Similar literature
Found 20 similar documents; search took 15 ms
1.
This paper proposes a risk analysis model for information security assessment, which identifies and evaluates the sequence of events – referred to as alternatives – in a potential accident scenario following the occurrence of an initiating event corresponding to abuses of Information Technology systems. In order to perform this evaluation, this work suggests the use of Event Tree Analysis combined with fuzzy decision theory. The contributions of the present proposal are: the development of a taxonomy of events and scenarios, the ranking of alternatives based on the criticality of the risk, considering financial losses, and finally, the provision of information regarding the causes of information system attacks of highest managerial relevance for organizations. We included an illustrative example regarding a data center aiming to illustrate the applicability of the proposed model. To assess its robustness, we analyzed twelve alternatives considering two different methods of setting probabilities of the occurrence of events. Results showed that deliberate external database services attack represents the most risky alternative.

2.
This paper presents an approach enabling economic modelling of information security risk management in contemporaneous businesses and other organizations. In the world of permanent cyber attacks to ICT systems, risk management is becoming a crucial task for minimization of the potential risks that can endeavor their operation. The prevention of the heavy losses that may happen due to cyber attacks and other information system failures in an organization is usually associated with continuous investment in different security measures and purchase of data protection systems. With the rise of the potential risks the investment in security services and data protection is growing and is becoming a serious economic issue to many organizations and enterprises. This paper analyzes several approaches enabling assessment of the necessary investment in security technology from the economic point of view. The paper introduces methods for identification of the assets, the threats, the vulnerabilities of the ICT systems and proposes a procedure that enables selection of the optimal investment of the necessary security technology based on the quantification of the values of the protected systems. The possibility of using the approach for an external insurance based on the quantified risk analyses is also provided.

3.
In this case study, a collaborative risk method for information security management has been analyzed considering the common problems encountered during the implementation of ISO standards in eight Turkish public organizations. This proposed risk method has been applied within different public organizations and it has been demonstrated to be effective and problem-free. The fundamental issue is that there is no legislation that regulates the information security liabilities of the public organizations in Turkey. The findings and lessons learned presented in this case provide useful insights for practitioners when implementing information security management projects in other international public sector organizations.

4.
Information technology has dramatically increased online business opportunities; however these opportunities have also created serious risks in relation to information security. Previously, information security issues were studied in a technological context, but growing security needs have extended researchers' attention to explore the management role in information security management. Various studies have explored different management roles and activities, but none has given a comprehensive picture of these roles and activities to manage information security effectively. So it is necessary to accumulate knowledge about various managerial roles and activities from literature to enable managers to adopt these for a more holistic approach to information security management. In this paper, using a systematic literature review approach, we synthesised literature related to management's roles in information security to explore specific managerial activities to enhance information security management. We found that numerous activities of management, particularly development and execution of information security policy, awareness, compliance training, development of effective enterprise information architecture, IT infrastructure management, business and IT alignment and human resources management, had a significant impact on the quality of management of information security. Thus, this research makes a novel contribution by arguing that a more holistic approach to information security is needed and we suggest the ways in which managers can play an effective role in information security. This research also opens up many new avenues for further research in this area.

5.
As mobile networks and devices are being rapidly innovated, many new Internet services and applications have been deployed. However, the current implementation faces security, management, and performance issues, which are critical to the use in business environments. Migrating sensitive information, management facilities, and intensive computation to security hardened virtualized environment in the cloud provides effective solutions. This paper proposes an innovative Internet service and business model to provide a secure and consolidated environment for enterprise mobile information management based on the infrastructure of cloud-based virtual phones (CVP). Our proposed solution enables the users to execute Android and web applications in the cloud and connect to other users of CVP with enhanced performance and protected privacy. The organization of CVP can be mixed with centralized control and distributed protocols, which emulates the behavior of human societies. This minimizes the need to handle sensitive data in mobile devices, eases the management of data, and reduces the overhead of mobile application deployment.

6.
Natural Language Processing (NLP) techniques have been successfully used to automatically extract information from unstructured text through a detailed analysis of their content, often to satisfy particular information needs. In this paper, an automatic concept map construction technique, Fuzzy Association Concept Mapping (FACM), is proposed for the conversion of abstracted short texts into concept maps. The approach consists of a linguistic module and a recommendation module. The linguistic module is a text mining method that does not require the user to have any prior knowledge about using NLP techniques. It incorporates rule-based reasoning (RBR) and case based reasoning (CBR) for anaphoric resolution. It aims at extracting the propositions in text so as to construct a concept map automatically. The recommendation module is arrived at by adopting fuzzy set theories. It is an interactive process which provides suggestions of propositions for further human refinement of the automatically generated concept maps. The suggested propositions are relationships among the concepts which are not explicitly found in the paragraphs. This technique helps to stimulate individual reflection and generate new knowledge. Evaluation was carried out by using the Science Citation Index (SCI) abstract database and CNET News as test data, which are well known databases and the quality of the text is assured. Experimental results show that the automatically generated concept maps conform to the outputs generated manually by domain experts, since the degree of difference between them is proportionally small. The method provides users with the ability to convert scientific and short texts into a structured format which can be easily processed by computer. Moreover, it provides knowledge workers with extra time to re-think their written text and to view their knowledge from another angle.

7.
Supplier reliability and order fulfilment performance are usually assessed using a perfect-order calculation. Information management of perfect-order estimation is frequently reduced to expert estimates and to the multiplication of probabilities of failure-free performance of some logistics operations. Moreover, perfect-order estimation is calculated without consideration of supply chain structure, possible combinations of failures, and operational policies (e.g., safety stock levels and alternative transportation routes). As a result, the existing methods frequently provide different estimates for the same statistics and cannot be consistently used in the allocation of companies’ resources to improve the order fulfilment process. This paper considers different variants of probabilistic assessment of a perfect order and proposes an approach to assess the impact of changes in parameter probabilities and number of parameters on the value of a perfect order. The proposed models are based on an analytical approach using discrete distributions of random variables. We illustrate the applicability of our approach to several numerical examples to confirm the adequacy of the proposed method. Our approach can be immediately applied in practice to assess supply and order fulfilment process reliability and to evaluate the effectiveness of various operational policies (safety stock levels or modes of transportation) to achieve some planned values of a perfect order in the supply chain.

8.
This research investigates the motivational aspects of information management practice by developing and performing an initial test of the theorization on the components and structural properties of a new variable, called information management motivation (IMM). Based on a synthesis of the motivation and information processing literature in the information systems, psychology, management, and information technology training fields, we theorize IMM as a second order construct composed of formative sub-constructs of proactiveness, sharing, transparency, and formality. New measures were developed for the constituent constructs of IMM and refined through two studies involving 120 knowledge workers. The model of IMM was tested, confirming the proposed structural relationships between the constituent constructs and IMM. The study findings provide important insights on understanding and improving individual knowledge workers’ information management activities.

9.
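Modular architecture and information security of websites for secondary colleges (departments) of universities   Total citations: 1, self-citations: 0, citations by others: 1
Discusses the updating and maintenance of secondary college (department) websites, a widespread issue in campus network construction at universities in China. Taking the school website, student affairs website and admissions publicity website of the School of Engineering at Zhejiang A&F University as examples, it makes a useful attempt at building secondary websites in an intensive, modular way.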

10.
方玲  仲伟俊  梅姝娥 《科研管理》2017,38(12):165-172
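Taking the combination of IDSs and manual investigation techniques as an example, this paper builds a game-theoretic model to analyze the influence of risk preference on the selection and configuration of information system security technologies, and argues that an organization's risk preference affects not only its own strategy but also the opponent's strategy. The results show that a risk-averse organization does not always configure more IDSs than a risk-neutral organization, and that an organization's risk preference has no direct influence even on whether it deploys a single IDS or multiple IDSs. Meanwhile, when the hacker's expected payoff is very low, the organization's manual investigation rate is higher for risk-averse hackers, whereas when the hacker's expected payoff is very high, its investigation rate is higher for risk-neutral hackers. In addition, hackers are more inclined to intrude on risk-neutral organizations when the organization's manual investigation cost is low, and more willing to intrude on risk-averse organizations when the manual investigation cost is very high.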

11.
A business school declares its strategy as becoming a leading European institution. As main vehicle for achieving recognition is the implementation of a top-down strategy naming five academic fields as key – (a) finance, (b) economics, (c) marketing, (d) law, accounting, and auditing, and (e) organizational behavior (OB). Top management allocates resources for research, academic activities, and positions to these five strategically chosen areas. Academic areas that are not strategically named must generate their own income through educational programs and research grants. Can OB serve as the platform to ensure the survival of IS/KMS? In our analysis, we found no other business school formulating a strategy along these lines; dominating strategic themes are internationalization, research excellence, and student environment. No academic field is singled out as strategic. We argue that selecting a few academic areas as a strategy is dysfunctional. We also found that OB is not very actively employed in research, be it positioning, theory, research model, analysis, or discussion. Hence, we do not find that OB offers any theorizing help to IS/KMS – this in contrast to innovation and change theories, for which we propose a framework as a means of defining IS/KMS research projects.

12.
This paper presents a probabilistic information retrieval framework in which the retrieval problem is formally treated as a statistical decision problem. In this framework, queries and documents are modeled using statistical language models, user preferences are modeled through loss functions, and retrieval is cast as a risk minimization problem. We discuss how this framework can unify existing retrieval models and accommodate systematic development of new retrieval models. As an example of using the framework to model non-traditional retrieval problems, we derive retrieval models for subtopic retrieval, which is concerned with retrieving documents to cover many different subtopics of a general query topic. These new models differ from traditional retrieval models in that they relax the traditional assumption of independent relevance of documents.

13.
Information governance as an approach to better govern the use of information within and outside an organization is rapidly gaining popularity. A common and scientific ground for this approach has not yet been formulated. In this article the authors describe a definition for information governance, extending the common, one-dimensional approach into a more generic statement. Starting from the well-known principles of IT governance the authors further explore the aspects of both information and governance. Four hypotheses are proposed to give ground to the use of information governance. These hypotheses will be the basis for further research.

14.
The mobile phone is not just another device; it is with you day and night, and you rely on its capabilities in work and in private. In short, the mobile phone is your companion. As your companion, it should understand your situational and informational needs. How do we increase the friendliness of your mobile phone, in order to fulfil this promise? In this paper, we explore how context awareness can be used for managing the user mobile experience. To this end, we employed a design research approach to integrate context-aware and cloud based services in an Android application. Through a user evaluation and proof-of-concept implementation we show how new technologies can increase the friendliness of your mobile phone. In so doing, we provide evidence that adaptive applications based on user context offer a fertile ground for taking mobile companionship to the next level.

15.
Qualitative researchers in information management research often need to evaluate inter-coder reliability (ICR) to test the trustworthiness of their content analysis. A suitable method of evaluating ICR enables researchers to rigorously assess the degree of agreement among two or more independent qualitative coders. This allows researchers to identify mistakes in the content analysis before the codes are used in developing and testing a theory or a measurement model and avoid any associated time, effort and financial cost. Different methods have been proposed, but little guidance is available on which approach to evaluating ICR should be used. In this paper, we review and compare leading ICR methods that are suitable for qualitative information management research. We propose an approach for selecting and using an ICR method, supported by an illustrative example. The five steps in our proposed approach include: selecting an ICR method based on its characteristics and requirements of a project; developing a coding scheme; selecting and training independent coders; calculating the ICR coefficient and resolving discrepancies; and reporting the process of evaluating ICR and its results.

16.
Employees’ non-compliance with organizational information security policy (ISP) when using informational resources has become the main reason for continuous security incidents. Drawing upon technology threat avoidance theory (TTAT) and social exchange theory (SET), our study investigates the influence of supervisor-subordinate guanxi (SSG) and organizational commitment in the information security management. Our hypotheses were tested using survey data from 235 Chinese government employees. Results not only confirm the direct effect of SSG on government employees’ ISP compliance but also suggest that SSG indirectly influences compliance behavior via the mediation of organizational commitment. Organizational commitment weakens the negative influence of perceived costs on compliance behavior and also weakens the positive effect of self-efficacy on employees’ ISP compliance. For low-commitment employees, the negative influence of perceived costs on compliance behavior is more significant than that of those with strong organizational commitment, and self-efficacy exerts a stronger effect on ISP compliance for low-commitment employees than it does for high-commitment employees. This study contributes to current literature on information systems (IS) by confirming the critical roles of SSG and organizational commitment in motivating employees’ compliance behavior.

17.
18.
Information management is the management of organizational processes, technologies, and people which collectively create, acquire, integrate, organize, process, store, disseminate, access, and dispose of the information. Information management is a vast, multi-disciplinary domain that syndicates various subdomains and perfectly intermingles with other domains. This study aims to provide a comprehensive overview of the information management domain from 1970 to 2019. Drawing upon the methodology from statistical text analysis research, this study summarizes the evolution of knowledge in this domain by examining the publication trends as per authors, institutions, countries, etc. Further, this study proposes a probabilistic generative model based on structural topic modeling to understand and extract the latent themes from the research articles related to information management. Furthermore, this study graphically visualizes the variations in the topic prevalences over the period of 1970 to 2019. The results highlight that the most common themes are data management, knowledge management, environmental management, project management, service management, and mobile and web management. The findings also identify themes such as knowledge management, environmental management, project management, and social communication as academic hotspots for future research.

19.
Information resources are becoming increasingly important to individuals and organizations, and ensuring their security is a major concern. While research in information security has adopted primarily a quantitative method to determine how and how much to invest in security, most decision makers rely on non-quantitative methods for this purpose, thereby introducing a considerable amount of as yet unexplained subjective judgment to the problem. We use a behavioral decision making approach to investigate factors causing possible inefficiencies of security spending decisions. Decision makers in our experiment performed a series of economic games featuring the key characteristics of a typical security problem. We found several biases in investment decisions. For budgeting their investment between major classes of security measures, decision makers demonstrated a strong bias toward investing in preventive measures rather than in detection and response measures, even though the task was designed to yield the same return on investment for both classes of measures. We term this phenomenon the “Prevention Bias.” Decision makers also reacted to security threats when the risk was so small that no investment was economically justified. For higher levels of risk that warranted some security investment, decision makers showed a strong tendency to overinvest. Theoretical and practical implications of the findings are discussed.

20.
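Development and application of safety signs in laboratory safety management   Total citations: 3, self-citations: 0, citations by others: 3
As the last line of defense in laboratory safety management, safety signs play the most direct and effective role in protecting the personal safety of laboratory staff and preventing laboratory safety accidents. The article analyzes the current use of laboratory safety signs at universities in China and abroad, compiles and designs safety signs suited to laboratory use, and proposes other measures to accompany the deployment of laboratory safety signs. Safety signs provide a basic guarantee for the safety management of a "harmonious laboratory" and for the personal safety of teachers and students.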
