Integrating information quality dimensions into information security risk management (ISRM)
Journal of Information Security and Applications, Volume 36, October 2017, Pages 1-10
Palaniappan Shamala, Rabiah Ahmad, Ali Zolait, Muliati Sedek
Abstract: Information security is becoming an important entity to most organizations due to current trends in information transfer through a borderless and vulnerable world. This raises more concern and makes organizations more aware of the need to apply information security risk management (ISRM) to develop effective and economically viable control strategies. Even though there are numerous ISRM methods that are readily available, most of the ISRM methods prescribe a similar process that leads to establishing a scope of the assessment, collecting information, producing intermediary information, and finally using the collected information to identify their security risks and provide a measured, analyzed security profile of critical information assets. Based on the "garbage in, garbage out" phenomenon, the success of ISRM planning depends tremendously on the quality of input information. However, with the amount, diversity and variety of information available, practitioners can easily be deflected by the growing information, which becomes unmanageable. Therefore this paper contributes as a stepping stone to determine which IQ dimensions constitute the quality of the information throughout the process of gathering information during ISRM. In order to accurately define the attributes of IQ dimensions, IQ needs to be assessed within the context of its generation. Thus, papers on IQ web were assessed and a comparative analysis was conducted to identify the possible dimensions for ISRM. Then, an online survey using a Likert structured questionnaire was distributed among a group of information security practitioners in Malaysia (N = 150). Partial least square (PLS) analysis revealed that the dimensions accuracy, amount of data, objective, completeness, reliability and verifiability significantly influence the quality of information gathering for ISRM.
These IQ dimensions can guide practitioners in the process of gathering quality and complete information in order to make a plan that leads to a clear direction, and ultimately help to make decisions that lead to success.
Information security risks management framework – A step towards mitigating security risks in university network
Journal of Information Security and Applications, Volume 35, August 2017, Pages 128-137
Chanchala Joshi, Umesh Kumar Singh
Abstract: Information is one of the most prominent assets for Universities and must be protected from security breach. This paper analyzed the security threats that specifically evolve in a University's network and, with consideration of these issues, proposed an information security framework for the University network environment. The proposed framework reduces the risk of security breach by supporting three-phase activities: the first phase assesses the threats and vulnerabilities in order to identify the weak points in the educational environment, the second phase focuses on the highest risk and creates an actionable remediation plan, and the third phase of the risk assessment model recognizes the vulnerability management compliance requirement in order to improve the University's security position. The proposed framework is applied to the computing environment of Vikram University, Ujjain, India, and the evaluation result showed that the proposed framework enhances the security level of the University campus network. This model can be used by risk analysts and security managers of a University to perform reliable and repeatable risk analysis in a realistic and affordable manner.
Investigation into the formation of information security influence: Network analysis of an emerging organization
Computers & Security, Volume 70, September 2017, Pages 111-123
Duy Dang-Pham, Siddhi Pittayachawan, Vince Bruno
Abstract: While prior research has been examining information security behaviours in mature environments with formal policies and practices, there is less attention paid to new or transforming environments that lack security controls. It is crucial to understand what factors affect the formation of an emerging information security environment, so that security managers can make use of the forming mechanisms to improve the security environment without relying too much on enforcement. This research adopts exponential random graph modelling to predict the occurrence of information security influence among 114 employees in a recently established construction organisation. Our empirical findings show that physically co-locating, as well as having specific senior levels and similar tenure, can result in more security influence. Other contributing work relationships include the exchange of work-related advice, interpersonal trust, and seeing others as role models and long-term collaborators. The structural features of the information security influence network were also examined, which offer strategies for security managers to diffuse security behaviours within the workplace. Furthermore, specific directions for future network research were elaborated in detail.