Applied Economics/Marketing Department

Hackers and negative social media hypes have proven able to bring proud organizations to their knees, yet many information and communications technology (ICT) security managers lack a strategy to anticipate and overcome such unpredictable challenges. A survey conducted among key people in the ICT security field reveals how perilously far behind their strategic thinking has fallen and what managers and board members can do to catch up.

This paper examines research methods for designing and engineering a Business Information Security (BIS) artefact. Preventing and responding to cybercrime is becoming an integral part of management practices which are supervised by the Board of Directors (BoD), and it can no longer be perceived as just traditional IT. In order to improve the maturity of business information security a transformation is needed and this requires adequate reporting and dashboarding. Dashboard functions such as the current versus the desired state of the Maturity of Business Information Security (MBIS) reflect certain parameters that boards can influence. Determining the key dashboard functions that reflect these parameters of control was the main motivation for this research paper and the ultimate goal was to engineer a BIS artefact. We propose a research and design method that could be used to establish an experimental dashboard with initial parameters of control based on a Group Support System (GSS) approach. Finally, GSS is evaluated as a method for a) examining which parameters are effective for BIS, from multiple perspectives and b) helping to implement the artefact (make it fit the purpose) as well as the associated decision-making.

This paper examines research methods for designing and engineering a Business Information Security  (BIS) artefact. Preventing and responding to cybercrime is becoming an integral part of management  practices which are supervised by the Board of Directors (BoD), and it can no longer be perceived as  just traditional IT. In order to improve the maturity of business information security a transformation  is needed and this requires adequate reporting and dashboarding. Dashboard functions such as the  current versus the desired state of the Maturity of Business Information Security (MBIS) reflect  certain parameters that boards can influence. Determining the key dashboard functions that reflect  these parameters of control was the main motivation for this research paper and the ultimate goal was  to engineer a BIS artefact. We propose a research and design method that could be used to establish  an experimental dashboard with initial parameters of control based on a Group Support System (GSS)  approach. Finally, GSS is evaluated as a method for a) examining which parameters are effective for  BIS, from multiple perspectives and b) helping to implement the artefact (make it fit the purpose) as  well as the associated business alignment and decision-making

Implementing and maintaining Information Security (IS) is cumbersome. Frameworks and models are used to implement IS, but these are perceived as complex and hard to maintain. Most companies still use spreadsheets to design, direct and monitor their information security improvement plans. Regulators too use spreadsheets for supervision. This paper reflects on nine years of Design Science Research (DSR) on IS and describes the design and engineering of an artefact architecture which can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance via integrated dash-boarding and a reporting tool. Three examples are presented to illustrate the way the artefact works.

Group Support for the Board’s Involvement in a Smart Security Decision-making Process

Decision making during business meetings is an
elusive phenomenon for a couple of reasons.
Business meetings have been defined as “…a
gathering where people speak up, say nothing, and
then all disagree.” In general, the main objectives of
meetings are to facilitate and enable decision makers in exchanging knowledge, discussing complex topics and monitoring large projects, and this all happens under pressure and amid uncertainties...

“Het gebruik van een Group Support System
in Informatiebeveiliging”

Besluitvorming tijdens vergaderingen is een ongrijpbaar fenomeen [1]. Zo definieerde
Thomas Kayser vergaderingen als “a gathering where people speak up, say nothing, and
then all disagree” [2]. Effectiviteit van vergaderingen is wereldwijd veel beschreven. Onder
andere het gebrek aan zogenaamd “evidence trailing”. Dit herleiden wie, wanneer en
waarom een bepaalde beslissing heeft genomen blijkt complex en gezien de stand der
technologie vandaag de dag niet meer nodig. Vergaderingen moeten besluitvormers juist
faciliteren in het delen van kennis, het bespreken van complexe onderwerpen, het
bewaken van voortgang van projecten et cetera en dit alles vaak onder grote tijdsdruk en
onzekerheden [3].

VERGADERSYSTEMEN ALS GROUP SUPPORT SYSTEMS KUNNEN DE KWALITEIT VAN VERGADERINGEN EN DE BESLUITVORMING DIE DAARUIT VOORTKOMT STERK VERBETEREN. ZEKER VOOR EEN COMPLEX EN SNEL VERANDEREND VAKGEBIED ALS INFORMATIEBEVEILIGING HEEFT DEZE VERGADERSOFTWARE
GROTE VOORDELEN, BESCHRIJFT YURI BOBBERT AAN DE HAND VAN ERVARINGEN
IN DE
WETENSCHAP EN DE PRAKTIJK.

This paper examines a Business Information Security (BIS) artefact, with the focus on a comparison study between two artefacts.

Abstract

Preventing and responding to cybercrime is becoming an integral part of management practices which are supervised by the Board of Directors (BoD), and it can no longer be perceived as just traditional IT. In order to improve the maturity of business information security a transformation is needed and this requires adequate reporting and dashboarding. Dashboard functions such as the current versus the desired state of the Maturity of Business Information Security (MBIS) reflect certain parameters that boards can influence. Determining the key dashboard functions that reflect these parameters of control was done in previous studies. The main motivation for this research paper is to rigorously examine the core functionality of a MBIS artefact and execute a comparison study. The final result is a validated expert based core set of MBIS artefact requirements. It concludes with a backlog roadmap for future requirements to be engineered in the artefact.

Implementing and maintaining Business Information Security (BIS) is cumbersome. Frameworks and models are used to implement BIS, but these are perceived as complex and hard to maintain. Most companies still use spreadsheets to design, direct and monitor their information security improvement plans. Regulators too use spreadsheets for supervision. This paper reflects on ten years of Design Science Research (DSR) on BIS and describes the design and engineering of an artefact which can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance via an integrated dash-boarding and reporting tool. Three cases are presented to illustrate the way the artefact, of which the realisation is called the Securimeter, works. The paper concludes with an in-depth comparison study acknowledging 91% of the core BIS requirements being present in the artefact.

Implementing and maintaining Business Information Security (BIS) is cumbersome. Frameworks and models are used to implement BIS, but these are perceived as complex and hard to maintain. Most companies still use spreadsheets to design, direct and monitor their information security improvement plans. Regulators too use spreadsheets for supervision. This paper reflects on ten years of Design Science Research (DSR) on BIS and describes the design and engineering of an artefact which can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance via an integrated dash-boarding and reporting tool. Three cases are presented to illustrate the way the artefact, of which the realisation is called the Securimeter, works. The paper concludes with an in-depth comparison study acknowledging 91% of the core BIS requirements being present in the artefact

This paper describes the application of Group Support Systems (GSS) in the field of Business Information Security Governance (BISG). The focus is on longitudinal small team collaboration-for instance within Boards of Directors (BoD) and groups of experts-with large amounts of items. Apart from this focus on small groups, there is an operational link to the Information Security Management cycle (Plan, Do, Check, Act i.e. ISO27000 norms). This link results for expert and management teams in collaboration on lots of items (e.g. 133 controls or in this case 228 best practices). This paper presents the findings of an initial research phase and presents a comprehensive, thoroughly selected core set of BISG practices to be used by practitioners. It shows how GSS can play a facilitating role in small team collaboration with large amounts of data. It concludes with suggestions for further empirical research into the BISG topic.

Information Security (IS) is increasingly becoming an integrated business practice instead of just IT. Security breaches are a challenge to organizations. They run the risk of losing revenue, trust and reputation and in extreme cases they might even go under. IS literature emphasizes the necessity to govern Information Security at the level of the Board of Directors (BoD) and to execute (i.e. plan, build, run and monitor) it at management level. This paper describes explorative research into IS-relevant Governance and Executive management practices. Answering the main research question: "Which practices at the level of Governance are relevant for Business Information Security Maturity" The initial phase of this research consists of a review of academic and practice-oriented literature on these relevant practices. This list of practices is then examined and validated through expert panel research using a Group Support System (GSS). The paper ultimately identifies a list of 22 core principles. This list can function as frame of reference for Boards of Directors and Management Teams in order to increase their level of Business Information Security (BIS) Maturity.

This paper examines research methods for designing and engineering a Business Information Security (BIS) artefact. Preventing and responding to cybercrime is becoming an integral part of management practices which are supervised by the Board of Directors (BoD), and it can no longer be perceived as just traditional IT. In order to improve the maturity of business information security a transformation is needed and this requires adequate reporting and dashboarding. Dashboard functions such as the current versus the desired state of the Maturity of Business Information Security (MBIS) reflect certain parameters that boards can influence. Determining the key dashboard functions that reflect these parameters of control was the main motivation for this research paper and the ultimate goal was to engineer a BIS artefact. We propose a research and design method that could be used to establish an experimental dashboard with initial parameters of control based on a Group Support System (GSS) ...

Industrial Control Systems (ICS) were primarily designed to operate air-gapped; however, the pressure for cost reduction and integration with business systems demanded the adoption of open systems architecture and ended up exposing ICS to threats which until then had been restricted only to the Information Technology (IT) systems. Although Cybersecurity Standards for Industrial Control Systems have been in place since the 1990s, providing the foundational knowledge required to Secure Industrial Control Systems; implementation failures and media disclosures revealed that organizations are not yet prepared to deploy Cybersecurity Controls effectively. This research has employed Design Science and interaction with experts on a qualitative manner exploring new insights and allowing to identify the main barriers for deploying and assessing industrial control systems. The results of this research include a list of Practices for effective deployment of Cybersecurity controls; list of Critical Success Factors for assessing ICS; and a list of most effective ways to report Cybersecurity risks to the board. This research counted with the participation of 200 practitioners and experts from Europe, Asia, Americas and Oceania.

Dedico essa dissertação de mestrado à minha mãe que esteve ao meu lado em cada aula que ouvi, que ficou apreensiva em todo seminário que apresentei e que participou muito mais desse trabalho que uma mãe qualquer poderia. VI AGRADECIMENTOS Agradeço em primeiro lugar ao meu pai, Tullio ScoUi, pois sem o seu incentivo, apoio e dedicação este curso de mestrado não seria possível. Ele, minha mãe, Lélia de Medeiros ScoUi e meu irmão, Marcus Tullius ScoUi, estiveram ao meu lado e me ampararam nos obstáculos que encontrei durante essa trajetória. Quero agradecer a Profa. Ora. Elisabeth Igne Ferreira pelo seu carinho, amizade, auxílio aos meus estudos, esclarecimentos burocráticos e, principalmente, por me mostrar a possibilidade que eu teria de prosseguir na carreira farmacêutica. O curso de mestrado não é só um rico aprendizado, também nos dá a chance de se apaixonar pela profissão; fato nem sempre possível na graduação devido a falta de maturidade. Agradeço a Profa. Ora. Maria Amélia Barata da Silveira por toda a sensibilidade que demontrou ter diante meus limites físicos, tomando mais simples meu cotidiano na Faculdade de Ciências Farmacêuticas e mostrando a sociedade que o maior impedimento para se realizar um projeto é o que reside nas nossas mentes. À minha orientadora e amiga, Profa. Ora. Maria Valéria Robles Velasco, meus etemos agradecimentos por sua compreensão e ajuda em diversos assuntos, por me fazer crescer profissionalmente e auxiliar na elaboração da minha dissertação de mestrado. Meus agradecimentos carinhosos aos Profs. Ors. Teresinha de J.

Dedico essa dissertação de mestrado à minha mãe que esteve ao meu lado em cada aula que ouvi, que ficou apreensiva em todo seminário que apresentei e que participou muito mais desse trabalho que uma mãe qualquer poderia. VI AGRADECIMENTOS Agradeço em primeiro lugar ao meu pai, Tullio ScoUi, pois sem o seu incentivo, apoio e dedicação este curso de mestrado não seria possível. Ele, minha mãe, Lélia de Medeiros ScoUi e meu irmão, Marcus Tullius ScoUi, estiveram ao meu lado e me ampararam nos obstáculos que encontrei durante essa trajetória. Quero agradecer a Profa. Ora. Elisabeth Igne Ferreira pelo seu carinho, amizade, auxílio aos meus estudos, esclarecimentos burocráticos e, principalmente, por me mostrar a possibilidade que eu teria de prosseguir na carreira farmacêutica. O curso de mestrado não é só um rico aprendizado, também nos dá a chance de se apaixonar pela profissão; fato nem sempre possível na graduação devido a falta de maturidade. Agradeço a Profa. Ora. Maria Amélia Barata da Silveira por toda a sensibilidade que demontrou ter diante meus limites físicos, tomando mais simples meu cotidiano na Faculdade de Ciências Farmacêuticas e mostrando a sociedade que o maior impedimento para se realizar um projeto é o que reside nas nossas mentes. À minha orientadora e amiga, Profa. Ora. Maria Valéria Robles Velasco, meus etemos agradecimentos por sua compreensão e ajuda em diversos assuntos, por me fazer crescer profissionalmente e auxiliar na elaboração da minha dissertação de mestrado. Meus agradecimentos carinhosos aos Profs. Ors. Teresinha de J.

This paper proposes research methods for designing and engineering a Business Information Security (BIS) artefact. Defining research methods to establish artefact functions (e.g. dash-boarding, risk register) that reflect the parameters of control for Board of Directors, is the main motivation for this research paper. The ultimate goal is to engineer this BIS artefact and thereby solve the problem of a low level of BIS maturity. We propose a research method that can be used to establish an experimental dashboard with initial parameters of control, based on a Design Science Research (DSR) approach. Group Support System (GSS) research can assist organisations applying the artefact into the organisations with the accompanying collaboration and decision making (fit to purpose) processes.