
Information Security Management - Risk, Controls, Behaviour, Standardisation, and Technologies - Research Paper Example

Summary
The paper “Information Security Management - Risk, Controls, Behaviour, Standardisation, and Technologies” is a dramatic example of the research paper on management. This research report identifies and reviews research papers in the information security domains such as risk, controls, behaviour, standardization, and technologies…

Extract of sample "Information Security Management - Risk, Controls, Behaviour, Standardisation, and Technologies"

REVIEW OF ACADEMIC RESEARCH UNDERTAKEN SINCE 2000 IN THE DOMAIN OF INFORMATION SECURITY MANAGEMENT

Table of Contents

Summary
Research Problem
Aims
Significance of Research Project
Methodology Used
Outcomes
1.0 Introduction
1.1 Background
1.2 Significance
1.3 Research Focus
1.3.1 Research question
1.3.2 Research aim
2.0 Literature review
2.1 Information Security Management System
2.2 Risk Assessment
2.3 Controls
2.4 Behaviour
2.5 Standardisation
2.6 Technologies
3.0 Research Method
4.0 Results and Discussion
5.0 Conclusion
6.0 References

Summary

Research Problem

This research report identifies and reviews research papers in information security domains such as risk, controls, behaviour, standardisation, and technologies, with the objective of determining whether they have increased or decreased since 2000. It also seeks to determine whether paper sponsors or supporters in these domains have increased or decreased since 2000. Given that Information Security Management Systems (ISMSs) are a crucial part of the modern-day business management system, this report examines the existing literature that focuses on information security domains.

Aims

The objective of this piece is to determine whether the research papers and paper sponsors/supporters in the information security domains have increased or decreased since 2000. Another objective is to critically examine the findings of the existing literature in the information security domains and analyse security policy compliance within the information security context.
Significance of Research Project

This paper is important because it demonstrates how the increasing vulnerability to information technology risk, especially information security risk, has been examined in the existing literature. A number of studies have emphasised the significance of incorporating information security as part of organisational corporate governance. Accordingly, the emerging exposure to information security risk necessitates that information security be considered a crucial part of the organisation's corporate governance. This paper demonstrates how modern-day organisations have become increasingly reliant on information systems (IS). Still, the threats to information systems are increasing, as demonstrated in many studies.

Methodology Used

The literature review method was used to facilitate the critical examination of current knowledge within the information security domains. The literature review was important because it helps identify the strengths and flaws of previous work, thus allowing for the elimination of possible weaknesses and capitalising on the potential strengths. The literature search offers context and up-to-date knowledge in information security management. The literature review helped in the identification of techniques utilised in previous research on information security and offered comparisons for the research findings.

Outcomes

It was established that research on information security since 2000 has mainly focused on risks and threats, technologies, and controls. There is little research on behaviour and standardisation. Furthermore, the majority of the reviewed papers have not been supported by theoretical foundations, but instead relied on previous works and case studies.

1.0 Introduction

1.1 Background

Without a doubt, information is a crucial organisational asset; for that reason, an Information Security Management System (ISMS) is considered to be crucially important for all organisations.
The ISMS is important because it ensures the availability, integrity and confidentiality of the information in the business organisation. Roles and privileges are the special rules commonly utilised to access information assets. The significance of a unified information security management process defines the formation of standard procedures and mechanisms as well as the special structures in organisations for its enactment. The significance of information security for the success of businesses in a concurrency milieu requires the ISMS to be certified and accredited. The ISMS, according to Pavlov and Karakaneva (2011, p.20), can be described as a set of organisational structure, technological and technical tools, practices, procedures, security policy, processes, and responsibilities. The complexity of these resources relies on certain priorities and conditions of the organisation. International guiding principles on information security such as ISO/IEC 27002 recommend that organisations carry out risk assessments in order to establish security expenditure priorities. Considering that security risk assessment processes are complex and costly, Ng et al. (2013, p.60) observed that it is imperative to include specialist expertise while implementing an ISMS.

1.2 Significance

In the 21st century, information has turned out to be a crucial strategic resource; therefore, information security is associated with social stability and national security. For that reason, measures must be taken in order to ensure information security. Recently, researchers in the domain of information security have made some accomplishments in studying the rapid development of information security technology. Still, information systems are vulnerable to different threats that can result in varying damages, which could result in substantial financial losses.
This study will demonstrate how the effects associated with various threats differ significantly, since some affect the integrity or confidentiality of data and others affect the system's availability. Presently, business organisations are finding it hard to understand the main threats and risks to their information and the means of combating them. This study will demonstrate how information security standards such as ISO 27001 and ISO 27002 could be utilised to eliminate such threats and risks. Information security has become a critical organisational function thanks to the growing complexity of information security threats as well as the increasing number of regulatory bodies.

1.3 Research Focus

1.3.1 Research question

a) Have the research papers in the information security domains such as risk, controls, behaviour, standardisation, and technologies increased or decreased since 2000?
b) Have the paper sponsors or supporters in the information security domains increased or decreased since 2000?

1.3.2 Research aim

1. To determine whether the research papers in the information security domains such as risk, controls, behaviour, standardisation, and technologies have increased or decreased since 2000.
2. To examine whether the paper sponsors or supporters in the information security domains have increased or decreased since 2000.
3. To critically analyse the existing pieces of literature in the information security domains.
4. To examine the security policy compliance within the information security context.

2.0 Literature review

In their study, Ng et al. (2013, p.61) define information security as the protection of information as well as IS from unauthorised destruction, use, access, modification, or disclosure, with the objective of providing availability, integrity, and confidentiality.
Therefore, information security is concerned with protecting both the information infrastructure and the information itself from unauthorised access, which could lead to damage, modification or disclosure of the information, as well as disruption or modification of information technology services. Ng et al. (2013, p.61) maintain that this could be malicious or unintentional activity committed by outsiders or insiders. The Ng et al. (2013) study indicates that information security management involves processes through which technical, informal, and formal controls are utilised with the objective of addressing security risks. Technical controls involve systems that detect intrusion, firewalls, and other devices capable of regulating access to resources, while informal controls are meant to influence security culture through education and training. On the other hand, formal controls consist of policies and procedures, risk assessments, legal mechanisms, and audits, which offer advice as well as outline disciplinary measures for failing to comply.

2.1 Information Security Management System

Using the case study approach, Ng et al. (2013, p.63) examined the factors influencing investment decision-making processes for information security in Small and Medium Enterprises (SMEs). Their research was exploratory in nature, whereby the primary purpose is examining a phenomenon or issue that is little understood with the objective of developing preliminary ideas. The authors utilised the case study approach in order to capture different perspectives regarding information security and also to facilitate cross-analysis of the case studies. After conducting 25 case studies, Ng et al. (2013, p.68) found that most SMEs' decision makers were willing to lessen information risks. This is attributed mainly to external parties, such as potential and current customers, who rate their organisations according to product quality, reputation and trustworthiness. Ng et al.
(2013) established that trust is considered a crucial factor by the decision makers, and that it can be earned through protection of the confidentiality of the client's data. Ng et al. (2013, p.68) cite a number of previous studies, such as Bandyopadhyay (1999) and Gerber (2005), which established that perceptions are crucial in identifying risks in information security. Risk analysis, according to Bandyopadhyay (1999) and Gerber (2005), is subjective since it relies on a person's feelings, mood and opinion (Ng et al., 2013, p.68). Therefore, perceiving information security wrongly could result in erroneous analysis of information risks. Besides that, the misperception of a security incident can lead to a series of intensifying effects on the organisation's decision to implement information security. Gupta and Saini (2013, p.34) mention that information system security involves scores of techniques, facts and concepts. A number of practitioners and researchers have formulated and defined IT risk policies and information security differently, with the aim of achieving the goals set to secure the organisation's information assets in different forms of organisations. Gupta and Saini (2013, p.34) argue that there are numerous information security methods, but the main focus should be on risk management because of its integration with the development of Information Systems.

2.2 Risk Assessment

In their study, Fazlida and Said (2015, p.244) observed that the increasing IT risk vulnerability, especially the information security risk, has been surveyed extensively by companies like PricewaterhouseCoopers as well as Ernst and Young. In the Fazlida and Said (2015) survey, the majority of respondents indicated that cyber threats and risks, disaster recovery and business continuity, prevention of data loss and leakage, compliance monitoring, and information security transformation are the key areas in information security risk.
The main objective of information security, according to the authors, is preserving and protecting the integrity, confidentiality, and availability of information. Fazlida and Said (2015, p.247) observed that the overall attitude of the company towards information security can be signalled by sound governance of information security. Jouini et al. (2014) mention that the advancement of ICTs and growing Internet accessibility have made organisations vulnerable to different forms of threats. Indeed, their information can be easily damaged through cyber-attacks. Jouini et al. (2014) point out that threats to information security originate from hackers' attacks or employees' activities. Normally, it is difficult to detect the financial losses attributed to the breach of information security due to losses caused by smaller-scale incidents. When the information security system has vulnerabilities, Jouini et al. (2014) posit that the threat could be manifested through a threat agent utilising a certain penetration method with the objective of causing negative effects. The existing studies cited by Jouini et al. (2014) have suggested taxonomies whereby attacks are classified according to the projected attack effect, such as a DoS attack. Gerić and Hutinski (2007, p.60) agree with Jouini et al. (2014) that security threat classification is a crucial factor for successful information security management. This is because classification makes it easier to protect the information system efficiently using limited resources, by making investments in protective controls which manage the normal threats. The study by Ghazouani et al. (2014, p.37) indicates numerous methodologies for risk management, such as SP 800-30 (NIST), CRAMM, Ebios, and Mehari, which utilise a common step anchored on probability, vulnerability, and threat, measured intuitively by means of verbal hazard scales such as high, medium, or low. Due to their subjectivity, Ghazouani et al.
(2014, p.37) posit that assigning such categories to threats, probability or vulnerabilities, or interpreting them with some confidence level, is very challenging. For this reason, Ghazouani et al. (2014) propose a mathematical risk formulation through utilisation of a lower granularity level of its elements: criteria, probability, and threat, utilised in determining the available protection measures, exposure, value and frequency of information assets. The authors integrate SP 800-30 (NIST), CRAMM, Ebios, and Mehari in order to develop a new approach that facilitates the new mathematical risk formulation. Yalman and Yesilyurt (2013) observed that the information assurance approach, together with its elements, has become more important in the contemporary world.

2.3 Controls

The main objective of controls in information security, according to Pavlov and Karakaneva (2011, p.25), is to reduce risks or threats attributed to security incidents. Decision-making criteria are important components in the development of the control schema; therefore, the criteria should be standard, appropriate, applicable, and admissible. Given that the human factor plays a crucial role in the ISMS, Pavlov and Karakaneva (2011, p.25) assert that it is important to train and educate employees regarding information security. This can be achieved through computer-assisted exercises while executing different scenarios within the information security field. In so doing, the management would be able to verify the controls and find ways of effectively protecting the information. Protecting information is very important for organisations. Over the years, most organisations have experienced different forms of system losses that have directly impacted their information, which is the most valued asset. For this reason, Otero et al.
(2010, p.1) posit that organisations have to look for ways that would ensure effective and appropriate controls for information security are espoused to secure their most sensitive or critical information. Some of the control techniques used include risk management and analysis, random approaches, and baseline manuals. Otero et al. (2010) argue that these techniques ignore some constraints in the organisation, such as resource availability, implementation cost, and scheduling, while searching for the suitable set of controls. The Otero et al. (2010) study proposes a new model that facilitates the evaluation of information security controls, which could assist decision-makers in choosing the most suitable controls in environments with limited resources. In this case, desirability functions have been integrated into the new model with the objective of quantifying the desirability of all the information security controls, considering the restrictions and benefits related to the implementation of each control. In their study, Mohlabeng et al. (2012, p.1482) analysed a number of articles sourced from the IEEE and ScienceDirect databases with the objective of illustrating researchers' various views on the challenges encountered and future work in the field of information security control. They observed that the main challenge appears to be attributed to insufficiently profound knowledge regarding the strategies of information security control. This impedes the ability to determine security needs, identify security technologies, monitor resources, and find means of securing technology management. Besides that, a number of problems could be encountered because of a poor approach towards security model development, while other problems are attributed to regulatory laws (Mohlabeng et al., 2012, p.1482).
2.4 Behaviour

As observed by Stephanou and Dagada (2008, p.17), there is very little existing research on behavioural information security; therefore, their study sought to build on the current research about behavioural information security and propose a theoretical paradigm anchored on the organisational learning approach. Their theoretical paradigm expounds how learning in the organisation happens, showing why both implicit knowledge and explicit knowledge are needed. The proposed model, according to the authors, could help practitioners and scholars understand the significance of awareness for security behaviour. The failure of employees to follow information security policy (ISP) may place the organisation in a dangerous situation, thus forcing organisations to espouse information security controls with the objective of motivating secure behaviour. Research on information security has examined scores of control-related motivations, such as behavioural control, response efficacy, and self-efficacy, in the ISP compliance context; still, the behavioural effects of autonomous functioning perceptions have not been studied extensively in the context of information security. Wall et al. (2013, p.72) observed that managers must be engaged in the development of security controls that reduce reactance and encourage self-determination. Using three exploratory case studies, Alfawaz et al. (2010, p.54) propose an information security framework which can facilitate information security management through identification of behaviours associated with the information security approaches. The objective of their study was to classify individual behaviours with regard to information security in order to facilitate the creation of information security cultures. Alfawaz et al.
(2010) found that even though individual skills and knowledge are crucial, they cannot single-handedly contribute positively towards a culture of information security, which depends on employee behaviours. Besides that, they also established that a person's culture or set of beliefs influences their approach to security behaviour. Therefore, it is imperative to understand employees' underlying beliefs during the behavioural change process. Herath and Rao (2009, p.163) agree with Alfawaz et al. (2010) that end-user security behaviours are crucially important for information security. In their study, Herath and Rao (2009) observed that security behaviours could be influenced by both extrinsic and intrinsic motivators. The major challenge facing most companies, according to Greene and D'Arcy (2010, p.1), is motivating their employees to adhere to the IS security policies, considering that the majority of users normally breach such policies while expediting their work or improving their individual productivity. Greene and D'Arcy (2010) observed that almost 50% of all information security breaches are caused by the users' inability to comply with IS security.

2.5 Standardisation

ISO 27001 implementation, according to Saint-Germain (2005, p.66), is a practice toward improved knowledge regarding the current inventory of ISMS implementation stages, information availability, and IT initiatives. Without a well-developed and well-defined plan for the ISO 27001 project, Saint-Germain (2005, p.66) posits that putting ISO 27001 into practice could be a costly and time-consuming exercise. In order for the organisation to realise the return on investment, the plan for implementation must be created with the end goal in mind. More importantly, internal audit and training are a crucial part of the implementation of ISO 27001 (Arora, 2010, p.8).
Because of the increased information security risks, organisations need a flexible, comprehensive framework that could facilitate the implementation of economical compliance, set out through a governing system capable of maintaining security controls and policies. ISO/IEC 27001:2005, according to Rezakhani et al. (2011), is a standard that deploys the Information Security Management System requirements and enables organisations to identify, minimise and manage the different forms of threats to which information is normally subjected. ISO 27001 is purposely designed to facilitate the selection of proportionate and adequate security controls by which information assets are protected. As mentioned by Rezakhani et al. (2011), the standard is suitable for different forms of organisational application, such as creating security objectives and requirements, ensuring that security risks are managed cost-effectively, and so forth. On the other hand, ISO/IEC 27002:2005 provides general principles and guidelines that improve information security management at the organisation. As pointed out by Rezakhani et al. (2011), ISO/IEC 27002 offers general guidance on the commonly accepted goals of information security management. According to Disterer (2013, p.98), the 'best practices' are provided as methods and procedures in ISO 27002, which may be adapted to certain requirements in organisations. ISO 27001 enables IT providers to document the conformity of their security processes with a recognisable standard. In their study, Tyali and Pottas (2010, p.185) observed that mechanisms or structures that are not mentioned in ISO 27001 are offered by ISO 27799.

2.6 Technologies

In their study, Waliullah et al. (2012, p.143) observed that the Balanced IT Security (BITS) model has become a crucial and useful information security method, especially in higher education.
The BITS approach was originally proposed by Kavavik and Voludakis (2003), and since then different researchers have enhanced and tailored it in order to get rid of some of its limitations (Waliullah et al., 2012, p.143). Thanks to their efforts, the BITS approach has become a significant and formidable standard. Maqousi et al. (2011, p.71) posit that organisations have become part and parcel of the electronic society, where mobile devices, computers, and the Internet have turned out to be the fundamental tools which enable people to take part as users and carry out their day-to-day activities. Still, electronic business brings about new challenges to information security, given that its users are employees and businesses. For the IT assets in the organisation to be protected against emerging risks and threats, Maqousi et al. (2011, p.71) propose that organisations should train and educate the users of information security systems to enable them to understand the possible threats. In their study, Maqousi et al. (2011) show the importance of including an information security awareness program in the website of the organisation. Gonzalez et al. (2011, p.1) assert that, because of the increasing attention towards cloud computing, the need to constantly and explicitly analyse the current security trends for the technology has increased.

3.0 Research Method

The research methodology espoused for this study is the literature review method, which helps offer a concise summary of findings and provide a rationale for carrying out future research. This study has used the themes developed in the existing studies to create a conceptual model of information security. The literature review has evaluated, summarised, and clarified the literature on information security. Furthermore, it offered a theoretical research basis that helped determine the nature of information security domains.
Numerous works that are fundamental to the topic area were selected and were used to identify and articulate the relationships that exist between the literature and the researched topic. The literature review method was used because it facilitates access to valuable information at a low cost, is relatively easy to access, helps clarify the research questions, and helps answer the research questions.

4.0 Results and Discussion

Generally, a number of the reviewed studies, such as Otero et al. (2010), Stephanou and Dagada (2008) and Waliullah et al. (2012), have offered feasible approaches for efficiently examining the quality of the information security system in organisations. The majority of the reviewed studies focus on the significance of information security awareness (Stephanou & Dagada, 2008; Xiang et al., 2007; Maqousi et al., 2011). Furthermore, most of the studies are not anchored on a theoretical paradigm, but rather offer guidance on the techniques to utilise (Saint-Germain, 2005; Rezakhani et al., 2011; Tyali & Pottas, 2010; Disterer, 2013). As mentioned earlier, there is very little research on behaviour, and the existing studies have focused on behavioural information security and complying with security policies (Alfawaz et al., 2010; Wall et al., 2013; Herath & Rao, 2009; Greene & D'Arcy, 2010). Clearly, the reviewed studies, aside from Greene and D'Arcy (2010), have not holistically analysed security culture, considering that the dimensions of the information security culture have an effect on user behaviour. Herath and Rao (2009) offered indirect support to the assertion that compliance can be increased by monitoring, but they do not demonstrate how organisational security culture can demonstrate compliant behaviour, as evidenced in the Greene and D'Arcy (2010) study. In terms of standardisation, only Disterer (2013) demonstrates the extent to which the ISO 27000, 27001 and 27002 standards have been disseminated.
The other studies have focused more on the value of these standards (Arora, 2010; Saint-Germain, 2005; Pelnekar, 2011). Furthermore, numerous studies describe the different techniques that could be utilised to overcome limitations and difficulties associated with information security (Pavlov & Karakaneva, 2011; Otero et al., 2010; Mohlabeng et al., 2012). These studies have highlighted the significance of developing proper awareness programs and controls so as to reduce information security system vulnerability. Having efficient information security controls, according to Munir and Manarvi (2010, p.54), can help reduce deficiencies associated with information security management. Armstrong (2011, p.11) emphasises that the lack of enough studies in the field of information security makes it challenging for researchers to carry out their doctoral research effectively. The Royal Society (2016, p.7) agrees that digital system research in academia and industry has made crucial contributions to the creation of a trusted and resilient digital environment. These studies exhibited ways of building, examining and improving information security systems, integrating findings from various sectors and disciplines, and from across the world. Still, as evidenced by Sinclaire (2005, p.294), there is little research in information security and privacy, especially at the firm level. A number of researchers in the area of information security, as cited by Lee (2014), have utilised both qualitative and quantitative methods to study the model of information security risk. Several studies have also explored the effect of enforcing security policy on employees, and have suggested that employees must be trained and educated regarding the security procedures and policies in order to motivate information security behaviour (Chen et al., 2015).
The research sponsors for these studies include private and federal sources, government agencies, and research institutes such as the University of Wisconsin-Milwaukee, National Kaohsiung University of Applied Studies, Turgut Ozal University, and The Royal Society.

5.0 Conclusion

In conclusion, this paper has demonstrated that the information security field is still in its infancy; therefore, new knowledge in information security is developed continuously. The majority of contemporary businesses depend on information systems, but they often have fewer resources for successful implementation. The existing studies have not clearly described how information security risks can be addressed by organisations with minimal resources. This paper has highlighted the reasons why information security implementation needs more resources, such as controls, in order to become effective. The existing studies have underlined that the safety measures of information security strategies are mostly ineffective; hence, vulnerabilities have been introduced into organisations' networks, like data theft and loss of data.

6.0 References

Alfawaz, S., Nelson, K. & Mohannak, K., 2010. Information security culture: A Behaviour Compliance Conceptual Framework. In Proc. 8th Australasian Information Security Conference. Brisbane, Australia, 2010.
Armstrong, H., 2011. Two Approaches to Information Security Doctoral Research. In Proceedings of the 7th World Conference on Information Security Education. Lucerne, Switzerland, 2011.
Arora, V., 2010. Comparing different information security standards: COBIT vs. ISO 27001. Research paper. Doha, Qatar.
Chen, Y., Ramamurthy, K. & Wen, K.-W., 2015. Impacts of Comprehensive Information Security Programs on Information Security Culture. Journal of Computer Information Systems, vol. 55, no. 3, pp.11-19.
Dimitriadis, C.K., 2011. Information Security From a Business Perspective: A Lottery Sector Case Study. ISACA Journal, vol. 4, pp.43-48.
Disterer, G., 2013. ISO/IEC 27000, 27001 and 27002 for Information Security Management. Journal of Information Security, vol. 4, pp.92-100.
Fazlida, M.R. & Said, J., 2015. Information Security: Risk, Governance and Implementation Setback. Procedia Economics and Finance, vol. 28, pp.243-248.
Gerić, S. & Hutinski, Ž., 2007. Information System Security Threats Classifications. Journal of Information and Organizational Sciences, vol. 31, no. 1, pp.51-61.
Ghazouani, M., Faris, S., Medromi, H. & Sayouti, A., 2014. Information Security Risk Assessment — A Practical Approach with a Mathematical Formulation of Risk. International Journal of Computer Applications, vol. 103, no. 8, pp.36-42.
Gonzalez, N. et al., 2011. A quantitative analysis of current security concerns and solutions for cloud computing. Journal of Cloud Computing: Advances, Systems and Applications, vol. 1, no. 11, pp.1-18.
Greene, G. & D'Arcy, J., 2010. Assessing the Impact of Security Culture and the Employee-Organization Relationship on IS Security Compliance. In 5th Annual Symposium on Information Assurance (ASIA'10). Albany, NY, 2010.
Gupta, S. & Saini, A.K., 2013. Information System Security and Risk Management: Issues and Impact on Organizations. Global Journal of Enterprise Information System, vol. 5, no. 1, pp.31-35.
Herath, T. & Rao, H.R., 2009. Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, vol. 47, pp.154-65.
Jouini, M., Rabai, L.B.A. & Aissa, A.B., 2014. Classification of security threats in information systems. Procedia Computer Science, vol. 32, pp.489-496.
Lee, M.-C., 2014. Information Security Risk Analysis Methods and Research Trends: AHP and Fuzzy Comprehensive Method. International Journal of Computer Science & Information Technology, vol. 6, no. 1, pp.29-45.
Maqousi, A., Balikhina, T. & Mackay, M., 2011. An Effective Method For Information Security Awareness Raising Initiatives. International Journal of Computer Science & Information Technology, vol. 5, no. 2, pp.63-72.
Mohlabeng, M.R., Mokwena, S.N. & Osunmakinde, I.O., 2012. Towards Implementation of the Information Security Strategies in South Africa. Journal of Emerging Trends in Computing and Information Sciences, vol. 3, no. 11, pp.1472-1486.
Munir, U. & Manarvi, I., 2010. Information Security Risk Assessment for Banking Sector-A Case study of Pakistani Banks. Global Journal of Computer Science and Technology, vol. 10, no. 10, pp.44-55.
Ng, Z.X., Ahmad, A. & Maynard, S.B., 2013. Information Security Management: Factors That Influence Security Investments in SMEs. In 11th Australian Information Security Management Conference. Perth, Australia, 2013. Edith Cowan University.
Otero, A.R., Otero, C.E. & Qureshi, A., 2010. A Multi-Criteria Evaluation of Information Security Controls Using Boolean Features. International Journal of Network Security & Its Applications, vol. 2, no. 4, pp.1-11.
Pavlov, G. & Karakaneva, J., 2011. Information Security Management System in Organization. Trakia Journal of Sciences, vol. 9, no. 4, pp.20-25.
Pelnekar, C., 2011. Planning for and Implementing ISO 27001. ISACA Journal, vol. 4, pp.1-8.
Rezakhani, A., Hajebi, A. & Mohammad, N., 2011. Standardization of all Information Security Management Systems. International Journal of Computer Applications, vol. 18, no. 8, pp.4-8.
Saint-Germain, R., 2005. Information Security Management Best Practice Based on ISO/IEC 17799. The Information Management Journal, vol. 39, no. 4, pp.60-66.
Sinclaire, J.K., 2005. Current Research in Information Security and Privacy. In Proceedings of the 2005 Southern Association of Information Systems Conference. Illinois, 2005. The University of Memphis.
Stephanou, A. & Dagada, R., 2008. The impact of information security awareness training on information security behaviour: the case of further research. In ISSA 2008 Conference. Johannesburg, 2008. University of Johannesburg.
The Royal Society, 2016. Progress and research in cybersecurity: Supporting a resilient and trustworthy system for the UK. Working Paper. London: The Royal Society.
Tyali, S. & Pottas, D., 2010. Information Security Management Systems in the Healthcare Context. In Proceedings of the South African Information Security Multi-Conference (SAISMC 2010). Port Elizabeth, South Africa, 2010. Nelson Mandela Metropolitan University.
Waliullah, M., Arafat, J. & Daiyan, G.M., 2012. Information Technology Security, Strategies and Practices in Higher Education: A Literature Review. JOURNAL OF COMPUTING, vol. 4, no. 7, pp.138-44.
Wall, J.D., Palvia, P. & Lowry, P.B., 2013. Control-Related Motivations and Information Security Policy Compliance: The Role of Autonomy and Efficacy. Journal of Information Privacy & Security, vol. 9, no. 4, pp.52-79.
Xiang, S.C., Guo, Z.H.G.F.D., Fuk, C.Z. & Wu, H.J., 2007. Survey of information security. Science in China Series F: Information Sciences, vol. 50, no. 3, pp.273-98.
Yalman, Y. & Yesilyurt, M., 2013. Information Security Threats and Information Assurance. TEM Journal, vol. 2, no. 3, pp.247-52.