July – Dec 2017
Welcome to the final edition for 2017. In this edition, we have five papers, an invited opinion piece and the ‘Last Word’. In keeping with our practice of inviting colleagues to undertake the not inconsiderable task of editing an edition of IJSS, Dr Moufida Sadok has taken on the task. Dr Sadok is currently a Lecturer in cyber-crime and cyber-security at the Institute of Criminal Justice Studies, University of Portsmouth. Her main areas of research include socio-technical approaches to Information Systems Security and business systems analysis. Not surprisingly, Moufida has chosen papers that deal with the importance of IT security and its impact upon us all. The papers are varied and highlight aspects of a world in which personal and nationally sensitive data can be exploited unless we take steps to protect it from those who wish to do us harm.
Although the papers tackle the importance of cyber security, they are included in this edition because it is the human element that is the important consideration. The papers remind us that security is not merely a technological problem, but one of which we stakeholders should all be aware. ‘Systems’ is a broad church and embraces a wide range of ideas, but all dimensions share the same belief in taking a holistic approach to understanding problems. Although the overriding theme of this edition is security, specifically IT security, each paper raises the importance of taking the human element into account and highlights the point that such matters should not be driven by technology alone. Baskerville raises many valuable points in the Last Word. He reminds us that digital technology offers an exciting future [if used in the right way] but with it grows a new threat: a threat that we can loosely call cyber crime. This is a catch-all phrase but one we all understand, whether from a personal point of view, such as a bank fraud, through to cyber attacks at a national level from malevolent forces. It is a new world we are entering and we need to take steps to protect our data, but at the same time we must also guard against knee-jerk reactions that result in loss of freedom. By raising such issues and adopting what we refer to here as a Socio-Technical approach, this edition adds to the portfolio of human affairs in which systems thinking can play an important part. The Socio-Technical approach was pioneered by Enid Mumford in the 1970s and is enjoying a renaissance as it is seen as relevant to our modern, digitally dominated, world. I hope that you enjoy this edition.
Guest Editorial Preface
Special Issue on Socio-technical perspectives on Information Systems Security
Dr Moufida Sadok, Institute of Criminal Justice Studies, University of Portsmouth, UK.
Research suggests that many of the existing risk analysis models and frameworks in information systems security (ISS) focus on technical modules and pay scant attention to the influence of contextual variables. Human interaction can affect the reliability of the provided solutions; for example, security policies can privilege certain groups of stakeholders, particularly managers and IT professionals. Exclusive emphasis on a technology-centred view, as well as centralised security controls and top-down management, may lead to flaws in the design and implementation of security solutions. By failing to appreciate the complex relationships between use, usability and usefulness, imposed security procedures are not only subject to possible misuse but are also likely to create difficulties for work functionality and efficiency. The weakest link is not necessarily in the technical system itself but in the difference between the formal model of usage and the real usage of system content (data) within a human activity system.
There are many examples of a workforce finding ways of working around security compliance or bypassing security controls in order to do its work effectively. Raising questions about security failures in context would address the relevance of security policies and measures from the stakeholders’ perspective. A systemic and value-focused view of security would result in a better understanding of the role and application of security functions in situated practices and promote the attainment of contextually relevant risk analysis. Some researchers suggest that an integrative and multi-layered approach to information security should include human, organisational and technical factors in the design and management of a secure and usable system.
This Special Issue of the International Journal of Systems and Society brings contributions that highlight the potential benefits and effectiveness of adopting a socio-technical perspective on ISS in order to bridge the gap between design and implementation of secure and usable information systems.
This issue comprises six papers, including an invited paper from Professor Steven Alter, and the Last Word written by Professor Richard Baskerville. Steven Alter, from the University of San Francisco, has a long-standing history of US-based research within the Socio-Technical subject area and is well known for his focus on “work systems”. The Last Word, written by Richard Baskerville, suggests that digital reality has drastically changed “conventional” security models and practices.
In the first paper, Hart adopts a socio-technical approach to discuss and address the differing perceptions of information security held by individual virtual team members. Hart’s approach provides the opportunity to reconcile technical, organisational and human factors for an effective implementation of information security policy. The author suggests a future research agenda in order to gain a better understanding of attitudes and practices in virtual teams and of their information security practices.
In the second paper, AlSabbagh and Kowalski point to issues with current incident response practices and suggest examining these practices through a socio-technical lens. The authors make use of a design research framework to develop an artefact that combines technical metrics of security warnings with social security metrics. The implementation of such an artefact is expected to effectively support organisations in managing security incidents.
The next paper, by Thiem, Kautz, Pittayachawan and Bruno, deals directly with a perceived divide between the design and the use of information security controls. Drawing on social network analysis (SNA) methods, the authors design and implement a cascading information security training and diffusion process. Using canonical action research, the authors sought to enhance the information security related interactions between the employees of a large construction organisation in Southeast Asia.
Mühe and Drechsler question the applicability of structured and formalised information security frameworks designed mainly for use by large companies. The authors point out that an IT risk management framework for SMEs should reflect, and be tied to, their particular socio-technical context.
The final paper by Serketzis, Katos, Ilioudis, Baltatzis and Pangalos also highlights the lack of contextualisation in most digital forensic frameworks. They argue that there is a dearth of research in this area that focuses on contextual factors, which they say have the potential to significantly influence cybercrime investigations. The authors suggest that forensics and incident response represent a socio-technical challenge from an analyst perspective and they propose a framework that supports the investigation process by offering means for informed investigation and mitigation decisions.
This edition concludes with the invited paper and the last word.
In the invited paper, Alter argues that work system theory has the potential to provide a background for understanding IS security. Alter discusses six lenses for describing, analysing and evaluating IS security practices in order to complement security approaches that focus on data processing systems. The main contribution of the paper is to show that a work system perspective might provide a coherent container for describing, analysing and evaluating situations related to IS security, and for studying IS more generally.
The Last Word, written by Baskerville, is thought provoking. He says that digital machinery, such as computing and communications devices, influences our physical world, leading to a digital reality that overlays physical and social reality. This digital reality is exciting, he says, because it holds wonderful promise for a future world of convenience and access, together with the release of human labour from repetitive and programmable tasks. But he reminds us that digital security and digital safety are now security of the first kind: it is becoming impossible, he says, for there to be any security or safety, either physical or social, in the presence of digital insecurity or digitally unsafe situations. The wonderful promise of the future before us, he argues, has changed the goal of information security. It is now a much grander challenge than ever before.
A Canonical Action Research Approach to the Effective Diffusion of Information Security: with Social Network Analysis
Duy Dang Pham Thiem, Karlheinz Kautz, Siddhi Pittayachawan, Vince Bruno
Towards a Framework to Improve IT Security and IT Risk Management in Small and Medium Enterprises
Stephan Mühe and Andreas Drechsler
Socio-Technical SIEM (ST-SIEM) Toward Bridging the Gap in Security Incident Response
Bilal AlSabbagh and Stewart Kowalski
Towards a Threat Intelligence Informed Digital Forensic Readiness Framework
Nikolaos Serketzis, Vasilis Katos, Christos Ilioudis, Dimitrios Baltatzis and George J Pangalos
Information Security and Virtual Teams
Opinion Piece written by Steven Alter
Last Word written by Richard Baskerville