Information Security Awareness and Its Impact on the CISO's Responsibilities — A Study of the Portuguese Environment
Source: Journal of Information Systems Security, Volume 17, Number 2 (2021), Pages 81–102
ISSN 1551-0123 (Print); ISSN 1551-0808 (Online)
Authors: Pedro Monzelo — ISEG, Universidade de Lisboa, Portugal; Sérgio Nunes — ISEG, Universidade de Lisboa, Portugal
Publisher: Information Institute Publishing, Washington DC, USA
Abstract
In an increasingly connected and digital world, information – seen as a business enabler and a source of sustained competitive advantage – is becoming far more exposed and vulnerable. Information assets are increasingly recognized as critical business assets, turning information security into an essential tool for organizational resilience and driving organizations to align their information security strategy with their business strategy. This paper studies the main areas in which information security should act and the roles and responsibilities of the Chief Information Security Officer (CISO), and seeks to understand how information security culture and awareness impact the CISO's corporate responsibilities. Interviews were carried out with experienced information security consultants and with information systems and information security directors. These led to the conclusion that organizations in Portugal still need to increase their information security maturity, which may be due to the absence of an established security culture in the country. On the other hand, the CISO's role is recognized as increasing in relevance, and it is considered that the role should have a close and independent relationship with the organization's board.
Keywords
Chief Information Security Officer (CISO); Information Security Awareness; Information Security Culture; Information Security Management; Board of Directors.