Publication


Featured research published by Sean B. Maynard.


Computers & Security | 2007

Organisational security culture: Extending the end-user perspective

Anthonie B. Ruighaver; Sean B. Maynard; Shanton Chang

The concept of security culture is relatively new. It is often investigated in a simplistic manner focusing on end-users and on the technical aspects of security. Security, however, is a management problem and as a result, the investigation of security culture should also have a management focus. This paper describes a framework of eight dimensions of culture. Each dimension is discussed in terms of how it relates specifically to security culture based on a number of previously published case studies. We believe that use of this framework in security culture research will reduce the inherent biases of researchers who tend to focus on only technical aspects of culture from an end-user's perspective.


Journal of Intelligent Manufacturing | 2014

Information security strategies: towards an organizational multi-strategy perspective

Atif Ahmad; Sean B. Maynard; Sangseo Park

There is considerable advice in both research and practice-oriented literature on the topic of information security. Most of the discussion in literature focuses on how to prevent security attacks using technical countermeasures even though there are a number of other viable strategies such as deterrence, deception, detection and response. This paper reports on a qualitative study, conducted in Korea, to determine how organizations implement security strategies to protect their information systems. The findings reveal a deeply entrenched preventive mindset, driven by the desire to ensure availability of technology and services, and a comparative ignorance of exposure to business security risks. Whilst there was some evidence of usage of other strategies, they were also deployed in a preventive capacity. The paper presents a research agenda that calls for research on enterprise-wide multiple strategy deployment with a focus on how to combine, balance and optimize strategies.


Computers & Security | 2014

A situation awareness model for information security risk management

Jeb Webb; Atif Ahmad; Sean B. Maynard; Graeme G. Shanks

Information security risk management (ISRM) is the primary means by which organizations preserve the confidentiality, integrity and availability of information resources. A review of ISRM literature identified deficiencies in the practice of information security risk assessment that inevitably lead to poor decision-making and inadequate or inappropriate security strategies. In this conceptual paper, we propose a situation aware ISRM (SA-ISRM) process model to complement the information security risk management process. Our argument is that the model addresses the aforementioned deficiencies through an enterprise-wide collection, analysis and reporting of risk-related information. The SA-ISRM model is adapted from Endsley's situation awareness model and has been refined using our findings from a case study of the US national security intelligence enterprise.


International Journal of Information Management | 2015

A case analysis of information systems and security incident responses

Atif Ahmad; Sean B. Maynard; Graeme G. Shanks

Our case analysis presents and identifies significant and systemic shortcomings of the incident response practices of an Australian financial organization. Organizational Incident Response Teams accumulate considerable experience in addressing information security failures and attacks. Their first-hand experiences provide organizations with a unique opportunity to draw security lessons and insights towards improving enterprise-wide security management processes. However, previous research shows a distinct lack of communication and collaboration between the functions of incident response and security management, suggesting organizations are not learning from their incident experiences. We subsequently propose a number of lessons learned and a novel security-learning model.


Journal of Computer Information Systems | 2014

Towards A Systemic Framework for Digital Forensic Readiness

Mohamed Elyas; Sean B. Maynard; Atif Ahmad; Andrew Lonie

Although digital forensics has traditionally been associated with law enforcement, the impact of new regulations, industry standards and cyber-attacks, combined with a heavy reliance on digital assets, has resulted in a more prominent role for digital forensics in organizations. Modern organizations, therefore, need to be forensically ready in order to maximize their potential to respond to forensic events and demonstrate compliance with laws and regulations. However, little research exists on the assessment of organizational digital forensic readiness. This paper describes a comprehensive approach to identifying the factors that contribute to digital forensic readiness and how these factors work together to achieve forensic readiness in an organization. We develop a conceptual framework for organizational forensic readiness and define future work towards the empirical validation and refinement of the framework.


Computers & Security | 2010

Ethical decision making: Improving the quality of acceptable use policies

Anthonie B. Ruighaver; Sean B. Maynard; Matthew Warren

While there is extensive literature on the positive effects of institutionalising ethics in organisational culture, our extensive research in information security culture has found no evidence of organisations encouraging ethical decision making in situations where information security might be at risk. Security policies, in particular acceptable use policies, have traditionally been written with a strategy of deterrence in mind, but in practice they rely mostly on deontological ethics, i.e. employees doing the right thing, to work. As far back as 1990, evidence has been reported of a widening socio-technical gap, where employees no longer always act according to expected social norms in an organisation. This change in moral behaviour is reducing the effectiveness of acceptable use policies in an organisation. In this paper, an alternative approach to the development of security policies is proposed to encourage ethical decision making based on consequential ethics. Acceptable use policies will need to distinguish between guidelines, standards and procedures, and guidelines will need to be written in such a way that the policy continuously acknowledges that employees are no longer expected to blindly follow these guidelines. And, as acceptable use policies can no longer cover all the possible risks related to an employee's behaviour, the policy will need to emphasise both explicitly and implicitly that employees are expected to make an ethical judgement on all their actions that may possibly endanger the organisation's security. This will in turn have positive effects on the usability and suitability of the acceptable use policy to the organisation.


Information Management & Computer Security | 2014

Teaching information security management: reflections and experiences

Atif Ahmad; Sean B. Maynard

Purpose – The purpose of this paper is to describe the development, design, delivery and evaluation of a postgraduate information security subject that focuses on a managerial, rather than the more frequently reported technical perspective. The authors aimed to create an atmosphere of intellectual excitement and discovery so that students felt empowered by new ideas, tools and techniques and realized the potential value of what they were learning in the industry. Design/methodology/approach – The paper develops fundamental principles and arguments that inform the design and development of the teaching curriculum. The curriculum is aimed at security management professionals in general and consultants in particular. The paper explains the teaching method in detail including the specific topics of lectures, representative reading material, assessment tasks and feedback mechanisms. Finally, lessons learned by the authors and their conclusions are presented as a form of reflection. Findings – The instructors r...


Information Security Conference | 2006

Organizational Security Culture: More Than Just an End-User Phenomenon

Anthonie B. Ruighaver; Sean B. Maynard

The concept of security culture is relatively new. It is often investigated in a simplistic manner focusing on end-users and on the technical aspects of security. Security, however, is a management problem and as a result the investigation of security culture should also have a management focus. This paper discusses security culture based on an organisational culture framework of eight dimensions. We believe that use of this framework in security culture research will reduce the inherent biases of researchers who tend to focus on only technical aspects of culture from an end user's perspective.


International Conference on IT Convergence and Security, ICITCS | 2012

Towards Understanding Deterrence: Information Security Managers’ Perspective

Sangseo Park; Anthonie B. Ruighaver; Sean B. Maynard; Atif Ahmad

The enforcement of information security policy is an important issue in organisations. Previous studies approach policy enforcement using deterrence theory to deal with information security violations and focus on end-users’ awareness. This study investigates deterrence strategy within organisations from the perspective of information security managers. The results primarily reveal that current deterrence strategy has little influence on reducing violations because it is only used as a prevention strategy due to the lack of means of detection. Our study suggests that organisations should shift to detection of violations and identification of violators, and expand the range of sanctions. The research also presents an architecture of information security strategies to be operated in a coordinated manner for use in deterring security violations.


Archive | 1995

DSS evaluation criteria: a multiple constituency approach

Sean B. Maynard; David Arnott; Frada Burstein

Despite extensive research into the evaluation of the success of decision support systems (DSS), criteria important in measuring success are rarely defined. This may be critical when a number of reference groups, or constituencies, are considered. In multiple-constituency DSS evaluation the understanding of each criterion may be different for each constituency. Also, each constituency will have distinct requirements of the DSS and will consider a different set of criteria to measure these needs. This paper defines criteria for use within a multiple-constituency evaluation process and determines appropriate hierarchies of criteria for such a process. This forms the basis for ongoing research into multiple-constituency DSS evaluation.

Collaboration

Top Co-Authors

Atif Ahmad (University of Melbourne)

Jeb Webb (University of Melbourne)

Joo Soon Lim (University of Melbourne)

Andrew Lonie (University of Melbourne)