Search the digital library catalogue

1 - 10 / 14
1.
A real-world information security performance assessment using a multidimensional socio-technical approach
Kaja Prislan Mihelič, Anže Mihelič, Igor Bernik, 2020, original scientific article

Description: Measuring the performance of information security is an essential part of the information security management system within organisations. Studies in the past mainly focused on establishing qualitative measurement approaches. Since these can lead to ambiguous conclusions, quantitative metrics are being increasingly proposed as a useful alternative. Nevertheless, the literature on quantitative approaches remains scarce. Thus, studies on the evaluation of information security performance are challenging, especially since many approaches are not tested in organisational settings. The paper aims to validate the model used for evaluating the performance of information security management system through a multidimensional socio-technical approach, in real-world settings among medium-sized enterprises in Slovenia. The results indicate that information security is strategically defined and compliant, however, measures are primarily implemented at technical and operational levels, while its strategic management remains underdeveloped. We found that the biggest issues are related to information resources and risk management, where information security measurement-related activities proved to be particularly problematic. Even though enterprises do possess certain information security capabilities and are aware of the importance of information security, their current practices make it difficult for them to keep up with the fast-paced technological and security trends.
Keywords: information security, information security management, organisations, qualitative measurement
Published in DKUM: 07.02.2025; Views: 0; Downloads: 3
.pdf Full text (1,17 MB)
This material has multiple files! More...

2.
Balancing software and training requirements for information security
Damjan Fujs, Simon Vrhovec, Damjan Vavpotič, 2023, original scientific article

Description: Information security is one of the key areas of consideration to assure reliable and dependable information systems (IS). Achieving an appropriate level of IS security requires concurrent consideration of the technical aspects of IS and the human aspects related to the end users of IS. These aspects can be described in the form of information security requirements. We propose an approach that helps select and balance information security software requirements (iSSR) and information security training requirements (iSTR) according to the information security performance of end users. The approach was tested in an experiment involving 128 IS professionals. The results showed that using the proposed approach helps IS professionals with limited experience in information security make significantly better decisions regarding iSSR and iSTR.
Keywords: cyber security, experiment, information security standard, requirements engineering, end user training, information security
Published in DKUM: 13.11.2024; Views: 0; Downloads: 3
URL Link to full text

3.
Barriers to knowledge sharing in the field of information security
Justyna Żywiołek, Joanna Rosak-Szyrocka, Borut Jereb, 2021, original scientific article

Description: Today, sharing knowledge requires taking into account many aspects. Variable environmental conditions, the people factor, and the security of resources are just a few that should be considered for a noticeable improvement in the functioning of the company. Supporting this course of action requires the identification of all barriers that may exist in the enterprise. Only the owner and senior management by establishing system and organizational changes can influence this element of the business. The aim of the article is to indicate the problems in this respect that block the proper functioning of the company in the field of information and knowledge exchange. The survey was conducted with the help of a questionnaire among 189 respondents. The industry has significantly decreased in the last few decades, currently there are 307 companies operating in Poland. Conclusions from the conducted research were collected on the basis of a questionnaire survey. The further stage of the research will be to compare the collected results with the results from Western European countries.
Keywords: knowledge sharing, knowledge management, information security, knowledge exchange, business organization, Poland
Published in DKUM: 22.10.2024; Views: 0; Downloads: 7
.pdf Full text (484,62 KB)
This material has multiple files! More...

4.
Data breaches in healthcare: security mechanisms for attack mitigation
Lili Nemec Zlatolas, Tatjana Welzer Družovec, Lenka Lhotska, 2024, original scientific article

Description: The digitalisation of healthcare has increased the risk of cyberattacks in this sector, targeting sensitive personal information. In this paper, we conduct a systematic review of existing solutions for data breach mitigation in healthcare, analysing 99 research papers. There is a growing trend in research emphasising the security of electronic health records, data storage, access control, and personal health records. The analysis identified the adoption of advanced technologies, including Blockchain and Artificial Intelligence, alongside encryption in developing resilient solutions. These technologies lay the foundations for addressing the prevailing cybersecurity threats, with a particular focus on hacking or malicious attacks, followed by unauthorised access. The research highlights the development of strategies to mitigate data breaches and stresses the importance of technological progress in strengthening data security. The paper outlines future directions, highlighting the need for continuous technological progress and identifying the gaps in the attack mitigations.
Keywords: data security, privacy, sensitive personal information, electronic health records, cybersecurity
Published in DKUM: 23.08.2024; Views: 109; Downloads: 8
.pdf Full text (1,51 MB)

5.
Outsource or not? : An AHP based decision model for information security management
Luka Jelovčan, Anže Mihelič, Kaja Prislan Mihelič, 2022, original scientific article

Description: Purpose: Outsourcing information security has proven to be an efficient solution for information security management; however, it may not be the most suitable approach for every organization. This research aimed to develop a multi-criteria decision-making model that would enable organizations to determine which approach to information security management (outsourcing or internal management) is more suitable for their needs and capabilities. Methods: Our study utilized several different research methods. First, the decision criteria were identified by reviewing related work and then selected by information security experts in a focus group. Second, a survey was conducted among information security practitioners to assign the criteria weights. Third, four use cases were conducted with four real-world organizations to assess the usability, ease of use, and usefulness of the developed model. Results: We developed a ten-criteria model based on the analytic hierarchy process. The survey results promote performance-related criteria as more important than efficiency-focused criteria. Evidence from use cases proves that the decision model is useful and appropriate for various organizations. Conclusion: To make informed decisions on approaching information security management, organizations must first conduct a thorough analysis of their capabilities and needs and investigate potential external contractors. In such a case, the proposed model can serve as a useful support tool in the decision-making process to obtain clear recommendations tailored to factual circumstances.
Keywords: information security, decision model, analytic hierarchy process, AHP, management, outsourcing
Published in DKUM: 24.06.2024; Views: 141; Downloads: 19
.pdf Full text (1,97 MB)
This material has multiple files! More...

6.
Unlimited access to information systems with mobile devices : information security perspective
Igor Bernik, Blaž Markelj, 2011, review scientific article

Description: Purpose: Mobile devices have become an indispensable part of modern communications; they enable easy access to the Internet and also remote manipulation of data stored in corporate information systems. The number of mobile device users is on the rise, but most of them don’t comprehend completely the less obvious functions of these devices. Users also have almost no control over background computer programs, because they run without their knowledge and volition. From the standpoint of information security, a lack of awareness of the risks can seriously compromise the integrity of corporate networks and information systems. The weakest links are users, but also the technology itself. To ensure the functioning and security of information systems, corporations and individual users should learn about protective mechanisms. It is also important that users adhere to implemented (internal) safety regulations. Design/Methods/Approach: We used descriptive and comparative methods, and made an overview of published literature, as well as processes pertaining to the use of mobile devices and related security issues. We compared general elements of information security in regard to the use of mobile devices. Findings: At present mobile devices are more and more frequently used to access information systems. The majority of users are concerned almost exclusively with the question, how to get uninterrupted remote access to data, but far less with security issues. This paper presents some guidelines for achieving and maintaining information security. Research limitations/implications: It has been noted, that this is a time of turbulent development and evolution in the field of mobile devices, and also related security issues, so best practices haven’t been defined yet. Corporations and other organizations have just recently begun defining guidelines to eliminate security breaches through mobile devices, therefore a comparison of their implemented solutions is practically impossible. Practical implications: We propose guidelines, which can be used to: minimize information security risks posed by mobile devices; evaluate the current state of information security; and implement protective measures against cyber threats encountered by corporations and individual users of mobile devices. Originality/Value: Information security is a relatively new field because mobile devices and remote access to the Internet and data have just recently come into wider use. At the same time security issues and protective measures have stayed largely overlooked. Security threats are many, so it is imperative that users learn more about them and adopt some necessary security measures.
Keywords: information security, blended threats, mobile devices, corporate information systems, business integrity
Published in DKUM: 12.05.2020; Views: 1346; Downloads: 67
.pdf Full text (884,10 KB)
This material has multiple files! More...

7.
The nature of security culture in a military organization : a case study of the Slovenian Armed Forces
Denis Čaleta, Katja Rančigaj, Branko Lobnikar, 2011, original scientific article

Description: Purpose: The purpose of this research article is to define and explain the role of security culture as an important factor in the provision of effective preparedness of security organisation members for managing new types of security challenges, which are transnational, asymmetric and complex in form. It should be noted that, to a great extent, the internalisation of security awareness and the attitude towards security information depends on the organisational dynamics in an organisation. The article will complement theoretical findings with the analysis of the nature of security culture in a security (military) organisation, the priority of which is a high level of awareness of the effects of security culture and its integration in individual and organisational values. Design/Methods/Approach: The article presents views of the Slovenian Armed Forces’ (SAF) members on the perception of factors relevant for the operation of processes forming security culture. The research was carried out on a sample of SAF employees who use classified information in their work. Altogether 53 respondents participated in the survey. The security culture was measured with questions in the form of 31 statements. The respondents answered these statements with the help of a five-level scale. The Cronbach’s alpha coefficient for the listed statements was 0.932. Finally, the nature of security culture was established with the help of a factor analysis. Findings: A factor analysis, carried out at the beginning of the analysis, helped establish six factors of security culture which enabled us to explain 71.99 percent of the variance. The identified factors intended for explaining security culture in the context of a military organisation are as follows: personnel requirements for management of classified information, competence for maintenance of security culture, attitude towards the protection of classified information, procedures for ensuring protection of classified information, recording and elimination of violations in the protection of classified information and organisational measures for management of classified information. The results of the survey carried out among the SAF employees demonstrated that the respondents estimated marked all identified security culture sets of contents above average, with marks ranging between 3 and 4 in all statements. Research limitations: The survey covered those SAF members who use classified information in their work. Hence the results of the survey are primarily applicable to the military environment and could not be generalized for other security organisations. Practical implications: The results of the survey can be directly applied to the management of processes for the protection and management of classified information in the SAF. Furthermore, they also indicate the application of the theoretical understanding of security culture’s significance to the success of security organizations’ performance. Originality/Value: The survey introduces an original approach to the measurement of security culture in security organisations. It can serve as a valuable basis for further research on the interaction of security culture with other factors in security organisations, such as for instance organisational culture. Practicians of criminal justice and security, military science and other similar scientific disciplines can also find this article useful in their further study of standpoints and attitudes of security organisations’ members about their role in the processes of establishing an appropriate security culture, as a precondition for effective management of new challenges and threats that we witness in the contemporary security environment.
Keywords: security culture, armed forces, classified information, Slovenia
Published in DKUM: 04.05.2020; Views: 907; Downloads: 34
URL Link to file
This material has multiple files! More...

8.
Quantitative model for economic analyses of information security investment in an enterprise information system
Rok Bojanc, Borka Jerman-Blažič, 2012, original scientific article

Description: The paper presents a mathematical model for the optimal security-technology investment evaluation and decision-making processes based on the quantitative analysis of security risks and digital asset assessments in an enterprise. The model makes use of the quantitative analysis of different security measures that counteract individual risks by identifying the information system processes in an enterprise and the potential threats. The model comprises the target security levels for all identified business processes and the probability of a security accident together with the possible loss the enterprise may suffer. The selection of security technology is based on the efficiency of selected security measures. Economic metrics are applied for the efficiency assessment and comparative analysis of different protection technologies. Unlike the existing models for evaluation of the security investment, the proposed model allows direct comparison and quantitative assessment of different security measures. The model allows deep analyses and computations providing quantitative assessments of different options for investments, which translate into recommendations facilitating the selection of the best solution and the decision-making thereof. The model was tested using empirical examples with data from real business environment.
Keywords: modelling, security technology, economic metrics, investment, enterprise information system
Published in DKUM: 22.01.2018; Views: 1235; Downloads: 412
.pdf Full text (2,18 MB)
This material has multiple files! More...

9.
Mobile devices and effective information security
Blaž Markelj, Igor Bernik, 2013, original scientific article

Description: Rapidly increasing numbers of sophisticated mobile devices (smart phones, tab computers, etc.) all over the world mean that ensuring information security will only become a more pronounced problem for individuals and organizations. It’s important to effectively protect data stored on or accessed by mobile devices, and also during transmission of data between devices and between device and information system. Technological and other trends show that the cyber threats are also rapidly developing and spreading. It's crucial to educate users about safe usage and to increase their awareness of security issues. Ideally, users should keep up with technological trends and be well equipped with knowledge, otherwise mobile technology will significantly increase security risks. Most important is that we start educating youth so that our next generations of employees will be part of a culture of data and information security awareness.
Keywords: information security, blended threats, mobile devices, awareness
Published in DKUM: 06.07.2017; Views: 1688; Downloads: 402
.pdf Full text (237,86 KB)
This material has multiple files! More...

10.
Criminal responsibility of students regarding using mobile devices and violating the principles of information security
Blaž Markelj, Sabina Zgaga Markelj, 2014, original scientific article

Description: The combination of information security and criminal law in the case of usage of smart mobile phones among the students is a very relevant and current topic. Namely, the number of smart mobile phones’ users is rising daily, including among the student population, due to the need for perpetual communication and constant access to information. However, the lack of knowledge about recommendations on information security and safe use of smart mobile phone together with their disregard could lead to criminal responsibility of the users of smart mobile phones, including students. The purpose of this paper is therefore to represent the potential consequences of criminal responsibility and how to avoid it. The knowledge on safe use of smart mobile phones, their software, but also threats and safety solutions is very low among students, as the survey shows. Due to the loss, conveyance or disclosure of protected data, criminal responsibility of a user could therefore be relevant. In certain cases the juvenile criminal justice system is partly still relevant due to the students’ age, whereas in every case the students' culpability should be assessed precisely. This assessment namely distinguishes the cases, when the student is a perpetrator of a criminal act from the cases, when the student is only a victim of a criminal act due to his improper use of smart mobile phones.
Keywords: mobile devices, information security, criminal responsibility, criminal act
Published in DKUM: 06.07.2017; Views: 1307; Downloads: 346
.pdf Full text (246,69 KB)
This material has multiple files! More...
