Computing and Information Systems - Theses

  • A Process Model to Improve Information Security Governance in Organisations
    Wong, Chee Kong (2022)
    Information security is an increasingly important topic among senior organisational stakeholders (i.e. the board and executive management) as organisations acknowledge the potential for operational disruption, reputational loss, impact to share value and financial penalties. As information resources are a strategic asset to organisations, there is an expectation that these stakeholders will demonstrate their fiduciary duty of care by implementing information security governance (ISG). Compared to corporate governance, ISG is a relatively new and under-researched area. A review of the literature shows the lack of an ISG framework or model that: (1) incorporates the broad areas of ISG; (2) explains how to implement ISG; (3) is empirically grounded; and (4) identifies the processes required to be undertaken by various stakeholder groups involved in ISG. The practical requirement for an ISG framework or model to help organisations improve their implementation of ISG and the research gaps have led to the following research question: “How can ISG be implemented in organisations?” To address the research question, this research has adopted an exploratory research approach. First, a conceptual ISG process model was proposed based on synthesis of extant literature and detailed review of relevant frameworks and models. The conceptual ISG process model was subsequently refined based on empirical data gathered from 3 case study organisations comprising one financial institution in Singapore and two financial institutions in Malaysia. The refined ISG process model was finally validated in 6 expert interviews. This research addresses the aforementioned practice requirements and research gaps by introducing an empirically grounded ISG process model as a practical reference to facilitate the implementation of ISG in organisations. 
Specifically, the research contributes by: (1) developing ISG process theory, as ISG is a series of events occurring within an organisational context; and (2) developing an information-processing perspective on ISG, as the process model identifies the information and communication flows, and the relationships among stakeholder groups. In addition, the research has: (3) empirically examined and validated the ISG process model based on how ISG is practised in real-world organisations; (4) examined corporate governance theories to provide additional perspectives to ensure that the ISG process model is aligned with corporate governance objectives; (5) identified additional factors that influence the implementation of ISG requiring further research; and finally (6) expanded existing seminal research by introducing an empirically grounded ISG process model that has been developed based on synthesis of cumulative knowledge from previous research and validated with empirical data. This research is the most comprehensive study to date that has developed an empirically grounded ISG process model identifying stakeholder groups and explaining how core ISG processes and sub-processes interact. An ISG process model is easier to visualise for practitioners and easier to implement as it allows practitioners to structure their thinking according to the stages of the process model and change activities in their organisations.
  • Mitigating the risk of organisational information leakage through online social networking
    Abdul Molok, Nurul Nuha (2013)
    The inadvertent leakage of sensitive organisational information through the proliferation of online social networking (OSN) is a significant challenge in a networked society. Although considerable research has studied information leakage, the advent of OSN amongst employees represents new fundamental problems to organisations. As employees are bringing their own mobile devices to the workplace, which allow them to engage in OSN activities at anytime and anywhere, reported cases involving leakage of organisational information through OSN are on the rise. Despite its opportunities, OSN has the tendency to blur the boundaries between employees’ professional and personal use of social media, presenting challenges for organisations to protect the confidentiality of their valuable information. The thesis investigates two phenomena. First, it explores the disclosure of sensitive organisational information by employees through the use of social media. Second, it looks into organisational security strategies employed to mitigate the associated security risks. During the first multiple-case study, employees across four organisations were interviewed to understand their OSN behaviour and the types of work-related information they disclosed online. In the second multiple-case study, the researcher went back to the same organisations and interviewed security managers to understand potential security impacts of employees’ OSN behaviour, and the various security strategies implemented in the organisations. The findings emerging from these interpretive multiple-case studies, based on rich insights from both employees and security managers, led to the development of a maturity framework. This framework can assist organisations to assess, develop or improve their security strategies to mitigate social media related risks. The framework was evaluated through focus groups with experts in security and social media management. 
The research, which consists of two sets of multiple case studies and focus groups, has resulted in three main contributions as stated below:
    1. Understanding of contextual influences on the disclosure of sensitive organisational information, from multiple perspectives.
    2. Identification of the influence of managerial attitudes on the deployment of a particular information security strategy, especially in relation to social media use amongst employees.
    3. Development and evaluation of a Maturity Framework for Mitigating Leakage of Organisational Information through OSN.
As suggested by the literature, security behaviour can be either intentional or unintentional in nature. However, this research found that information leakage through employees’ OSN was more unintended than intended, which indicated that generally, employees did not mean to cause security problems to organisations. The research also provided evidence that information leakage through OSN was due to influences that could be categorised into personal, organisational and technological factors. Interestingly, employees and security managers had different understandings of why information leakage through OSN happens. Employees demonstrated that leakage was inadvertent, while security managers did not understand that employees had no intention of causing security problems. These findings suggested that information leakage via OSN could be effectively mitigated by organisations, depending on the way the management perceived how employees’ OSN behaviour could jeopardise the confidentiality of information. In accordance with the security literature, this research found different kinds of security strategies that organisations employed to mitigate security issues posed by OSN.
Interestingly, this research also found that across the organisations, these security strategies varied in their levels of sophistication, revealing certain managerial attitudes which influenced the organisational capability to manage the risk of leakage via employees’ OSN. Since the higher level of strategy sophistication actually results in more risk-averse employee OSN behaviour, this research identified relationships between employee OSN behaviour, OSN security strategies and the managerial attitudes. For example, the organisation that received little management support on security initiatives tended to have poorly developed controls, which resulted in a low level of employees’ awareness of risky OSN behaviour. Finally, this research culminated in the development of a Maturity Framework for Mitigating Leakage of Organisational Information through OSN, which was evaluated by security experts through focus groups. This framework can be used by organisations to assess how well their current information security measures can be expected to protect them from this insider threat. It can also provide recommendations for organisations to improve their current OSN security strategies.