Similar literature
Found 20 similar documents; search took 15 ms
1.
Today IT security professionals are working hard to keep a high security standard for their information systems. In doing so, they often face similar problems, for which they have to create appropriate solutions. An exchange of knowledge between experts would be desirable in order to prevent independent persons from always developing the same solutions. Such an exchange could also lead to solutions of higher quality, as existing approaches could be advanced, instead of always reinventing the security wheel. This paper examines how information security knowledge can be shared between different organizations on the basis of a web portal utilizing Web-Protégé. It can be shown that through the use of ontologies the domain of information security can be modeled and stored in a human- and a machine-readable format, enabling both human editing and automation (e.g. for risk calculations). The evaluation of the web portal has shown that the most important challenge a tool for knowledge sharing has to face is the aspect of motivating users to participate in a knowledge exchange. Results from the evaluation have been used to further develop and enhance the web portal by implementing additional facilitating features. These features include a credit system, which rewards users for contributions, as well as the ability to select multiple entities, improving the system's usability.

2.
This research is an attempt to better understand how external and internal organizational influences shape organizational actions for improving information systems security. A case study of a multi-national company is presented and then analyzed from the perspective of neo-institutional theory. The analysis indicates that coercive, normative, and mimetic isomorphic processes were evident, although it was difficult to distinguish normative from mimetic influences. Two internal forces related to work practices were identified representing resistance to initiatives to improve security: the institutionalization of work mobility and the institutionalization of efficiency outcomes expected with the adoption of company initiatives, especially those involving information technology. The interweaving of top–down and bottom–up influences resulted in an effort to reinforce, and perhaps reinstitutionalize the systems component of information security. The success of this effort appeared to hinge on top management championing information system security initiatives and propagating an awareness of the importance of information security among employees at all levels of the company. The case shows that while regulatory forces, such as the Sarbanes-Oxley Act, are powerful drivers for change, other institutional influences play significant roles in shaping the synthesis of organizational change.

3.
Knowledge sharing plays an important role in the domain of information security, due to its positive effect on employees' information security awareness. It is acknowledged that security awareness is the most important factor that mitigates the risk of information security breaches in organizations. In this research, a model has been presented that shows how information security knowledge sharing (ISKS) forms and decreases the risk of information security incidents. The Motivation Theory and Theory of Planned Behavior besides Triandis model were applied as the theoretical backbone of the conceptual framework. The results of the data analysis showed that earning a reputation, and gaining promotion as an extrinsic motivation and curiosity satisfaction as an intrinsic motivation have positive effects on employees' attitude toward ISKS. However, self-worth satisfaction does not influence ISKS attitude. In addition, the findings revealed that attitude, perceived behavioral control, and subjective norms have positive effects on ISKS intention and ISKS intention affects ISKS behavior. The outcomes also showed that organizational support influences ISKS behavior more than trust. The results of this research should be of interest to academics and practitioners in the domain of information security.

4.
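An indispensable foundation for information security assurance is the development of supporting infrastructure such as relevant laws and regulations. China's progress in this area currently lags behind, and the efforts and achievements of the international community offer important lessons for building China's legal and regulatory infrastructure for information security assurance. This paper briefly discusses some of the work done by the international community to date.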

5.
In knowledge management (KM)-related research, effective knowledge sharing is considered to be one of the most critical components of KM success. For the present research, the authors conducted a longitudinal, two-phased study to evaluate if the Theory of Reasoned Action (TRA) and three variations of the Theory of Planned Behavior—namely, TPB, decomposed TPB (DTPB), and revised TPB (RTPB)—can adequately predict knowledge sharing behaviors. The first TRA-based study shows a severe limitation in the ability of the intention to predict actual knowledge sharing behaviors collected from a knowledge management platform. In a subsequent study, three variations of TPB-based models were employed to show that, although the independent variables (i.e., attitude, subjective norm, and perceived behavior control that is decomposed into controllability and self-efficacy) give satisfactory explanations of variance in intention (R² > 42%), the intention–behavior gap still exists in each of the three models. Only the perceived self-efficacy in the revised TPB can directly predict knowledge sharing behaviors. This gap highlights the importance of knowledge sharing as a fundamentally social activity for which the actualization of intention into actions may be interrupted due to barriers such as a mistake-free culture or others’ deliberate misinterpretations that may in turn cause unanticipated negative consequences to the person. The theoretical implication of this study is that in applying TPB to study knowledge sharing practices, researchers must focus on control beliefs that reflect people’s capacity to overcome possible environmental challenges encountered in carrying out their knowledge sharing intentions.

6.
Information Systems and e-Business Management - Employees play a critical role in improving workplace cyber security, which builds on widespread security knowledge and expertise. To maximise...

7.
In this paper, we present an agent-based system designed to support the adoption of knowledge sharing practices within communities. The system is based on a conceptual framework that, by modelling the adoption of knowledge management practices as a change process, identifies the pedagogical strategies best suited to support users through the various stages of the adoption process. Learning knowledge management practices is seen as a continuous process, taking place at individual and social level that includes the acquisition of information, as well as the contextual use of the information acquired. The resulting community-based system provides each member of the community with an artificial personal change-management agent capable of guiding users in the acquisition and adoption of new knowledge sharing practices by activating personalised and contextualised intervention.

8.
Knowledge sharing and investment decisions in information security (total citations: 1, self-citations: 0, citations by others: 1)
We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary or substitutable, plays a crucial role in influencing these decisions. In the complementary case, we show that the firms have a natural incentive to share security knowledge and no external influence to induce sharing is needed. However, the investment levels chosen in equilibrium are lower than optimal, an aberration that can be corrected using coordination mechanisms that reward the firms for increasing their investment levels. In the substitutable case, the firms fall into a Prisoners' Dilemma trap where they do not share security knowledge in equilibrium, despite the fact that it is beneficial for both of them to do so. Here, the beneficial role of a social planner to encourage the firms to share is indicated. However, even when the firms share in accordance to the recommendations of a social planner, the level of investment chosen by the firms is sub-optimal. The firms either enter into an “arms race” where they over-invest or reenact the under-investment behavior found in the complementary case. Once again, this sub-optimal behavior can be corrected using incentive mechanisms that penalize for over-investment and reward for increasing the investment level in regions of under-investment. The proposed coordination schemes, with some modifications, achieve the socially optimal outcome even when the firms are risk-averse. Implications for information security vendors, firms, and social planner are discussed.

9.
The continuous information security failures in organizations have led focus toward organizational culture. It is argued that the development of culture of information security would subsequently lead to a secure organization. However, limited studies have been conducted to understand information security culture. This study aims to understand information security culture and its impact on success with information security efforts in an organization. The research model is based on the theory of primary message systems, which is an established theory from the anthropology discipline. We followed a mixed-methods research design involving two phases of the study. In the first phase, 25 semi-structured interviews with experienced cybersecurity practitioners were conducted to develop the research model. The second phase empirically validated the research model using survey data from 473 participants who completed a web-based survey in Southeast USA from multiple companies. For data analysis, we employed Partial Least Squares - Structural Equation Modeling using SmartPLS. Our findings indicate that group cohesiveness, professional code, information security awareness, and informal work practices have significant influence on information security culture. Further, the security culture has positive impact on information security success perception. The contribution of this research lies in establishing the role of security culture and information security awareness in contributing toward information security success.

10.
Communities of Practices (CoPs) are informal structures within organizations that bind people together through informal relationships and the sharing of expertise and experience. As such, they are effective tools for the creation and sharing of organizational knowledge, and an increasing number of organizations are adopting them as part of their knowledge management strategies. In this paper, we examine the knowledge sharing characteristics and roles of CoPs and develop a peer-to-peer knowledge sharing architecture that matches the behavioral characteristics of the members of the CoPs. We also propose a peer-to-peer knowledge sharing tool called KTella that enables a community's members to voluntarily share and retrieve knowledge more effectively.

11.
In this paper, we study how the firm shares the special knowledge of two knowledge-complementarity clients by implementing a large and complex project which the firm out-sourced. Firstly, incentive mechanisms for complementarity special knowledge sharing are designed for clients being risk-neutral and risk-averse respectively under asymmetric information. Further, the effects of knowledge complementarity and other relevant factors on the optimal incentive coefficient are analyzed. Lastly, the numerical results are reported.

12.
The unique features and capabilities of online learning are built on the ability to connect to a wider range of learning resources and peer learners that benefit individual learners, such as through discussion forums, collaborative learning, and community building. The success of online learning thus depends on the participation, engagement, and social interaction of peer learners, which leads to knowledge sharing. Thus, without frequent and persistent interaction, it is doubtful whether knowledge sharing can take place in online learning. This study argues that theories about the development and maintenance of social relationships provide a theoretical foundation for understanding the motivation to engage in online knowledge sharing behavior. An Online Knowledge Sharing Model (OKSM) is proposed and empirically tested among undergraduate students using an online learning environment. The model introduces two new constructs – Perceived Online Attachment Motivation (POAM) and Perceived Online Relationship Commitment (PORC), which together explained 71 percent of the variance observed in self-reported online knowledge sharing behavior. The findings provide some explanations for the motivation to share knowledge, and have several implications for the design of the features and capabilities of online learning environments.

13.
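Information security problems in the construction and operation of smart cities cannot be ignored. The article analyzes the various risks currently facing smart city information security in terms of infrastructure risk, new technology risk, the information security assurance system, and citizens' information security literacy, and proposes strategies and recommendations such as improving laws and regulations, strengthening top-level design, encouraging technological innovation, and standardizing security management, in order to raise the level of smart city information security in China and promote the building of a scientific and standardized smart city information security system.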

14.
《微型机与应用》2019,(3):17-19
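The financial industry is the lifeblood of national economic development and the nerve center of society's operation. How to safeguard the industry's information security while making full use of new-generation information technology to conduct business has become a pressing issue. This paper analyzes and summarizes the prominent problems the financial industry faces in information security, proposes "transformation + upgrade" as the task objective in advancing the construction of the industry's information security system, sets out an action strategy of "four combinations", and offers recommendations to help the financial industry progressively make its software and hardware products secure, reliable, efficient and usable.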

15.
The gap between the perceived security of an information system and its real security level can influence people's decisions and behavior. The objective of this study is to find effective ways to adjust people's perception of information security, in order to enhance their intention to adopt IT appliances and compliance to security practices. Two separate experiments were conducted. In experiment I, 64 participants were asked to transfer money through an e-banking system. Their intention to adopt e-banking was measured by a questionnaire. In experiment II, 64 participants were asked to register on an online forum. Their subjective intention to create a strong password was measured by a questionnaire, and the objective strength of the passwords they created was calculated. Results of the ANOVA and the path models derived from the path analysis indicated that people's adoption intention, such as their intention to adopt e-banking, can be enhanced by changing their perceived Knowledge, Controllability and Awareness, while changing the perceived Controllability is most effective. The results also indicated that people's compliance to security practices, such as setting strong passwords for IT systems, can be enhanced by changing their perceived Knowledge, Severity and Possibility, while changing their perceived Knowledge and Severity is most effective. Implications for further research and practice were also discussed.

16.
The past few years have witnessed numerous information security incidents throughout the world, which unfortunately become increasingly tough to be completely addressed just by technology solutions such as advanced firewalls and intrusion detection systems. In addition to technology components, Internet environment can be viewed as a complex economic system consisting of firms, hackers, government sectors and other participants, whose economic incentives should be taken into account carefully when security solutions are formulated. In order to better protect information assets, information security economics as an emerging and thriving research branch emerges aiming at attempting to solve the problems of distorted incentives of such stakeholders by means of economic approaches. However, how these participants’ economic incentives for information security improvement change when they evolve between different market structures has remained unknown yet. Using game theory, we develop an analytical framework to investigate the effects of market structures on security investments, information sharing, attack investments, expected profits, expected consumer surplus and expected social welfare. We demonstrate that the levels of security investments, information sharing, attack investments, and expected profits are higher while expected consumer surplus and expected social welfare are lower under Cournot competition than under Bertrand competition. In particular, we surprisingly find that under either type of competition, the demand switch ratio caused by security breaches may benefit firms, consumers, government sectors and harm hackers. Our results provide some relevant managerial insights into formulating the strategies of security investments and information sharing for the firms transforming from one type of competition to the other.

17.
Organisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research.

18.
Co-opetition, simultaneous cooperation and competition, is a recent phenomenon. Co-opetition entails sharing knowledge that may be a key source of competitive advantage. Yet, the knowledge gained by cooperation may also be used for competition. However, there is little investigation of how this problem may be modelled and, hence, managed. A game–theoretic framework for analysing interorganisational knowledge sharing under co-opetition and guidelines for the management of explicit knowledge predicated on coordination and control theory has been proposed, but remains untested. This research empirically investigates these issues in the context of small and medium-sized enterprises (SMEs). SMEs provide an interesting setting as they are knowledge generators, but are poor at knowledge exploitation. The paper uses data from U.K. SMEs to investigate co-opetition, management of knowledge sharing and the role of IS.

19.
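The rule of law in information and network security is required both by adherence to the holistic view of national security and by adherence to comprehensive law-based governance. Safeguarding information and network security in accordance with the law is essential. Research on the rule of law in information security in the new era must implement the holistic view of national security and treat achieving information security as a key link in the overall strategic deployment for national security. Research on the rule of law in information and network security should look back at history, drawing confidence and experience from historical achievements while also learning from historical lessons. Research on information and network security should also pay attention to local practice, focus on solving prominent problems, and plan for the long term.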

20.
The aim of the present study is to investigate the impact of cultural collectivism on knowledge sharing among information technology majoring undergraduates in Turkey. The study proposes a research model based on the theory of reasoned action (TRA). A structural equation model was used to test the research model against the data collected by means of a self-report questionnaire. Results show that cultural collectivism has a positive and significant impact on attitudes toward and subjective norms with regard to knowledge sharing. Confirming the TRA, results also suggest that behavioral intentions are jointly determined by attitudes and subjective norms. Implications of these findings are discussed.
