Technology continues to advance at an increasing rate. Despite this, the use of theoretical frameworks in risk management and information security may be deficient because the theories themselves are inadequately substantiated. Academic research to corroborate existing theories relevant to risk management and information security is underway, but current research may not support those theories. According to Chuy et al. (2010), the roles of theories may not be fully understood, and are arguably not used, by others in the research process. This article discusses several theories regarding information security and risk management, compares each selected theory to its implied use in information security and risk, briefly analyzes whether abundant research on each theory exists for use by the academic community and others, and finally discusses the challenges that may arise for any theory that lacks sufficient supporting research.
Theoretical Discussion
Information security and risk have become priorities for organizations vying to protect their networks and organizational data from unscrupulous entities (Zhao, Xue, & Whinston, 2013). In the operation of systems and processes, theoretical frameworks may be used to help organizations develop security control measures that support the denial of threats such as phishing attacks and rootkit installations (Sun, Srivastava, & Mock, 2006). In addition, Sun et al. (2006) summarized that theoretical frameworks assist in methodologies associated with the identi...
... middle of paper ...
...g in the Dempster–Shafer theory. International Journal of Approximate Reasoning, 52(8), 1124-1135. doi:10.1016/j.ijar.2011.06.003
Srivastava, R. P., Mock, T. J., & Gao, L. (2011). The Dempster-Shafer theory: An introduction and fraud risk assessment illustration. Australian Accounting Review, 21(3), 282-291. doi:10.1111/j.1835-2561.2011.00135.x
Sun, L., Srivastava, R. P., & Mock, T. J. (2006). An information systems security risk assessment model under the Dempster-Shafer theory of belief functions. Journal of Management Information Systems, 22(4), 109-142. Retrieved from http://www.jmis-web.org/
Zhao, X., Xue, L., & Whinston, A. B. (2013). Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. Journal of Management Information Systems, 30(1), 123-152. doi:10.2753/MIS0742-1222300104
Weld, L. G., Bergevin, P. M., & Magrath, L. (2004). Anatomy of a financial fraud. The CPA
National Institute of Standards and Technology. (2002). Risk management guide for information technology systems (Special Publication 800-30). Gaithersburg, MD: NIST.
Madura, J. (2004). What every investor needs to know about accounting fraud. New York, NY: McGraw-Hill.
Whitman, M., & Mattord, H. (2010). Management of information security (3rd ed., p. 6). Boston, MA: Cengage Learning.
Glaser, C. L. (1997). The security dilemma revisited. World Politics, 50(1), 171-201. Retrieved from http://www.gwu.edu/~iscs/assets/docs/cg-docs/SecurityDilemma-WP-1997.pdf
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish the roles and responsibilities of all personnel and staff members, and a Chief Information Officer should be appointed to direct the organization's day-to-day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable for following all rules and policies and for understanding their roles, responsibilities, and functions. Organizations' information processing systems are vulnerable to many threats that can inflict various types of damage and result in significant losses (Harris, 2014). Losses can come from trusted employees who defraud the system, from outside hackers, or from careless data entry. The major threat to information protection is the errors and omissions made by data entry personnel, users, system operators, and programmers. To better protect business information resources, organizations should conduct a risk analysis to see what
Saluja, U., & Idris, N. B. (2012). Information Risk Management: Qualitative or Quantitative? Cross Industry Lessons from Medical and Financial Fields. Systemics, Cybernetics and Informatics, 10(3), 54-59.
A number of different models have been proposed as frameworks for information security; one of the best known is the McCumber model, designed by John McCumber. In this model the elements to be studied are organized in a cube, in which each axis represents a different viewpoint on an information security issue and each axis has three major components. With its 27 small cubes arranged together, the model resembles a Rubik's cube. The three axes are: desired goals, information states, and measures to be taken. At the intersection of the three axes, every angle of an information security problem can be examined.
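The cube is easiest to use as a coverage checklist: tag every control with the (goal, state, measure) cells it addresses and list the cells nothing covers. The following is an added example, not code from the original essay or from McCumber; the axis member names (confidentiality/integrity/availability, storage/processing/transmission, technology/policy/education) are the standard labels for the three axes the text names, and the control inventory is constructed for illustration.

```python
from itertools import product

# Standard member labels for the three axes named in the text.
GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("technology", "policy", "education")

# Every (goal, state, measure) triple is one of the 27 cells of the cube.
CELLS = frozenset(product(GOALS, STATES, MEASURES))


def cube_cells():
    """All 27 cells of the McCumber cube."""
    return CELLS


def is_cell(cell):
    """True if the triple names a valid (goal, state, measure) cell."""
    if len(cell) != 3:
        return False
    goal, state, measure = cell
    return goal in GOALS and state in STATES and measure in MEASURES


# Constructed control inventory (hypothetical): each control lists the
# cells it addresses. Real inventories would come from a control catalogue.
SAMPLE_CONTROLS = {
    "disk-encryption": [("confidentiality", "storage", "technology")],
    "tls-everywhere": [("confidentiality", "transmission", "technology"),
                       ("integrity", "transmission", "technology")],
    "backup-policy": [("availability", "storage", "policy")],
    "phishing-training": [("confidentiality", "processing", "education"),
                          ("integrity", "processing", "education")],
}


def coverage(controls):
    """Return (covered, uncovered) cell sets for a control inventory.

    Raises ValueError on a tag that is not a cube cell, so a typo in the
    inventory cannot silently look like coverage.
    """
    covered = set()
    for name, cells in controls.items():
        for cell in cells:
            cell = tuple(cell)
            if not is_cell(cell):
                raise ValueError(f"control {name!r} tagged with non-cell {cell}")
            covered.add(cell)
    return covered, CELLS - covered


def uncovered_by_goal(controls):
    """Count uncovered cells per goal, showing where coverage is thinnest."""
    _, uncovered = coverage(controls)
    counts = {goal: 0 for goal in GOALS}
    for goal, _state, _measure in uncovered:
        counts[goal] += 1
    return counts


if __name__ == "__main__":
    covered, uncovered = coverage(SAMPLE_CONTROLS)
    print(f"{len(covered)} of {len(CELLS)} cells covered")
    for goal, n in uncovered_by_goal(SAMPLE_CONTROLS).items():
        print(f"{goal}: {n} uncovered cells")
    for cell in sorted(uncovered):
        print("gap:", cell)
```

The per-goal count is the useful output: with the sample inventory, availability has the most uncovered cells, which is exactly the kind of blind spot the cube is meant to expose.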
Some of the largest brand names on the Internet have fallen victim to cyber attacks that exposed the personal information of millions of users. Thousands of companies all over the world make online transactions every day, so the number of potential risks is steadily rising. You cannot rely on your company's general liability insurance policy being adequate to cover the damages if a data breach ever occurs within your systems.
In today's day and age there is a lot of news about corporate accounting fraud, as companies intentionally manipulate their financial statements to present a better picture of their financial health. The objective of financial reporting is to provide financial information about a company to its various stakeholders, such as investors and creditors, so that those stakeholders can make decisions accordingly. Companies can present a better image of their financial well-being by providing misleading information. This can be done by omitting material information from the books or by deceitful appropriation of assets, which includes but is not limited to inventory theft, cash or check theft, check forgery, payroll fraud, service theft, and embezzlement. Fraudulent financial reporting therefore affects the decisions those stakeholders make.
After looking into each of the seven layers of the OSI model, it is apparent that there are many ways to exploit a security flaw within a system. A good security analyst has to look at the overall picture to keep the entire system secure, not just one or two layers. Information technology security measures are not a one-time fix; they are a continuous process that must keep pace with ever-changing protocols, applications, and the ingenuity of attackers.
Almost every business deploys traditional security-based methods to combat the threats of cybercrime; however, this is not sufficient to fully remove those threats. Any risk-based method must look at what is leaving the IT environment as well as the data coming in, because what is going out may hold greater significance than what traditional bastion-based security methods address (Peltier, 2010). Organizations must understand how visible they are to online criminals in terms of targets of interest, attack routes, and possible process vulnerabilities. To better defend against attack, a simple equation provides the underpinning of a numerical system for rating risks: Risk = consequence × (threat × vulnerability) (Peltier, 2010). This equation is superior to the standard equation that only factors in threat and vulnerability and should be used for calculating
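The practical difference between the two equations is in how scenarios get ranked. The following added example (not code from the original essay or from Peltier) scores constructed scenarios both ways; the 1-to-5 ordinal scales and the scenario values are assumptions made for illustration, and the point is that a high-likelihood, low-impact scenario tops the threat × vulnerability list but drops to the bottom once consequence is factored in.

```python
from dataclasses import dataclass

# Ordinal scales, 1 (low) to 5 (high). The scale is an assumption of this
# example; the text does not specify one.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Scenario:
    name: str
    consequence: int
    threat: int
    vulnerability: int


def _checked(value, label):
    """Reject values off the scale so a bad entry cannot skew the ranking."""
    if value not in SCALE:
        raise ValueError(f"{label} must be in 1..5, got {value}")
    return value


def threat_vuln_score(s):
    """The 'standard' rating the text contrasts with: threat x vulnerability."""
    return _checked(s.threat, "threat") * _checked(s.vulnerability, "vulnerability")


def risk_score(s):
    """The equation as the text states it: consequence x (threat x vulnerability)."""
    return _checked(s.consequence, "consequence") * threat_vuln_score(s)


def rank(scenarios, scorer):
    """Scenario names ordered from highest to lowest score (ties keep input order)."""
    return [s.name for s in sorted(scenarios, key=scorer, reverse=True)]


# Constructed scenarios (hypothetical). The public web form is easy to hit
# but holds nothing sensitive; the backup server is harder to reach, but a
# breach there loses everything.
SAMPLE = [
    Scenario("public web form defaced", consequence=1, threat=5, vulnerability=4),
    Scenario("backup server exfiltration", consequence=5, threat=2, vulnerability=3),
    Scenario("laptop theft", consequence=3, threat=3, vulnerability=3),
]


if __name__ == "__main__":
    print("threat x vulnerability:", rank(SAMPLE, threat_vuln_score))
    print("with consequence:      ", rank(SAMPLE, risk_score))
    for s in SAMPLE:
        print(f"{s.name:28s} T*V={threat_vuln_score(s):2d}  risk={risk_score(s):2d}")
```

Under threat × vulnerability the defaced web form (20) leads and the backup server (6) comes last; with consequence included the backup server (30) leads and the web form stays at 20, so the budget goes to the scenario that would actually hurt.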
The ability to conduct warfare through technological means has increased information security awareness and the need to protect an entity's infrastructure. Consequently, cyber warfare produces increased risk for security practitioners who employ technology and other methods to mitigate risks to information and to the various systems that hold or transmit data. A significant risk to information lies in the conduct of electronic commerce, hereinafter called e-commerce. E-commerce is the purchasing or selling of goods and/or services through the Internet or other electronic means (Liu, Chen, Huang, & Yang, 2013). In this article, the researcher will discuss cyber warfare risks, present an evaluation of established security measures, identify potential victims of identity theft, and present an examina...
In the contemporary world, organizations are under increasing pressure to secure their systems against cyber-attacks that could cripple their operations. While advances in information technology have enhanced business efficiency and profitability, they have also exposed businesses to new and emerging threats. Organizations currently allocate millions of dollars to purchase and maintain programs aimed at preventing virus and malware attacks against their systems. Technology-dependent organizations should therefore embrace security awareness as part of their corporate culture, because in the modern context a security lapse can cost an organization large sums of money, valuable data, and crippled operations.
The principal area we plan to address is accounting fraud and how it can impact an organization, by answering the who, what, when, and how. The goal is to increase awareness of accounting fraud and of fraud prevention. An intriguing feature of accounting fraud is that limited disclosure usually leads to an enormous increase in fraud. Fraud can be divided into a number of categories and sub-categories.