Computing and Information Systems - Theses

Search Results

  • Item
    Exploring knowledge leakage risk in knowledge-intensive organisations: behavioural aspects and key controls
    Altukruni, Hibah Ahmed (2019)
    Knowledge leakage poses a critical risk to the competitive advantage of knowledge-intensive organisations. Although knowledge leakage is a human-centric security issue, little is known in relation to the key factors of individual-level leaking behaviour. Therefore, the aim of this thesis was to explore security practitioners’ perspectives on the key enablers and inhibitors of behavioural knowledge leakage risk in the context of knowledge-intensive organisations. An exploratory, qualitative design was used to carry out the study. Moreover, seven security practitioners working in Australian organisations were recruited to participate in this research. The data were collected using semi-structured questions via two focus group discussions. The discussion sessions lasted between 90 and 120 minutes, including a 10-minute break. The sessions were audio recorded, transcribed, and thematically analysed following Braun and Clarke’s (2006) strategy. Furthermore, two main trends emerged from the analysed data. First, ‘interpersonal enabling factors’ included leaking behaviours and employees’ personality traits. Second, contributing ‘organisational practices around knowledge leakage mitigation’ included poor knowledge sensitivity classification systems and poor knowledge security management practices. In conclusion, it is essential that security practitioners address the key identified factors of behavioural leakage risk to mitigate the leaking incidents effectively. Three key security practices that were found to have a superior impact in mitigating leaking enablers included human resource management practices, knowledge security training and awareness practices, and compartmentalisation.
  • Item
    A secure innovation process for start-ups: Minimising knowledge leakage and protecting IP
    Pitruzzello, Sam (2016)
    Failing to profit from innovations as a result of knowledge leakage is a key business risk for high-tech start-ups. Innovation is central to the success of a start-up and its competitive advantage in the marketplace; therefore, methods to protect intellectual property (IP) and minimise knowledge leakage are crucial. However, high-tech start-ups have limited resources, rendering them more vulnerable to knowledge leakage risks compared to mature enterprises. Unfortunately, research on knowledge leakage and innovation processes falls short of addressing the needs of high-tech start-ups. Since knowledge leakage can occur in a number of ways involving many scenarios, organisations typically employ a variety of IP protection and knowledge leakage mitigation methods to minimise the risks. This minor thesis fills the research gaps on innovation processes and knowledge leakage for start-ups. A literature review was conducted into the bodies of research on knowledge leakage and innovation. Following the literature review, a secure innovation process (SIP) model was developed from the research. SIP includes the concept of the risk window, which allows a start-up to identify, assess and manage knowledge leakage risks at various stages in the innovation process.
  • Item
    Strategic information security policy quality assessment: a multiple constituency perspective
    Maynard, Sean (2010)
    An integral part of any information security management program is the information security policy. The purpose of an information security policy is to define the means by which organisations protect the confidentiality, integrity and availability of information and its supporting infrastructure from a range of security threats. The tenet of this thesis is that the quality of information security policy is inadequately addressed by organisations. Further, although information security policies may undergo multiple revisions as part of a process development lifecycle and, as a result, may generally improve in quality, a more explicit systematic and comprehensive process of quality improvement is required. A key assertion of this research is that a comprehensive assessment of information security policy requires the involvement of the multiple stakeholders in organisations that derive benefit from the directives of the information security policy. Therefore, this dissertation used a multiple-constituency approach to investigate how security policy quality can be addressed in organisations, given the existence of multiple stakeholders. The formal research question under investigation was: How can multiple constituency quality assessment be used to improve strategic information security policy? The primary contribution of this thesis to the Information Systems field of knowledge is the development of a model: the Strategic Information Security Policy Quality Model. This model comprises three components: a comprehensive model of quality components, a model of stakeholder involvement and a model for security policy development. The strategic information security policy quality model gives a holistic perspective to organisations to enable management of the security policy quality assessment process. 
    This research makes six main contributions, as stated below:
      • This research has demonstrated that a multiple constituency approach is effective for information security policy assessment
      • This research has developed a set of quality components for information security policy quality assessment
      • This research has identified that efficiency of the security policy quality assessment process is critical for organisations
      • This research has formalised security policy quality assessment within policy development
      • This research has developed a strategic information security policy quality model
      • This research has identified improvements that can be made to the security policy development lifecycle
    The outcomes of this research contend that the security policy lifecycle can be improved by: enabling the identification of when different stakeholders should be involved, identifying those quality components that each of the different stakeholders should assess as part of the quality assessment, and showing organisations which quality components to include or to ignore based on their individual circumstances. This leads to a higher quality information security policy, and should impact positively on an organisation’s information security.
  • Item
    Defining the relationship between information security culture and information security practices
    Lim, Joo Soon (2012)
    This thesis investigates the relationship between ‘information security culture’ and ‘information security practices’ in organisations. There has been considerable interest in this relationship due to recent and widespread recognition that poor information security practices, rather than insufficient technical controls, are the primary reason for information security problems. Additionally, it is argued that there is a need for information security culture to cultivate and support security practices. This implies that a relationship exists between them, and through understanding this relationship, improvements to information security in organisations can be made. This research asks the following main research question: What is the relationship between security culture and security practices? This study develops a rigorous conceptual framework that identifies the particular security culture characteristics that support and guide security practices towards improving organisational information security. The framework is then used as the basis for qualitative followed by quantitative studies that empirically examine the precise relationship between security culture and security practices. This ‘mixed method’ approach has resulted in four main contributions. These are:
      • Empirical establishment of the relationship between security culture and security practices
      • Refinement of security culture characteristics
      • Synthesis and empirical demonstration of the existence of security practices
      • Development of a valid and reliable instrument to measure the relationship between security culture characteristics and security practices.
    This research found that a shared security vision, sense of employee empowerment, collaboration and cooperation, evidence-based decision making, and proper systems and processes, when simultaneously cultivated, explained most of the variance of existence of security practices in the six case organisations. In particular, ‘employee empowerment’ and ‘shared security vision’ have a favourable effect on the practice of security, which in turn benefits organisations.