-
Addressing Knowledge Leakage Risk caused by the use of mobile devices in Australian Organizations
Authors:
Carlos Andres Agudelo Serna,
Rachelle Bosua,
Sean B. Maynard,
Atif Ahmad
Abstract:
Information and knowledge leakage has become a significant security risk to Australian organizations. Each security incident in Australian business cost an average US$2.8 million. Furthermore, Australian organisations spend the second most worldwide (US$1.2 million each on average) on investigating and assessing information breaches. The leakage of sensitive organizational information occurs through different avenues, such as social media, cloud computing and mobile devices. In this study, we (1) analyze the knowledge leakage risk (KLR) caused by the use of mobile devices in knowledge-intensive Australian organizations, (2) present a conceptual research model to explain the determinants that influence KLR through the use of mobile devices grounded in the literature, (3) conduct interviews with security and knowledge managers to understand what strategies they use to mitigate KLR caused by the use of mobile devices and (4) use content analysis and the conceptual model to frame the preliminary findings from the interviews. Keywords: Knowledge leakage, mobile devices, mobile contexts, knowledge leakage risk
Submitted 21 August, 2023;
originally announced August 2023.
-
Towards a knowledge leakage Mitigation framework for mobile Devices in knowledge-intensive Organizations
Authors:
Carlos Andres Agudelo Serna,
Rachelle Bosua,
Atif Ahmad,
Sean B. Maynard
Abstract:
The use of mobile devices in knowledge-intensive organizations, while effective and cost-efficient, also poses a challenging management problem. Often employees, whether deliberately or inadvertently, are the cause of knowledge leakage in organizations, and the use of mobile devices further exacerbates it. This problem is the result of overly focusing on technical controls while neglecting human factors. Knowledge leakage is a multidimensional problem, and in this paper, we highlight the different dimensions that constitute it. In this study, our contributions are threefold. First, we study knowledge leakage risk (KLR) within the context of mobile devices in knowledge-intensive organizations in Australia. Second, we present a conceptual framework to explain and categorize the mitigation strategies to combat KLR through the use of mobile devices grounded in the literature. And third, we apply the framework to the findings from interviews with security and knowledge managers. Keywords: Knowledge Leakage, Knowledge Risk, Knowledge intensive, Mobile device.
Submitted 21 August, 2023;
originally announced August 2023.
-
Enhancing Strategic Information Security Management in Organizations through Information Warfare Practices
Authors:
Abid Hussain Shah,
Atif Ahmad,
Sean B. Maynard,
Humza Naseer
Abstract:
In this short paper we argue that to combat APTs, organizations need a strategic level shift away from a traditional prevention centered approach to that of a response centered one. Drawing on the information warfare (IW) paradigm in military studies, and using Dynamic Capability Theory (DCT), this research examines the applicability of IW capabilities in the corporate domain. We propose a research framework to argue that conventional prevention centred response capabilities; such as incident response capabilities and IW centred security capabilities can be integrated into IW enabled dynamic response capabilities that improve enterprise security performance.
Submitted 14 April, 2021;
originally announced April 2021.
-
Dynamic Information Security Management Capability: Strategising for Organisational Performance
Authors:
Mazino Onibere,
Atif Ahmad,
Sean B Maynard
Abstract:
The increasing frequency, impact, consequence and sophistication of cybersecurity attacks is becoming a strategic concern for boards and executive management of organisations. Consequently, in addition to focusing on productivity and performance, organisations are prioritizing Information Security Management (ISM). However, research has revealed little or no conceptualisation of a dynamic ISM capability and its link to organisational performance. In this research, we set out to 1) define and describe an organisational level dynamic ISM capability, 2) to develop a strategic model that links resources with this dynamic capability, and then 3) empirically demonstrate how dynamic ISM capability contributes to firm performance. By drawing on Resource-Based Theory (RBT) and Dynamic Capabilities View (DCV), we have developed the Dynamic ISM Capability model to address the identified gap. As we develop this research, we will empirically test this model to demonstrate causality between ISM capability and organisational performance.
Submitted 14 April, 2021;
originally announced April 2021.
-
Exploring Knowledge Leakage Risk in Knowledge-Intensive Organisations: Behavioural aspects and Key controls
Authors:
Hibah Altukruni,
Sean B. Maynard,
Moneer Alshaikh,
Atif Ahmad
Abstract:
Knowledge leakage poses a critical risk to the competitive advantage of knowledge-intensive organisations. Although knowledge leakage is a human-centric security issue, little is known about leakage resulting from individual behaviour and the protective strategies and controls that could be effective in mitigating leakage risk. Therefore, this research explores the perspectives of security practitioners on the key factors that influence knowledge leakage risk in the context of knowledge-intensive organisations. We conduct two focus groups to explore these perspectives. The research highlights three types of behavioural controls that mitigate the risk of knowledge leakage: human resource management practices, knowledge security training and awareness practices, and compartmentalisation practices.
Submitted 14 April, 2021;
originally announced April 2021.
-
The Dark Web Phenomenon: A Review and Research Agenda
Authors:
Abhineet Gupta,
Sean B Maynard,
Atif Ahmad
Abstract:
The internet can be broadly divided into three parts: surface, deep and dark. The dark web has become notorious in the media for being a hidden part of the web where all manner of illegal activities take place. This review investigates how the dark web is being utilised with an emphasis on cybercrime, and how law enforcement plays the role of its adversary. The review describes these hidden spaces, sheds light on their history, the activities that they harbour including cybercrime, the nature of attention they receive, and methodologies employed by law enforcement in an attempt to defeat their purpose. More importantly, it is argued that these spaces should be considered a phenomenon and not an isolated occurrence to be taken as merely a natural consequence of technology. This paper contributes to the area of dark web research by serving as a reference document and by proposing a research agenda.
Submitted 14 April, 2021;
originally announced April 2021.
-
Teaching Information Security Management in Postgraduate Tertiary Education: The Case of Horizon Automotive Industries
Authors:
Atif Ahmad,
Sean B. Maynard,
Sameen Motahhir
Abstract:
Teaching cases based on stories about real organizations are a powerful means of storytelling. These cases closely parallel real-world situations and can deliver on pedagogical objectives as writers can use their creative license to craft a storyline that better focuses on the specific principles, concepts, and challenges they want to address in their teaching. The method instigates critical discussion, draws out relevant experiences from students, encourages questioning of accepted practices, and creates dialogue between theory and practice. We present Horizon, a case study of a firm that suffers a catastrophic incident of Intellectual Property (IP) theft. The case study was developed to teach information security management (ISM) principles in key areas such as strategy, risk, policy and training to postgraduate Information Systems and Information Technology students at the University of Melbourne, Australia.
Submitted 27 March, 2021;
originally announced March 2021.
-
Teaching Information Security Management Using an Incident of Intellectual Property Leakage
Authors:
Atif Ahmad,
Sean B. Maynard,
Sameen Motahhir,
Moneer Alshaikh
Abstract:
Case-based learning is a powerful pedagogical method of creating dialogue between theory and practice. CBL is particularly suited to executive learning as it instigates critical discussion and draws out relevant experiences. In this paper we used a real-world case to teach Information Security Management to students in Management Information Systems. The real-world case is described in a legal indictment, T-mobile USA Inc v Huawei Device USA Inc. and Huawei Technologies Co. LTD, alleging theft of intellectual property and breaches of contract concerning confidentiality and disclosure of sensitive information. The incident scenario is interesting as it relates to a business asset that has both digital and physical components that has been compromised through an unconventional cyber-physical attack facilitated by insiders. The scenario sparked an interesting debate among students about the scope and definition of security incidents, the role and structure of the security unit, the utility of compliance-based approaches to security, and the inadequate use of threat intelligence in modern security strategies.
Submitted 27 March, 2021;
originally announced March 2021.
-
Information Security Strategy in Organisations: Review, Discussion and Future Research Directions
Authors:
Craig A. Horne,
Atif Ahmad,
Sean B. Maynard
Abstract:
Dependence on information, including for some of the world's largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these information-based activities. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we (1) analyse the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.
Submitted 10 June, 2016;
originally announced June 2016.
-
Business Intelligence and Supply Chain Agility
Authors:
Mohammad Moniruzzaman,
Sherah Kurnia,
Alison Parkes,
Sean B. Maynard
Abstract:
Supply Chain Agility is important for organisations to stay competitive in today's dynamic business environment. There is increasing interest in deploying Business Intelligence (BI) in the Supply Chain Management (SCM) context to improve Supply Chain (SC) Agility. However, there is limited research exploring BI contributions to SC Agility. In this research-in-progress paper we propose a model based on a conceptual analysis of the literature showing how BI can help organisations achieve SC Agility by supporting the key areas of SCM (Plan, Source, Make, Deliver and Return). In the next stage of this project, we will conduct a series of case studies investigating how organisations use BI when managing their SC activities and how BI contributes to SC Agility. The result of the study will help organizations deploy BI effectively to support SCM and improve SC Agility.
Submitted 10 June, 2016;
originally announced June 2016.
-
Understanding Knowledge Leakage & BYOD (Bring Your Own Device): A Mobile Worker Perspective
Authors:
Carlos Andres Agudelo,
Rachelle Bosua,
Atif Ahmad,
Sean B. Maynard
Abstract:
Knowledge sharing drives innovation and the opportunity to develop a sustainable competitive advantage. However, in the extant knowledge management and information security literature, leakage from sharing activities is neglected. The risk of knowledge leakage is exacerbated with the pervasive use of mobile devices and the adoption of BYOD (Bring Your Own Device). Thus, this research-in-progress paper examines the role of the behavior of mobile workers that engage in accidental knowledge leakage through the use of BYOD. We use the Decomposed Theory of Planned Behavior (DTPB) to explain the causes behind this phenomenon and how it negatively impacts an organization's competitive advantage. The contributions of this study are the following. First, it posits that the reasons for knowledge leakage by mobile workers through BYOD can be explained using DTPB. Second, the paper proposes a conceptual model for research based on DTPB constructs whilst adding other variables such as BYOD and mobile device usage context. Finally, the conceptual study outlines the potential contributions and implications of this research.
Submitted 4 June, 2016;
originally announced June 2016.
-
Evaluating the Utility of Research Articles for Teaching Information Security Management
Authors:
Harry Zurita,
Sean B. Maynard,
Atif Ahmad
Abstract:
Research articles can support teaching by introducing the latest expert thinking on relevant topics and trends and describing practical real-world case studies to encourage discussion and analysis. However, from the point of view of the instructor, a common challenge is identifying the most suitable papers for classroom teaching amongst a very large pool of potential candidates that are not typically written for teaching purposes. Further, even in practice-oriented disciplines such as Information Security Management (ISM), high-quality journals emphasise theoretical contribution and research method rather than relevance to practice. Our review of the relevant literature did not find a comprehensive set of criteria to assist instructors in evaluating the suitability of research articles to teaching. Therefore, this research-in-progress paper presents a framework to support academics in the process of evaluating the suitability of research articles for their teaching programs.
Submitted 4 June, 2016;
originally announced June 2016.
-
Information Security Policy: A Management Practice Perspective
Authors:
Moneer Alshaikh,
Sean B. Maynard,
Atif Ahmad,
Shanton Chang
Abstract:
Considerable research effort has been devoted to the study of Policy in the domain of Information Security Management (ISM). However, our review of ISM literature identified four key deficiencies that reduce the utility of the guidance to organisations implementing policy management practices. This paper provides a comprehensive overview of the management practices of information security policy and develops a practice-based model that addresses the four aforementioned deficiencies. The model provides comprehensive guidance to practitioners on the activities security managers must undertake for security policy development and allows practitioners to benchmark their current practice with the model's suggested best practice. The model contributes to theory by mapping existing information security policy research in terms of the defined management practices.
Submitted 27 May, 2016;
originally announced June 2016.