The Role of Employee in Information Security Risk Management

https://doi.org/10.14419/ijet.v7i4.31.23358
Received date: December 7, 2018
Accepted date: December 7, 2018
Published date: December 9, 2018

Keywords: Information Security Risk Management, Risk Assessment, Employee Risk, Information Security
Abstract
Information security risk management (ISRM) has become essential for establishing a safe and reliable environment for online and e-transactional activities. With the coming Industrial Revolution 4.0, organizations have a strong interest in involving users in their risk management activities to minimize security incidents. Limited research has investigated the involvement of users in ISRM. Therefore, this paper examines user involvement in ISRM in a financial organization. It also discusses the existing risk management theories used in assessing ISRM. The paper investigates user participation in the ISRM implemented in the organization using a mixed-method approach: a questionnaire survey followed by interviews in one financial organization. In addition, a Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis is presented, based on the results found, so that the organisation can focus on the improvements needed. This study shows that well-known procedures and standards must be implemented in the organisation to ensure that employees participate more in ISRM processes and activities.

References
- Stoneburner, A., Goguen, A. and Feringa, A., "Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology", NIST Special Publication 800-30, (2002), available online: https://www.archives.gov/files/era/recompete/sp800-30.pdf, last visit: 20.06.2018.
- Soomro, Z. A., Shah, M. H. and Ahmed, J., "Information Security Management Needs More Holistic Approach: A Literature Review", International Journal of Information Management, Vol. 36, No. 1, (2016), pp. 215–225, available online: https://www.sciencedirect.com/science/article/pii/S0268401215001103, last visit: 20.07.2018.
- Safa, N. S., et al., "Information security conscious care behaviour formation in organizations", Computers & Security, Vol. 53, (2015), pp. 65–78, available online: http://www.mihantarjomeh.com/wp-content/uploads/2016/02/Information-security-management-needs___sder85t2d3gf0gg0g.pdf, last visit: 19.06.2018.
- Dzazali, S., Sulaiman, A. and Zolait, A. H., "Information security landscape and maturity level: Case study of Malaysian Public Service (MPS) organizations", Government Information Quarterly, Vol. 26, No. 4, (2009), pp. 584–593.
- Spears, J. L. and Barki, H., "User participation in information systems security risk management", MIS Quarterly, Vol. 34, No. 3, (2010), pp. 503–522.
- Deli, M. S. M., Ahmad, J. F., Hassan, N. H., Maarop, N., Samy, G. N., Abdullah, M. S. and Yaacob, S., "Understanding User Participation in Information Security Risk Management", Open International Journal of Informatics, Vol. 5, No. 1, (2017), pp. 1–8, available online: http://publication.ais.utm.my/ojs/index.php/oiji/article/view/35, last visit: 1.07.2018.
- Sadowsky, G., Dempsey, J. X., Greenberg, A., Mack, B. J. and Schwartz, A., Information Technology Security Handbook, Washington, DC: World Bank, (2003).
- Wheeler, E., Security Risk Management: Building an Information Security Risk Management Program from the Ground Up, Elsevier, (2011).
- Behnia, A., Rashid, R. A. and Chaudhry, J. A., "A survey of information security risk analysis methods", SmartCR, Vol. 2, No. 1, (2012), pp. 79–94.
- Salleh, K. A., Janczewski, L. J. and Beltran, F., "SEC-TOE Framework: Exploring Security Determinants in Big Data Solutions Adoption", Proceedings of the Pacific Asia Conference on Information Systems, (2015).
- Wangen, G., Hallstensen, C. and Snekkenes, E., "A framework for estimating information security risk assessment method completeness", International Journal of Information Security, (2016), pp. 1–19.
- Caralli, R. A., Stevens, J. F., Young, L. R. and Wilson, W. R., Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process (No. CMU/SEI-2007-TR-012), Carnegie Mellon University, Pittsburgh, PA, Software Engineering Institute, (2007).
- Peltier, T. R., "Facilitated risk analysis process (FRAP)", Auerbach Publications, CRC Press LLC, (2000).
- United Nations Development Programme, "Community Based Resilience Assessment (CoBRA) Conceptual Framework and Methodology", (2013).
- Francis, O., "Community Based Resilience Analysis (CoBRA) Assessment", (2013), available online: https://www.researchgate.net/publication/279534526_Community_Based_Resilience_CoBRA_Assessment, last visit: 1.07.2018.
- Karabacak, B. and Sogukpinar, I., "ISRAM: information security risk analysis method", Computers & Security, Vol. 24, No. 2, (2005), pp. 147–159.
- Chandrashekhar, A. M., Huded, Y. and Kumar, H. S. S., "Advances in Information security risk practices", International Journal of Advanced Research in Data Mining and Cloud Computing (IJARDC), Vol. 3, No. 5, (2015).
- Shameli-Sendi, A., Aghababaei-Barzegar, R. and Cheriet, M., "Taxonomy of information security risk assessment (ISRA)", Computers & Security, Vol. 57, (2016), pp. 14–30.
- MAMPU, "Panduan Keperluan Dan Persediaan Pelaksanaan Pensijilan MS ISO/IEC 27001:2007 Dalam Sektor Awam", (2010).
- MAMPU, "The Malaysian Public Sector Information Security Risk Assessment Methodology (MyRAM) Handbook", (2005).
- Creswell, J. and Plano Clark, V., Designing and Conducting Mixed Methods Research, SAGE Publications, (2017).
How to Cite
Lau Keat Jin, D., Hafizah Hassan, N., Maarop, N., Narayana Samy, G., & Che Mohd Yusof, R. (2018). The Role of Employee in Information Security Risk Management. International Journal of Engineering and Technology, 7(4.31), 145-150. https://doi.org/10.14419/ijet.v7i4.31.23358
