Stephen Flowerday

Real-time information integrity=system integrity+data integrity+continuous assurances

A majority of companies today are totally dependent on their information assets, in most cases stored, processed and communicated within information systems in digital format. These information systems are enabled by modern information and communication technologies. These technologies are exposed to a continuously increasing set of risks. Yet, management and stakeholders continuously make important business decisions on information produced in real-time from these information systems. This information is unaccompanied by objective assurances as the current auditing procedures provide assurances months later. Therefore, risk management, including a system of internal controls, has become paramount to ensure the informations integrity. A system of internal controls, including IT controls at its core, help limit uncertainty and mitigate the risks to an acceptable level. Auditors play an increasingly important role in providing independent assurances that the information systems infrastructure and data maintain their integrities. These assurances include proposed new methods such as continuous auditing for assurance on demand.

Continuous auditing technologies and models: A discussion

In the age of real-time accounting and real-time communication current audit practices, while effective, often provide audit results long after fraud and/or errors have occurred. Real-time assurances can assist in preventing intentional or unintentional errors. This can best be achieved through continuous auditing which relies heavily on technology. These technologies are embedded within and are crucial to continuous auditing models.

Continuous auditing: verifying information integrity and providing assurances for financial reports

The various stakeholders of a firm have become increasingly reliant upon digital information. This includes financial reports, which are generated from numerous electronic transactions and are recorded in various ledgers. The auditors are expected to audit these financial reports and provide assurances that the information found within these reports has not been compromised, whether intentionally or unintentionally. However, the task of providing the required assurances has become difficult with the fading of the traditional audit trail. Evidence of this is found in the lapses in corporate governance and the recent corporate scandals. A possible solution to this dilemma is Continuous Auditing, which assists in verifying information integrity.

Smartphone information security awareness: A victim of operational pressures

Abstract Smartphone information security awareness describes the knowledge, attitude and behaviour that employees apply to the security of the organisational information that they access, process and store on their smartphone devices. The surge in the number of smartphone devices connecting to organisational systems and used to process organisational data has enabled a new level of operational efficiency. While employees are aware of the benefits they enjoy by bringing their personal devices into the workplace, managers too are aware of the benefits of having a constantly connected workforce. Unfortunately, those aware of the risks to information security do not share an equal level of enthusiasm. These devices are owned by employees who are not adequately skilled to configure the security settings for acceptable security of that information. Moreover, routine information security awareness programmes, even if applied, gradually fade into the daily rush of operations from the day they are completed. This paper explores the factors which influence these oscillating levels of information security awareness. By applying an adapted version of an awareness model from the domain of accident prevention, the factors which cause diminishing awareness levels are exposed. Subsequently, information security awareness emerges as a symptom of such factors. Through geometrical modelling of the boundaries and pressures that govern our daily operations, an awareness model emerges. This model ensures that organisations are better equipped to monitor their information security awareness position, their boundaries and the daily pressures affecting the organisation, thus allowing them to design better integrated policies and procedures to encourage safe operating limits. The model is evaluated using a theory evaluation framework through an expert review process.

An assessment of the role of cultural factors in information security awareness

An information security awareness program is regarded as an important instrument in the protection of information assets. In this study, the traditional approach to an information security awareness program is extended to include possible cultural factors relating to people from diverse backgrounds. The human factor, consisting of two closely related dimensions, namely knowledge and behaviour, play a significant role in the field of ICT security. In addition, cultural factors also impact on the security knowledge and behaviour of people as cultural differences may manifest themselves in different levels of security awareness. An information security vocabulary test was used to assess the level of awareness pertaining to the two human dimensions — knowledge and behaviour amongst students from two different regional universities in South Africa. The objective is to determine whether cultural differences among students have an effect on their ICT security awareness levels. Results obtained suggest that certain cultural factors such as mother tongue, area where you grew up, etc., do have an impact on security awareness levels and should be taken into consideration when planning and developing an information security awareness program.

Trust: An Element of Information Security

Information security is no longer restricted to technical issues but incorporates all facets of securing systems that produce the company’s information. Some of the most important information systems are those that produce the financial data and information. Besides securing the technical aspects of these systems, one needs to consider the human aspects of those that may ‘corrupt’ this information for personal gain. Opportunistic behaviour has added to the recent corporate scandals such as Enron, WorldCom, and Parmalat. However, trust and controls help curtail opportunistic behaviour, therefore, confidence in information security management can be achieved. Trust and security-based mechanisms are classified as safeguard protective measures and together allow the stakeholders to have confidence in the company’s published financial statements. This paper discusses the concept of trust and predictability as an element of information security and of restoring stakeholder confidence. It also argues that assurances build trust and that controls safeguard trust.

Online social networks: Enhancing user trust through effective controls and identity management

Online social networking is one of the largest Internet activities, with almost one third of all daily Internet users visiting these websites. Characteristics of this environment are issues relating to trust, user privacy and anonymity. Service providers are focused primarily on acquiring users and little attention is given to the effective management of these users within the social networking environment. In order to examine this problem, user trust and its enhancement is discussed. An evaluation of current identity management processes and effective controls is undertaken, in order to understand the current environment. Lastly, by means of a detailed experiment focusing on the two main online social networking providers, Facebook and MySpace, controls and identity management processes were assessed for vulnerabilities. The findings of this experiment, together with the current environment of controls and identity management practices, form the proposed set of controls. These controls are aimed at increasing trust and privacy through the effective implementation of these controls and identity management processes.

Information security policy development and implementation

The development of an information security policy involves more than mere policy formulation and implementation. Unless organisations explicitly recognise the various steps required in the development of a security policy, they run the risk of developing a policy that is poorly thought out, incomplete, redundant and irrelevant, and which will not be fully supported by the users. This paper argues that an information security policy has an entire life cycle through which it must pass during its useful lifetime. A formal content analysis of information security policy development methods was conducted using secondary sources. Based on the results of the content analysis, a conceptual framework was subsequently developed. The proposed framework outlines the various constructs required in the development and implementation of an effective information security policy. In the course of this study, a survey of 310 security professionals was conducted in order to validate and refine the concepts contained in the key component of the framework: the ISPDLC.

Information security competence test with regards to password management

It is widely acknowledged that when it comes to IT security the human factor is usually the weakest link. In an effort to strengthen this link, most CIOs are embracing the deployment of security awareness programmes. It is accepted that these programmes can create an information security-aware culture where security risks can be reduced. Even though work has been done in ensuring that these programmes include mechanisms for changing behaviour and reinforcing good security practices, there is a lack of work on measuring the effectiveness of such programmes. Competence based questions have long been used in HR to select employees with the skills that are necessary to perform effectively in a job. Competence based tests focus mainly on the behaviours and traits critical for success on the job and how they have been demonstrated in the past. This current paper presents the description of an approach that uses competency based behavioural questions to measure security competence levels at a university with regards to password management. A sample of 140 students participated in the study. The findings revealed that even though students were aware of the procedures, many failed to implement them. For example, 48.6% of students would share their passwords even though they know it was wrong. It was also found that there is a positive relationship between the year of study and the creation of strong passwords (n=140; r=+0.268; p=0.007).

Using Participatory Crowdsourcing in South Africa to Create a Safer Living Environment

The increase in urbanisation is making the management of city resources a difficult task. Data collected through observations (utilising humans as sensors) of the city surroundings can be used to improve decision making in terms of managing these resources. However, the data collected must be of a certain quality in order to ensure that effective and efficient decisions are made. This study is focused on the improvement of emergency and nonemergency services (city resources) through the use of participatory crowdsourcing (humans as sensors) as a data collection method (collect public safety data), utilising voice technology in the form of an interactive voice response (IVR) system. This study proposes public safety data quality criteria which were developed to assess and identify the problems affecting data quality. This study is guided by design science methodology and applies three driving theories: the data information knowledge action result (DIKAR) model, the characteristics of a smart city, and a credible data quality framework. Four critical success factors were developed to ensure that high quality public safety data is collected through participatory crowdsourcing utilising voice technologies.