| 1. |
- Sadok, Moufida, et al.
(författare)
-
It is not my job : exploring the disconnect between corporate security policies and actual security practices in SMEs
- 2020
-
Ingår i: Information and Computer Security. - 2056-4961. ; 28:3, s. 467-483
-
Tidskriftsartikel (refereegranskat)abstract
- Purpose: This paper aims to present empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training often is insufficient for establishing and maintaining information security. Design/methodology/approach: This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from employees’ point of view. Findings: Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real-world contexts. Research limitations/implications: This paper focuses only on closed-ended questions related to the following topics: awareness of existing security policy; information security practices and management and information security involvement. Practical implications: The empirical findings show that corporate information security policies in SMEs often are insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. The interpretation based on WST provides guidelines for enhancing information system security. Originality/value: Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.
|
|
| 2. |
- Sadok, Moufida, et al.
(författare)
-
Understanding Security Practices Deficiencies: A Contextual Analysis
- 2015
-
Ingår i: Human Aspects of Information Security and Assurance Conference Proceedings. - 9781841023885 ; , s. 151-160
-
Konferensbidrag (refereegranskat)abstract
- This paper seeks to provide an overview of how companies assess and manage security risks in practice. For this purpose we referred to data of security surveys to examine the scope of risk analysis and to identify involved entities in this process. Our analysis shows a continuous focus on data system security rather than on real world organizational context as well as a prevalent involvement of top management and security staff in risk analysis process and in security policy definition and implementation. We therefore suggest that three issues need to be further investigated in the field of information security risk management in order to bridge the gap between design and implementation of secure and usable systems. First, there is a need to broaden the horizon to consider information system as human activity system which is different from a data processing system. Second, the involvement of relevant stakeholders in context for risk analysis leads to better appreciation of security risks. Third, it is necessary to develop ad-hoc tools and techniques to facilitate discussions and dialogue between stakeholders in risk analysis context.
|
|
| 3. |
- Bednar, Peter, et al.
(författare)
-
Selected Topics on Socio-technical Perspective in Information Systems : Editorial Introduction to Issue 18 of CSIMQ
- 2019
-
Ingår i: Complex Systems Informatics and Modeling Quarterly (CSIMQ). - : Riga Technical University. - 2255-9922. ; :18, s. I-II
-
Tidskriftsartikel (övrigt vetenskapligt/konstnärligt)abstract
- This thematic issue of the Complex Systems Informatics and Modeling Quarterly journal is dedicated to using a socio-technical perspective in the Information Systems (IS) field. It contains a selection of extended papers presented at STPIS'18 – 4th International Workshop on Socio-Technical Perspective in IS Development held on June 12, 2018 in Tallinn, Estonia. The articles presented in this thematic issue contain at least 30% new material compared to the initial papers. After the extension, all articles went through two rounds of reviews to ensure the quality of the papers published in this issue. STPIS papers cover both theoretical and practical aspects of using a socio-technical perspective in IS, which is reflected in the current issue that contains both theoretically and practically oriented papers.
|
|
| 4. |
- Bednar, Peter, et al.
(författare)
-
Contextual Dependencies in Information Systems Security
- 2013
-
Ingår i: AIS SIGSEC and IFIP TC 11.1.
-
Konferensbidrag (refereegranskat)abstract
- This paper addresses the contextual dependencies related to the use of information systems security and criticizes the predominance of technical and formalized paradigm in the development and implementation of IS security policies and procedures. The underlying epistemology of our research lies in the interpretative paradigm. It explores the patterns of how the contextual use of information systems security is involved according to a business/organizational practice perspective. It elicits the detailed processes and practices that constitute the pragmatic perspective in developing information security activities.
|
|
