SwePub

Result list for search ""information security" ;mspu:(researchreview)"

  • Results 1-10 of 11
1.
  • Karlsson, Fredrik, 1974-, et al. (author)
  • Information security culture : state-of-the-art review between 2000 and 2013
  • 2015
  • In: Information and Computer Security. - : Emerald. - 2056-4961. ; 23:3, pp. 246-285
  • Research review (peer-reviewed)
    • Purpose – The aim of this paper is to survey existing information security culture research to scrutinise the kind of knowledge that has been developed and the way in which this knowledge has been brought about. Design/methodology/approach – Results are based on a literature review of information security culture research published between 2000 and 2013 (December). Findings – This paper can conclude that existing research has focused on a broad set of research topics, but with limited depth. It is striking that the effects of different information security cultures have not been part of that focus. Moreover, existing research has used a small repertoire of research methods, a repertoire that is more limited than in information systems research in general. Furthermore, an extensive part of the research is descriptive, philosophical or theoretical – lacking a structured use of empirical data – which means that it is quite immature. Research limitations/implications – Findings call for future research that: addresses the effects of different information security cultures; addresses the identified research topics with greater depth; focuses more on generating theories or testing theories to increase the maturity of this subfield of information security research; and uses a broader set of research methods. It would be particularly interesting to see future studies that use intervening or ethnographic approaches because, to date, these have been completely lacking in existing research. Practical implications – Findings show that existing research is, to a large extent, descriptive, philosophical or theoretical. Hence, it is difficult for practitioners to adopt these research results, such as frameworks for cultivating or assessment tools, which have not been empirically validated. Originality/value – Few state-of-the-art reviews have sought to assess the maturity of existing research on information security culture. Findings on types of research methods used in information security culture research extend beyond the existing knowledge base, which allows for a critical discussion about existing research in this sub-discipline of information security.
2.
  • Karlsson, Fredrik, 1974-, et al. (author)
  • Inter-organisational information security : a systematic literature review
  • 2016
  • In: Information & Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 24:5, pp. 418-451
  • Research review (peer-reviewed)
    • Purpose: The purpose of this paper is to survey existing inter-organisational information security research to scrutinise the kind of knowledge that is currently available and the way in which this knowledge has been brought about. Design/methodology/approach: The results are based on a literature review of inter-organisational information security research published between 1990 and 2014. Findings: The authors conclude that existing research has focused on a limited set of research topics. A majority of the research has focused management issues, while employees’/non-staffs’ actual information security work in inter-organisational settings is an understudied area. In addition, the majority of the studies have used a subjective/argumentative method, and few studies combine theoretical work and empirical data. Research limitations/implications: The findings suggest that future research should address a broader set of research topics, focusing especially on employees/non-staff and their use of processes and technology in inter-organisational settings, as well as on cultural aspects, which are lacking currently; focus more on theory generation or theory testing to increase the maturity of this sub-field; and use a broader set of research methods. Practical implications: The authors conclude that existing research is to a large extent descriptive, philosophical or theoretical. Thus, it is difficult for practitioners to adopt existing research results, such as governance frameworks, which have not been empirically validated. Originality/value: Few systematic reviews have assessed the maturity of existing inter-organisational information security research. Findings of authors on research topics, maturity and research methods extend beyond the existing knowledge base, which allow for a critical discussion about existing research in this sub-field of information security.
3.
  • Lundgren, Martin (author)
  • Rethinking capabilities in information security risk management : a systematic literature review
  • 2020
  • In: International Journal of Risk Assessment and Management. - : InderScience Publishers. - 1466-8297 .- 1741-5241. ; 23:2, pp. 169-190
  • Research review (peer-reviewed)
    • Information security risk management capabilities have predominantly focused on instrumental onsets, while largely ignoring the underlying intentions and knowledge these management practices entail. This article aims to study what capabilities are embedded in information security risk management. A theoretical framework is proposed, namely rethinking capability as the alignment between intent and knowing. The framework is situated around four general risk management practices. A systematic literature review using the framework was conducted, resulting in the identification of eight identified capabilities. These capabilities were grouped into respective practices: integrating various perspectives and values to reach a risk perception aligned with the intended outcome (identify); adapting to varying perspectives of risks and prioritizing them in accordance with the intended outcome (prioritize); security controls to enable resources, and integrate/reconfigure beliefs held by various stakeholders (implement); and sustaining the integrated resources and competences held by stakeholders to continue the alignment with the intended outcome (monitor).
4.
  • Lundgren, Martin (author)
  • Rethinking capabilities in information security risk management : a systematic literature review
  • 2020
  • In: International Journal of Risk Assessment and Management. - : InderScience Publishers. - 1466-8297 .- 1741-5241. ; 23:2, pp. 169-190
  • Research review (peer-reviewed)
    • Information security risk management capabilities have predominantly focused on instrumental onsets, while largely ignoring the underlying intentions and knowledge these management practices entail. This article aims to study what capabilities are embedded in information security risk management. A theoretical framework is proposed, namely rethinking capability as the alignment between intent and knowing. The framework is situated around four general risk management practices. A systematic literature review utilising the framework was conducted, resulting in the identification of eight identified capabilities. These capabilities were grouped into respective practices: integrating various perspectives and values to reach a risk perception aligned with the intended outcome (identify); adapting to varying perspectives of risks and prioritising them in accordance with the intended outcome (prioritise); security controls to enable resources, and integrate/reconfigure beliefs held by various stakeholders (implement); and sustaining the integrated resources and competences held by stakeholders to continue the alignment with the intended outcome (monitor).
5.
  • Khando, Khando, 1979-, et al. (author)
  • Enhancing employees information security awareness in private and public organisations : A systematic literature review
  • 2021
  • In: Computers & security (Print). - : Elsevier. - 0167-4048 .- 1872-6208. ; 106
  • Research review (peer-reviewed)
    • Preserving the confidentiality, integrity and availability (CIA) of an organisation's sensitive information systems assets against attacks and threats is a challenge in this digital age. Organisations worldwide make huge investments in information security technological countermeasures. Nonetheless, organisations in many cases fail to protect their information assets as they rely mainly on technical solutions which are not contextually compatible and sufficient. As a matter of fact, a significant number of organisational information security incidents are due to the exploitation of human elements that directly and/or indirectly cause the majority of security incidents. Therefore, employees' information security awareness (ISA) becomes one of the critical aspects of protection against undesirable information security behaviours. However, to date, there is limited synthesised knowledge about methods for enhancing ISA and integrated insights on factors affecting employees' ISA levels. This study, therefore, provides a systematic review of the literature on ISA and puts forward a state-of-the-art collection of ISA methods and factors for enhancing employees' ISA within both private and public sector organisations. The results indicate that various methods and factors are used to enhance employees' ISA in organisations. Theoretical models and gamification are the methods widely used in both private and public organisations, whereas the constructivist approach and violation detections are some of the methods used only in private organisations. Furthermore, this study offers some insights into the latest trends in ISA content development methods and factors, and fosters good ISA practice by disseminating information and knowledge amongst Information Security professionals to help them build an overarching ISA development programme in their organisations.
6.
  • Rostami, Elham, 1983-, et al. (author)
  • The hunt for computerized support in information security policy management : A literature review
  • 2020
  • In: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 28:2, pp. 215-259
  • Research review (peer-reviewed)
    • Purpose: The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about. Design/methodology/approach: The results are based on a literature review of ISP management research published between 1990 and 2017. Findings: Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare. Research limitations/implications: Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process. Practical implications: The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners. Originality/value: Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.
7.
  • Lennartsson, Markus, et al. (author)
  • Exploring the meaning of usable security – a literature review
  • 2021
  • In: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 29:4, pp. 647-663
  • Research review (peer-reviewed)
    • Purpose: For decades, literature has reported on the perceived conflict between usability and security. This mutual trade-off needs to be considered and addressed whenever security products are developed. Achieving well-balanced levels of both is a precondition for sufficient security as users tend to reject unusable solutions. To assess it correctly, usability should be evaluated in the context of security. This paper aims to identify and describe universally applicable and solution-independent factors that affect the perceived usability of security mechanisms. Design/methodology/approach: The selected methodology was a systematic literature review during which multiple database resources were queried. Application of predefined selection criteria led to the creation of a bibliography before backward snowballing was applied to minimize the risk of missing material of importance. All 70 included publications were then analyzed through thematic analysis. Findings: The study resulted in the identification of 14 themes and 30 associated subthemes representing aspects with reported influence on perceived usability in the context of security. While some of them were only mentioned sparsely, the most prominent and thus presumably most significant ones were: simplicity, information and support, task completion time, error rates and error management. Originality/value: The identified novel themes can increase knowledge about factors that influence usability. This can be useful for different groups: end users may be empowered to choose appropriate solutions more consciously, developers may be able to avoid common usability pitfalls when designing new products and system administrators may benefit from a better understanding of how to configure solutions and how to educate users efficiently.
8.
  • Shokry, Mostafa, et al. (author)
  • Systematic survey of advanced metering infrastructure security: Vulnerabilities, attacks, countermeasures, and future vision
  • 2022
  • In: Future generations computer systems. - : Elsevier. - 0167-739X .- 1872-7115. ; 136, pp. 358-377
  • Research review (peer-reviewed)
    • There is a paradigm shift from traditional power distribution systems to smart grids (SGs) due to advances in information and communication technology. An advanced metering infrastructure (AMI) is one of the main components in an SG. Its relevance comes from its ability to collect, process, and transfer data through the internet. Although the advances in AMI and SG techniques have brought new operational benefits, they introduce new security and privacy challenges. Security has emerged as an imperative requirement to protect an AMI from attack. Currently, ensuring security is a major challenge in the design and deployment of an AMI. This study provides a systematic survey of the security of AMI systems from diverse perspectives. It focuses on attacks, mitigation approaches, and future visions. The contributions of this article are fourfold: First, the vulnerabilities that may exist in all components of an AMI are described and analyzed. Second, it considers attacks that exploit these vulnerabilities and the impact they can have on the performance of individual components and the overall AMI system. Third, it discusses various countermeasures that can protect an AMI system. Fourth, it presents the open challenges relating to AMI security as well as future research directions. The uniqueness of this review is its comprehensive coverage of AMI components with respect to their security vulnerabilities, attacks, and countermeasures. The future vision is described at the end.
9.
  • Andreasson, Joakim, 1973, et al. (author)
  • Molecules for security measures: From keypad locks to advanced communication protocols
  • 2018
  • In: Chemical Society Reviews. - : Royal Society of Chemistry (RSC). - 1460-4744 .- 0306-0012. ; 47:7, pp. 2266-2279
  • Research review (peer-reviewed)
    • The idea of using molecules in the context of information security has sparked the interest of researchers from many scientific disciplines. This is clearly manifested in the diversity of the molecular platforms and the analytical techniques used for this purpose, some of which we highlight in this Tutorial Review. Moreover, those molecular systems can be used to emulate a broad spectrum of security measures. For a long time, molecular keypad locks enjoyed a clear preference and the review starts off with a description of how these devices developed. In the last few years, however, the field has evolved into something larger. Examples include more complex authentication protocols (multi-factor authentication and one-time passwords), the recognition of erroneous procedures in data transmission (parity devices), as well as steganographic and cryptographic protection.
10.
  • Balozian, Puzant, et al. (author)
  • Review of IS security policy compliance : Toward the building blocks of an IS security theory
  • 2017
  • In: Data Base for Advances in Information Systems. - 0095-0033. ; 48:3, pp. 11-43
  • Research review (peer-reviewed)
    • An understanding of insider threats in information systems (IS) is important to help address one of the dangers lurking within organizations. This article provides a review of the literature on insider compliance (and failure of compliance) with information systems' policies in order to understand the status of IS research regarding negligent and malicious insiders. We begin by defining the terms, developing a new taxonomy of insiders, and then providing a comprehensive review of articles on IS policy compliance for the past 26 years. Grounding the analysis in the literature, we inductively identify four themes to foster Information Security policy compliance among employees. The themes are: 1) IS management philosophy, 2) procedural countermeasures, 3) technical countermeasures, and 4) environmental countermeasures. We propose that future research can draw upon these themes and use them as the building blocks of an indigenous IS security theory.