
Publication


Featured research published by Rossouw von Solms.


Computers & Security | 2004

Towards information security behavioural compliance

Cheryl Vroom; Rossouw von Solms

Auditing has always played an important role in the business environment. With the introduction of information technology and the resulting security challenges that organizations face daily, it has become essential to ensure the security of the organization's information and other valuable assets. However, one aspect that auditing does not cover effectively is that of the behaviour of the employee, which is so crucial to any organization's security. The objective of this paper is to explore the potential problems concerning the attempt to audit the behaviour of the employee. It will be demonstrated that it is extremely difficult to audit human behaviour and so an alternative method to behavioural auditing needs to be found, where policing the employee is not necessary, but instead a softer, more informal approach is used to change the culture to a more information security conscious one.


Computers & Security | 2004

The 10 deadly sins of information security management

Basie von Solms; Rossouw von Solms

This paper identifies 10 essential aspects, which, if not taken into account in an information security governance plan, will surely cause the plan to fail, or at least, cause serious flaws in the plan. These 10 aspects can be used as a checklist by management to ensure that a comprehensive plan has been defined and introduced.


Computers & Security | 2004

A framework for the governance of information security

Shaun Posthumus; Rossouw von Solms

This paper highlights the importance of protecting an organization's vital business information assets by investigating several fundamental considerations that should be taken into account in this regard. Based on this, it is illustrated that information security should be a priority of executive management, including the Board and CEO, and should therefore commence as a corporate governance responsibility. This paper, therefore, motivates that there is a need to integrate information security into corporate governance through the development of an information security governance (ISG) framework. This paper further proposes such a framework to aid an organization in its ISG efforts.


Computers & Security | 2004

From policies to culture

Rossouw von Solms; Basie von Solms

Management normally sets company vision, rules and regulations through policies. These policies should provide guidance to employees and partners as to how they should act and behave to be in line with management's wishes. These policies need to be structured and organized effectively to cater for business and technological dynamics and advances. Having defined a series of company policies does not ensure that all employees will necessarily obey these policies. Ideally these policies must manifest in some company culture to ensure appropriate behaviour. This can only be achieved through a proper education process. This paper addresses exactly the process of integrating policies, education and culture.


Computers & Security | 2013

From information security to cyber security

Rossouw von Solms; Johan Van Niekerk

The term cyber security is often used interchangeably with the term information security. This paper argues that, although there is a substantial overlap between cyber security and information security, these two concepts are not totally analogous. Moreover, the paper posits that cyber security goes beyond the boundaries of traditional information security to include not only the protection of information resources, but also that of other assets, including the person him/herself. In information security, reference to the human factor usually relates to the role(s) of humans in the security process. In cyber security this factor has an additional dimension, namely, the humans as potential targets of cyber attacks or even unknowingly participating in a cyber attack. This additional dimension has ethical implications for society as a whole, since the protection of certain vulnerable groups, for example children, could be seen as a societal responsibility.


Computer Fraud & Security | 2006

Cultivating an organizational information security culture

Kerry-Lynn Thomson; Rossouw von Solms; Lynette Louw

An information security solution should be a fundamental component in any organization. One of the major difficulties in achieving the assimilation of information into an organization is the actions and behaviour of employees. To ensure the integration of information security into the corporate culture of an organization, the protection of information should be part of the daily activities and second-nature behaviour of the employees.


Information Management & Computer Security | 1999

Information security management: why standards are important

Rossouw von Solms

Information security is no longer a domestic issue. In this age of electronic commerce, one company’s information security certainly affects their business partners. For this reason it became imperative that business partners demand an acceptable level of information security from one another. Information security management standards should certainly play a major role in this regard. In this paper, some information security management standards and their applicability will be discussed and put into context.


Information Management & Computer Security | 1996

A business approach to effective information technology risk analysis and management

Sharon Halliday; Karin P. Badenhorst; Rossouw von Solms

Suggests that a number of difficulties are experienced by organizations using conventional risk analysis and management. “Conventional” refers to those methodologies which are based on the traditional asset/threat/vulnerability model. Identifies a need for an approach that is more suitable for smaller organizations, as well as organizations requiring a quicker, more simplified and less resource‐intensive approach. In light of this requirement, proposes an alternative approach to effective information technology (IT) risk analysis and management. This approach has a business‐oriented focus from an IT perspective.


Computers & Security | 2005

From information security to...business security

Basie von Solms; Rossouw von Solms

This short opinion paper argues that information security, the discipline responsible for protecting a company's information assets against business risks, has now become such a crucial component of good Corporate Governance, that it should rather be called Business Security instead of Information Security.


Computers & Security | 2001

Special Features: From Risk Analysis to Security Requirements

Mariana Gerber; Rossouw von Solms

Risk analysis used to play a major role in identifying security controls to protect computer and related infrastructures. Today, the emphasis has moved to the protection of information and it seems as if the traditional way of identifying security controls needs to be modernized. This paper studies the evolution of the computer and related technologies and the protection thereof. It further analyses whether an alternative approach to risk analysis should be used to effectively identify the most suitable security controls to protect information as a resource.
