Open Access. Powered by Scholars. Published by Universities.®

Management Information Systems Commons

Information security

Articles 31 - 46 of 46

Full-Text Articles in Management Information Systems

Infosec Policy - The Basis For Effective Security Programs, Herbert Mattord, Michael Whitman May 2014

Herbert J. Mattord

The success of any information security program lies in policy development. The lack of success in any particular program can often be attributed to this unmet need to build the foundation for success. In 1989, the National Institute of Standards and Technology addressed this point in Special Publication SP 500-169: Executive Guide to the Protection of Information Resources (1989): The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems. You, the policy maker, set the tone and the emphasis on how important a role information …


Principles Of Information Security, 2nd Edition, Michael Whitman, Herbert Mattord May 2014

Herbert J. Mattord

Principles of Information Security examines the field of information security to prepare information systems students for their future roles as business decision-makers. This textbook presents a balance of the managerial and the technical aspects of the discipline and addresses knowledge areas of the CISSP (Certified Information Systems Security Professional) certification throughout. The authors discuss information security within a real-world context, by including examples of issues faced by today's professionals and by including tools, such as an opening vignette and "Offline" boxes with interesting sidebar stories in each chapter. Principles of Information Security also offers extensive opportunities for hands-on work.


Roadmap To Information Security: For IT And Infosec Managers, Michael Whitman, Herbert Mattord May 2014

Herbert J. Mattord

Roadmap to Information Security: For IT and Infosec Managers provides a solid overview of information security and its relationship to the information needs of an organization. Content is tailored to the unique needs of information systems professionals who find themselves brought in to the intricacies of information security responsibilities. The book is written for a wide variety of audiences looking to step up to emerging security challenges, ranging from students to experienced professionals. This book is designed to guide the information technology manager in dealing with the challenges associated with the security aspects of their role, providing concise guidance on …


Principles Of Information Security, 4th Edition, Michael Whitman, Herbert Mattord May 2014

Herbert J. Mattord

The fourth edition of Principles of Information Security explores the field of information security and assurance with updated content including new innovations in technology and methodologies. Students will revel in the comprehensive coverage that includes a historical overview of information security, discussions on risk management and security technology, current certification information, and more. The text builds on internationally-recognized standards and bodies of knowledge to provide the knowledge and skills students need for their future roles as business decision-makers. Information security in the modern organization is a management issue which technology alone cannot answer; it is a problem that has important …


The Roles Of Positive And Negative Exemplars In Information Security Strategy, Richard Taylor Dec 2013

Richard Taylor

The strategic approach used to manage organizational security is strongly influenced by management’s perception of risk. These perceptions often lead executives to focus on the use of technology based solutions. Such solutions, aimed primarily at keeping data safe from outsiders, overlook the potential that more severe security breaches may be perpetrated by trusted insiders. Behavioral concepts such as ethnocentrism, group membership and intergroup bias, form the basis of an investigation that is aimed at developing our understanding of information security as a social issue. This paper considers the influence of in-group trust and out-group distrust, and the potential impact that …


Information Security Awareness In Saudi Arabia, Abdulaziz Alarifi, H. Tootell, Peter Hyland Dec 2012

Dr Holly Tootell

While the Web, cell phone "apps" and cloud computing put a world of information at our fingertips, that information is under constant threat from cyber vandals and hackers. Although awareness of information threats is growing in the Western world, in places like Saudi Arabia, information security is very poor. Unlike Western pluralistic democracies, Saudi Arabia is a highly-censored country, with a patriarchal and tribal culture, which may influence its poor information security rating. This paper examines the level of information security awareness (ISA) among the general public in Saudi Arabia, using an anonymous online survey, based on instruments produced by …


Information Security Awareness In Saudi Arabia, Abdulaziz Alarifi, H. Tootell, Peter Hyland Nov 2012

Associate Professor Peter Hyland

While the Web, cell phone "apps" and cloud computing put a world of information at our fingertips, that information is under constant threat from cyber vandals and hackers. Although awareness of information threats is growing in the Western world, in places like Saudi Arabia, information security is very poor. Unlike Western pluralistic democracies, Saudi Arabia is a highly-censored country, with a patriarchal and tribal culture, which may influence its poor information security rating. This paper examines the level of information security awareness (ISA) among the general public in Saudi Arabia, using an anonymous online survey, based on instruments produced by …


Common Criteria Meets Realpolitik Trust, Alliances, And Potential Betrayal, Jan Kallberg Jul 2012

Jan Kallberg

Common Criteria for Information Technology Security Evaluation has the ambition to be a global standard for IT-security certification. The issued certifications are mutually recognized between the signatories of the Common Criteria Recognition Arrangement. The key element in any form of mutual relationships is trust. A question raised in this paper is how far trust can be maintained in Common Criteria when additional signatories enter with conflicting geopolitical interests to earlier signatories. Other issues raised are control over production, the lack of permanent organization in the Common Criteria, which leads to concerns of being able to oversee the actual compliance. As …


An Exploration Of Human Resource Management Information Systems Security, Humayun Zafar, Jan Guynes Clark, Myung S. Ko Jul 2012

Humayun Zafar

In this exploratory study we investigate differences in perception between management and staff with regard to overall information security risk management and human resources security risk management at two Fortune 500 companies. This study is part of a much larger study with regard to organizational information security issues. To our knowledge, this is the first time the issue of security risk management has been discussed in the context of human resource systems. We found significant differences between management and staff perceptions regarding overall security risk management and human resources security risk management. Our findings lay the ground work for future …


Employee Compliance With Information Systems Security Policy In Retail Industry. Case: Store Level Employees, Bertrand Muhire May 2012

Honors Thesis Program in the College of Management

In this digital era, information has become a very important component to any type of organization. For some, it is not only an important component of daily routine operations but also required for competitive advantage. From big corporations to small businesses, non-profit organizations and governments, organizations need to safeguard and secure their information by implementing information security policies and making sure that all employees comply with such policies.

Since information is growing faster than in the previous decades, there is a need to safeguard and manage that information efficiently and effectively in order to make it useful. One of the …


Threats To Information Security Revisited, Michael Whitman, Herbert J. Mattord Jan 2012

Faculty and Research Publications

The battle for the protection of information assets continues to rage at all organizations, big and small. In the ever-changing world of information security, new threats emerge, and old threats remain potent risks to poorly prepared organizations. It is critical to the ongoing protection of valuable information assets to understand these threats, new and old. This study seeks to inform organizations and researchers about the characteristics of specific threat categories and the relative dangers they pose. In addition, the study provides updated findings of a study conducted in 2002. New findings reveal the more things change, the more they stay …


A Call To IS Educators To Respond To The Voices Of Women In Information Security, Amy B. Woszczynski, Sherri Shade Jul 2010

Faculty and Research Publications

Much prior research has examined the dearth of women in the IT industry. The purpose of this study is to examine the perceptions of women in IT within the context of information security and assurance. This paper describes results from a study of a relatively new career path to see if there are female-friendly opportunities that have not existed in previous IT career paths. Research methodology focuses on a qualitative analysis of in-depth interviews with women who are self-described information security professionals. A primary goal of the study is to understand the perceptions of women in information security and determine …


Protection-Motivated Behaviors Of Organizational Insiders, Michael C. Posey Apr 2010

Doctoral Dissertations

Protecting information from a wide variety of security threats is an important and sometimes daunting organizational activity. Instead of solely relying on technological advancements to help solve human problems, managers within firms must recognize and understand the roles that organizational insiders have in the protection of information. The systematic study of human influences on organizational information security is termed behavioral information security (Fagnot 2008; Stanton, Stam, Mastrangelo, and Jolton 2006), and it affirms that the protection of organizational information assets is best achieved when the detrimental behaviors of organizational insiders are effectively deterred and the beneficial activities of these individuals …


Effects Of IT Governance On Information Security, Yu Wu Jan 2007

Electronic Theses and Dissertations

This dissertation is composed of three essays that explore the relationship between good IT governance and effective information security services. Governance steers and verifies performance of fiduciary duties, through the implementation of proper governance mechanisms. With a focus on information security, this essay presents three categories of governance mechanisms - process-based, structural, and relational. When properly instituted, they work together to ensure that IT understands business requirements for information security and strives to fulfill them. An explanation is offered about the efficacy of those mechanisms, based on an agency theory perspective that views IT as an agent for business. The …


Economics Of Information Security Investment In The Case Of Simultaneous Attacks, C. Derrick Huang, Qing Hu, Ravi S. Behara May 2006

Qing Hu

With billions of dollars being spent on information security related products and services each year, the economics of information security investment has become an important area of research, with significant implications for management practices. Drawing on recent studies that examine optimal security investment levels under various attack scenarios, we propose an economic model that considers simultaneous attacks from multiple external agents with distinct characteristics, and derive optimal investments based on the principle of benefit maximization. The relationships among the major variables, such as systems vulnerability, security breach probability, potential loss of security breach, and security investment levels, are investigated via …


Enemy At The Gate: Threats To Information Security, Michael E. Whitman Aug 2003

Faculty and Research Publications

A firm can build more effective security strategies by identifying and ranking the severity of potential threats to its IS efforts.