Emerald | Information Management & Computer Security | Table of Contents
http://www.emeraldinsight.com/0968-5227.htm
Table of contents from the most recently published issue of Information Management & Computer Security Journal
Tue, 08 Jul 2014 00:00:00 +0100
2013 Emerald Group Publishing Limited

An empirical investigation of the factors that influence Internet user's ability to correctly identify a phishing website
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=22&issue=3&articleid=17113147&show=abstract

Abstract

Purpose - This study aims to report on the results of an empirical investigation of the various factors which have significant impacts on the Internet user's ability to correctly identify a phishing website.
Design/methodology/approach - The research participants were Internet users who have had at least some experience of financial transactions over the Internet. This study conducted a quantitative research with help of a structured survey questionnaire along with three experimental tasks. A total of 621 valid samples were collected and multiple regression analysis technique was used to deduce the answers to the research question.
Findings - The results show that the model is useful and has explanatory power. And adjusted R² computed as .927, means that 92.7% of the variations in the Internet user's ability to identify phishing website can be explained by the predictors selected for the model.
Research limitations/implications - Future research should account for Internet user's general security practices and behaviour, attitude towards online financial activity, risk taking ability or risk behaviour and their potential effects on Internet user's ability to identify a phishing website.
Practical implications - The implications of this study provide the foundation for future research on the areas that intend to explain the Internet user's necessity to take protection or avoid risky behaviour while performing financial transaction over Internet.
Originality/value - This study provides the body of knowledge with an empirical analysis of impact of various factors on an Internet user's ability to identify phishing websites. The results of this study can help practitioners create a more successful research model and help researchers better understand user behaviour on the Internet.
Article | Swapan Purkait, Sadhan Kumar De, Damodar Suar | Tue, 08 Jul 2014 00:00:00 +0100

Information security governance implementation within Ghanaian industry sectors: an empirical study
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=22&issue=3&articleid=17113150&show=abstract

Abstract

Purpose - The purpose of this study is to assess the levels of information security governance implementation (ISG) among major Ghanaian industry sectors. The intent is to benchmark inter-industry sector ISG implementation and to identify areas that may require improvement.
Design/methodology/approach - Random sampling strategy was employed and data were collected via Web survey. The data analysis utilized a one-way ANOVA (Analysis of Variance) to determine the differences in means of the levels of implementation of ISG focus areas among five main industry sectors.
Findings - The results showed that, as a whole, all the industry sectors have only partially implemented information security governance. In particular, there existed statistically significant differences in information security governance implementation among the industry sectors. Ranking ISG implementation, financial institutions were close to completion, utility companies, others (IT, Oil and Gas, Manufacturing) and public services had partially implemented information security governance, while health care and educational institutions were at the planning stages. The result also revealed that all the industry sectors made marginal effort trying to align information security to business strategy and performance measurement remained the least implemented focus area.
Originality/value - Organizational leaders could use these findings to benchmark industry sectors’ information security governance implementation, which could lead to competitiveness. Again, international enterprises that do businesses with these industry sectors would better understand the level of involvement of the top executives in governing information security towards the protection of valuable information assets.
Article | Winfred Yaokumah | Tue, 08 Jul 2014 00:00:00 +0100

A holistic cyber security implementation framework
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=22&issue=3&articleid=17113153&show=abstract

Abstract

Purpose - This paper proposes a Holistic Cyber Security Implementation Framework (HCS-IF) that lays out the ground for a conceptual, coherent, systematic, overarching, and consolidated approach to implement Cyber Security Strategies (CSSs).
Design/methodology/approach - The HCS-IF is conceptually proposed to address the actual needs that are extracted from literature review.
The HCS-IF employs and integrates a set of high level conceptual security controls, solutions, processes, entities, tools, techniques, or mechanisms that are already known in the domains of information security management, software engineering, and project management to address the identified needs.
Findings - The HCS-IF components and controls collectively interact and cooperate in order to implement CSSs. The proposed framework is compared with other related frameworks, and the results show that the HCS-IF outperforms other frameworks on most of the suggested comparison criteria.
Originality/value - From a practical standpoint, governments and practitioners alike stand to gain from the findings of this research. Governments who want to implement CSSs on a national level will find the proposed framework useful in overseeing cyber security implementation. Practitioners will be prepared to address the anticipated cyber security implementation challenges and the required controls needed to facilitate cyber security implementation in a holistic overarching manner.
Article | Issa Atoum, Ahmed Otoom, Amer Abu Ali | Tue, 08 Jul 2014 00:00:00 +0100

A cyclical evaluation model of information security maturity
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=22&issue=3&articleid=17113159&show=abstract

Abstract

Purpose - The lack of a security evaluation method might expose organizations to several risky situations. This paper aims at presenting a cyclical evaluation model of information security maturity.
Design/methodology/approach - This model was developed through the definition of a set of steps to be followed in order to obtain periodical evaluation of maturity and continuous improvement of controls.
Findings - This model is based on controls present in ISO/IEC 27002, provides a means to measure the current situation of information security management through the use of a maturity model and provides a subsidy to take appropriate and feasible improvement actions, based on risks. A case study is performed and the results indicate that the method is efficient for evaluating the current state of information security, to support information security management, risks identification and business and internal control processes.
Research limitations/implications - It is possible that modifications to the process may be needed where there is less understanding of security requirements, such as in a less mature organization.
Originality/value - This paper presents a generic model applicable to all kinds of organizations. The main contribution of this paper is the use of a maturity scale allied to the cyclical process of evaluation, providing the generation of immediate indicators for the management of information security.
Article | Evandro Alencar Rigon, Carla Merkle Westphall, Daniel Ricardo dos Santos, Carlos Becker Westphall | Tue, 08 Jul 2014 00:00:00 +0100

Information security: critical review and future directions for research
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=22&issue=3&articleid=17113164&show=abstract

Abstract

Purpose - Purpose of this literature review is to analyze current trends in information security and suggest future directions for research.
Design/methodology/approach - We used literature review to analyze 1,588 papers from 23 journals and 5 conferences.
Findings - We identified 164 different theories used in 684 publications. Distribution of research methods showed that subjective-argumentative category accounted for 81%, while other methods got very low focus. This research offers implications for future research directions on information security. We also identified existing knowledge gaps and how existing themes were studied in academia.
Research limitations/implications - Our literature review did not include some dedicated security journals (i.e. Cryptography).
Practical implications - Our study reveals future directions and trends that academia should consider.
Originality/value - Information security is top concern for organizations and our research analyzed how academia dealt with the topic since 1977. Also, we suggest future directions for research suggesting new research streams.
Article | MARIO SILIC, Andrea Back | Tue, 08 Jul 2014 00:00:00 +0100

A secure portable execution environment to support teleworking
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=22&issue=3&articleid=17113151&show=abstract

Abstract

Purpose - Teleworking is an established work practice yet often the information security controls in the teleworking location are weaker than those in a corporate office. Security concerns also prevent organisations allowing personnel to telework. This paper presents the design, development and trialling of the Mobile Execution Environment (MEE), a secure portable execution environment designed to support secure teleworking.
Design/methodology/approach - The design science research methodology was applied to develop the MEE and this paper is structured using the process elements of the methodology.
Findings - In this paper the problem addressed and the design objectives are defined. The design and implementation is discussed and the testing and trialling approach adopted to demonstrate the MEE is summarised. An evaluation of the demonstration results against the design objectives is presented.
Research limitations/implications - The MEE is part of an on-going research project using open source software; the structure and functionality of the software can limit or influence the direction of the research.
Practical implications - The MEE provides a secure portable execution environment suitable for transaction oriented work performed remotely, e.g. teleworkers performing customer support work.
Originality/value - The MEE builds upon the concept of a portable executable OS that uploads onto a PC through an external port. The MEE extends this concept by providing a hardened secure computing environment that is uploaded from a secure storage device or a standard thumb drive (USB flash drive).
Article | Peter James, Don Griffiths | Tue, 08 Jul 2014 00:00:00 +0100