Implementation and effectiveness of organizational information security measures

Information Management and Computer Security

Volumn 16, Issue 4, 2008, Pages 377-397

  Hagen, Janne Merete ^a   Albrechtsen, Eirik ^a,b   Hovden, Jan ^a  

^a NORWEGIAN UNIVERSITY OF SCIENCE AND TECHNOLOGY   (Norway)

^b SINTEF   (Norway)

Author keywords

Data security; Norway; Organizations

Indexed keywords

KETONES; SECURITY SYSTEMS;

DATA SECURITY; DESIGN/METHODOLOGY/APPROACH; INFORMATION SECURITIES; INVERSE RELATIONSHIPS; LESSER EXTENTS; NORWAY; ORGANIZATIONAL INFORMATIONS; ORGANIZATIONS; SECURITY MEASURES; SECURITY POLICIES;

SECURITY OF DATA;

EID: 54949146918     PISSN: 09685227     EISSN: None     Source Type: Journal    
DOI: 10.1108/09685220810908796     Document Type: Article

References (50)

1. Albrechtsen, E. (2007), "A qualitative study of users' view on information security", Computers & Security, Vol. 26 No. 4, pp. 276-89.
2. Albrechtsen, E. and Grøtan, T.O. (2004), "Gammeldags tenkning i moderne organisasjoner? Om IKT-sikkerhet i kunnskapsorganisasjoner" ("Old-fashioned thinking in modern organizations? On ICT-security in knowledge organizations)", in Lydersen, S. (Ed.), Fra flis I fingeren til ragnarokk, Tapir Akademisk, Trondheim, pp. 335-55 (in Norwegian).
3. Albrechtsen, E. and Hovden, J. (2007a), "User participation in information security", The Proceedings of ESREL2007.
4. Albrechtsen, E. and Hovden, J. (2007b), "Industrial safety management and information security management: Risk characteristics and management approaches", The Proceedings of ESREL2007.
5. Albrechtsen, E. and Hovden, J. (unpublished), "Information security digital divide in organizations: Information security managers versus users", manuscript submitted to Computers & Security.
6. Berghel, H. (2005), "The two sides of ROI: Return on investment vs risk of incarceration", Communications of the ACM, Vol. 48 No. 4, pp. 15-20.
7. Blakely, B., McDermott, E. and Geer, D. (2001), "Information security is information risk management", Proceedings of the 2001 Workshop on New Security Paradigms, ACM Press, New York, NY, pp. 97-104.
8. Bolman, L.G. and Deal, T.E. (2003), Reframing Organizations: Artistry, Choice, and Leadership, Jossey-Bass, San Francisco, CA.
9. BSI, Bundesamt für Sicherheit in der Informationstechnik (2004), IT Security Guidelines, IT Baseline Protection in brief.
10. Cashell, B., Jackson, W., Jickling, M. and Webl, B. (2004), "The economic impact of cyber attacks", Congressional Research Service Report for Congress, available at: www.cisco.com/warp/public/779/ govtaffairs/images/CRS_Cyber_Attacks.pdf.
11. Dhillon, G. and Backhose, J. (2001), "Current directions in IS security research: Towards socio-organizational perspectives", Information Systems Journal, Vol. 11 No. 2, pp. 127-53.
12. Doherty, N.F. and Fulford, H. (2006), "Aligning the information security policy with the strategic information systems plan", Computers & Security, Vol. 25 No. 1, pp. 55-63.
13. Ehn, P. (1992), "Scandinavian design: On participation and skill", in Adler, P.S. and Winograd, T.A. (Eds), Usability - Turning Technologies into Tools, Oxford University Press, New York, NY.
14. Gordon, L.A. and Loeb, M.P. (2002), "The economics of information security investment", ACM Transactions on Information and System Security (TISSEC), Vol. 5 No. 4, pp. 438-57.
15. Hagen, J.M. (2007), "Evaluating applied information security measures: An analysis of the data from the Norwegian Computer Crime Survey 2006", FFI/REPORT-2007/02558, pp. 35-48.
16. Hale, A.R. (2000), "Culture's confusion", Safety Science, Vol. 34 Nos 1/3, pp. 1-4.
17. Hale, A.R. and Baram, M.S. (Eds) (1998), Safety Management: The Challenge of Change, Pergamon, Oxford.
18. Hollnagel, E., Woods, D.D. and Leveson, N. (2006), Resilience Engineering: Concepts and Precepts, Ashgate, Aldershot.
19. Höne, K. and Eloff, J.H.P. (2002), "Information security policy - what do international security standards say?", Computers & Security, Vol. 21 No. 5, pp. 402-9.
20. Hubbard, W. (2002), Methods and Techniques of Implementing a Security Awareness Program, SANS Institute, white paper.
21. Ilstad, S., Paasche, T. and Hovden, J. (1977), Survey-metoden (Survey Methods), Tapir, Trondheim (in Norwegian).
22. ISO/IEC 27001:2005 (2005), Information technology - security techniques - information security management systems.
23. Johnson, E. (2006), "Awareness training, security awareness: Switch to a better programme", Network Security, Vol. 2006 No. 2, pp. 15-18.
24. Karyda, M., Kiountouzis, E. and Kokolakis, S. (2005), "Information systems security policies: A contextual perspective", Computers & Security, Vol. 24 No. 3, pp. 246-60.
25. Keeney, M., Kowalski, E., Capelli, D., Moore, A., Shimeall, T. and Rogers, S. (2005), Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Carnegie Mellon, Software Engineering Institute, Pittsburgh, PA.
26. Kemp, M. (2005), "Beyond trust: Security policies and defence in depth", Network Security, Vol. 2005 No. 8, pp. 14-16.
27. Kotulic, A.G. and Clark, J. (2004), "Why there aren't more information security research studies", Information & Management, Vol. 41 No. 5, pp. 597-607.
28. Levin, M. and Klev, R. (2002), Forandring som praksis. Læring og utvikling i organisasjoner (Change as practice. Learning and development in organizations), Fagbokforlaget, Bergen (in Norwegian).
29. Lie, T., Hovden, J., Karlsen, J.E. and Alteren, B. (2008), "The safety representative under pressure. A study of occupational health and safety management in the Norwegian oil and gas industry", Safety Science, Vol. 46 No. 3.
30. Lobree, B. (2002), "Impact of legislation on information security management", Security Management Practices, November/December, pp. 41-8.
31. Mitropoulos, S., Patsos, D. and Douligeris, C. (2006), "On incident handling and response: A state-of-the-art approach", Computers & Security, Vol. 25 No. 5, pp. 351-70.
32. Morgan, G. (1998), Images of Organizations, Sage, London.
33. Netsec (2004), "Using metrics to improve security, security brief, using metrics to improve security", available at: www1.netsec.net/ content/securitybrief/archive/2004-09_Metrics.pdf.
34. OECD (2002), Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, OECD, Paris.
35. Randazzo, M.R., Keeney, M., Kowalski, E., Capelli, D. and Moore, A. (2004), Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, Carnegie Mellon, Software Engineering Institute, Pittsburgh, PA.
36. Rasmussen, J. (1997), "Risk management in a dynamic society", Safety Science, Vol. 27 Nos 2/3, pp. 183-213.
37. Reznec, L. (2003), "Which models should be applied to measure computer security and information assurance", The Proceedings of the IEEE International Conference on Fuzzy.
38. Ringdal, K. (2001), Enhet og mangfold: Samfunnsvitenskaplig forskning og kvantitativ metode (Unity and Diversity: Social Science and Quantitative Methods), Fagbokforlaget, Bergen (in Norwegian).
39. Schneier, B. (2000), Secrets & Lies. Digital Security in a Networked World, Wiley, Indianapolis, IN.
40. Siponen, M. (2000), "A conceptual foundation for organizational information security awareness", Information Management and Computer security, Vol. 8 No. 1, pp. 31-41.
41. Siponen, M.T. and Oinas-Kukkonen, H. (2007), "A review of information security issues and respective research contributions", The Database for Advances in Information Systems, Vol. 38 No. 1, pp. 60-81.
42. Sundt, C. (2006), "Information security and the law", Information Security Technical Report, Vol. 11 No. 1, pp. 2-9.
43. Thomson, K-L. and von Solms, R. (2006), "Towards an information security competence maturity model", Computer Fraud & Security, Vol. 2006 No. 5, pp. 11-15.
44. Von Solms, B. (2000), "Information security - the third wave?", Computers & Security, Vol. 19 No. 7, pp. 615-20.
45. Von Solms, B. (2001), "Information security - a multidimensional discipline", Computers & Security, Vol. 20 No. 6, pp. 501-8.
46. Von Solms, B. (2006), "Information security - the fourth wave", Computers & Security, Vol. 25 No. 3, pp. 165-8.
47. Voss, B.D. (2001), The Ultimate Defense of Depth: Security Awareness in Your Company, SANS Institute, white paper.
48. Ward, P. and Smith, C.L. (2002), "The development of access control policies for information technology systems", Computer & Security, Vol. 21 No. 4, pp. 365-71.
49. Wiant, T.L. (2005), "Information security policy's impact on reporting security incidents", Computers & Security, Vol. 24 No. 6, pp. 448-59.
50. Wiencke, H.S., Aven, T. and Hagen, J. (2006), "A framework for selection of methodology for risk and vulnerability assessments of infrastructures depending on ICT", The Proceedings of ESREL2006.