Information Security Management (ISM) Practices: Lessons from Select Cases from India and Germany

Data protection and information security in biomedical research: A sequential explanatory mixed study

PURPOSE

Biomedical research is a pillar of every medical student's career. When collecting data, several regulations are established to ensure the protection of individuals. Most medical students are not compliant with the guidelines, and this is probably due to a lack of knowledge. The aim of our research is to evaluate the knowledge and behavior of medical students regarding these rules, then attempt to explain the results obtained.

METHODS

This is a sequential explanatory mixed study including an initial quantitative section followed by an explanatory qualitative section. For the quantitative part, we administered a questionnaire based on the information security regulation and the GDPR to third- and fourth-year medical students. We evaluated their knowledge and behaviors and their correlation. For the qualitative part, we conducted semi-structured interviews with eight students followed by thematic analysis to explain the results.

RESULTS

Most students have a lack of knowledge. A correlation was found between the non-compliant behavior of keeping the laptop unattended in a public place and a low level of knowledge. For the qualitative section, the thematic analysis represents three groups to explain non-compliant behavior: lack of knowledge, work overload, and consideration of the hospital as a safe place.

CONCLUSION

Data collection and information security rules are rarely followed by medical students. This is mainly due to lack of knowledge, work overload and assuming the hospital as a safe place. Future awareness interventions would be necessary to improve non-compliant behavior and subsequently ensure a more secure environment during medical research.

The Information Security Management Systems in E-Business

Enterprises trading on the electronic markets are exposed to security risks due to the active use of ICT in several transformation process activities. Realized risks cause particular damage to the enterprises that lack ISMS (information security management systems) or a basic process approach to IS management. In this article, the authors identify similarities and differences in information security management models from various aspects. The scientific article compares the presented models, their essence, goal, focus, and starting points. Based on advantages and disadvantages, the authors evaluate the possibilities of applying models in electronic business, which determines which models can be applied to all processes or only to specific processes of e-business. The representative data set was obtained from a sample of e-commerce enterprises using the Slovak electronic market. Research hypotheses based on scientific assumptions and statistical analysis are verified. The research conclusions provide an insight into practice of ISMS and an information security management system in e-commerce.

Producing ‘good enough’ automated transcripts securely: Extending Bokhove and Downey (2018) to address security concerns

Interviews are an established research method across multiple disciplines. Such interviews are typically transcribed orthographically in order to facilitate analysis. Many novice qualitative researchers’ experiences of manual transcription are that it is tedious and time-consuming, although it is generally accepted within much of the literature that quality of analysis is improved through researchers performing this task themselves. This is despite the potential for the exhausting nature of bulk transcription to conversely have a negative impact upon quality. Other researchers have explored the use of automated methods to ease the task of transcription, more recently using cloud-computing services, but such services present challenges to ensuring confidentiality and privacy of data. In the field of cyber-security, these are particularly concerning; however, any researcher dealing with confidential participant speech should also be uneasy with third-party access to such data. As a result, researchers, particularly early-career researchers and students, may find themselves with no option other than manual transcription. This article presents a secure and effective alternative, building on prior work published in this journal, to present a method that significantly reduced, by more than half, interview transcription time for the researcher yet maintained security of audio data. It presents a comparison between this method and a fully manual method, drawing on data from 10 interviews conducted as part of my doctoral research. The method presented requires an investment in specific equipment which currently only supports the English language.

Investigating identity fraud management practices in e-tail sector: a systematic review

Purpose

Identity fraud is a growing issue for online retail organisations. The literature on this issue is scattered, and none of the studies presents a holistic view of identity fraud management practices in the online retail context. Therefore, the purpose of this paper is to investigate the identity fraud management practices and present a comprehensive set of practices for e-tail sector.

Design/methodology/approach

A systematic literature review approach was adopted, and the articles were selected through pre-set inclusion criteria. The authors synthesised existing literature to investigate identity fraud management in e-tail sector.

Findings

The research finds that literature on practices for identity fraud management is scattered. The findings also reveal that firms assume identity fraud issues as a technological challenge, which is one of the major reasons for a gap in effective management of identity frauds. This research suggests e-tailers to deal this issue as a management challenge and counter strategies should be developed in technological, human and organisational aspects.

Research limitations/implications

This study is limited to the published sources of data. Studies, based on empirical data, will be helpful to support the argument of this study; additionally, future studies are recommended to include a wide number of databases.

Practical implications

This research will help e-tail organisations to understand the whole of identity fraud management and help them develop and implement a comprehensive set of practices at each stage, for effective management identity frauds.

Originality/value

This research makes unique contributions by synthesising existing literature at each stage of fraud management and encompasses social, organisational and technological aspects. It will also help academicians understanding a holistic view of available research and opens new lines for future research.

Developing an Information Security Risk Taxonomy and an Assessment Model using Fuzzy Petri Nets

In the digital era, organization-wide information security risk assessment has gained importance because it can impact businesses in many ways. In this article, the authors propose a model to assess the information security risk using Fuzzy Petri Nets (FPN). Deeply rooted in the OCTAVE framework, this research presents a taxonomy of risk practice areas and risk factors. The authors apply the constituents of the taxonomy to risk assessment through a well-defined FPN model. The primary motive of the article is to extend the usability of FPNs to newer and less explored domains like audit and evaluation of information security risks. The unique contribution of this article is the definition and development of a comprehensive and measurable model of risk assessment and quantification. The model can also serve as a tool to capture the risk perception of the respondents for validating the criticality of risk and facilitate the top management to invest in information security control eco-system judiciously.

Strategic value alignment for information security management: a critical success factor analysis

Purpose

Effective information security management is a strategic issue for organizations to safeguard their information resources. Strategic value alignment is a proactive approach to manage value conflict in information security management. Applying a critical success factor (CSF) analysis approach, this paper aims to propose a CSF model based on a strategic alignment approach and test a model of the main factors that contributes to the success of information security management.

Design/methodology/approach

A theoretical model was proposed and empirically tested with data collected from a survey of managers who were involved in decision-making regarding their companies’ information security (N = 219). The research model was validated using partial least squares structural equation modeling approach.

Findings

Overall, the model was successful in capturing the main antecedents of information security management performance. The results suggest that with business alignment, top management support and organizational awareness of security risks and controls, effective information security controls can be developed, resulting in successful information security management.

Originality/value

Findings from this study provide several important contributions to both theory and practice. The theoretical model identifies and verifies key factors that impact the success of information security management at the organizational level from a strategic management perspective. It provides practical guidelines for organizations to make more effective information security management.

Information security management and the human aspect in organizations

Purpose

The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset.

Design/methodology/approach

Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B.

Findings

Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own.

Research limitations/implications

The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings.

Practical implications

In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed.

Social implications

The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps.

Originality/value

The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.