Organizational Cybersecurity Journal: Practice, Process and People: Latest Articles

Toward enhancing the information base on costs of cyber incidents: implications from literature and a large-scale survey conducted in Germany
Organizational Cybersecurity Journal: Practice, Process and People Pub Date : 2022-05-31 DOI: 10.1108/ocj-08-2021-0020
Bennet Simon von Skarczinski, Arne Dreißigacker, Frank Teuteberg
Abstract
Purpose: Literature repeatedly complains about the lack of empirical data on the costs of cyber incidents within organizations. Simultaneously, managers urgently require transparent and reliable data in order to make well-informed and cost-benefit optimized decisions. The purpose of this paper is to (1) provide managers with differentiated empirical data on costs, and (2) derive an activity plan for organizations, the government and academia to improve the information base on the costs of cyber incidents.
Design/methodology/approach: The authors analyze the benchmark potential of costs within existing literature and conduct a large-scale interview survey with 5,000 German organizations. These costs are directly assignable to the most severe incident within the last 12 months, further categorized into attack types, cost items, employee classes and industry types. Based on previous literature, expert interviews and the empirical results, the authors draft an activity plan containing further research questions and action items.
Findings: The findings indicate that the majority of organizations suffer little to no costs, whereas only a small proportion suffers high costs. However, organizations are not affected equally since prevalence rates and costs according to attack types, employee classes, and other variables tend to vary. Moreover, the findings indicate that board members and IS/IT-managers show partly different response behaviors.
Originality/value: The authors present differentiated insights into the direct costs of cyber incidents; based on the authors' knowledge, this is the largest empirical survey in continental Europe and one of the first surveys providing in-depth cost information on German organizations.
Citations: 2
Editorial: Time to move away from compliance – cybersecurity in the context of needs and investments of organizations
Organizational Cybersecurity Journal: Practice, Process and People Pub Date : 2022-04-19 DOI: 10.1108/ocj-05-2022-018
G. Tejay, S. Goel
Citations: 1
Organizational aspects of cybersecurity in German family firms – Do opportunities or risks predominate?
Organizational Cybersecurity Journal: Practice, Process and People Pub Date : 2021-12-09 DOI: 10.1108/ocj-03-2021-0010
P. Ulrich, Alice Timmermann, Vanessa Frank
Abstract
Purpose: The starting point for the considerations the authors make in this paper are the special features of family businesses in the area of management discussed in the literature. It has been established here that family businesses sometimes choose different organizational setups than nonfamily businesses. This has not yet been investigated for cybersecurity. In the context of cybersecurity, there has been little theoretical or empirical work addressing the question of whether the qualitative characteristics of family businesses have an impact on the understanding of cybersecurity and the organization of cyber risk defense in the companies. Based on theoretically founded hypotheses, a quantitative empirical study was conducted in German companies.
Design/methodology/approach: The article is based on a quantitative-empirical survey of 184 companies, the results of which were analyzed using statistical-empirical methods.
Findings: The article asked – based on the subjective perception of cybersecurity and cyber risks – to what extent family businesses are sensitized to the topic and what conclusions they draw from it. An interesting tension emerges: family businesses see their employees more as a security risk, but do less than nonfamily businesses in terms of both training and organizational establishment. Whether this is due to a lack of technical or managerial expertise, or whether family businesses simply think they can prevent cybersecurity with less formal methods such as trust, is open to conjecture, but cannot be demonstrated with the research approach taken here. Qualitative follow-up studies are needed here.
Originality/value: This paper represents the first quantitative survey on cybersecurity with a specific focus on family businesses. It shows tension between awareness, especially of risks emanating from employees, and organizational routines that have not been implemented or established.
Citations: 2
Data breach recovery areas: an exploration of organization's recovery strategies for surviving data breaches
Organizational Cybersecurity Journal: Practice, Process and People Pub Date : 2021-11-09 DOI: 10.1108/ocj-05-2021-0014
Zareef A. Mohammed
Abstract
Purpose: Data breaches are an increasing phenomenon in today's digital society. Despite the preparations an organization must take to prevent a data breach, it is still necessary to develop strategies in the event of a data breach. This paper explores the key recovery areas necessary for data breach recovery.
Design/methodology/approach: Stakeholder theory and three recovery areas (customer, employee and process recovery) are proposed as necessary theoretical lens to study data breach recovery. Three data breach cases (Anthem, Equifax, and Citrix) were presented to provide merit to the argument of the proposed theoretical foundations of stakeholder theory and recovery areas for data breach recovery research.
Findings: Insights from these cases reveal four areas of recovery are necessary for data breach recovery – customer recovery, employee recovery, process recovery and regulatory recovery.
Originality/value: These areas are presented in the data recovery areas model and are necessary for: (1) organizations to focus on these areas when resolving data breaches and (2) future data breach recovery researchers in developing their research in the field.
Citations: 0
Organizational Cybersecurity Journal editorial introduction
Organizational Cybersecurity Journal: Practice, Process and People Pub Date : 2021-09-29 DOI: 10.1108/ocj-09-2021-017
G. Tejay, Gary Klein
Citations: 2
Impact of digital nudging on information security behavior: an experimental study on framing and priming in cybersecurity
Organizational Cybersecurity Journal: Practice, Process and People Pub Date : 2021-09-20 DOI: 10.1108/ocj-03-2021-0009
Kavya Sharma, Xinhui Zhan, F. Nah, K. Siau, M. Cheng
Abstract
Purpose: Phishing attacks are the most common cyber threats targeted at users. Digital nudging in the form of framing and priming may reduce user susceptibility to phishing. This research focuses on two types of digital nudging, framing and priming, and examines the impact of framing and priming on users' behavior (i.e. action) in a cybersecurity setting. It draws on prospect theory, instance-based learning theory and dual-process theory to generate the research hypotheses.
Design/methodology/approach: A 3 × 2 experimental study was carried out to test the hypotheses. The experiment consisted of three levels for framing (i.e. no framing, negative framing and positive framing) and two levels for priming (i.e. with and without priming).
Findings: The findings suggest that priming users to information security risks reduces their risk-taking behavior, whereas positive and negative framing of information security messages regarding potential consequences of the available choices do not change users' behavior. The results also indicate that risk-averse cybersecurity behavior is associated with greater confidence with the action, greater perceived severity of cybersecurity risks, lower perceived susceptibility to cybersecurity risks resulting from the action and lower trust in the download link.
Originality/value: This research shows that digital nudging in the form of priming is an effective way to reduce users' exposure to cybersecurity risks.
Citations: 6
Empowering professional and ethical balance in digital record management
Organizational Cybersecurity Journal: Practice, Process and People Pub Date : 2021-09-14 DOI: 10.1108/ocj-06-2021-0016
M. Huda
Abstract
Purpose: This paper aims to examine the professional skills and ethical values balanced to generate policies and procedures with significant guidance to give insights into systematic control of integrating simultaneous integrity between the use and maintenance in digital-based recordkeeping.
Design/methodology/approach: The investigation was conducted using keywords responsibilities engagement, professional and ethical balance, and records management. Descriptive analysis was applied with the initiative on integrating, evaluating and interpreting the findings of multiple types of research from recent grounded theory.
Findings: The finding reveals that determining the potential value of foregoing effort to provide an ultimate application guideline as a counter measure against the emerging challenges of the dynamic records management system needs to adopt appropriate professional and ethical empowerment across the procedural stage in underlying the demand and the response with the express purpose of promoting appropriate and wise usage for the sustainable positive benefit of responsibilities on recording management.
Originality/value: As a pivotal role in determining the potential value of foregoing effort as aimed in this paper, the initiative to provide an ultimate application guideline as a counter measure against the emerging challenges of the dynamic records management system needs to bring along with urging for an appropriate professional and ethical empowerment across the procedural stage proposed referring to the demand and the response with the express purpose of promoting appropriate and wise usage for the sustainable positive benefit of responsibilities on recording management.
Citations: 2
Ethical leadership and employee information security policy (ISP) violation: exploring dual-mediation paths
Organizational Cybersecurity Journal: Practice, Process and People Pub Date : 2021-08-02 DOI: 10.1108/ocj-02-2021-0002
B. Xue, Feng Xu, X. Luo, Merrill Warkentin
Abstract
Purpose: A growing number of studies have investigated the effect of ethical leadership on behavioral outcome of employees. However, considering the important role of ethics in IS security, the security literature lacks a theoretical and empirical investigation of the relationship between ethical leadership and employees' security behavior, such as information security policy (ISP) violation. Drawing on social learning and social exchange theories, this paper empirically tests the impact of ethical leadership on employees' ISP violation intention through both information security climate (i.e. from a moral manager's perspective) and affective commitment (i.e. from a moral person's perspective).
Design/methodology/approach: The research was developed based on social learning theory and social exchange theory. To measure the variables in the model, the authors used and adapted measurement items from previous studies. The authors conducted a scenario-based survey with 339 valid responses to test and validate the research model.
Findings: Results indicated that information security climate fully mediates the relationship between ethical leadership and ISP violation intention. The authors also found that information security climate enhances the negative effect of affective commitment on ISP violation intention.
Originality/value: This research contributes to the literature of information security by introducing the role of ethical leadership and integrating two theories into our research model. This study also calls attention to how information security climate and affective commitment mediate the relationship between ethical leadership and employees' ISP violation intention. The theory-driven study provides important pragmatic guidance for enhancing the understanding of the importance of ethical leadership in information systems security research.
Citations: 2
A cyber situational awareness model to predict the implementation of cyber security controls and precautions by SMEs
Organizational Cybersecurity Journal: Practice, Process and People Pub Date : 2021-07-16 DOI: 10.1108/OCJ-03-2021-0004
K. Renaud, Jacques Ophoff
Abstract
Purpose: There is widespread concern about the fact that small- and medium-sized enterprises (SMEs) seem to be particularly vulnerable to cyberattacks. This is perhaps because smaller businesses lack sufficient situational awareness to make informed decisions in this space, or because they lack the resources to implement security controls and precautions.
Design/methodology/approach: In this paper, Endsley’s theory of situation awareness was extended to propose a model of SMEs’ cyber situational awareness, and the extent to which this awareness triggers the implementation of cyber security measures. Empirical data were collected through an online survey of 361 UK-based SMEs; subsequently, the authors used partial least squares modeling to validate the model.
Findings: The results show that heightened situational awareness, as well as resource availability, significantly affects SMEs’ implementation of cyber precautions and controls.
Research limitations/implications: While resource limitations are undoubtedly a problem for SMEs, their lack of cyber situational awareness seems to be the area requiring most attention.
Practical implications: The findings of this study are reported and recommendations were made that can help to improve situational awareness, which will have the effect of encouraging the implementation of cyber security measures.
Originality/value: This is the first study to apply the situational awareness theory to understand why SMEs do not implement cyber security best practice measures.
Citations: 11
Heads-up! An alert and warning system for phishing emails
Organizational Cybersecurity Journal: Practice, Process and People Pub Date : 2021-07-14 DOI: 10.1108/OCJ-03-2021-0006
Molly Cooper, Y. Levy, Ling Wang, L. Dringus
Abstract
Purpose: This study introduces the concept of audiovisual alerts and warnings as a way to reduce phishing susceptibility on mobile devices.
Design/methodology/approach: This study has three phases. The first phase included 32 subject matter experts that provided feedback toward a phishing alert and warning system. The second phase included development and a pilot study to validate a phishing alert and warning system prototype. The third phase included delivery of the Phishing Alert and Warning System (PAWS™ mobile app) to 205 participants. This study designed, developed, as well as empirically tested the PAWS™ mobile app that alerted and warned participants to the signs of phishing in emails on mobile devices.
Findings: The results of this study indicated audio alerts and visual warnings potentially lower phishing susceptibility in emails. Audiovisual warnings appeared to assist study participants in noticing phishing emails more easily and in less time than without audiovisual warnings.
Practical implications: This study's implications to mitigation of phishing emails are key, as it appears that alerts and warnings added to email applications may play a significant role in the reduction of phishing susceptibility.
Originality/value: This study extends the existing information security body of knowledge on phishing prevention and awareness by using audiovisual alerts and warnings to email recipients tested in real-life applications.
Citations: 3