Publication


Featured research published by Spyros Kokolakis.


Computers & Security | 2005

The insider threat to information systems and the effectiveness of ISO17799

Marianthi Theoharidou; Spyros Kokolakis; Maria Karyda; Evangelos A. Kiountouzis

Insider threat is widely recognised as an issue of utmost importance for IS security management. In this paper, we investigate the approach followed by ISO17799, the dominant standard in IS security management, in addressing this type of threat. We unfold the criminology theory that has designated the measures against insider misuse suggested by the standard, i.e. the General Deterrence Theory, and explore the possible enhancements to the standard that could result from the study of more recent criminology theories. The paper concludes with supporting the argument for a multiparadigm and multidisciplinary approach towards IS security management and insider threat mitigation.


Computers & Security | 2005

Information systems security policies: a contextual perspective

Maria Karyda; Evangelos A. Kiountouzis; Spyros Kokolakis

The protection of information systems is a major problem faced by organisations. The application of a security policy is considered essential for managing the security of information systems. Implementing a successful security policy in an organisation, however, is not a straightforward task and depends on many factors. This paper explores the processes of formulating, implementing and adopting a security policy in two different organisations. A theoretical framework based on the theory of contextualism is proposed and applied in the analysis of these cases. The contextual perspective employed in this paper illuminates the dynamic nature of the application of security policies and brings forth contextual factors that affect their successful adoption.


Information Management & Computer Security | 1999

Security requirements, risks and recommendations for small enterprise and home‐office environments

Diomidis Spinellis; Spyros Kokolakis; Stefanos Gritzalis

The pervasive use of information technology in enterprises of every size and the emergence of widely deployed ubiquitous networking technologies have brought with them a widening need for security. Information system security policy development must begin with a thorough analysis of sensitivity and criticality. Risk analysis methodologies, like CRAMM, provide the ability to analyse and manage the associated risks. By performing a risk analysis on a typical small enterprise and a home‐office set‐up the article identifies the risks associated with availability, confidentiality, and integrity requirements. Although both environments share weaknesses and security requirements with larger enterprises, the risk management approaches required are different in nature and scale. Their implementation requires co‐operation between end users, network service providers, and software vendors.


Information Management & Computer Security | 2005

Information systems security from a knowledge management perspective

Petros Belsis; Spyros Kokolakis; Evangelos A. Kiountouzis

Information systems security management is a knowledge‐intensive activity that currently depends heavily on the experience of security experts. However, the knowledge dimension of IS security management has been neglected, both by research and industry. This paper aims to explore the sources of IS security knowledge and the potential role of an IS security knowledge management system. The results of this paper are based on field research involving five organizations (public and private) and five security experts and consultants. A model to illustrate the structure of IS security knowledge in an organization is then proposed. Successful security management largely depends on the involvement of users and other stakeholders in security analysis, design, and implementation, as well as in actively defending the IS. However, most stakeholders lack the required knowledge of IS security issues that would allow them to play an important role in IS security management. In this paper, the knowledge management aspect of IS security management has been highlighted. Moreover, the basic sources of security‐related knowledge have been identified and a model of IS security knowledge has been created. Also, the activities to be supported by a security‐focused KM system have been identified. Thus, the basis for the development of specialized security KM systems has been set.


Information Security Journal: A Global Perspective | 2008

Investigating Information Security Awareness: Research and Practice Gaps

Aggeliki Tsohou; Spyros Kokolakis; Maria Karyda; Evangelos A. Kiountouzis

The aim of this survey is largely exploratory, namely, to discover patterns and trends in the way that practitioners and academics alike tackle the security awareness issue and to have a better understanding of the reasons why security awareness practice remains an unsolved problem. Open coding analysis was performed on numerous publications (articles, surveys, standards, reports and books). A classification scheme of six categories of concern has emerged from the content analysis (e.g., terminology ambiguity), and the chosen publications were classified based on it. The paper identifies ambiguous aspects of current security awareness approaches and the proposed classification provides a guide to identify the range of options available to researchers and practitioners when they design their research and practice on information security awareness.


Information Management & Computer Security | 2000

The use of business process modelling in information systems security analysis and design

Spyros Kokolakis; A. J. Demopoulos; Evangelos A. Kiountouzis

The increasing reliance of organisations on information systems connected to or extending over open data networks has established information security as a critical success factor for modern organisations. Risk analysis appears to be the predominant methodology for the introduction of security in information systems (IS). However, risk analysis is based on a very simple model of IS as consisting of assets, mainly data, hardware and software, which are vulnerable to various threats. Thus, risk analysis cannot provide for an understanding of the organisational environment in which IS operate. We believe that a comprehensive methodology for information systems security analysis and design (IS‐SAD) should incorporate both risk analysis and organisational analysis, based on business process modelling (BPM) techniques. This paper examines the possible contribution of BPM techniques to IS‐SAD and identifies the conceptual and methodological requirements for a technique to be used in this context. Based on these requirements, several BPM techniques have been reviewed. The review reveals the need for either adapting and combining current techniques or developing new, specialised ones.


European Journal of Information Systems | 2015

Managing the introduction of information security awareness programmes in organisations

Aggeliki Tsohou; Maria Karyda; Spyros Kokolakis; Evangelos A. Kiountouzis

Several studies explore information security awareness focusing on individual and/or organisational aspects. This paper argues that security awareness processes are associated with interrelated changes that occur at the organisational, the technological and the individual level. We introduce an integrated analytical framework that has been developed through action research in a public sector organisation, comprising actor-network theory (ANT), structuration theory and contextualism. We develop and use this framework to analyse and manage changes introduced by the implementation of a security awareness programme in the research setting. The paper illustrates the limitations of each theory (ANT, structuration theory and contextualism) to study multi-level changes when used individually, demonstrates the synergies of the three theories, and proposes how they can be used to study and manage awareness-related changes at the individual, organisational and technological level.


Information Management & Computer Security | 2008

Process‐variance models in information security awareness research

Aggeliki Tsohou; Spyros Kokolakis; Maria Karyda; Evangelos A. Kiountouzis

Purpose – The purpose of this paper is to study the way information systems (IS) security researchers approach information security awareness and examine whether these approaches are consistent with the organization theory and IS approaches for the study of organizational processes. Design/methodology/approach – Open coding analysis was performed on selected publications (articles, surveys, standards, and reports). The chosen publications were classified and the classification results are presented, based on a proposed typology. Findings – The proposed typology allows us to identify different types of research models followed by security researchers and practitioners, and to infer a set of practical implications, for the benefit of those interested in empirically studying information security awareness. Research limitations/implications – The paper represents a pilot survey, performed in a selected number of publications. Practical implications – The paper helps researchers and practitioners to distinguish th...


Information Technology & People | 2012

Analyzing trajectories of information security awareness

Aggeliki Tsohou; Maria Karyda; Spyros Kokolakis; Evangelos A. Kiountouzis

Purpose – Recent global security surveys indicate that security training and awareness programs are not working as well as they could be and that investments made by organizations are inadequate. The purpose of the paper is to increase understanding of this phenomenon and illuminate the problems that organizations face when trying to establish an information security awareness program. Design/methodology/approach – Following an interpretive approach the authors apply a case study method and employ actor network theory (ANT) and the due process for analyzing findings. Findings – The paper contributes to both understanding and managing security awareness programs in organizations, by providing a framework that enables the analysis of awareness activities and interactions with the various organizational processes and events. Practical implications – The application of ANT still remains a challenge for researchers since no practical method or guide exists. In this paper the application of ANT through the due pro...


Information Management & Computer Security | 2010

A security standards' framework to facilitate best practices' awareness and conformity

Aggeliki Tsohou; Spyros Kokolakis; Costas Lambrinoudakis; Stefanos Gritzalis

Purpose – Recent information security surveys indicate that both the acceptance of international standards and the relative certifications increase continuously. However, it is noted that still the majority of organizations does not know the dominant security standards or does not fully implement them. The aim of this paper is to facilitate the awareness of information security practitioners regarding globally known and accepted security standards, and thus, contribute to their adoption. Design/methodology/approach – The paper adopts a conceptual approach and results in a classification framework for categorizing available information security standards. The classification framework is built in four layers of abstraction, where the initial layer is founded in ISO/IEC 27001:2005 information security management system. Findings – The paper presents a framework for conceptualizing, categorizing and interconnecting available information security standards dynamically. Research limitations/implications – The comp...

Collaboration


Dive into Spyros Kokolakis's collaboration.

Top Co-Authors

Maria Karyda

University of the Aegean

Evangelos A. Kiountouzis

Athens University of Economics and Business

Dimitris Gritzalis

Athens University of Economics and Business

Sokratis K. Katsikas

Norwegian University of Science and Technology
