R von Solms

Information security awareness: educating your users effectively

This article investigates the evolution of computing, with specific reference to the security issues involved. These issues are then taken further to determine the need for education in the workplace through an information security awareness program. Techniques borrowed from the field of social psychology, which have been largely ignored in current awareness programs, are highlighted in order to show how they could be utilized to improve the effectiveness of the awareness program.

Information security culture: A management perspective

Information technology has become an integral part of modern life. Today, the use of information permeates every aspect of both business and private lives. Most organizations need information systems to survive and prosper and thus need to be serious about protecting their information assets. Many of the processes needed to protect these information assets are, to a large extent, dependent on human cooperated behavior. Employees, whether intentionally or through negligence, often due to a lack of knowledge, are the greatest threat to information security. It has become widely accepted that the establishment of an organizational sub-culture of information security is key to managing the human factors involved in information security. This paper briefly examines the generic concept of corporate culture and then borrows from the management and economical sciences to present a conceptual model of information security culture. The presented model incorporates the concept of elasticity from the economical sciences in order to show how various variables in an information security culture influence each other. The purpose of the presented model is to facilitate conceptual thinking and argumentation about information security culture.

Continuous auditing technologies and models: A discussion

In the age of real-time accounting and real-time communication current audit practices, while effective, often provide audit results long after fraud and/or errors have occurred. Real-time assurances can assist in preventing intentional or unintentional errors. This can best be achieved through continuous auditing which relies heavily on technology. These technologies are embedded within and are crucial to continuous auditing models.

Phishing for phishing awareness

Using various social-engineering techniques, criminals run havoc on the Internet and defraud many people in a number of different ways. This puts various organisational communities at risk. Therefore, it is important that people within such communities should learn how to protect themselves when active in cyberspace, or when dealing with cyber-related technologies. Training can indeed play a big role in this regard, and consequently, assist by altering the insecure behaviour of many people. The objective of this article is to ascertain whether simulating phishing attacks together with embedded training can contribute towards cultivating users’ resistance towards ‘phishing attacks’. In order to achieve this objective, a phishing exercise at an institution in South Africa was conducted.

A Tool for Information Security Management

Top management is responsible for the wellbeing of the organization. Most organizations nowadays are dependent totally on the availability and effectiveness of their information service resources. For this reason it is imperative that top management gets involved and stays involved in the protection of the information service assets of the organization. This can only be accomplished through a process of continuous information security evaluation and reporting. An information security evaluation and reporting tool, representing the information security status in a concise, clear manner, will help a great deal in ensuring top management involvement. Suggests implementation of an information security management model by means of an evaluation tool. This tool will provide top management with information security status reporting in a clear, non‐technical format.

A Model for Information Security Management

Information Security Management consists of various facets, for example Information Security Policy, Risk Analysis, Risk Management, Contingency Planning and Disaster Recovery which are all interrelated in some way. These interrelationships often cause uncertainty and confusion among top management. Proposes a model for Information Security Management, called an Information Security Management Model (ISM⊃2) and puts all the various facts in context. The model consists of five different levels defined on a security axis. ISM⊃2 introduces the idea of international security criteria or international security standards (baselines). The rationale behind these baselines is to enable information security evaluation according to internationally‐accepted criteria.