RESEARCH ROADMAP
CHAPTER 2: LITERATURE REVIEW
2.1. Introduction
2.2. Background
The social order in the current milieu is highly reliant on complex interconnected information systems which are characterised by information security threats (Mirtsch et al., 2021). Both public and private sector entities have been subjected to information security incident threats and events (Riebe et al., 2021). Evidently, leaders of both sectors are increasingly susceptible to uncertainties concerning cyber vulnerabilities and threats (Miloslavskaya & Tolstoy, 2020).
According to a research study conducted by the Identity Theft Resource Center (ITRC), the number of data breaches in 2021 (1,291) exceeded the number in 2020 (1,108) by 17% (Henriquez, 2021).
The 2022 Annual Data Breach Report specified that more than ten (10) million people were impacted by supply chain attacks targeting 1,743 entities (ITRC, 2023). According to the 2021 Interpol African Cyber-threat Assessment Report, African organisations showed the highest increase (34%) in cyber-attacks from January to April 2021, mainly related to ransomware, with government organisations being the main target of these incidents (Interpol, 2021). Similarly, according to the Deloitte 2021 study in Nigeria, even financial institutions, which have invested heavily in cyber security, are vulnerable to high-profile attacks, some of which involve collaboration between insiders and threat actors (Aladenusi, 2022).
“A security incident is an act that threatens the confidentiality, integrity, or availability of information assets and systems” (Sarker et al., 2020, p. 28). An information security incident is defined as a one-time or repeated occurrence of unforeseen events or incidents that have a substantial likelihood of damaging routine business operations or risking organisational information assets (ISO/IEC, 2016). Information security threats can arise from a myriad of sources with varying damage impacts on organisations (Olav Sveen et al., 2007). The European Union Agency for Network and Information Security (ENISA) attempted to classify the attack vectors which, by their own admission, was an onerous task, and the list is by no means exhaustive (Marinos & Lourenço, 2018). Nevertheless, the attack vectors range from abusive content (e.g. spam), malicious code (e.g. viruses, worms, trojans, spyware), information gathering (i.e. attempts to gather information about hosts, services and accounts to identify vulnerable points, e.g. sniffing, scanning, social engineering), intrusion attempts (e.g. exploiting vulnerabilities, login attempts), intrusions (i.e. compromising accounts via unauthorised access, application compromise, bots), compromising availability (e.g. denial of service, sabotage), information content security (e.g. unauthorised access to and modification of information) and fraud (e.g. unauthorised use of resources, copyright infringements, masquerading, phishing) to exploitation of vulnerabilities (e.g. outdated virus signatures).
Jouini et al. (2014) classified the sources of information security incidents as malicious human threats (i.e. insiders or external threats), non-malicious human actions, environmental incidents (i.e. natural disasters) and technological factors (i.e. physical processes). Palmqvist (2022), who conducted a systematic review of information security incidents, found that over the past five years most incidents were attributed to human error, while system failures were sparse and no reported incidents were attributed to environmental causes.
ISIM is one of the core mechanisms to control information security incidents in organisations (Dodson, 2001; Humphreys, 2008). According to ISO/IEC (2016), ISIM encompasses the management of both information security incidents and information security vulnerabilities.
An event is an apparent alteration to the normal behaviour of one of an organisational system’s components (i.e., workflow, data, and person). An incident is a given event associated with a human entity; it is administered by an incident response coordinator and managed by an information security incident response team (ISIRT) (ISO/IEC, 2016). The aim of ISIM practices is to mitigate and respond to incidents while minimising the resulting harm (Tøndel et al., 2014). Dodson (2001) explained that the ISIRT contributes to the protection of organisational resources through appropriate support such as identification, risk analysis, evidence collection and follow-up to reduce escalation. While frameworks for ISIM are useful, research is limited regarding effective awareness delivery methods, which can theoretically influence employees’ behaviour and in turn improve the management of incidents (Wang et al., 2022).
Evidently, internal stakeholders (i.e. employees) are a key threat to information systems security management when they do not comply with existing organisational information security policies and guidelines (Son, 2011). Although information resources may be secured through either non-technical or technical means, to date the preponderance of efforts has supported the technical perspective (Ifinedo, 2012; Son, 2011). However, protecting information assets from the non-technical and human-centric dimensions is gaining momentum, as the exploitation of employees (i.e. internal stakeholders) is viewed as one of the key vectors in organisational information security challenges (Khando et al., 2021). Thus, insiders who are not enculturated to safeguard the availability, confidentiality and integrity of an organisation’s IT assets may expose their organisations to external threats.
External threats emanate from individuals or organisations that are peripheral to an organisation and do not have legitimate access to the organisation’s IT infrastructure (Jouini et al., 2014). Internal employees (i.e. insiders) can be considered a threat to the organisation because they have legitimate access to organisational infrastructures and systems (Padayachee, 2021). An insider threat is defined as any individual who has legitimate access to an organisation’s IT assets but acts maliciously for personal gain (Van Niekerk, 2017).
Non-compliance with information security policies by an insider is termed an “insider threat” (Balozian & Leidner, 2017). Insiders have the potential to damage the information assets of the organisation (Son, 2011) either intentionally (e.g. data destruction, theft) or unintentionally (e.g. negligence in changing passwords or logging off, failure to update systems).
As internal threats, which include all stakeholders that have access to an organisation’s assets, have been advanced as a significant threat to an organisation’s information infrastructure (Ahmad, Hadgkiss, & Ruighaver, 2012; Son, 2011), it is clear that information security concerns must be addressed through both non-technical and technical means (Stanton, Stam, Mastrangelo, & Jolton, 2005; Vroom & Von Solms, 2004). Moreover, given the human-centric nature of an insider threat, the non-technical dimension of information security should be considered a critical means of safeguarding organisational information resources (Leach, 2003; Son, 2011). Ensuring insiders’ adherence to security procedures and policies via non-technical means involves promoting ethical use, policy, awareness, legislation, compliance, corporate governance and auditing (Vroom & Von Solms, 2004).
Clearly, considering the human-centric activities of communication, collaboration and promoting awareness may be a means of improving the disjointed processes of ISIM (i.e., planning and preparation, detection and reporting, assessment, response, and lesson learning). The awareness and communication efforts made by organisations to enhance ISIM processes are identified as a critical means of ensuring routine business operations (Ahmad et al., 2021; O’Brien et al., 2020), and they specifically support the response phase of ISIM (Tøndel et al., 2014). Padayachee and Worku (2017) emphasised the significance of collaboration among users in incident response for enhancing ISIM processes. Organisations need to shift towards the collaborative impact of response teams in incident analysis and a standardised threat exchange format through transparent reporting (Riebe et al., 2021). The potential impact of information security incidents includes the disclosure, alteration and destruction of organisational information assets, and it will be difficult to investigate and control an incident if it is not initially reported and recognised by the organisation (Miloslavskaya & Tolstoy, 2020).
According to Vroom (2002), it is critical to view information security from diverse perspectives (i.e., human, technical and physical), and all employees are required to be trained in the implementation of information security standards in their organisation. To demonstrate the human integration, the collaborative organisational model depicted by Werlinger et al. (2010) coordinates various users of an organisation (i.e., executives, management, end-users and experts) in the process of incident management. However, despite the coordination of stakeholders, the model specifically engages expert users in communicating analysed incidents.
End-users are only involved in the process of notification. In this study, the communication and awareness efforts will be extended to all categories of users. Figure 2-1 depicts the model of collaboration among stakeholders for incident response adapted from Werlinger et al. (2010).
Figure 2-1: Collaboration among Stakeholders for Incident Response (adapted from Werlinger et al. (2010))
Clearly, organisations cannot combat organised, sophisticated and persistent information security threats by focusing only on technical controls; rather, they need to consider coordinating and mobilising their employees (Ahmad et al., 2021). ISIM is not only a technical, human or behavioural concern but also an organisational, management and communication concern (Kraemer et al., 2009). Therefore, the application of effective communication protocols among the stakeholders of the organisation (i.e., executives, experts, end-users) is crucial to safeguarding information assets (Knight & Nurse, 2020). Policies could be established to promote the communication of information security incidents, thus expediting the corrective actions that need to be undertaken (Cheung, 2014). This underscores the importance of communication and awareness formation within ISIM processes owing to the human dimension, which warrants further study.