Information system security commitment: A study of external influences on senior management

Barton, Kevin; Tejay, Gurvirender; Lane, Michael; Terrell, Steve

doi:10.1016/j.cose.2016.02.007

Cited by 50 publications

(58 citation statements)

References 177 publications

(491 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The cybersecurity community has recently begun making efforts to intervene by involving and educating top-level managers and executives. This approach is wellsupported by the research findings that: 1) Commitment by top executives is essential for adoption, implementation, and assimilation of security capabilities [97][98][99]; and 2) Cybersecurity concerns affect an entire organization (not just IT departments or isolated response teams) [100,101]; hence, the responsibility for addressing such issues should belong to managers at higher organizational levels.…”

Section: Implications For Practicementioning

confidence: 99%

Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment

Jalali

Siegel

Madnick

2019

The Journal of Strategic Information Systems

View full text Add to dashboard Cite

We developed a simulation game to study the effectiveness of decision-makers in overcoming two complexities in building cybersecurity capabilities: potential delays in capability development; and uncertainties in predicting cyber incidents. Analyzing 1,479 simulation runs, we compared the performances of a group of experienced professionals with those of an inexperienced control group. Experienced subjects did not understand the mechanisms of delays any better than inexperienced subjects; however, experienced subjects were better able to learn the need for proactive decision-making through an iterative process. Both groups exhibited similar errors when dealing with the uncertainty of cyber incidents. Our findings highlight the importance of training for decision-makers with a focus on systems thinking skills, and lay the groundwork for future research on uncovering mental biases about the complexities of cybersecurity. development. albeit inadvertently-introduce new, more subtle vulnerabilities. Research also suggests that attackers in cyberspace are not only rational and motivated by economic incentives [6], but also act strategically in identifying targets and approaches [7]-in other words, "The good guys are getting better, but the bad guys are getting badder faster" [8]. Perhaps there was a time a decade ago when cybersecurity was only a matter of "if" an organization was going to be compromised, but today it has become a question of "when," and "at what level."Despite the proliferation of cyberattack capabilities and their potential implications, many organizations still perform poorly with respect to cybersecurity management. These companies ignore or underestimate cyber risks, or rely solely on generic off-the-shelf cybersecurity solutions. A mere 19% of chief information security officers (CISOs) are confident that their companies can effectively address a cybersecurity incident [9]. In May 2017, the WannaCry ransomware attack-a type of malware that blocks access to computer systems until a ransom is paid-affected companies worldwide, even though a patch for the exploited Windows vulnerabilities had been made available by Microsoft months earlier in March 2017 [10]. As data grows in size and value, the increase of cyber risks and escalation of privacy concerns demand that managers improve their approach to cybersecurity capability development-interventions to build such capabilities typically include improvements to technology already in place, in addition to the purchase of new technology, talent acquisition, and training, among other activities. Research objective and approachThe importance of being proactive in cybersecurity capability development is well understoodit is more cost effective than taking a reactionary approach and reduces failure rates [11].Although many executives and decision-makers are becoming aware of the significance of cybersecurity, a major question remains unanswered: Are experienced managers more proactive than inexperienced individuals in building cybersecurity capabilities? F...

show abstract

Section: Implications For Practicementioning

confidence: 99%

Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment

Jalali

Siegel

Madnick

2019

The Journal of Strategic Information Systems

View full text Add to dashboard Cite

show abstract

“…Executive commitment and support of IT in general, [12,13] and of information security in particular, is a well-studied area [14,15]. Research shows that commitment by top executives is essential for adoption, implementation, and assimilation of security capabilities [16][17][18]. Moreover, the importance of being proactive in cybersecurity capability development is well understood-it is more cost effective than taking a reactionary approach and reduces failure rates [19].…”

Section: Introductionmentioning

confidence: 99%

Decision Making and Biases in Cybersecurity Capability Development: Evidence from a Simulation Game Experiment

2017

View full text Add to dashboard Cite

Abstract:We developed a simulation game to study how well decision makers understand two fundamental aspects of complexity in cybersecurity: potential delays in building capabilities, and uncertainties in predicting cyber-incidents. Analyzing 1,479 simulation runs, we compared the performances of a group of experienced professionals to an inexperienced control group. Experienced subjects did not understand the mechanisms of delays any better than inexperienced subjects. Both groups also exhibited similar errors when dealing with the uncertainty of cyber-incidents. Our findings highlight the importance of training for decision-makers, and lay the groundwork for future research in uncovering mental biases about the complexities of cybersecurity.

show abstract

“…The results showed that the information quality was positively correlated with the user satisfaction; the system quality was negatively related to the user satisfaction, while the service quality was not related to the user satisfaction. Therefore, the relationship between quality variables has shown a positive relationship between them, except in the case of information quality and service quality [30].…”

Section: Information Systems Security Successmentioning

confidence: 97%

“…Security requirements or data sensitivity are nothing lesser in small and mediumsized organizations than large, but small and medium-sized businesses face the challenge of lacking support for information security management due to insufficient awareness of its importance [10]. That is why they, instead of proactive, take reactive attitude according to information security, and consider security technologies as business costs rather than strategic potentials [29] resulting in greater resource constraints and education and training shortages in information systems security domain [30]. Due to the limited number of employees and technical constraints, small and medium-sized companies often have system administrator who is responsible for system configuration as well as system security management i.e.…”

Section: Information Security In Organizationsmentioning

confidence: 99%

“…Numerous researches show that management support is a key factor for success in adopting information security in organizations [33], [43], [30]. This support can highlight information security as an important function at the organizational level in many ways, including financing information security awareness education and training, human and financial resources allocation or promoting the importance of security for other employees within the organization [12], [33].…”

Section: Management Supportmentioning

confidence: 99%

See 1 more Smart Citation

Key Success Factors of Information Systems Security

Arbanas

Hrustek

2019

JIOS

View full text Add to dashboard Cite

The issue of information systems security, and thus information as key resource in today's information society, is something that all organizations in all sectors face in one way or another. To ensure that information remain secure, many organizations have implemented a continuous, structured and systematic security approach to manage and protect an organization's information from undermining individuals by establishing security policies, processes, procedures, and information security organizational structures. However, despite this, security threats, incidents, vulnerabilities and risks are still raging in many organizations. One of the main causes of this problem is poor understanding of information systems security key success factors. Identifying and understanding of information security key success factors can help organizations to manage how to focus limited resources on those elements that really impact on success, therefore saving time and money and creating added value and further enabling operational business. This research, based on comprehensive literature review, summarizes most cited key success factors of information systems security identified in scientific articles indexed in relevant databases, of which the top three success factors were management support, information security policy and information security education, training and awareness. At the end, article states identified research gaps and provides readers with possible directions for further researches. those from the organizational or sociological aspect, since even the best security technology cannot stop the social engineering based attack [1]. One of the first and the foremost challenges faced by information security executives is to successfully balance the need to protect information assets on the one hand and enable operational operations on the other, because over-strict protection can lead to business performance barriers while loose controls can create unacceptable risks for information assets [3]. A modern view of information security requires that an effective information security strategy must be balanced, i.e. designing and implementing security solutions should emphasize the importance of technology, but also the socio-organizational context within the organization [3] and observe information security also as business and social question, not just technical [3], [2].National Institute of Standards and Technology (NIST) [4] defines information security as "the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability"; information systems security as "the protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats" and cyber security as "the ability to protect or defend...

show abstract

Information system security commitment: A study of external influences on senior management

Cited by 50 publications

References 177 publications

Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment

Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment

Decision Making and Biases in Cybersecurity Capability Development: Evidence from a Simulation Game Experiment

Key Success Factors of Information Systems Security

Contact Info

Product

Resources

About