry. This paper aims to explore the sources of IS security knowledge and the potential role of an IS security knowledge management system., – The results of this paper are based on field research involving five organizations (public and private) and five security experts and consultants. A model to illustrate the structure of IS security knowledge in an organization is then proposed., – Successful security management largely depends on the involvement of users and other stakeholders in security analysis, design, and implementation, as well as in actively defending the IS. However, most stakeholders lack the required knowledge of IS security issues that would allow them to play an important role in IS security management., – In this paper, the knowledge management aspect of IS security management has been highlighted. Moreover, the basic sources of security‐related knowledge have been identified and a model of IS security knowledge has been created. Also, the activities to be supported by a security‐focused KM system have been identified. Thus, the basis for the development of specialized security KM systems has been set.

Embedding security practices in contemporary information systems development approaches

As information and communication technologies become a critical component of firms’ infrastructures and information establishes itself as a key business resource as well as driver, people start to realise that there is more than the functionality of the new information systems that is significant. Business or organisational transactions over new media require stability, one factor of which is information security. Information systems development practices have changed in line with the evolution of technology offerings as well as the nature of systems developed. Nevertheless, as this paper establishes, most contemporary development practices do not accommodate sufficiently security concerns. Beyond the literature evidence, reports on empirical study results indicating that practitioners deal with security issues by applying conventional risk analysis practices after the system is developed. Addresses the lack of a defined discipline for security concerns integration in systems development by using field study results recording development practices that are currently in use to illustrate their deficiencies, to point to required enhancements of practice and to propose a list of desired features that contemporary development practices should incorporate to address security concerns.

Investigating Information Security Awareness: Research and Practice Gaps

ABSTRACT The aim of this survey is largely exploratory, namely, to discover patterns and trends in the way that practitioners and academics alike tackle the security awareness issue and to have a better understanding of the reasons why security awareness practice remains an unsolved problem. Open coding analysis was performed on numerous publications (articles, surveys, standards, reports and books). A classification scheme of six categories of concern has emerged from the content analysis (e.g., terminology ambiguity), and the chosen publications were classified based on it. The paper identifies ambiguous aspects of current security awareness approaches and the proposed classification provides a guide to identify the range of options available to researchers and practitioners when they design their research and practice on information security awareness.

The use of business process modelling in information systems security analysis and design

The increasing reliance of organisations on information systems connected to or extending over open data networks has established information security as a critical success factor for modern organisations. Risk analysis appears to be the predominant methodology for the introduction of security in information systems (IS). However, risk analysis is based on a very simple model of IS as consisting of assets, mainly data, hardware and software, which are vulnerable to various threats. Thus, risk analysis cannot provide for an understanding of the organisational environment in which IS operate. We believe that a comprehensive methodology for information systems security analysis and design (IS‐SAD) should incorporate both risk analysis and organisational analysis, based on business process modelling (BPM) techniques. This paper examines the possible contribution of BPM techniques to IS‐SAD and identifies the conceptual and methodological requirements for a technique to be used in this context. Based on these requirements, several BPM techniques have been reviewed. The review reveals the need for either adapting and combining current techniques or developing new, specialised ones.

Managing the introduction of information security awareness programmes in organisations

Several studies explore information security awareness focusing on individual and/or organisational aspects. This paper argues that security awareness processes are associated with interrelated changes that occur at the organisational, the technological and the individual level. We introduce an integrated analytical framework that has been developed through action research in a public sector organisation, comprising actor-network theory (ANT), structuration theory and contextualism. We develop and use this framework to analyse and manage changes introduced by the implementation of a security awareness programme in the research setting. The paper illustrates the limitations of each theory (ANT, structuration theory and contextualism) to study multi-level changes when used individually, demonstrates the synergies of the three theories, and proposes how they can be used to study and manage awareness-related changes at the individual, organisational and technological level.

Process‐variance models in information security awareness research

Purpose – The purpose of this paper is to study the way information systems (IS) security researchers approach information security awareness and examine whether these approaches are consistent with the organization theory and IS approaches for the study of organizational processes.Design/methodology/approach – Open coding analysis was performed on selected publications (articles, surveys, standards, and reports). The chosen publications were classified and the classification results are presented, based on a proposed typology.Findings – The proposed typology allows us to identify different types of research models followed by security researchers and practitioners, and to infer a set of practical implications, for the benefit of those interested in empirically studying information security awareness.Research limitations/implications – The paper represents a pilot survey, performed in a selected number of publications.Practical implications – The paper helps researchers and practitioners to distinguish th...

Analyzing trajectories of information security awareness

Purpose – Recent global security surveys indicate that security training and awareness programs are not working as well as they could be and that investments made by organizations are inadequate. The purpose of the paper is to increase understanding of this phenomenon and illuminate the problems that organizations face when trying to establish an information security awareness program.Design/methodology/approach – Following an interpretive approach the authors apply a case study method and employ actor network theory (ANT) and the due process for analyzing findings.Findings – The paper contributes to both understanding and managing security awareness programs in organizations, by providing a framework that enables the analysis of awareness activities and interactions with the various organizational processes and events.Practical implications – The application of ANT still remains a challenge for researchers since no practical method or guide exists. In this paper the application of ANT through the due pro...

Achieving Interoperability in a Multiple-Security- Policies Environment

The interoperability problems that emerge when information systems cooperate, are often attributed to incompatible security policies. In this paper, we introduce a systemic framework for achieving interoperability when multiple security policies are employed. First, we present a Metapolicy Development System (MDS) for the resolution of interoperability problems caused by incompatible security policies. Then we provide a policy framework and a metapolicy framework to serve as conceptual devices in the application of the MDS. Finally, we examine the possibility of developing software tools to support the MDS. We argue that a policy repository may serve as the basic component of a software tool for the management of multiple security policies and the application of the MDS. The policy repository is implemented in Telos, an object-oriented knowledge representation language.