Information Security - Risk Management Framework

Name: Information Security - Risk Management Framework | For Social Engineering Attacks and Digital Prevention Techniques
Brand: Academica Press
Price: 110.99 EUR
Availability: OnlineOnly

For Social Engineering Attacks and Digital Prevention Techniques

Shekh Abdullah-Al-Musa Ahmed(Author)

Academica Press

Published on 8. September 2024

206 pages

E-Book

ePUB with digital watermarking

System requirements

978-1-68053-424-5 (ISBN)

€110.99incl. 7% vat

System requirements

for ePUB with digital watermarking

E-Book Single Licence

Available for download

Description

More details

Other editions

Person

Content

Information Security - Risk Management Framework:
For Social Engineering Attacksand Digital Prevention Techniques
Dr. Shekh Abdullah-Al-Musa Ahmed
Proposed framework user manual. Recommended related worksheets for use in the proposed framework.
Proposed framework. Draft of the proposed framework.
Refined High-level Framework.
Information Security - Risk Management Framework:
For Social Engineering Attacksand Digital Prevention Techniques
Dr. Shekh Abdullah-Al-Musa Ahmed
Academica PressWashington~London
Library of Congress Cataloging-in-Publication Data
Names: Ahmed, Shekh Abdullah-Al-Musa (author)
Title: Information security - risk management framework : for social engineering attacks and digital prevention techniques | Ahmed, Shekh Abdullah-Al-Musa.
Description: Washington : Academica Press, 2025. | Includes references.
Identifiers: LCCN 2024944093 | ISBN 9781680534238 (hardcover) | 9781680534245 (e-book)
About the Author
/
Dr. Shekh Abdullah-Al-Musa Ahmed is Assistant Professor in the Department of Computing and Information System at Daffodil International University (DIU). Before joining DIU, he was Assistant Professor in the Faculty of Information and Communication Technology and Department of Computer and Communication Technology at Universiti Tunku Abdul Rahman (UTAR), in Malaysia. He has also worked at Bangladesh University of Business and Technology (BUBT) and Stamford University, Bangladesh. Dr. Ahmed obtai
About the Technical Editor
/
Assoc. Prof. Ts. Dr. Nik Zulkarnaen Khidzir. He is a Certified MBOT Professional Technologist
Associate Professor, Faculty of Creative Technology and Heritage. Currently is a Deputy Director of University Malaysia Kelantan (UMK) International. He is also a member of Technology Advisory Board for Bayarcash, digital financial merchant payment gateway online solution owned by Web Impian Sdn Bhd. In his spare time, he moderates the book "Information Security Risk Management Framework for Social Eng
The Author Dedicated this book to the Poet and Lyricist
Sheikh Rana
Preface
In today's digital age, where information preservation is the cornerstone for security and communication, safeguarding this invaluable asset has never been more critical. This book is designed to serve as a dedicated framework for prevention techniques and to navigate the complex and ever evolving landscape of digital data protection from social engineering attacks. It is imperative to recognize the profound significance of role as an information security risk management framework. Every bit and
This is not only a book on information security and risk management, but a comprehensive compendium meticulously crafted to empower individuals and organizations with the knowledge, tools, and strategies necessary to defend against a multitude of cyber threats. Throughout these pages, the author embarks on multifaceted exploration, beginning with a deep dive into the very essence of digital data protection from social engineering attacks. From understanding the diverse types and classifications
Your comprehensive academic guide to digital data protection awaits.
Contents
Preface xi
Chapter OneFoundations of Information Security risk management:Understanding of social engineering attacks 1
1.1. Overview of Information Security risk management 1
1.2. Aims and Objectives 4
1.3. Significance of the work 5
1.4. Novelty of the work 6
1.5. Contribution to the society 7
Chapter Two"Navigating the Digital Terrain:Understanding Data, Risks, and Regulations" 15
2.1. Definition of digital data Types of digital data(personal, sensitive, corporate, etc.) 15
2.2. Fundamentals of Digital Evidence 20
2.3. SoE Attacking Risks 23
2.4. Fundamental Risk Management Concepts 31
2.5. Risk Management for the Prevention Technique of SoE Attacks 33
2.6. Risk Management Methodologies andApproaches for the Prevention Technique of SoE Attacks 34
2.7. Information security framework for the preventiontechnique of SoE attacks, Standards and Guidelines 36
2.8. Expert Judgment Method: Definition of elicitations objectives 41
Chapter ThreeFramework Methodology: Processing Data and Threat Landscapes 45
3.1. Overview of framework methodology 45
3.2. Theoretical study 49
3.3. SoE attack risks of threats and vulnerability effects on digital evidence 50
3.4. Questionnaire Design 53
3.5. Pilot Study Results Summary 55
3.6. Empirical Study 58
3.7. Conceptual Framework 60
3.8. Exploratory Study 64
3.9. Framework Development 66
Chapter FourFramework Alongside the Risk Management: "analyze SoE attack risks" 71
4.1. Data Analysis Strategies 71
4.2. Descriptive analysis 72
4.3. Reflective Measurement Analysis for the Study Model 78
4.4. Significance and relevance of the formative indicator for the model 82
4.5. Moderator variable for the Model 103
Chapter FiveFortifying the Fortress: Strategies for Risk Management Framework 119
5.1. Overview of Risk Management Framework 119
5.2. The Framework Stages, Processes, Activities and Worksheets 127
5.3. Conduct necessary training or workshops 130
Chapter SixBuilding a Culture of Security: Framework Confirmatory 139
6.1. Overview of Framework Verified 139
6.2. Results and discussion of the framework of the confirmatory study 141
6.3. Expert Judgment Results: Setting the Scope of the SoE attack risks: 146
6.4. Supplementary Findings: Organizational risk of SoE attacks 160
References 163
Appendix 173
List of Tables
Table 1.1: Objectives, questions and analysis 5
Table 1.2: Exploratory study phase: study approach 10
Table 1.3: Framework development phase: Study approach 11
Table 1.4: Confirmatory study phase: Study approach 11
Table 2.1: The risk category descriptions and examples are shown 17
Table 2.2: SoE Attacking Risks 19
Table 2.3: Digital evidence in the organization 22
Table 2.4: Literature review of the risk of SoE attacking threat items 24
Table 2.5: Literature review of the risk of SoE attacking vulnerabilities 25
Table 2.6: Literature on the risk of managingdefeats attacking the SoE in organizations 26
Table 2.7: Literature on the risk of unexpectedchange in management resulting from SoE attacks 27
Table 2.8: Literature on the risk of managingdefeats attacking the SoE in organizations 28
Table 2.9: SoE attack risks based on the confidentiality,integrity and availability (CIA) concept. 29
Table 2.10: shows common SoE attack risks during organizational activities. 31
Table 2.11: summarization of the organizations 32
Table 2.12: Information Security Risk ManagementConcepts, Methodologies and Approaches 35
Table 2.13: Information Security Management Standards and Guidelines. 37
Table 2.14: highlights the basic concepts of riskmanagement for preventing SoE attacks. 40
Table 2.15: Characteristics of the experts involved in the confirmatory study 42
Table 3.1: Study activities and objectives. 46
Table 3.2: Theoretical Study Phase: Study Approach. 49
Table 3.3: Reliability test of the risk factors associatedwith SoE attacks (pilot study) 57
Table 3.4: RMs for preventing SoE attacksin the organizations according to the constructed reliability test. 57
Table 3.5: Organizational activity reliability test. 58
Table 3.6: The empirical phase research approach 58
Table 3.7: Illustrates the empirical roadmap and analysis techniqueused to answer the research questions and realize the research objectives. 59
Table 3.8: Detailed explanations of the input,research approach and output in the exploratory study phase 65
Table 3.9: Framework development phase: Research approach 66
Table 3.10: Confirmatory phase study approach. 67
Table 4.1: shows the results. 72
Table 4.2: SoE attack risk ranking of threats 74
Table 4.3: SoE attack risk ranking of vulnerabilities 75
Table 4.4: SoE attack risk ranking of management defects in the organization 76
Table 4.5: Ranking of unexpected changesin management risk due to SoE attacks 77
Table 4.6: SoE attack risk ranking of digital evidence 78
Table 4.7: Reflective measurement for the model 79
Table 4.8: The bias -corrected confidence intervals 82
Table 4.9: Collinearity statistics (VIF): 84
Table 4.10: R2 values 85
Table 4.11: shows the path coefficients with t values and p values. 86
Table 4.12: Confidence intervals 87
Table 4.13: Results of hypothesis testing 89
Table 4.14: shows the specific indirect effects. 90
Table 4.15: Direct effect values. 94
Table 4.16: Confidence interval bias corrected 95
Table 4.17: The direct and indirect effects of SoE attacks and prevention techniques on digital evidence based solutions. 97
Table 4.18: Moderating effect values 103
Table 4.19: Content analysis for the socialengineering attack risk identification phase 107
Table 4.20: Content analysis for the socialengineering attack risk analysis phase. 112
Table 5.1: Breakdown of the framework component according to stage 127
Table 5.2: Breakdown of the framework component(processes and activities in stage I) 129
Table 5.3: Breakdown of the Framework Component(Processes and Worksheet in Stage II) 131
Table 6.1: Key Summary of Expert Judgment Evaluation - Stage I 144
Table 6.2: Key Summary of Expert Judgment Evaluation - Stage II 148
Table 6.3: Key Summary of Expert Judgment Evaluation - Stage III 157
List Of Figures
Figure 1.1: Methodology of study 8
Figure 1.2: Exploration of the inputs, researchapproach and results of the conceptual study phase 9
Figure 1.3: Empirical Study Phase Approach 9
Figure 2.1: Generic information security managementin organizations and supported theories 16
Figure 3.1: provides an overview of the methodology adopted for the study. 48
Figure 3.2 Development of the questionnaire for the purpose of this study. 54
Figure 3.3: Overview structure and content of the questionnaire 54
Figure 3.4: Data analysis using SmartPLS. 59
Figure 3.5: Conceptual framework diagram of SoE attacks and prevention techniques in risk management-based solutions for organizations. 62
Figure 3.6: Diagram showing the hypothesized relationships 64
Figure 3.7: Generic Expert Judgment Methods 69
Figure 4.1: Model diagram with constructs and items relatedto SoE attacks and prevention techniques in digitalevidence-based solutions for organizations 79
Figure 4.2: The mediating effect of the Model 96
Figure 4.3: Moderating effect of the research model 103
Figure 4.4: illustrates the steps applied in this study. 105
Figure 5.1: Stage of the Framework 120
Figure 5.2 Details of the notation used 122
Figure 5.3: Stage I of the risk management frameworkfor social engineering attacks and digital prevention techniques 123
Figure 5.4: Stage III of the risk management frameworkfor social engineering attack and digital prevention techniques 126
Figure 5.5: Structure of the framework componentfor Stage I (Process SARP1 -Getting with Senior Management) 130
Figure 6.1: Adopted expert judgment methodfor the proposed framework validation 140
Chapter One Foundations of Information Security risk management: Understanding of social engineering attacks
1.1. Overview of Information Security risk management
1.2. Aims and Objectives
1.3. Significance of the work
1.4. Novelty of the work
1.5. Contribution to the society
Social Engineering is a domain of study in the area of information security. However, every organization currently has its own strategy to protect its own data. On the other hand, social engineering addresses the targeting of humans and machines or technology. This method is popular because human elements are frequently the weakest part of a system and are most prone to mistakes. Human factors cause the security system to start and stop. Weakening of the system occurs when the element fails. The
A reactive or proactive approach might involve human factors, where security incidents and system termination may cause problems before they become problems. The role of an information security specialist is to increase awareness of SoE attack risks among employees and to provide brief descriptions of SoE attack risks, such as threats, vulnerabilities, management defects, unexpected changes and digital evidence factors. This is evidence that social engineering is a very basic level of attack. On
Thus, even though business continuity concepts are widely recognized within organizations, with the success of integrating the prevention technique of social engineering attack risks and SoE attack risk management practices. Hence, this study attempts to develop an information security risk management framework for the prevention of social engineering attacks. An appropriate risk management process and activities can manage social engineering risks in the information security domain. A literatur
Hence, vulnerability reflects the weakness of the system. Threats express how to exploit this weakness of the system, management defects show the management weakness of the organization, and unexpected changes show the lack of awareness inside the organization. Digital evidence indicates essential or sensitive information that SoE attackers are interested in collecting from the organization. However, different organizations have different impacts from social engineering attacks. Subsequently, a
The banking sector began to become aware of any kind of information security attack, such as social engineering attack. After that, other local banks implemented the protection of assets against information security attacks or any kind of critical or disaster situations. Some other Banks started initiative regarding the protection against any kind of social engineering attack in the banking system. Subsequently, other organizations began to practice awareness of social engineering attacks in an
The broad nature of the internet has allowed the social engineering crimes worldwide. Therefore, it is important to have a framework for the prevention of social engineering attacks and proper management of such attacks. Proper risk management approaches in various organizations could lead to successful proper implementation. Previous research has been conducted to provide evidence that incorporating social engineering attack risks can improve the success of framework implementation and reduce t
Thus, there are still significant gaps in knowledge that need to be investigated to develop a robust understanding of such social engineering attack risks, leading to a comprehensive approach to risk management for healthcare centers, education, government agencies and the banking sector. To meet the objectives of the present research, a mixed method technique was applied. The use of quantitative research methods establishes purposiveness, rigor, testability, explication, precision and confidenc
In fact, an information system is a unit that includes people, processes and systems. There are numerous risks that organizations must handle, and these can have catastrophic outcomes on the continuing future of the organization. In the previous few years, a proliferation of automatic information systems, reliance on the internet to permit all of the fundamental service and infrastructures and the growing risk of organizing social engineering attacks with the capability of creating debilitated d
Hence, information and communication technology has the potential to increase the risk of social engineering attacks. However, the SoE attack risks associated with SoE attack risk management practices theory must be evaluated and managed. Therefore, an awareness program is required for SoE attacks because the technology can cause problems due to malicious human activity.
Hence, a variety of standard frameworks have been developed to address multiple business operations and specific technical processes. Therefore, there is a need for organizations to formulate an appropriate framework to secure digital evidence to support continuous business operation. However, there are several established risk management and analysis approaches for information security risk management, such as OCTAVE, CORA, and the IS Business Model, has been developed around the globe. Unfortu
The overall aim of this study is to develop an information security risk management framework for the prevention technique of social engineering attacks that can assist organizations in managing to reduced social engineering attack risks.
Specifically, the objectives of the study are as follows:
1. To identify various SoE attack risks.
2. To analyze SoE attack risks in various organizations.
3. The purpose of this study was to integrate SoE attack risks with risk management practices for the prevention of SoE attacks.
4. To develop an information security risk management framework for preventing SoE attacks through expert judgment.
Table 1.1: Objectives, questions and analysis
Study Analysis
Study Question
Study Objective
Exploratory study.
Q1 What is the results for descriptive analysis of the study?
Objective 1:
To identify various SoE attacking risks.
Empirical approach of study. Furthermore,
Q1. What are the ranking
Objective 2:
of critical SoE attacking
To analyze SoE attacking
risks items in the
empirical analysis
organizations?
risks in various
such as assessment
Q2. What are the
organization.
measurement model
significant characteristics
and assessment
associated with
structural model done
attacking risks in the
on the framework.
organizations?
Q3. What are the
relationship of SoE
attacking risk with
Organizational Activities?
Exploratory approach of research study.
Q1. What are the component of SoE attacking risk management?
Objective 3:
To integrate SoE
Q2. What are the relationship of risk management practice with Organizational Activities?
attacking risks with risk management practice for the prevention technique of SoE attacks.
Expert judgment approach and technique for the confirmatory study.
Q1. What is the results of confirmatory study?
Objective 4:
To develop information security risk management framework for the prevention technique of SoE attacks through
Q2. How do the result of the expert judgment support the suitability and applicability of the proposed framework?
expert judgment.
Ppp'pp[p[p[p[p[pp[p[
The activity provides empirical data for social engineering risks in the organization. These findings are useful for understanding organizational perceptions of SoE attack risks. These activities also provide exploratory data for SoE attack risk management practices in organizations, and an information security risk management framework is finally proposed for preventing SoE attacks. Understanding the social engineering attack risk construct and its implications will further enhance decision-mak
A prior activity showed that SoE attack risk management practices contribute to reduced SoE attack risk in various organizations, and a closer analysis of these risks and their management practices will assist organizations in further improving the process of identifying and analyzing, planning and managing SoE attack risks. Fundamentally, the findings from the organization clarify that the impact is valuable if any kind of SoE attack risk occurs in the organization. However, these attacks can c
Finally, the information security risk management framework for preventing SoE attacks proposed in this study could be used as a point of reference and to provide guidelines for managing social engineering risks in various organizations.
This activity extends the existing work on SoE attack risk areas in the domain of information security, capabilities and strategies. First, specific empirical studies on social engineering attack risks and SoE attack risk management practices and this type of work have never been conducted before. While previous activities have identified and classified the major SoE attack risks in this field, the broader question of how these challenges should be managed, has yet to be answered. Furthermore, f
In addition, previous studies have typically examined SoE attack risks in information and communication technology and SoE attack risk management. There is also limited work thus that has investigated the level of security of digital evidence in organizations. Additionally, the in activity has identified new SoE attack risks as realized by information security professionals or experts. These new SoE attack risks contributed to the originality of the study.
A dedicated framework was introduced to manage the prevention technique of SoE attack risks in various organizations to further the existing work in this area. There are limited numbers of researchers who have focused on comprehensive and structured guidelines for managing SoE attack risks in various sectors. This in activity focuses on the specific information security risk management framework for the prevention technique of SoE attacks in the organization to reap the full benefits of improvin
The study has significant empirical, academic and managerial contributions. From the managerial perspective, the findings contribute to improving the way an organization manages SoE attack risks in various organizations. This was made possible by the discovery of the SoE attack risks that influence the practices of SoE risk management for various organizations. This finding also provides insight into how organizations practice the prevention technique of SoE attack risk management, thus contribu
Moreover, the findings provide empirical support for establishing the relationship between SoE risks and risk management practices for preventing SoE attacks. The risks of SoE attacks have been identified from the literature review and consequently investigated. This was further substantiated by empirical evidence based on the organization's perceptions regarding SoE attack risks, which have been ranked based on their level of criticalness in various organizations. This part would be the empiric
However, there has not been much related work on SoE attacking risks for in-house organization implementation and the approach used in managing them, this study extends its managerial and academic contributions by identifying the risk management of SoE attacks that are relevant to the organizational environment. The semi structured approach was used with professional employees to gain insight into emerging SoE attack risks and the appreciation of managing these risks for various organizations.
The main contribution of this work is the development of a risk management framework for the prevention technique of SoE attack risks for various organizations. In addition to being empirically validated through proven statistical analysis methods and exploratory study applications in the organization, the framework is also theoretically supported, thus making the proposed framework reliable for use in the organization as a guide in managing the prevention technique of SoE attack risks.
In most scientific and technological work, two broad approaches are known as deductive and inductive methods. The inductive approach is usually described as it moves from specific to general. On the other hand, the deductive approach begins with the general and ends with the specific. The methodology is commonly described as a systematic process for collecting, analyzing and interpreting data to increase the understanding of phenomena or problems related to the research areas of interest or conc
Qualitative, quantitative and mixed or hybrid methods constitute the main methods used. However, the practices of these methods differ among researchers and depend on the questions and their objectives. The qualitative methods emphasize the meaning of definitions, concepts, context, descriptions and environmental settings. The quantitative method focuses on measurement and statistics. However, both methods focus on the importance of objectivity, observation and data collection in conducting work
For the purpose of this study, both approaches (deductive and inductive) and mixed methods, such as quantitative and qualitative methods, were applied to identify the knowledge gap in the area, answer the related question and fulfill the objectives of the study. Figure 1.1 illustrates the five phases of the methodology used in this study.
/
Figure 1.1: Methodology of study
However, better documents for comprehending related areas and identifying existing knowledge gaps. The conceptual study focused on two knowledge areas, SoE attack risks and prevention techniques, such as risk management, which would help to build an information security risk management framework for the prevention technique of SoE attacks. Other related concepts and theories were also reviewed as supplementary support for the conceptual study. The exploratory inputs, research approach and result
/
Figure 1.2: Exploration of the inputs,research approach and results of the conceptual study phase
In phase 2, the empirical study phase, the pilot questionnaire was validated through appropriate statistical analysis. Then, to refine the questionnaire suitability for the activity, subject-matter experts (SMEs) verified and validated the questionnaire. The details of the validation process are explained in chapter 3. A refined questionnaire was distributed to investigate the factors that influence the practice of preventing SoE attacks. And to assess the risk management practices of SoE attack
/
Figure 1.3: Empirical Study Phase Approach
In phase 3, the exploratory study phase, semi structured methods were used with focus groups of eight organizations that were directly involved in SoE awareness implementation. Each focus group consisted of personnel who possessed wide experience in understanding SoE attack risks and risk management practices in the organization. The second part of the exploratory study phase, included a comparison of the findings of the results of the empirical study and literature review. An overview and outpu
Table 1.2: Exploratory study phase: study approach
Results (output)
Study Approach
Input
(process)
Confirm existing SoE attacking risk.
Comparison analysis of the focus group
Semi structured way was used to focus group
Prevention technique of SoE attack in the organization and the theme of the risk management
Identify SoE attacking risk management practice for the prevention technique in the organization.
Conceptual study results
process.
Semi structured way was used for the SoE attacking risks in various organizations.
Compare result of focus group with empirical and conceptual study supported with the finding.
Empirical study results
SoE attacking risk.
Identify similar and contradicting practices from empirical results and
Related documents or reports
exploratory study results.
High -Level prevention technique for the development of
Integrating the SoE attacking risk with SoE attacking risk management.
Past literature
framework.
Critical analysis of SoE attacking risk management practices in the organization.
Current or best practices
In phase 4, the framework development phase, the results obtained from the conceptual, empirical and exploratory study phases will be used to develop a framework for the prevention technique of SoE attacks in the organization and the detailed component of the framework. In this phase, related worksheets are also developed to improve the understanding of each component of the framework. A detailed explanation of the inputs, study approach and expected results involved in this phase are provided i
Table 1.3: Framework development phase: Study approach
Results (Output)
Study Approach(process)
Input
Refined high-level framework.
Content analysis of results in previous study phases
SoE attacking risk factors in the organization
Components of the proposed framework.
Synthesize previous phase results
Refined High -level framework
Draft of the proposed framework.
Develop flow of practices in managing SoE attacking risks in the organization
Results from previous phases
Proposed framework user manual
Develop flow and steps in the managing SoE attacking risks in the
organization.
Recommended related worksheets used in the proposed framework.
Develop recommended worksheet that can be used together with the
framework.
In phase 5, a confirmatory study was conducted to test the suitability and applicability of the proposed framework. An expert judgment approach was used in order to verify the acceptability of the framework for the organization and the community. Table 1.4 describes the input, activity and results involved in the confirmatory phase.
Table 1.4: Confirmatory study phase: Study approach
Results (Output)
Study Approach (process)
Input
Verified framework
Review results of previous phase
Related Documents
Validated framework
Review and compare related documents.
Literature articles
Results (Output)
Study Approach (process)
Input
Validated framework by experts
Assess past findings
Proposed framework
In-depth framework validation with experts (expert judgment)
Compile results of validation (comments or recommendations)
To achieve the stated study objectives and to ensure the reliability of the results. The validity of the findings, consistency of the conclusions, and appropriate methodology techniques for data collection and analysis were used.
The study focus areas and scope are as follows:
1. The study is limited to the organization, identifying the SoE attack risks from top management practitioners.
2. The study focused solely on SoE attack risk management practices.
3. The study emphasizes the adoption of the prevention technique of SoE attack risk management and implementation in organizations.
4. The expert-judgment approach focuses on evaluating the suitability and applicability of the proposed framework that would be implemented in the organization.
The challenges and constraints in conducting this study were as follows:
1. The limited access to confidential secondary data and reports meant that recommendations or suggestions were based only on the data provided and supported by previous literature.
2. The number of respondents was limited. When a return rate of 143 was deemed sufficient, more respondents would have produced more accurate results.
3. The semi-structured approach was used during the exploratory study phase, which involved setting a time with the focus groups due to their other work commitments.
The study will unfold in the following manner.
Chapter 1 provides an introduction to the scope of the study area, as well as the methodology approach employed.
Chapter 2 introduces the theoretical background and fundamentals of the study and conceptual framework of the work, engaging with and referring to the recent literature in the areas of various organizations, global information security issues and associated SoE attack risks, SoE attack risk management practices in organizations and information security risk management frameworks for the prevention technique of SoE attacks. The content analysis approach was used in the study of these references.
Chapter 3 discusses the study approach and methodology involved in the data collection and data analysis methods. Through purposive sampling, questionnaires were distributed to 384 respondents in various organizations for a return rate of 36%. Moreover, a semi structured method was used with eight focus groups to further clarify some of the findings of the empirical study.
Chapter 4 focuses on the analysis and results using appropriate data analysis techniques. The results of the analysis provided evidence on how organizations practice risk management for the prevention of SoE attacks. These findings could subsequently contribute to developing a framework for preventing SoE attacks in organizations. Hence, we concentrate on an exploratory analysis based on a semi structured approach with focus groups from eight different organizations. Similarly, the findings were
Chapter 5 discusses the process of framework development and designing the flow of the proposed framework. This chapter also presents the proposed a framework for preventing SoE attacks in organizations. The detailed framework components, such as the stages, processes and activities, are explained further in this chapter.
Chapter 6 discusses the process of conducting a confirmatory study to validate the framework through expert judgment of this area of risk management involving SoE attacks. This chapter also presents the results of the confirmatory study and verifies the usability and applicability of the proposed framework for the organization. The supplementary finding by discussing the answers to the work question and the fulfillment of the objectives. This also discusses the findings, and provides several rec
Chapter Two "Navigating the Digital Terrain: Understanding Data, Risks, and Regulations"
2.1. Definition of digital data Types of digital data (personal, sensitive, corporate, etc.)
2.2. Fundamentals of Digital Evidence
2.3. SoE Attacking Risks
2.4. Fundamental Risk Management Concepts
2.5. Risk Management for the Prevention Technique of SoE Attacks
2.6. Risk Management Methodologies and Approaches for the Prevention Technique of SoE Attacks
2.7. Information security framework for the prevention technique of SoE attacks, Standards and Guidelines
2.8. Expert Judgment Method: Definition of elicitations objectives
This chapter aims to explore the related theories and concepts in the domain, then examine the SoE attack risk approaches and identify knowledge gaps. A review of the literature in the area of various organizations, as well as the approaches and theoretical lens used in SoE attack risk and SoE attack risk management practices, is conducted to position this work within the studies. This chapter clarifies the viewpoints of SoE attack risks and SoE attack risk management practices in organizations
Every organization has the act of delegating or transferring information security related decision making rights, business processes, internal activities and services to external providers who develop, manager and administer these activities in accordance with agreed upon deliverables, performance standards and outputs, as set forth in the contractual agreement. Organizations invest in this strategy to reduce any kind of SoE attack risk. The previous literature review revealed forty- four (44) S
/
Figure 2.1: Generic information security managementin organizations and supported theories
Many organizations are experiencing the fastest growth and evolution of business activities worldwide. Therefore, the term "organizations" encompasses a broad spectrum of technologies, complexities and sizes and takes many forms. The important classes of organizations include contract-manufacturing, facility management, and business process- provisioning processes, namely, human resources, finance, and customer support. Organizations normally call for service providers to cut costs while improvi
Table 2.1: The risk category descriptions and examples are shown
Example
Description
Category
Inconsistent with the
Refers to how well organizations
Strategic risk
organization's strategy
goals of the regulated
have aligned its activities with its overall business strategy and placing the resources and structures in the place to execute them.
entity.
Inadequate management
experience and expertise
can lead to a lack of
understanding and control.
Inadequate expertise to
oversee the service
provider.
Technological failure. Inability to maintain a competitive position.
Refers to the risks of service providers to actually deliver the service to the expected standards, whether that be in terms of quality, quantity or timelines (ability of service provider to response or recover from unforeseen events)
Operational risk
Fraud or error.
Inability to deliver
products or services.
Inability to manage
information.
Inadequate financial
Financial risks occurs throughout many element of the deal, starting with transition. It is common for surprised to appear during the transition, which can driven up costs for organizations.
Financial risk
capacity to fulfill
obligations and provide
remedies. The future unfolding in an unpredicted scenario whereas the pricing
mechanism was designed
as part of the initial
contract.
Example
Description
Category
Privacy are not complied. Service provider has inadequate compliance
Risk caused by violation of law, rules, regulations, prescribed, practices, contract and ethical
Regulator or legal Compliance
systems and controls.
standards.
Incompatible development
Risks relating to the failure of
Technological
tools. Non compliance with
service providers electronic data processing environment to
Risk
embrace methodology.
Conflicting development standards.
effectively and surely process and deliver product to the organizations.
Poor reputation of service provider.
Risks of negative publicity regarding business practice.
Reputational Risk
Service provider practices not in line with stated practice of regulated entity.
Identify theft and personal data or information. Loss, damage or destruction of digital evidence. SoE who destroy or threaten to destroy digital evidence. Extraction of loss of valuable or private information (Business records and Client's profiles)
SoE attacking risks are caused of threat action on vulnerabilities that contribute to SoE attacking risk incidents. The core information security fundamental principles such as confidentiality, integrity and availability are the basis in deterring the risks.
SoE attacking risk
Other studies also support the view that SoE attack risk is considered to be the most basic level of attack in information security domains, and organizations need to successfully address this risk to ensure maximum benefit and implement strategies to protect digital evidence against such attacks.
Hence, this significant risk in organizations must ensure the confidentiality, integrity and availability of digital evidence. Different areas tend to derive different definitions of risk, especially since the term appears in many fields of study. However, the definitions of SoE attacks are unique descriptions, focusing on risk factors that address prevention techniques for SoE attack risk and managing the risks of SoE attack, such as security breaches, physical security, confidentiality issues,
Table 2.2: SoE Attacking Risks
References
SoE Attacking Risks
SoE Attacking Risks
Description
Abdullah, A et al., 2017
Fan et al., 2017
Gewald et al., 2014
Hartini et al., 2013
Ian Mann., 2018
Ana et al., 2016
Ayesha et al., 2013
Bob et al., 2005
Christopher., 2018
Clif A. Ericson., 2016
Cooke et al., 2017
Cooke et al., 2012
Daniel et al., 2016
Edward., 2015
Fan., 2017
Georg., 2014
Hinson G., 2008.
Security breaches,
SoE attacking risks issues
information leakage,
physical security,
confidentiality issues,
integrity and availability
issues, threats,
vulnerabilities,
unexpected change in
management, management defects in organization, digital evidence.
A breach of security occurs when a stated organizational policy or legal requirement regarding information security has been contravened. SoE activities are some kind of art, such as from outside an organization, that bypasses or contravenes security policies. Recent social engineering attacks include phishing, visiting and impersonation. These attacks reveal data security breaches, involving external malicious persons and company insider attackers hence, this type of activity has increased to e
Information leakage currently yet another critical threat of SoE attack risk in organizations. Information leakage refers to the accidental or intentional release of information to certain people before it is made available to a general employee. It is recognized as an increasingly significant problem, since computing services have made it much easier for SoE attackers to gain access to organizational employee information related to confidential data. Furthermore, the information leakage can be
Physical security is often a discounted discipline, yet attention is given to safeguarding. A physical environment can yield a satisfactory level of protection. A good physical security program is provided in an organization's first line of defense to secure valuable digital evidence. Therefore, organizations should pay more attention to safeguarding their physical environment for their business continuity since they involve external parties. Physical security allows more control over service pr
Other significant SoE attack risk issues need to be considered during the implementation of organizational SoE attack risk of threats, the SoE attack risk of vulnerabilities, the SoE attack risk of management defects, the SoE attack risk of unexpected changes and the SoE attack risk of digital evidence. These risk factors for SoE attacks could directly involve organizational digital evidence and contribute to risk incidents of SoE attacks. Researchers have highlighted several threats and vulnera
Social engineering attacks, are is one kind of criminal proceeding. In addition, the wrong or digital crime can be determined, and the offender can be punished. To achieve the legal system through the machineries of administration of justice and the main agents of these machineries are the courts of lawyers. However, it is a major challenge to the court or lawyers to prove the existence of rights, liabilities or digital crime. This is where the importance of the law of digital evidence lies. How
Generally, the criminal proceeding has the following four stages:
-Preprocessing Stage (Police and Investigation Officers)
-Proceeding Stage (Court)
-Trial stage (court)
-Post trial Stage (Police or Jail authority)
In the initial stages of malicious social engineering personnel activity and the investigation of criminal activity and the preparation of criminal cases, the police and information security investigator officers' role from the beginning to the end of this end stage would be very crucial. This stage has the following sub- heads: -
-FIRs in cognizable offences
-Complaint in no cognizable and cognizable offenses.
-Reporting to the Magistrate.
-Investigating malicious person SoE activity and maintaining case Diary.
-Final Report / Charge sheet
Hardware, software, data or information, people and services are the five relevant assets groups in organizations. Hence, data or information assets are the only digital evidence type associated with information security domains. Close analysis has shown that the success of organizational functions depends on a complex set of requirements that also involve the protection of digital evidence. However, digital evidence refers to a collection of facts in the form of paper or electronic messages, co
In recent years, the importance of digital evidence as a key asset has continued to grow, since its production, complexity, volume and demand accelerated. However, the fulfillment of real digital evidence needs has been limited due to various obstacles. Especially in organizations, one such obstacle is inappropriate classification. The classification of digital evidence concerns its confidentiality, integrity and availability. Hence, anything occurring with three CIAs would cause the SoE to atta
Several different digital evidence characteristics are described in the ISO/IEC 27000 Standards Series (ISO/IEC 27000:2018) and are commonly used in the information security domain, such as the SoE attack risk management system. These characteristics were also well documented in digital evidence inventories and register documents (ISO/IEC 27000:2018, ISO27K Implement's Forum, 2017). Digital data such as personal and financial, legal databases, digital archives, etc. Tangible digital evidence (su
Table 2.3: Digital evidence in the organization
Digital evidence characteristics
Common digital evidence
Digital data, Intangible, IT hardware,
Business and financial Records
Application software.
Digital data, Intangible
Client's profiles
Digital data, Tangible or Intangible
Business Continuity plan
Digital data, Tangible, Application Software
Archived Data or Information
Digital data, Tangible Intangible
Policy and procedures
Digital evidence characteristics
Common digital evidence
Digital data, Tangible
Business Requirements Architecture
Digital data, Tangible
System Documentation
Digital data, tangible, Application Software, IT Services asset
Electronic Files and Records
Digital data, Tangible
Training material of SoE attacks awareness
Digital data, Tangible
Legal and contract Documents
Digital data, Tangible, Application software.
Database and data files
Digital data, Tangible
Financial Proposal Documents
Digital data, Tangible
Technical proposal Documents
Digital data, Tangible
Solution Requirement Specifications
Sources: Sundresan Perumal., 2009
Siti et al., 2008
Manes et al., 2010
Gita Radhakrisna., 2014
Suci et al., 2017.
A malicious person will look for targets of opportunity for organizational digital evidence. SoE attack risks include threats or vulnerabilities that contribute to SoE attack risk incidents. Common SoE attack risks of thefts include personal data on information leakage and unauthorized exploration of intellectual property (IP). These information security risks are caused by a lack of control in the organization. However, the risk of threats being attacked by SoE refers to finding the weakness of
Table 2.4: Literature reviewof the risk of SoE attacking threat items
Literature References
SoE attacking risks of threats item
Algarni et al., 2017
Hinson G,
Poor social engineering attack detection
2012
Jean Boltz., 2015.
studies.
Hinson. G., 2016
Nik. Z. et al,
Directly exploit control weakness in the
2018
Jean Boltz., 2015.
systems.
Hinson. G., 2008
Todd. F., 2016.
Exploit other control weakness involving
printed or other information rather than computer data and system.
Nik. Z. et al, 2018
Jean Boltz., 2015.
Unauthorized access to or modification or disclosure of digital evidence
Louis. A., 2010
Jean Boltz.,
Information leakage (extraction of loss of
2015.
valuable or private information)
Noor. H. et al., 2007
Peltier. T.
Unauthorized exploitation of intellectual
R., 2012.
property (IP)(example : plagiarism, etc.)
Rahul Singh., 2015
Jean Boltz., 2015.
Widespread unauthorized and uncontrolled used of portable devise and transportable computer media.
Rahul Singh., 2015
Nik. Z. et al, 2014.
Identify theft of personal data or Information.
Rai Kaplan., 2005
Sandelowski.
System error and failures
M., 2013.
Suit & Han., 2008
Tim. M et al., 2015.
Loss, damage or destruction of digital evidence in the organization.
Another key element that contributes to SoE attack risks is vulnerability. Vulnerabilities refer to the weaknesses of a safeguard in an asset that make a threat potentially more harmful (can be exploited), more likely to occur, or more likely to occur more frequently. There are twelve (12) common SoE attack risks of vulnerabilities identified from the literature. Vulnerabilities such as user system accounts are not used
insufficient backup, disorganized organizational staff, complex information
Table 2.5: Literature reviewof the risk of SoE attacking vulnerabilities
Literature references
SoE attacking risks of vulnerabilities
item
Nina Godbole., 2017
Rahul Singh., 2015
Noor.
User system accounts not is use.
H. et al, 2010.
Nina Godbole 2017
Jean Boltz., 2015.
Insufficient backup.
Mohamed, N & Zakaria., 2013
Mark Merkow et al., 2015.
Disgruntled of organizational staff.
Nina Godbole 2017
Katharina. K. et al., 2015.
Complexity of information technology
and system.
Jean Boltz., 2015
K. Papadaki., 2015.
Lack of assets inventory management.
Jeb. W. et al., 2015.
Unreliable level of digital evidence protection.
Todd. F., 2016
Hinson. G., 2013.
Inadequate investment in appropriate SoE attacking risk control.
Dwyer. F., et al., 1999.
Lack of suitable control of digital evidence accessibility.
Conway. B.A., 2010
Inadequate controls and practices selection, implementation, performance measurement, monitoring or auditing.
Juhani. A. et al., 2013.
Abawajy, J., 2014.
Tim Bedford., 2015.
Inadequate information system auditing in the organization.
Bill. G. et al., 2016
Applegate., 2009.
Weak identifying processing and preserving digital evidence in a manner that is legally acceptable.
Brill. A. et al., 2013
Todd. F., 2016.
Insufficient enforcement of law.
However, another key element that contributes to SoE attack risks is management defeats in organizations. Management defeats refer to the weaknesses of a safeguard in an asset that organizations do not aware of, are more likely to occur, or are more likely to occur frequently. There are seven (7) common SoE attack risks of management defeats in organizations identified from the previous literature review. Management defeats in organizations include disgruntle of service provider staff, unaddress
Table 2.6: Literature on the risk of managingdefeats attacking the SoE in organizations
Literature references
SoE attacking risks of
management defeats in organization's item
Nina Godbole 2017
Christopher. H., 2018
Noor. H. et al, 2007.
Disgruntle of service provider staff.
Nina Godbole 2017
Hinson. G., 2013
Jean Boltz., 2015.
Unaddressed service provider's responsibility for information security and confidentiality in the contract.
Nina Godbole 2017
Gerben. S. et al., 2015.
Staff negligent of service provider such as programmer, technical architecture, tester and manager.
Hartini. S., 2013
Joseph. F. et al., 2016.
Service provider exploitation control weakness in the processes.
Rahul Singh, 2015
Jean Boltz., 2015
Nik. Z. et al., 2010.
Disgruntled or untrained or ignorant employees who make genuine mistake.
Rahul Singh., 2015
Lack of suitable management and control over the user password.
Hinson G, 2013.
Todd. F., 2016
Posey. C. et al., 2015.
Unorganized access control and privilege on user application account.
However, other key elements that contribute to the risk of an SoE attack are unexpected changes in management. Unexpected change in management refers to rapid change in organizations in which employees sometimes feel difficult to adopt and this type of activity comes from a service provider. There are nine (9) common SoE attack risks of unexpected changes in management identified from the literature. Unexpected changes in management, such as loss of confidentiality of classification information,
Table 2.7: Literature on the risk of unexpected changein management resulting from SoE attacks
Literature references
SoE attacking risks of unexpected change in the management's item
Rahul Singh, 2015
Nik. Z. et al., 2016
Noor. H. et al., 2010.
Loss of confidentiality of classification information.
Rahul Singh, 2015
Jean Boltz., 2015.
Lack of business continuity plan management.
Noor. H. et at., 2010.
Frequently change in business policies.
Nina Godbole., 2017
Jean Boltz., 2015
Noor. H. et al, 2010.
Insufficient attention to human factors of SoE attacks in design implementation.
Jean Boltz., 2015
Nik. Z. et al, 2018.
Lack of information assets owners responsibility.
Nina Godbole, 2017
Noor. H., et al, 2007
Hinson G, 2012.
Unethical competitors (trade secrets, customer list etc).
Todd. F., 2016
Hinson G, 2016
Nik. Z. et al., 2019.
Severely affect the business survivability of organization.
Nina Godbole, 2017
Nik. Z. et al., 2010
Nina Godbole., 2017.
Directly exploit control weakness in the systems.
Rahul Singh, 2015
Jean Boltz., 2015
Nina Godbole., 2017.
Lack of security training and awareness regarding SoE attacks
Thus far, another key element that contributes to SoE attack risks is digital evidence. Digital evidence refers to electronic evidence. The main target of SoE attackers is to collect data or information, which is organizational digital evidence and server data or organizational computer data. Therefore, organizational digital evidence is an asset, and a loss of assets means that an organization is at risk. There have been six (6) Common SoE attack risk of digital evidence identified from the pre
Table 2.8: Literature on the riskof managing defeats attacking the SoE in organizations
Literature references
SoE attacking risks of digital evidence item
Sundresan Perumal,2009
Rahul Singh, 2015
Hinson G, 2012
Nik. Z.et al., 2016
Suci et al., 2017.
Legal activity and documentation.
Sundresan Perumal, 2009
Suci et al., 2017
Digital documentation of policy and procedure.
Siti Rahayu et al., 2008
Suci et al., 2017.
Organization policy of employee online information update.
Siti Rahayu et a l., 2008
Jean Bolt z., 2015
Suci et al., 2017.
Digital Evidence must be preserved and hold up according in court Evidence Act.
Siti Rahayu et al., 2008
Jean Boltz., 2015
Suci et al., 2017.
Organizational perception of Evidence Act.
Mustaruddin et al., 2010
Jean Boltz., 2015
Suci et al., 2017.
Digital Evidence perception for risk Management importance for SoE attacking risk control.
Around the globe, SoE attacks such as phishing, spam, intrusion, Trojan horse malware, sabotage of disgruntled employees and stealing data for monetary gains are not uncommon. A survey of 2506 organizations conducted by the Federal Bureau of Investigation (FBI) revealed that in the U.S.A. alone, social engineering attacks and similar crimes cost U.S. businesses a staggering U.S. 57.2 billion a year. This trend is similar in Malaysia, where the number of cases reported to their respective Interna
Moreover, the information security incidents reported to the China in CERT in 2017 were SoE attacks, such as phishing, trojan horse malware, SMS spoofing attack vectors, wireless access point attack, vectors, and third-party modules, which represented 11668, 2293, 1329, 1197 and 1157, respectively.
Various organizations should be able to manage and control the aggressive growth of these risk incidents related to SoE attacks to minimize the losses of digital evidence. Therefore, highlighting the risk of SoE attacks in various types of organizations is necessary to evaluate and manage them effectively. However, there is still a significant gap in the research investigating SoE attack risks in organizations.
As mentioned earlier, the organization consists of five main phases. The first phase is the analysis of decisions inside the organization. This step concerns the decision of whether to consider the possibility of an SoE attacking risk. Confidentiality, integrity and availability are the three key concepts of information security requirements that prevent SoE attacks. Therefore, SoE attack risk studies are the domain of study in the area of information security. Therefore, confidentiality, integr
The second phase involves the selection of the service provider. It is important to select the service provider who may emphasize SoE attack risk management and who can provide a secure environment for their clients. Hence, the confidentiality, integrity and availability of risks to the organization's digital evidence sufficiently managed the prevention technique of SoE attacks. Additionally, the organization should monitor the service provider's activities to have better control of SoE attack r
Consideration of SoE attack risks comprises five phases of organizational activities, which is relevant because the validation of these activities has been confirmed by previous studies. From the extensive literature review, key principles of information security (CIA) were used to categorize the nature of SoE attack risk, which are classified as digital evidence confidentiality of SoE attack risks, and digital evidence integrity of SoE attack risks and digital evidence availability of SoE attac
Table 2.9: SoE attack risks based on the confidentiality,integrity and availability (CIA) concept.
Nature of risks
SoE attacking risks
Confidentiality
Organizational digital evidence leakage.
Confidentiality
Extraction of loss of valuable or private information (Businesses Records and client's profiles).
Nature of risks
SoE attacking risks
Confidentiality
Introduction of unauthorized or malicious software through the widespread unauthorized and uncontrolled use of portable devices and transportable computer media.
Availability, Integrity
Severely affect the business survivability of organization due to lack of BCM and DRP
Availability, Integrity
Poor SoE attack studies, risk assessment practice or excessive or otherwise inadequate controls and practices selection.
Confidentiality
Unauthorized exploitation of intellectual property (IP) including plagiarism.
Availability, Integrity
Disruption of organizational routines and processes with consequent interruption to trading capabilities, loss of income.
Confidentiality, Availability
Direct information loss through information theft and fraud (devaluation of organizational image).
Availability, Integrity
Loss of confidence in IT, seeding doubts and holding back valid commercial or noncommercial exploitation of IT.
Confidentiality, Integrity
Loss of competitive advantage.
The International Organization of Standardization (ISO) defines information confidentiality as ensuring that information is accessible only to those authorized to access. The confidentiality of information, also called the 'confidentiality bubble,' restricts information flow, with both positive and negative consequences. In the case of SoE attacks, risks such as selected threats or vulnerabilities may contribute to digital evidence confidentiality risks. For example, in social engineering attack
In information security, integrity means that data or information cannot be modified without authorization. Information integrity issues or incidents usually occur when unauthorized users delete or modify important data files, when a trojan horse malware infects a computer, when unauthorized users vandalize a website, or when someone is able to cast a very large number of votes in an online poll. The integrity of data or information in an organization requires serious monitoring, as the parties
For an information system to serve its purpose, digital evidence must be immediately available when needed. This means that the computing system or mobile device used to store and process digital evidence, the security control used to protect it, and the communication channels used to access it must function at optimum levels. High -availability systems aim to maintain function at all times, preventing service disruptions due to power outages, hardware failures and system upgrades. Information a
Table 2.10: Shows common SoE attack risksduring organizational activities.
References
SoE attacking risks
Phases in the organization
Algarni, et al., 2017
Amanda. A. et al., 2003
Georg. D., 2014.
Information leakage, poor SoE attacking risks study.
Analysis of decision in the organization.
Heidi. W. et al., 2016
Marian, C. et al., 2017
Todd. F., 2016)
Veiga. A.
Unauthorized exploitation of intellectual property rights (IPR).
Selection of service provider.
etal., 2009.
Applegate, et al., (2009)
digital evidence leakage.
Contract Management.
Juhani. A. et al., 2013
Hinson. G., 2011.
Heidi. W. et al., 2014
Environmental Disaster, digital evidence leakage.
On-Going Monitoring.
Hawkins. S. et al., 2000
Bill. G. et al., 2016.
Risk and management have been studied in a variety of fields, such as insurance, economics, management, medicine, and operation research and engineering. Each field addresses risk in a fashion relevant to its object of analysis and adopts a particular perspective. Hence, the literature reveals several conceptualizations of risk and risk management applications. These multiple perspectives, which are relevant to the study of risk in organizations, are summarized in Table 2.11.
Table 2.11: Summarization of the organizations
Reference
Description
Risk Perspective
Ayesha. M. et al., 2013)
Lund. S. et al., 2015.
Risks are the multiple undesirable events that may occur in organizations
Risk as an undesirable event
This perspective is widely used in many fields of studies.
Duff.A., 2007
Ana.
Insurance adopts this perspective and uses mortality tables to estimate probabilities. In this context, a "good risk" will be a person with a low probability of during within a given period (and hence, for the insurance company, a low probability of having to pay a compensation) and a "bad risk" would be a person with a high
Risk as a probability function
F. et al., 2016.
probability of dying within the period.
Aubert. et al., 2015
Bill. G. et al,.2016.
Finance adopts a different perspective of risk, where risk is equated to the variance of the distribution of outcomes. The extent of the variability in results (whether positive or negative) is the measure of risk. Risk management means arbitrating between risk and returns.
Risk as variance
Christopher. H., 2013.
Car insurance adopt a perspective of risk as expected loss, they define risk as the product of two function: a loss function and a probability function.
Risk as expected loss
Basically, risk management is an activity directed toward assessing, mitigating and monitoring risks. Risk management helps to answer questions such as whether passing on the new database upgrade will increase changes in being hacked. The need to implement a secure email system, and whether to purchase the latest intrusion-detection technology will reduce the likelihood that web servers will be successfully attacked. Furthermore, risk management helps prioritize issues. Prioritization helps dete
Since the early days of information security risk studies in the late 1990s, there has been explosive growth in the development of frameworks, methodologies, management studies and standards to safeguard digital evidence. Although SoE attacking risks is the domain of study in information security risk. Therefore, managing risk is the basic precept for managing SoE attack risks. Securing management should be part of the agency's overall risk management. These findings point to the need for approp
The management of prevention techniques for SoE attacks in organizations must approach maintaining the confidentiality, availability, integrity, nonrepudiation, accountability, authenticity and reliability of organizational systems. Commonly, information might be improperly disclosed because its confidentiality could be exposed or modified in an inappropriate way because its integrity could be jeopardized and destroyed or lost because its availability could be threatened. Risk management and ana
In sum, risk management for the prevention of SoE attacks is a concept in which a systematic approach is used to control SoE attack risk and develop an appropriate protection strategy as a major component of protecting digital evidence.
At present, numerous comprehensive prevention techniques for SoE attack risk guides integrating various approaches have been developed to encourage best practices of risk management for the prevention of SoE attacks and to ensure that digital evidence remains secure. The available risk management practices for preventing SoE attacks, methodologies and analysis approaches are either qualitative or quantitative in nature. These methodologies have the common goal of estimating overall risk. The ris
Another initiative is to strengthen ICT security management. The guideline emphasizes information security risk assessment steps to identify and evaluate information security risks for self - -development or in -house organization implementation. These guidelines have also been used to assess information security risk levels in government agencies through organizations' high-level risk assessments. Even though the guidelines are considered comprehensive, they concern more in - -house development
Furthermore, an appropriate framework for preventing SoE attacks on risk management is needed. Currently, addressing specific SoE attack risks is considered crucial. Thus, different risk factors could arise, and the proposed framework would differ from those preceding it. Other related risk assessment approaches and tools used to manage information security risks include historical analysis, event tree analysis, failure mode and effect analysis, probabilistic risk assessment, human error analysi
Table 2.12: Information Security Risk Management Concepts, Methodologies and Approaches
References
Description
Related Risk Management Methodology
and Approach
Algarni, A. et al., 2017.
Approach concentrates on assets, threats and vulnerabilities.
OCTAVE
Peltier. T., 2012.
Integration of risk management and systems development process as one of the pillars to focus on lies on the tight integration of viewpoint oriented UML - like modeling in
CORAS
risk management process.
Mohamed, N. et al.,
Security based model applying a quantitative approach to risk analysis that allows for participation of the management and staff of the organization but does not use techniques such as single occurrence losses (SOL) or annual loss expectancy (ALE).
Information Security Risk Analysis Methodology (ISRAM)
2013.
Louis. A., 2010.
Risk Model uses data collection on threat function and assets and vulnerabilities of the function and assets to the threats to calculate the consequences, which are the loses due to the occurrences of the threats.
Cost-of-Risk
Analysis (CORA)
Clif Ericson, 2016.
Translation of the failure behavior of a physical system into a visual diagram and logic model. Event trees, attack trees and
Event Tree Analysis
fault trees.
Clif Ericson. 2016.
Examines frequency of past incidents to determine the probability of recurrence.
Historical Analysis
Marian, C. et al., 2017.
Studies the possible impact of human error and intervention.
Human error analysis
References
Description
Related Risk Management Methodology
and Approach
Nik. Z.et al., 2018
Tim Bed ford., 2016.
Investigates the probability that a combination of events will lead to a particular condition (Quantitative Risk Analysis, originated from across space program, 1960s)
Probabilistic Risk Assessment
Sumner, M., 2011
Peltier,
Examines each potential failure condition in the system to determine the severity of the impact.
Failure Model and effect
T., 2016.
analysis
Nik. Z. et al., 2018.
Examines process and engineering intentions to access the potential hazards (Risk) that can arise from deviation in design specifications.
HAZOP (Hazard and operability)
Suit & Han., 2008.
Defines assets value, based the analysis on its replacement cost and measures the tangible assets value from the viewpoint of
Information System (IS) analysis based on a business model.
operational continuity.
Malaysian Cyber Security., 2019.
Malaysian organization Risk Assessment guideline and methodologies focuses on ICT security, vulnerabilities, threats and safeguards for information assets in the organization.
Malaysian Cyber Security
National Library of Malaysia., 2019.
Malaysian Public Sector Information Security High level Risk Assessment
HiLRA
A review of several related information security standards and guidelines available in the industry provides ideas on how to develop a dedicated information security risk management framework for the prevention technique of SoE attacks, for organizations. For example, the standards and guidelines for risk management and analysis for security management extensively described in the ISO/IEC 27000 Series and ISO/IEC 27005 provide insight into information security risk management. It supports the ge
Researchers have claimed that information security is an organization's approach to maintaining the confidentiality, availability, accountability, integrity, nonrepudiation, accountability, authenticity and reliability of its IT/ICT system Moreover, identifying and analyzing risk factors for SoE attacks are key components of a security management plan for preventing SoE attacks. Risk management of SoE attacks relies on an information security risk management strategy to ensure that digital evide
Table 2.13: Information Security Management Standards and Guidelines.
References
Description
Information
Security Management Standards or
Guidelines
Mohamed. G. et al., 2016.
Information Security as a combination of people, process and technology.
ISO 27001 (Global Standard)
Neeta. S. et al., 2016
Malaysian Cyber Security, 2019
Parker.
Overview and vocabulary: Information Technology Secure technique -Information security management Systems.
ISO/IEC 27007
(Global Standard)
D., 2017.
References
Description
Information
Security Management Standards or
Guidelines
MAMPU., 2018.
Part1: Concepts and models for information and communication technology security management (Descriptions of the major security elements and their relationships that are involved in ICT security management) Current revised title is BS ISO/IEC 13335-1
ISO/IEC 13335-1
GMITS (Global Standard)
Malaysian Cyber Security, 2018
Part 2: Information Security Risk Management (Standards originally from Switzerland. Currently widely user Current revised title is ISO/IEC 27005
ISO/IEC 13335-2
GMITS (Global Standard)
Christopher. H., 2018.
Malaysian Cyber Security.,
Guidelines of the Management of IT Security Part 3: Techniques for the
ISO/IEC 13335-3
GMITS (Global Standard)
2018
Christopher. H., 2018.
management of IT Security.
MAMPU, 2018
Guidelines for the management of IT Security Part 4: Selection of safeguards. Current revised title is ISO/IEC 13335-4
ISO/IEC 13335-4
Christopher. H., 2015.
GMITS (Global Standard)
Malaysian Cyber Security, 2018
Cooke. M.
Guidelines for the management of IT Security Part 5: Management Guideline on Network Security. Currently revised title is ISO/IEC TR 13335-5
ISO/IEC 13335-5
GMITS (Global Standards)
et al., 2017.
Eloff, M. et al., 2014.
Guidelines for the management of Trusted Third Parties Services. Current revised title is ISO/IEC TR 14516
ISO-IEC 14516
(Global Standard)
Appin Security Group., 2017.
Information technology security technique. Code of practices for Information Security Management (Origin British Standard BS 7799) Current revised title is ISO/IEC 17799:2000 Malaysia Standards MS ISO
BS 7799 (ISO IEC 17799:2000)-
Organization/Nation
17799
Malaysian Cyber Security, 2018
Malaysian organization Management of Information and communication technology Security Guideline and methodologies.
Malaysian Cyber Security
Common digital evidence
Digital evidence characteristics
Common digital evidence
Appin Security Group., 2017.
IT intrusion detection framework (computer technology, Data Security, Data storage protection, safety measures, Data processing, Information exchange, Data transmission, Risk management Current revised title is ISO/IEC TR 15947
ISO/IEC
15947 (Domain Specific
Malaysian Cyber Security, 2018
Ana. F. et al., 2016.
Information technology security techniques. Information security programmed for financial service industry. Policies, organizations and the structural, legal and regulation components. Selection and implementation of security controls.
ISO/TR
13569 (Domain Specific)
Elements required to manage information security risk. Currently revised title is ISO/TR 13569
Jean Boltz., 2016.
Site/web security Handbook Guide to developing computer security policies and procedures for sites that have systems on the internet. Provide practical guidance to administrators trying to secure them information and services. Web security Risk Assessment or Analysis.
IETF RFC
2196 (Domain Specific
Through robust understanding of the current standards and guidelines, this research attempts to establish contexts and findings that are globally and nationally acceptable. Social engineering is the context of the area of information security. The purpose of SoE attacks is to obtain confidential digital evidence from the system. However, the concept of risk management for preventing SoE attacks relies on a systematic approach in which information security risks are assessed for SoE attacks, so t
Table 2.14: Highlights the basic concepts of risk management for preventing SoE attacks.
References
Description
Risk Management approach for the prevention technique of
SoE attacks
Rahul Singh., 2015
Nina Godbole., 2017.
A process of identifying
Risk identification
the risk to the system's security.
Rahul Singh., 2015 Nik.
A process of determining the probability of occurrences, the resulting impact and additional safeguards that would
Risk Analysis
Z. et al., 2018
Peltier, T., 2016
mitigate impact.
Nina Godbole., 2017
Georg. D., 2014
Jean Boltz., 2015.
Countermeasure that reduce risks associated with specific threats (risks reduction, assignment and transference, avoidance or acceptance).
Risk Response
References
Description
Risk Management approach for the prevention technique of
SoE attacks
Nina Godbole., 2017
Jean Boltz., 2015.
Maintenance of records of incidents, identification new risks and determining if any of the known risks have changed, control and countermeasure effectiveness, compliance with standards and regulations, providing vulnerabilities and incident alters, maintaining the risk management plan.
Risk Monitoring
Identification of risks involves the SoE attack risk of digital evidence valuation, the SoE attack risk of threat analysis and the SoE attack risk of vulnerability assessment. The basic elements required to determine the value of an element required to determine the value of an SoE attack risk of digital evidence are the initial and organizational values. Digital evidence valuation facilities analyze and support management decisions regarding the selection of appropriate safeguards. Identificati
One of the key stages in the expert elicitation process is the definition of the problem or issue to be judged. For the purpose of the confirmatory study, the objectives to be achieved were defined as follows:
To collect, combine, and synthesize expert opinions regarding the acceptability of the proposed framework in general organization practices.
To collect, combine and synthesize expert opinions regarding the applicability of the proposed framework in managing SoE attack risk for the organization.
A unique evaluation form was then created to enable the experts to assess the framework and meet the stated objectives. To increase the reliability of the confirmatory study, the expert judgment method was adopted, thus making the identification of appropriate knowledgeable experts to validate the framework components, mandatory. The main criterion for selection was that these personnel have responsibilities and experience in dealing with the organization and SoE attack risk management practices
Despite the number of years of experience, educational background, cognitive skills, and criteria to be integrated together in the selection process, none of the criteria are considered disqualifiers of expertise, as expertise is an integrated summation of the characteristics (criteria) described. For the purpose of this study, three (3) trials were selected to verify and validate the framework components.
Table 2.15: Characteristics ofthe experts involved in the confirmatory study
Expert Characteristics Appropriate to validate and verity the framework applicability and acceptability
Expert Characteristics
21 years of experience Information Security Professional Certification (CISSP), Master Degree, Chief Information Security Consultant, senior
Domain Knowledge:
Years of experience
Education Background
Manager, Certified Professional or specialist
Designation Level
Knowledge and technical skill about SoE attacking risk and risk management.
Cognitive Skills
Ability to differentiate usefulness of data
Expert possess decision making and consulting roles
Decision Strategies
Similar interests in research subject (SARM) for the organization.
Expert-Task Congruence
Appropriate expertise for discipline specific task
However, the risk management practices for preventing SoE attacks, as suggested and described by other researchers. The SoE is the domain of study in information security. Therefore, it is necessary to review the previous literature to understand information security risk management. However, the gap in the literature is attributed to the fact that most of the researchers who address SoE attack risks are isolated, and only a small number of researchers have produced a structured approach and ste
In addition to the risk management practices for SoE attacks, the literature has identified digital evidence involved in such organizations. However, studies on the security requirement levels for these digital evidence sets still pose several questions. The classification of digital evidence security requirements in each organizational activity still needs to be determined clearly based on the core principles for the prevention technique of SoE attacks. Here, information security experts and se
In sum, a review of the literature highlights the scarcity of research on risk management for preventing SoE attacks in organizations. The aim of the study thus, is also to contribute to the literature, specifically, to the work on providing guidelines for managing risks in organizations. The focus of the literature that has helped to construct the framework has been the conceptual theories of SoE attack risks, the general concept of digital evidence, risk management fundamentals and information
Chapter Three Framework Methodology: Processing Data and Threat Landscapes
3.1. Overview of framework methodology
3.2. Theoretical study
3.3. SoE attack risks of threats and vulnerability effects on digital evidence
3.4. Questionnaire Design
3.5. Pilot Study Results Summary
3.6. Empirical Study
3.7. Conceptual Framework
3.8. Exploratory Study
3.9. Framework Development
The methodology refers to the manner in which researchers conduct the work. Several methods (such as survey, and experimental methods) are deployed around the world to create new knowledge in specific fields. The three generic research methods are qualitative, quantitative and hybrid or mixed. Qualitative research refers to the what, why, When and how the phenomenon works, while qualitative research refers to how researchers quantify the research subject. Qualitative methods rely on the meaning
The key objective of the mixed methodology was to explore supporting evidence for the development of a framework for the management of risk regarding the prevention technique of SoE attacks in organizations. The study approach involved five phases theoretical, empirical, exploratory, framework development and confirmatory. In each phase, the activities involved in the research process were described. This chapter explains each of the phases and activities involved in this mixed methods approach.
Table 3.1: Study activities and objectives.
Objective 4
Objective 3
Objective 2
Objective 1
To develop
To integrate
To analyze SoE
To identify
Research
Objectives
information
SoE attacking
various SoE
security
risks with SoE
attacking risks
attacking risks.
framework for
attacking risk
in various
the prevention
management
organization
technique of
for developing
such
SoE attacks
of information
as healthcare,
through expert
security
banking
judgment.
framework for
, education and
the prevention
government
technique of
agencies.
SoE attacks.
Confirmatory Study
Framework Development
Exploratory Study
Empirical Study
Theoretical
Study
Verify the
Compile and
Identify the
Identify
Information
proposed
consolidate
risk
Research
gathering
framework
empirical and
management
Construct
through expert
exploratory
practice for
and
judgment.
findings.
the
attributes
prevention
technique of SoE attacks in the organizations
Confirmatory Study
Framework Development
Exploratory Study
Empirical Study
Theoretical
Study
Conclude
Identify
Semi
Conduct
Identify
Research
confirmatory
components
structured
statistical
related
activity
findings.
of proposed
way was
analysis
theoretical
framework.
used.
aspect and
concept of
the study.
Develop
To access and
Conclude
Design Data
proposed
analyze
empirical
collection
framework.
organizational
findings.
tools.
risk management
To integrate
SoE attacking
risks with risk
management
practices for
develop information security framework
Conclude exploratory findings.
The study methodology involved data collection and data analysis methods and activities. A detailed explanation of each method and technique is included in the next section. As the study deployed quantitative and qualitative methods, the quantitative approach was first used to measure and describe connections and variables on a specific scale to enable the testing of specific hypotheses. Subsequently, a qualitative approach, which concerns human phenomena and seeks to uncover the meaning that pe
/
Figure 3.1: Provides an overview ofthe methodology adopted for the study.
Theoretical Study:
1. Literature review of the theoretical background and fundamental concepts.
2. Questionnaire design and plot study.
Empirical Study:
1. The questionnaire was distributed to 384 respondents from various organizations, such as banking sectors, healthcare centers, education sectors and government agencies.
2. Empirical analysis (SoE attack risks, SoE attack risk management practices).
Explore further empirical results:
1. Hypothesis testing and other relevant statistical testing.
2. Analysis (Results and Findings)
Exploratory Study:
1. A semi-structured approach was used to reveal relevant information.
To identify the SoE attack risk management practices in the organization.
Framework development
1. Reanalyze the results from previous findings (empirical and exploratory)
2. Identify the framework's components.
3. A critical review of existing theories, models, frameworks and related documents is still needed.
4. Draft framework for confirmatory study.
Confirmatory Study through Expert Judgment:
1. Framework validation by experts in related fields.
2. Verify the reliability and acceptability of the framework.
A theoretical study defines the fundamental theories and key concepts of the framework as well as the variables and components involved in the study. This phase involved the gathering of information related to the research areas organizations such as banking sectors, education sectors, and healthcare sectors
and government agencies. SoE attack risks and risk management practices for preventing SoE attacks in organizations. This theoretical study focuses on the relevant literature to determine t
Table 3.2: Theoretical Study Phase: Study Approach.
Results(output)
Research
Input
Approach (process)
Literature review summary.
Review related area to study.
Article, Books, Journals, Conference Proceeding, Magazine, News, Online Database Journal, ISO Standard Guidelines, Research Article.
Established area of research.
Access online journal database.
Theoretical foundation and key concept of study.
Identify issues in the knowledge research areas.
Pilot questionnaire.
Identify knowledge gap of the study.
Design questionnaire for pilot study.
Results(output)
Input
Research
Approach (process)
Refined questionnaire (validated)
Validate pilot questionnaire through Expert -Judgment approach.
Pilot questionnaire.
Reliability Test.
This research begins with an extensive literature review of relevant articles, theories and concepts from three interrelated knowledge sources. A review of published documents was performed to better identify the knowledge gap. The conceptual study focused on three knowledge areas, organizational activity, social engineering attack risks and risk management practices, for the prevention of SoE attacks. Other related concepts and theories were also reviewed as supplementary support for the theore
The theoretical framework reflects the position and gives direction to the study. The model used in a previous study. may have been adopted. These modifications are appropriate for the inquiry. In addition to providing the direction of the study, through the theoretical framework, the researcher is able to show the relationships among the different constructs to be investigated. Generally, the theoretical framework was developed to structure and organize several theories and concepts related to
Beyond the principle of basic security fundamentals, the concept of risk management is the most important and complex part of SoE attacks and risk management in the information security domain. Risk management for preventing SoE attacks is primarily concerned with the risk of SoE attack threats and vulnerabilities that can affect digital evidence. The SoE attack risk of threats refers to any natural or manmade circumstances or events that could have an adverse or undesirable impact on organizati
The threats and vulnerabilities of SoE attack risks have a great influence on the organization. This could occur because service providers may not reveal the proper identity of their services that could contribute to the risk of contracting SoE. Digital evidence may be tangible, such as computer data, software and records, or intangible, such as privacy, access, public image and ethics, and may likewise have tangible value (purchase price) or intangible value (competitive advantage). Therefore,
As a matter of the principle of basic security fundamentals, the concepts of risk management are the most important and complex part of SoE attacks and risk management in the information security domain. Risk management for the prevention technique of SoE is primarily concerned with the risk of SoE attacking management defects and the risk of SoE attacking unexpected changes in management, influencing the risk of SoE attacking digital evidence. Apart from the risk of the threat and vulnerability
As a matter of the principle of basic security fundamentals, the concepts of risk management are the most important and complex part of SoE attacks and risk management in the information security domain. Risk management for the prevention technique of SoE is primarily concerned with the risk of SoE attacking management defects and the risk of SoE attacking unexpected changes in management, influencing the risk of SoE attacking digital evidence. Apart from the risk of the threat and vulnerability
The basic security fundamentals, the concepts of the SoE attack risk of threats, the SoE attack risk of vulnerability, the SoE attack risk of management defeats in the organization and the SoE attack risk of unexpected change in management are the most common SoE attack risks in the information security domain and have a great influence on the SoE attack risk of digital evidence. Risk management for the prevention technique of SoE attacks the primary concern of protecting digital evidence as an
The risk management plan for preventing SoE attacks is another vital concept on which the study is based. This concept requires practitioners to integrate risk identification of SoE attacks and analysis results to format an appropriate management plan for the prevention technique of SoE attacks to monitor risks. Moreover, rigorous standards and guidelines such as the ISO/IEC 27000 series are used as a reference source for formulate an internationally acceptable management plan for preventing SoE
Based on the concepts and theoretical foundations, literature review and research questions, however, the questionnaire of the constructs proposed in this study was developed through expert judgment. The constructs and attributes in the questionnaire were also tested using a reliability test.
Figure 3.2: Development of thequestionnaire for the purpose of this study.
/
Figure: 3.2: Data collection tool (questionnaire) design flow
Two Subject Matter Experts (SMEs) were appointed to validate the questionnaire constructs, one being an academic expert (PhD) and the other being a manager in the organization (with more than 7 years of experience in the organization). Based on the comments and suggestions of the SMEs, improvements were made to the entire questionnaire, which was further reviewed and verified by the experts before distribution. Figure 3.3 shows the structure and overview of the questionnaire content.
/
Figure 3.3: Overview structure and content of the questionnaire
A refined questionnaire was distributed to investigate the factors that influence the practice of preventing SoE attack risks and to assess SoE attack risk management practices as well as digital evidence security requirements in the organization.
A pilot study was conducted to test the validity and reliability of the constructs and attributes of the questionnaire and validate the respondents' understanding of the content of the questionnaires. A total of 89 questionnaires were distributed to various organizational sectors. Of these, 30 were returned, and their data were analyzed. The participants were informed of the objectives of the pilot study which were to assess the quality of the questionnaire, thus highlighting the importance of t
Hence, within these four organizations, the male and female response rates were 54% and 46%, respectively. Considering the respondent ages, 26 to 30, years, 13% of the respondents were aged 31 to 35 years, 23% were aged between 36 and 40 years, 20% were aged between 41 and 50 years, 36% were aged between 46 and 50 years, 5% were aged at 5%, and 3% were aged older than 50 years. When considering personal working experience, it was observed that 36% of the participants had less than 5 years of wor
However, the respondents' experience with SoE attacks was considered. The first question asked about suspicious calls or phone calls. Overall, 24% of them had this type of experience and 76% of them did not have this type of experience. Again, the participants were asked about any unexpected mail received regarding organization information or lottery prizes. It was observed that 20% of the employees had this type of experience, while 80% did not. However, employees were asked whether any unautho
The pilot study focused particularly on the most common SoE attack risks, such as the SoE attack risk of threats, the SoE attack risk of vulnerabilities, the SoE attack risk of management defeats in organizations, the SoE attack risk of unexpected changes in management, and the SoE attack risk of digital evidence. There are ten (10) SoE attack risks of threat, twelve (12) SoE attack risks of vulnerabilities, seven (7) SoE attack risk of management defects in the organization, nine (9) SoE attack
Table 3.3: Reliability test of the risk factorsassociated with SoE attacks (pilot study)
N
Cronbach's Alpha value
Items
SoE attacking Risks
30
0.943
10
SoE attacking risk of threats
30
0.924
12
SoE attacking risk of vulnerabilities
30
0.910
7
SoE attacking risk of management defeats in
organization
30
0.920
9
SoE attacking risk of unexpected changes in
management
30
0.950
6
SoE attacking risk of digital evidence
Note: Items - Numbers of variables, N -Total Number of Respondents
The pilot study also focused on risk management practices for the prevention technique of SoE attacks in the organizations. The SoE attack risk of threats and the SoE attack risk of vulnerabilities influence the SoE attack risk of management defeats in organizations, and the SoE attack risk of unexpected changes in management these two constructs influence the SoE attack risk of digital evidence, and digital evidence influences risk management practices. Cronbach's alpha coefficient was used to
Table 3.4: RMs for preventing SoE attacks in the organizationsaccording to the constructed reliability test.
N
Cronbach's Alpha value
Items
Risk Management Practices for the Prevention Technique of SoE attacks in the organizations
30
0.943
10
Risk management practice for SoE attacks
Note: Items - Numbers of variables, N -Total Number of Respondents
The pilot study also focused on organizational activities. For the research data collection, four organizations were selected for data collection. The SoE attack risk of threats and the SoE attack risk of vulnerabilities influence the SoE attack risk of management defeats in organizations, and the SoE attack risk of unexpected changes in management and the SoE attack risk of digital evidence influence risk management practices. Finally, risk management practices influence organizational activiti
Table 3.5: Organizational activity reliability test.
N
Cronbach's Alpha value
Items
Organizational Activities
30
0.833
6
Organizational Activities
Note: Items - Numbers of variables, N -Total Number of Respondents
Based on the questionnaire survey, an empirical study is eminently suited for investigating SoE attack risks and the risk management practices for preventing SoE attacks in organizations. Analysis of the data was conducted using Smart PLS 4, which led to the following conclusions. The explanations of the research approach and results of the empirical study phase are summarized in Table 3.6.
Table 3.6: The empirical phase research approach
Results (Output)
Research Approach (Process)
Input
143 - respondent data valid for data analysis.
Distributed to 384 sample population by using purposive sampling
Refined Questionnaire
SoE attacking risks ranking in the organization.
Conduct an appropriate statistical analysis.
Valid data- for Analysis
SoE attacking risks analysis.
Risk management practices for the prevention technique of SoE attacks.
Primary data collection was conducted via the refined questionnaire. Selection of the 384- population sample was performed through the purposive sampling technique. This generated 143 - respondent data points to be analyzed to determine demographic information, SoE attack risk, and current risk management practices for preventing SoE attacks in organizations. A five- point Likert scale was used to measure these constructs. Additionally, the respondents' demographic profiles provided information
/
Figure 3.4: Data analysis using SmartPLS.
Figure 3.5 Data analysis using SmartPLs
The selection of the statistical analysis techniques was based on their ability to produce reliable and valid results. At the end of this phase, the researcher was able to analyze current risk management practices for preventing SoE attacks. Furthermore, the technique enabled the researcher to examine and explain the relationships among the variables in the study, as shown in Chapter 4 (Empirical Analysis and Discussion). To obtain a clearer picture of how the empirical analysis was conducted in
Table 3.7: Illustrates the empirical roadmap and analysis technique used to answer the research questions and realize the research objectives.
Research Objectives
Statistical Analysis Techniques
Research Questions
Research Objective 1: To identify various SoE attacking risks.
Use of percentages and frequency data to describe respondent's demographics
What is the results for descriptive analysis of the study?
and organization activities.
Research Objectives
Statistical Analysis Techniques
Research Questions
Research Objective 2 To analyze SoE attacking
Use Mean Score to rank SoE attacking risks criticalness.
What are the ranking of critical SoE attacking risks items in the organizations?
risks in various organization.
Research Objective 2 To analyze SoE attacking
Use Assessment of Measurement Model test for association among various SoE attacking risks in the organization. (H1- H6)
What are the significant characteristics associated with SoE attacking risks in the organizations?
risks in various organization.
Research Objective 3 To integrate SoE attacking risks with SoE attacking risk management for developing of information security framework for the prevention technique of SoE attacks.
Use Assessment of Structural Model test for association between SoE attacking risks and risk management practices for SoE attacks. (H6-H7)
What are the component of SoE attacking risk management?
Research Objective 2
Use Assessment of
What are the relationship of SoE attacking risk with
To analyze SoE attacking
Structural Model test for
risks in various organization.
association between SoE
Organizational Activities?
attacking risk of digital
evidence and risk
management practices.
(H6- H7)
Objective 3:
Use Assessment of Structural Model test for association between SoE attacking risk management and organizational activities. (H8-H9)
What are the relationship of risk management practice with Organizational Activities?
To integrate SoE attacking risks with SoE attacking risk management for developing of information security framework for the prevention technique of SoE attacks.
The conceptual framework was developed to conduct this study. These conceptual frameworks were developed to answer the research question and satisfy research objective 1 (identifying various SoE attack risks). Moreover, a conceptual framework was developed to satisfy research objective 2 (to analyze risk management practices for preventing SoE attacks in organizations) and objective 3 (to integrate SoE attack risks with SoE attack risk management to develop an information security framework for
The conceptual framework shown in Figure 3.6 was built based on a combination of several past studies as a single research model. Based on this conceptual framework, the researcher determined the most relevant basic idea of the framework. As previously described, reliability tests were also conducted for items associated with SoE attack risk. There were ten (10) SoE attack risks of threats and twelve (12) SoE attack risks of vulnerabilities, whereas the SoE attack risk of threats and the SoE att
/
Figure 3.5: Conceptual framework diagram of SoE attacks and prevention techniques in risk management-based solutions for organizations.
Essentially, the conceptual framework for SoE attack risk management for an organization consists of these main stages. Each stage consists of several processes and activities. To highlight the contributions of this study, different notations were used to represent the processes and activities involved in the framework. The highlighted areas indicate the original contributions, while the dotted boxes indicate the partial contributions of the processes. Details about the framework components and
A construct is a variable that is not directly observed, therefore, a measurement model is needed for each construct. In this research model, seven constructs (Vul, Thr, Mgt_d, Unxch, DE, R_M_P, and Org_Act) were measured by multiple items. All seven constructs are represented by arrows pointing from the construct to the indicators indicating a reflective measurement model. Each of these constructs is measured by multiple indicators. For instance, the endogenous construct Vul is measured by Vul1
H1: The risk of vulnerability to SoE attacks will have a significant effect on the risk of management defects in an organization.
H2: The risk of vulnerability to SoE attacks will have a significant effect on the risk of digital evidence being stolen.
H3: The risk of the SoE attacking a threat will have a significant effect on the risk of the SoE attacking management defects in the organization.
H4: The risk of an SoE attacking a threat will have a significant effect on the risk of an SoE attacking digital evidence.
H5: The risk of management defects in an organization being attacked by SoE will have a significant effect on the risk of unexpected changes in management.
H6: The risk of the SoE attacking an unexpected change in management will have a significant effect on the risk of the SoE attacking digital evidence.
H7: The risk of digital evidence attacking the SoE will have a significant effect on risk management practices for preventing SoE attacks.
H8: The risk of the SoE attacking digital evidence will have a significant effect on OAs.
H9: Risk management practices for preventing SoE attacks will have a significant effect on organizational activities.
/
Figure 3.6: Diagram showing the hypothesized relationships
The results of these hypothesis tests are discussed in chapter 4 (Empirical analysis and discussion). The purpose of the hypothesis was to understand whether risk management practices are important for preventing SoE attacks in organizations. The results of these hypothesis tests are discussed further in Chapter 4 (Empirical Analysis and discussion). Statistical analysis was used to test the associations among the variables. The descriptive analysis was a part of the empirical analysis. The surv
In the exploratory study phase, semi structured interviews were conducted with focus groups from eight (8) organizations. Questionnaires were distributed to the organization to investigate the wide experience with risk management practices for preventing SoE attacks. Then, comparisons were made among the organizations via a semi- structured approach with a questionnaire.
Table 3.8: Detailed explanations of the input, researchapproach and output in the exploratory study phase
Results (Output)
Study Approach (Process)
Input
Confirm existing risk factor for SoE attacks.
Content Analysis of semi structured way to reveal information.
Semi structured way was used.
Theme of risk management practices for the prevention technique of SoE attacks.
Identify theme of risk management practices for the prevention technique of SoE attacks.
High - level risk management for the prevention technique of
Compare result of focus group of semi structured way with empirical and
Conceptual study results, empirical study results, related documents or
SoE attacks in the framework component.
conceptual study supported with literature.
reports, past literature, current or best practices.
Identify similar and contradictory practices from empirical results and
exploratory study results.
The purpose of the semi structured approach was to further explore risk management practices for preventing SoE attacks in the organizations. A semi-structured way to gain deeper insight into organizational practices of risk management for SoE attacks. The findings on their similarities or differences were compared with the results from previous empirical studies as well as related issues and challenges. Three categories of nominal scales were used as indicators to classify the practices of risk
In the framework development phase, the conceptual study, empirical study and exploratory study results were used as a basis for developing the risk management framework for the prevention technique of SoE attacks with detailed components. Related work was also developed to improve the understanding of each detailed component of the framework.
Table 3.9: Framework development phase: Research approach
Results (components of the output)
Study Approach (process)
Input
Content Analysis of results in previous study phases.
SoE attacking risk factors and risk management practice for the prevention technique of SoE attacks in
the organizations.
Synthesize results of previous phases.
Refined High-level Framework from previous phases
Develop flow of practices managing SoE attacking risk in the organizations. Develop flow and steps managing SoE attacking risk in the organizations. Develop recommended worksheet that can be used together with the framework.
Both empirical and exploratory findings were used to provide supportive evidence to refine the high-level framework components. The results of the empirical analysis were used to complement the exploratory analysis results on current practices of risk management for the prevention technique of SoE attacks in organizations. As a result, core components were identified for the development of the risk management framework. In addition, empirical and exploratory findings and guidelines were used as
Table 3.10: Confirmatory phase study approach.
Results (Output)
Study Approach
Input
Verify framework with expert.
Review previous phases results. Review and compare related documents.
Related Documents, literature articles, proposed framework.
Assess past findings.
Validated framework.
In depth semi structured way was used with experts (expert judgment.
Proposed framework, Expert Knowledge and experiences.
Compile results of expert judgment (comments/ recommendations).
An experienced expert in the field of information security, management and practitioners was identified for the confirmatory study. Based on the empirical and exploratory study, organizations that were actively involved in these activities were considered the best subjects of the confirmatory study. For the purpose of this study, face validity was assessed through expert judgments. The expert judgment method has been defined as an expression of opinion, based on knowledge and experience, which m
Specifically, the use of an expert helps to incorporate experience and study results when models of the processes involved are incomplete or when there is no consensus as to the correct model to apply. Ensuring expert judgment depends on the expert's knowledge, experience and motivation a between the expert and analyst. However, the main reason for adopting the expert judgment method in this study was to complete, validate, interpret and integrate the findings to confirm the acceptability of the
/
Figure 3.7: Generic Expert Judgment Methods
Chapter Four Framework Alongside the Risk Management: "analyze SoE attack risks"
4.1. Data Analysis Strategies
4.2. Descriptive analysis
4.3. Reflective Measurement Analysis for the Study Model
4.4. Significance and relevance of the formative indicator for the model
4.5. Moderator variable for the Model
The authors reported on the data analysis and evaluated the results according to two research objectives: (1) to identify various SoE attack risks and (2) to analyze the SoE attack risks in various organizations. The analysis and discussion are presented in two parts. First, the chapter provides a descript summary of the demographic profile data, focusing on the presentation of percentage frequencies. Second, this chapter reports on the exploratory SoE attack risks conducted to achieve objective
Through purposive sampling, questionnaires were distributed to 384 respondents in various organizations, such as healthcare, education, banking and government agencies, who were directly involved in information and communication technology activities inside the organization. A total of 37% of the respondents (143 respondents) responded to the survey, and the following section provides a descriptive analysis of the respondents' demographic profiles obtained from the survey. The demographic profil
Table 4.1: Shows the results
Percentile
Cf
Rel f
f
Organizational name
100
143
0.18
26
Government agencies
81.33
117
0.24
35
Healthcare
Percentile
Cf
Rel f
f
Organizational name
57.15
82
0.32
46
Education
25.27
36
0.25
36
Banking
143
Total
Percentile
Cf
Rel f
f
Gender
100
143
0.44
63
Female
55.94
80
0.55
80
Male
143
Total
Percentile
Cf
Rel f
f
Age
100
143
0.17
25
&50 years
82.51
118
0.20
30
46- 50 years
61.53
88
0.16
24
36- 40 years
44.75
64
0.21
31
31-35 years
23.07
33
0.23
33
26-30 years
143
Total
Percentile
Cf
Rel f
f
Personal working experience
100
143
0.20
29
& 20 years
79.72
114
0.13
19
15-20 years
66.43
95
0.23
34
11-15 years
42.65
61
0.22
32
5 years
20.27
29
0.20
29
4 years
143
Total
Percentile
cf
Rel f
f
Experience of SoE attacks_1
100
143
0.42
61
No
57.34
82
0.57
82
Yes
143
Total
Percentile
cf
Rel f
f
Experience of SoE attacks_2
100
143
0.49
71
No
57.11
72
0.50
72
Yes
143
Total
Percentile
cf
Rel f
f
Experience of SoE attacks_3
100
143
0.35
51
No
64.33
92
0.69
92
Yes
143
Total
Percentile
cf
Rel f
f
Experience of SoE attacks_3
100
143
0.17
25
Block the mail
82.51
118
0.23
34
Contract with security expert
58.74
84
0.18
26
Delete the mail
Percentile
cf
Rel f
f
Experience of SoE attacks_3
40.55
58
0.22
26
Cancel the call
18.18
26
0.18
26
Block the number
143
Total
The level of SoE attack risk ranking and the questionnaire was administered to various organizations. The purpose is to determine the highest value of the ranking, to identify the highest SoE attack risk in the organization, which is relevant to research objective 2.
However, the SoE attack risks consist of
-SoE attacking risks of threats.
-SoE attack risks of vulnerabilities.
-SoE attacks the risks of management defects in the organization.
-SoE attacks the risks of unexpected change in management.
-SoE attacking risks of Digital Evidence.
The questionnaires were prepared according to the abovementioned SoE attack risks and distributed it among various organizations. Beyond the principle of basic security, the concept of SoE attacking risks of threats is the most complex part of SoE attacking risks. From the previous literature review, journal and other sources of book and scholarly articles, the following conclusions can be drawn: (10) The risk of the threat being identified is an example of an SoE attack. The questionnaires were
Table 4.2: SoE attack risk ranking of threats
No. of ranking
Standard Deviation
Mean
SoE attacking risks of threats
1
1.328
3.18
Loss, damage or destruction of digital evidence in the organization
2
1.554
3.00
Information leakage (extraction of loss of valuable or private information
3
1.375
2.91
Widespread unauthorized and uncontrolled used of portable device and transportable computer media
3
1.446
2.91
Unauthorized access or modification or disclosure of digital evidence.
No. of ranking
Standard Deviation
Mean
SoE attacking risks of threats
4
1.401
2.82
System error and failure
4
1.401
2.82
Unauthorized exploitation of intellectual property (IP) example: plagiarism etc.
5
1.471
2.82
Poor SoE attacking risk detection studies
6
1.421
2.73
Identify theft of personal data or information
7
1.368
2.55
Exploit other control weakness involving printed or other information rather than computer data and system.
8
1.433
2.38
Directly exploit
control weakness in the system
The vulnerability of SoE attacks refers to the weakness of safeguards in assets that make the system more harmful. The previous literature review, journal and other sources of book and scholarly articles reveal the following: (12) The authors identify the risk of attack on vulnerabilities. These questionnaires can be distributed to several organizations to determine the ranking of SoE attack risks of vulnerabilities in organizations.
Table 4.3: SoE attack risk ranking of vulnerabilities
No. of ranking
Standard Deviation
Mean
SoE attacking risks of vulnerability
1
1.368
3.45
The process of identifying and preserving digital evidence in a
manner that is legally acceptable
2
1.502
3.36
Complexity of information technology and system
3
1.348
3.27
Lack of suitable control of digital evidence accessibility
3
1.421
3.17
Insufficient enforcement of law
4
1.537
3.18
The process of identifying and preserving digital evidence in a manner that is legally acceptable
5
1.549
3.00
Insufficient backup
6
1.446
2.91
Inadequate investment in appropriate SoE attacking risk control
6
1.446
2.91
Lack of assets inventory management
7
1.401
2.82
User system accounts not in use
7
1.401
2.61
Disgruntled of organizational staff
No. of ranking
Standard Deviation
Mean
SoE attacking risks of vulnerability
8
1.502
2.64
Unreliable level of digital evidence protection
A breach of security occurs when stated organizational policies require an information security framework for the prevention technique of SoE attacks, whereas there are management defects in the organization. SoE activities are activities in which the attacker can perform bypass attacks if there are any management defects or unawareness of the organization. Therefore, identifying these issues is necessary for building a framework for preventing SoE attacks. A review of the previous literature an
Table 4.4: SoE attack risk rankingof management defects in the organization
No. of ranking
Standard Deviation
Mean
SoE attacking risks of management defects in the organization
1
1.368
3.45
Lack of suitable management and control over the user password
2
1.489
3.27
Disgruntled of service provider staff
2
1.555
3.27
Service provider exploitation control weakness in the process
3
1.446
3.09
Unaddressed service provider's responsibility for the information security and confidentiality in contract
3
1.375
3.09
Staff negligent of service provider such as programmer technical architecture, tester and manager
4
1.541
2.91
Disgruntled or untrained or ignorant employee who make genuine human error
4
1.445
2.91
Unorganized access control and privilege on user application accounts
An element that contributes to SoE attack risk is unexpected change in management. Unexpected change in management refers to rapid change in the organization in which employees sometimes feel difficult to adopt and that happens by a service provider. This approach is another way to increase the ease with which SoE attackers to attack in the organization. However, from the previous literature studies and various scholarly articles, there were nine (9) SoE attack risks of unexpected change in an o
Table 4.5: Ranking of unexpectedchanges in management risk due to SoE attacks
No. of ranking
Standard Deviation
Mean
SoE attacking risk of unexpected change in management
1
1.272
3.73
Lack of security training and awareness regarding SoE attacks
2
1.286
3.64
Directly exploit control weakness in the system
3
1.214
3.45
Insufficient attention to human factors of SoE attacks in design implementation
3
1.368
3.45
Lack of digital evidence owners responsibility
4
1.328
3.18
Lack of business continuity plan management
4
1.250
3.18
Unethical competitors (trade secrets, customer list etc)
5
1.265
3.00
Frequently change in business policies
6
1.544
2.91
Loss of confidentiality of classification
information
6
1.446
2.91
Severely affect the business survivability of organization
As described in the previous section, risk has been assessed in a variety of fields, such as insurance, economics, management, medicine, operation research and engineering. However, in the information security domain, SoE attacks are one kind of bypass attack. The intruder is interested only in digital files and folder. Digital files and folder refer to important documents for any organization. Hence, missing this document by SoE attacks is a very harmful matter for any organization. However, di
Table 4.6: SoE attack risk ranking of digital evidence
No. of ranking
Standard Deviation
Mean
SoE attacking risk of digital evidence
1
1.009
3.73
Digital Evidence must be preserved and hold up according in court of Evidence Act.
1
1.191
3.73
Digital Evidence perception for risk management importance for SoE attacking risk control
2
1.440
3.55
Digital documentation of policy and procedure
3
1.211
3.41
Legal activity and documentation
4
1.192
3.38
Organizational perception of Evidence Act.
5
1.746
3.37
Organization policy of employee online information update
The path model was prepared for the study model. This approach would demonstrate the relationships and hypotheses of the variables that have already been described. However, in this study the term construct is used to describe a variable that was not directly measured by indicators
for that reason, it was referred to as a latent variable. However, in this study, a conceptual model for SoE attacks and prevention techniques in digital evidence -based solutions was developed in Chapter 3 on two th
/
Figure 4.1: Model diagram with constructs and items related to SoE attacks and prevention techniques in digital evidence-based solutions for organizations
All seven constructs have arrows pointing from the construct to the indicators to indicate a reflective measurement model. Each of these constructs was measured by multiple indicators. For instance, the endogenous construct vulnerabilities were measured by Vul1, Vul2.Vul12 and as were other constructs. The results Summary of reflective measurements for the model.
Table 4.7: Reflective measurement for the model
Discriminant validity
Convergent Validity
Internal consistency
Indicator
Latent variable
AVE
Loading
Cronbach
Composite
Alpha
Reliability
&0.5
&0.7
0.6-0.9
0.6-0.9
HTMT
confidence interval does
not include 1
Yes
0.613
0.639
0.928
0.940
Thr1
SoE Attacking Risk of Threats
0.880
Thr2
0.803
Thr3
0.860
Thr4
0.651
Thr5
0.836
Thr6
0.878
Thr7
0.863
Thr8
0.741
Thr9
0.617
Thr10
Discriminant validity
Convergent Validity
Internal consistency
Indicator
Latent variable
Loading
AVE
Cronbach
Composite
Alpha
Reliability
&0.5
&0.7
0.6-0.9
0.6-0.9
HTMT
confidence interval does
not include 1
Yes
0.707
0.784
0.962
0.966
Vul1
SoE Attacking Risk of Vulnerabilities
0.766
Vul2
0.689
Vul3
0.857
Vul4
0.905
Vul5
0.924
Vul6
0.854
Vul7
0.837
Vul8
0.876
Vul9
0.858
Vul10
0.915
Vul11
0.792
Vul12
Yes
0.6250.625
0.853
0.897
0.920
Mgt_d1
SoE Attacking Risk of Management Defects in the organization
0.829
Mgt_d2
0.861
Mgt_d3
0.674
Mgt_d4
0.790
Mgt_d5
0.623
Mgt_d6
0.867
Mgt_d7
Yes
0.616
0.624
0.921
0.935
Unxch1
0.864
Unxch2
SoE Attacking Risk of Unexpected change in management
0.804
Unxch3
0.729
Unxch4
0.797
Unxch5
0.764
Unxch6
0.825
Unxch7
0.815
Unxch8
0.814
Unxch9
Discriminant validity
Convergent Validity
Internal consistency
Indicator
Latent variable
Loading
Cronbach
AVE
Composite
Alpha
Reliability
&0.5
&0.7
0.6-0.9
0.6-0.9
HTMT
confidence interval does
not include 1
Yes
0.567
0.820
0.813
0.873
DE1
SoE Attacking
0.819
DE2
Risk of Digital Evidence
0.865
DE3
0.863
DE4
0.783
DE5
0.110
DE6
Yes
0.792
0.181
0.962
0.973
R_P_M1
Risk
Management
Practice for
the prevention
technique of
SoE attacks
0.965
R_M_P2
0.983
R_M_P3
0.919
R_M_P4
0.902
R_M_P5
0.927
R_M_P6
0.922
R_M_P7
0.911
R_M_P8
0.927
R_M_P9
0.965
R_M_P10
Yes
0.810
0.968
0.925
0.962
Org_Act1
Organizational Activities
0.895
Org_Act2
0.906
Org_Act3
0.936
Org_Act4
0.965
Org_Act5
0.699
Org_Act6
Another criterion for evaluating the formative measurement model was the significance and relevance of the participants' outer weight. The values of the outer weights express the contributions of each indicator to the construct. The estimated outer weights in formative measurements were often lower than the outer loading of the reflective indicator, because they were influenced by the other relationship is the construct of SoE attacks and prevention techniques in digital evidence -based solution
However, the t- values are used for the measurement of the structure of the research model relationship. Researchers could compare the t values with the critical values from the standard normal distribution to determine whether the coefficients of SoE attacks and prevention technique in digital evidence -based solutions were significantly different from zero. The critical value for a significance of 5% (alpha =0.05) probability of error was 1.96 (two -tailed) (Cohen., 1998). Researchers could ob
Table 4.8: The bias -corrected confidence intervals
Significance (P&0.05)?
95% Bca
P-
T-Statistics (O/STDEV)
Outer loading
Outer weight
Formative Indicator
Formative Construct
Confidence Interval
value
Yes
0.751
0.496
0.000
9.257
0.639
0.090
Thr1
SoE Attacking Risk of Threats
Yes
0.925
0.818
0.000
31.784
0.617
0.144
Thr2
Yes
0.870
0.723
0.000
20.786
0.880
0.125
Thr3
Yes
0.905
0.773
0.000
29.786
0.860
0.146
Thr4
Yes
0.773
0.492
0.000
9.129
0.651
0.092
Thr5
Yes
0.883
0.749
0.000
26.651
0.836
0.136
Thr6
Yes
0.919
0.800
0.000
31.991
0.878
0.150
Thr7
Yes
0.907
0.783
0.000
30.255
0.863
0.147
Thr8
Yes
0.840
0.614
0.000
12.664
0.741
0.126
Thr9
Yes
0.739
0.441
0.000
8.254
0.617
0.990
Thr10
Yes
0.853
0.637
0.000
16.979
0.784
0.092
Vul1
SoE Attacking Risk of Vulnerabilities
Yes
0.848
0.641
0.000
15.273
0.766
0.093
Vul2
Yes
0.808
0.540
0.000
10.358
0.689
0.085
Vul3
Yes
0.909
0.766
0.000
25.722
0.857
0.099
Vul4
Yes
0.944
0.837
0.000
35.303
0.689
0.107
Vul5
Yes
0.948
0.889
0.000
60.157
0.857
0.108
Vul6
Significance (P&0.05)?
95% Bca
P-
T-Statistics (O/STDEV)
Outer loading
Outer weight
Formative Indicator
Formative Construct
Confidence Interval
value
Yes
0.925
0.797
0.000
14.475
0.905
0.099
Vul7
SoE Attacking Risk of Vulnerabilities
Yes
0.918
0.773
0.000
21.381
0.924
0.098
Vul8
Yes
0.944
0.837
0.000
28.139
0.854
0.104
Vul9
Yes
0.948
0.889
0.000
24.296
0.837
0.099
Vul10
Yes
0.942
0.797
0.000
41.376
0.876
0.109
Vul11
Yes
0.902
0.687
0.000
15.273
0.792
0.093
Vul12
Yes
0.821
0.703
0.000
17.544
0.853
0.203
Mgt_d1
SoE Attacking
Yes
0.887
0.797
0.000
27.609
0.825
0.198
Mgt_d2
Risk of Management defects in the organization
Yes
0.918
0.775
0.000
10.902
0.861
0.193
Mgt_d3
Yes
0.917
0.588
0.000
15.642
0.790
0.175
Mgt_d4
Yes
0.843
0.682
0.000
10.094
0.795
0.144
Mgt_d5
Yes
0.812
0.770
0.000
28.828
0.623
0.196
Mgt_d6
Yes
0.899
0.643
0.000
38.602
0.864
0.208
Mgt_d7
Yes
0.724
0.510
0.000
10.902
0.624
0.101
Unxch1
SoE Attacking Risk of Unexpected change in management
Yes
0.904
0.817
0.000
36.635
0.864
0.163
Unxch2
Yes
0.878
0.722
0.000
20.264
0.804
0.154
Unxch3
Yes
0.839
0.594
0.000
11.808
0.729
0.120
Unxch4
Yes
0.871
0.700
0.000
17.994
0.797
0.144
Unxch5
Yes
0.850
0.650
0.000
15.805
0.825
0.142
Unxch6
Yes
0.891
0.723
0.000
19.424
0.815
0.151
Unxch7
Yes
0.882
0.730
0.000
21.382
0.811
0.142
Unxch8
Yes
0.899
0.715
0.000
17.773
0.732
0.147
Unxch9
Yes
0.899
0.685
0.000
15.013
0.820
0.240
DE1
SoEAttacking
Yes
0.923
0.704
0.000
17.628
0.819
0.217
DE2
Risk ofDigitalEvidence
Yes
0.921
0.792
0.000
25.844
0.865
0.243
DE3
Yes
0.855
0.634
0.000
24.844
0.863
0.255
DE4
Yes
0.790
0.679
0.000
12.812
0.748
0.256
DE5
No
0.257
-0.079
0.250
1.151
0.110
0.032
DE6
No
0.355
-0002
0.058
1.900
0.181
0.023
R_M_P1
RiskManagement
Yes
0.995
0.930
0.000
56.438
0.965
0.122
R_M_P2
Yes
0.994
0.963
0.000
131.054
0.985
0.124
R_M_P3
Yes
0.983
0.821
0.000
22.061
0.919
0.117
R_M_P4
Yes
0.988
0.739
0.000
15.729
0.902
0.116
R_M_P5
Yes
0.983
0.860
0.000
28.799
0.927
0.117
Practice for the prevention technique of SoE attacks
R_M_P6
Yes
0.943
0.840
0.000
22.645
0.922
0.119
R_M_P7
Yes
0.890
0.750
0.000
25.295
0.911
0.113
R_M_P8
Yes
0.945
0.833
0.000
26.925
0.927
0.115
R_M_P9
Yes
0.980
0.844
0.000
52.483
0.965
0.121
R_M_P10
Significance (P&0.05)?
95% Bca
P-
T-Statistics (O/STDEV)
Outer loading
Outer weight
Formative Indicator
Formative Construct
Confidence Interval
value
Yes
0.984
0.924
0.000
89.729
0.968
0.207
Org_Act1
Organizational
Activities
Yes
0.905
0.808
0.000
22.222
0.895
0.176
Org_Act2
Yes
0.943
0.841
0.000
29.921
0.906
0.187
Org_Act3
Yes
0.958
0.871
0.000
36.500
0.936
0.194
Org_Act4
Yes
0.984
0.932
0.000
72.874
0.965
0.199
Org_Act5
Yes
0.806
0.594
0.000
13.189
0.699
0.141
Org_Act6
This model estimates parameters with the purpose of maximizing the explained variance of the endogenous latent variables. The research model was evaluated in terms of how well it predicted the endogenous variables.
Table 4.9: Collinearity statistics (VIF):
Vul
Unxch
Thr
R_M_P
Org_Act
Mgt_d
DE
1.000
3.861
DE
1.000
Mgt_d
Org_Act
3.861
R_M_P
3.581
4.311
Thr
2.949
Unxch
4.856
4.856
Vul
All the VIF values were below the threshold of 5. Therefore, collinearity should be below the threshold of 5. Therefore, collinearity among the predictive constructs was not a critical issue in the structural model. A VIF higher than 5, indicates that the tolerance value was 0.2, indicating a potential collinearity problem, should consider removing one of the constructs, merging predictors or creating higher order constructs. The R2 was the most commonly used parameter for evaluating the structu
Table 4.10: R2 values
R Square Adjusted
R - Square
0.936
0.937
DE
0.899
0.800
Mgt_d
0.868
0.861
Unxch
0.740
0.741
R_M_P
0.860
0.862
Org_Act
In fact, the path coefficient for SoE attacks and prevention techniques in digital evidence-based solutions had standardized values between -1 and +1. A path coefficient close to +1 represents a strong positive relationship and is statistically significant. However, sometimes the path coefficient values are very low or close to 0 and are not significantly different from zero. The SoE attack risk of vulnerabilities (Vul) having a path effect on the SoE attack risk of management defects (Mgt_d) is
Table 4.11: Shows the path coefficients with t values and p values.
P value
T-Statistics (O|STDEV)
Standard deviation (STDEV)
Sample Mean (M)
Original
Sample (O)
0.000
6.580
0.091
0.592
0.596
Vul-
&Mgt_d
0.000
4.480
0.098
0.433
0.437
Vul-&DE
0.000
3.760
0.098
0.373
0.368
Thr-
&Mgt_d
0.000
3.351
0.094
0.319
0.315
Thr-&DE
P value
T-Statistics (O|STDEV)
Standard deviation (STDEV)
Sample Mean (M)
Original
Sample (O)
0.000
52.555
0.018
0.930
0.928
Mgt_d-
&Unxch
0.010
2.572
0.092
0.234
0.237
Unxch-
&DE
0.000
4.307
0.034
0.859
0.861
DE-
&R_M_P
0.000
4.307
0.034
0.146
1.146
DE-
&Org_Act
0.000
26.938
0.032
0.827
0.852
R_M_P-
&Org_Act
The table shows that the path coefficients are as follows: (Vul)-& (DE), (Vul)-&(Mgt_d), (Unxch)-&(DE), (Thr)-&(Mgt_d), (R_M_P)-&(Org_Act), (Mgt_d)-&(Unxch), (DE)&(R_M_P), (DE)-& (R_M_P), (DE)-& (Org_Act) are significant for SoE attacks and prevention techniques in digital evidence -based solutions. The hypothesis that the path equals zero was rejected, if the confidence interval for an estimated path coefficient did not include zero, it would be assumed that the effect was significant. In other
Table 4.12: Confidence intervals
97.5%
2.5%
Sample Mean (M)
Original
Sample (O)
0.772
0.417
0.592
0.596
Vul-
&Mgt_d
0.636
0.248
0.433
0.437
Vul-&DE
0.546
0.168
0.373
0.368
Thr-
&Mgt_d
97.5%
2.5%
Sample Mean (M)
Original
Sample (O)
0.489
0.121
0.319
0.315
Thr-&DE
0.962
0.893
0.930
0.928
Mgt_d-
&Unxch
0.425
0.064
0.234
0.237
Unxch-
&DE
0.915
0.787
0.859
0.861
DE-
&R_M_P
0.209
0.075
0.146
1.146
DE-
&Org_Act
0.916
0.792
0.827
0.852
R_M_P-
&Org_Act
By observing at the significance level, we found that in the relationship (Vul)-&(Mgt_d). For a probability error (significance level of 5%), the confidence interval has a lower bound of 0.417 and an upper bound of 0.772. Another observation revealed that (Vul)-&(DE). For a probability error (significance level of 5%), the confidence interval has a lower bound of 0.248 and an upper bound of 0.636. Found that (Thr)-&(Mgt_d), p (0.000), for a probability error (significance level of 5%), the confi
Table 4.13: Results of hypothesis testing
Findings
Confidence Interval
p-value
t-value
Relationship between construct
H1
(0.417-
0.000
6.580
(Vul)-&(Mgt_d)
H1
supported
0.772)
H2
(0.248-
0.000
4.480
(Vul)-&(DE)
H2
supported
0.637)
H3
(0.168-
0.000
3.760
(Thr)-
H3
supported
0.546)
&(Mgt_d)
H4
(0.121-
0.001
3.351
(Thr)-&(DE)
H4
supported
0.489)
H5
(0.893-
0.000
52.555
(Mgt_d)-
H5
supported
0.962)
&(Unxch)
H6
(0.064-
0.000
2.572
(Unxch)-
H6
supported
0.415)
&(DE)
H7
(0.787-
0.000
25.932
(DE)-
H7
supported
0.915)
&(R_M_P)
H8
(0.075-
0.000
4.307
(DE)-
H8
supported
0.209)
&(Org_Act)
H9
(0.792-
0.000
26.938
(R_M_P)-
H9
supported
0.916)
&(Org_Act)
Note: - Significance at 0.05 (2-tailed)
The indirect effects of Thr on Mgt_d on Unxch were the product of the path coefficient (mediation path 1). Thr on Mgt_d on Unxch on DE were the product of the path coefficient of (mediation path 2)
, Thr on DE on R_M_P were the path coefficient (mediation path 3)
, Thr on Mgt_d on Unxch on DE on R_M_P were the path coefficient (mediation path 4), Thr on DE on Org_Act were the path coefficient of (mediation path 5), Thr on DE on R_M_P on Org_Act were the path coefficient (mediation path 6) and Th
Table 4.14: Shows the specific indirect effects.
p - value
T
Standard
Sample
Original
Statistics
Deviation (STDEV)
Mean(M)
Sample(O)
0.000
3.616
0.094
0.346
0.342
Thr-
&Mgt_d-
&Unxch
0.085
1.725
0.047
0.086
0.081
Thr-
&Mgt_d-
&Unxch-
&DE
0.002
3.192
0.085
0.277
0.271
Thr-&DE-
&R_M_P
p - value
T
Standard
Sample
Original
Statistics
Deviation (STDEV)
Mean(M)
Sample(O)
0.083
1.735
0.040
0.073
0.070
Thr-
&Mgt_d-
&Unxch-
&DE-
&R_M_P
0.113
1.587
0.007
0.013
0.012
Thr-
&Mgt_d-
&Unxch-
&DE-
&Org_Act
0.013
2.505
0.018
0.047
0.046
Thr-&DE-
&Org_Act
0.002
3.161
0.073
0.236
0.231
Thr-&DE-
&R_M_P -
& Org_Act
0.084
1.730
0.034
0.063
0.059
Thr-
&Mgt_d-
&Unxch-
&DE-
&R_M_P-
&Org_Act
p - value
T
Standard
Sample
Original
Statistics
Deviation (STDEV)
Mean(M)
Sample(O)
0.000
6.606
0.084
0.552
0.553
Vul-
&Mgt_d-
&Unxch
0.014
2.456
0.053
0.132
0.131
Vul-
&Mgt_d-
&Unxch-
&DE
0.000
4.276
0.088
0.366
0.376
Vul-&DE-
&R_M_P
0.015
2.435
0.039
0.097
0.096
Vul-
&Mgt_d-
&Unxch-
&DE-
&R_M_P-
&Org_Act
0.028
2.207
0.009
0.017
0.019
Vul-
&Mgt_d-
&Unxch-
&DE--
&Org_Act
0.002
3.055
0.021
0.062
0.064
Vul-&DE-
&Org_Chr
p - value
T
Standard
Sample
Original
Statistics
Deviation (STDEV)
Mean(M)
Sample(O)
0.000
4.235
0.075
0.312
0.320
Vul-&DE-
&R_M_P-
&Org_Act
0.015
2.435
0.039
0.097
0.096
Vul-
&Mgt_d-
&DE-
&R_M_P-
&Org_Act
0.018
2.364
0.093
0.226
0.220
Mgt_d-
&Unxch-
&DE
0.018
2.375
0.080
0.193
0.189
Mgt_d-
&Unxch-
&DE-
&R_M_P
0.036
2.106
0.015
0.033
0.032
Mgt_d_-
&Unxch-
&DE-
&Org_Act
0.019
2.359
0.068
0.165
0.161
Mgt_d-
&Unxch-
p - value
T
Standard
Sample
Original
Statistics
Deviation (STDEV)
Mean(M)
Sample(O)
&DE-
&R_M_P-
&Org_Act
0.016
2.419
0.084
0.207
0.204
Unxch-
&DE-
&R_M_P
0.033
2.141
0.016
0.033
0.035
Unxch-
&DE-
&Org_Act
0.017
2.402
0.072
0.177
0.174
Unxch-
&DE-
&R_M_P -
&Org_Act
0.000
18.413
0.040
0.738
0.733
DE-
&R_M_P-
&Org_Act
After testing the indirect effect with a bootstrapping procedure, we similarly tested the significance of the direct effect on a path coefficient.
Table 4.15: Direct effect values.
p - value
T Statistics
Standard
Sample
Original
Deviation (STDEV)
Mean(M)
Sample(O)
0.001
3.396
0.108
0.370
0.368
Thr-
&Mgt_d
0.001
3.423
0.092
0.312
0.315
Thr-&DE
p - value
T Statistics
Standard
Sample
Original
Deviation (STDEV)
Mean(M)
Sample (O)
0.000
5.864
0.102
0.598
0.596
Vul-
&Mgt_d
0.000
4.426
0.099
0.434
0.437
Vul-&DE
0.000
56.420
0.016
0.931
0.928
Mgt_d-
&Unxch
0.012
2.529
0.094
0.243
0.237
Unxch-
&DE
0.000
26.278
0.033
0.863
0.861
DE-
&R_M_P
0.000
4.038
0.036
0.144
0.146
DE-
&Org_Act
0.000
25.206
0.034
0.855
0.852
R_M_P-
&Org_Act
Table 4.16: Confidence interval bias corrected
97.5%
2.5%
Bias
Sample
Original
Mean(M)
Sample(O)
0.501
0.105
0.002
0.370
0.368
Thr-&Mgt_d
0.504
0.150
-0.003
0.312
0.315
Thr-&DE
0.834
0.417
-0.000
0.598
0.596
Vul-&Mgt_d
0.828
0.413
-0.000
0.434
0.437
Vul-&DE
0.954
0.885
0.003
0.931
0.928
Mgt_d-
&Unxch
0.428
0.072
0.006
0.243
0.237
Unxch-&DE
0.912
0.769
0.002
0.863
0.861
DE-
&R_M_P
0.226
0.078
-0.003
0.144
0.146
DE-
&Org_Act
0.914
0.777
0.003
0.855
0.852
R_M_P-
&Org_Act
Mediation implies a situation in which a third variable could explain the effect of the independent variable on the dependent variable better (Joseph F. et al., 2019). For example, in the SoE, attacks and prevention technique in a digital evidence -based solution model, the SoE attack risks such as the risk of the SoE attacking, threats, the risk of the SoE attacking vulnerability, the risk of the SoE attacking management defects, the risk of the SoE attacking unexpected change in management, an
/
Figure 4.2: The mediating effect of the Model
In the diagram, the intervening process (mediating effect) is modeled as a risk management practice for the prevention technique of SoE attacks (R_M_P), and the other words, risk management practice (R_M_P) is a mediating variable. A change in the exogenous construct resulted in a change in the mediator variable, which in turn changed the endogenous construct. Direct effects were defined as the relationship connecting two constructs with a single arrow. Therefore, the direct effect p3 between So
Table 4.17: The direct and indirect effects of SoE attacks andprevention techniques on digital evidence based solutions.
Conclusion
Dir ect effe ct Sig.
Indi rect effec t Sig.
P -
T-
95%
Indir ect effect
Sig. p&0.0 5?
T-
95%
dire ct effe ct
valu e
confide nce interval effect
valu e
confide nce interval of direct
val ue
effect
Partial Mediation
Yes
Yes
0.0
3.32
(0.098-
0.342
0.001
3.39
(0.105-
0.36
Thr-
01
5
0.512)
6
0.541)
8
&Mgt_ d-
&Unxc h
Full Mediation
Yes
No
0.0
1.78
(0.017-
0.081
0.000
3.42
(0.143-
0.31
Thr-
&Mgt_ d-
76
0
0.183)
3
0.501)
5
&Unxc
h-&DE
Partial Mediation
Yes
Yes
0.0
3.41
(0.122-
0.271
0.000
26.2
(0.791-
0.86
Thr-
01
5
0.420)
78
0.919)
1
&DE-
&R_M
_P
Full
Yes
No
0.0
1.77
(0.014-
0.070
0.012
2.52
(0.076-
0.23
Thr-
Mediation
77
1
0.158)
9
0.443)
7
&Mgt_ d-
&Unxc h-
&DE-
&R_M
_P
Partial
Yes
Yes
0.0
3.32
(0.098-
0.342
0.001
3.39
(0.105-
0.36
Thr-
Mediation
01
5
0.512)
6
0.541)
8
&Mgt_ d-
&Unxc h
Conclusion
Dir ect effe ct Sig.
Indi rect effec t Sig.
P -
T-
95%
Indir ect effect
Sig. p&0.0 5?
T-
95%
dire ct effe ct
valu e
confide nce interval effect
valu e
confide nce interval of direct
val ue
effect
Full Mediation
Yes
No
0.0
1.78
(0.017-
0.081
0.000
3.42
(0.143-
0.31
Thr-
76
0
0.183)
3
0.501)
5
&Mgt_ d-
&Unxc h-&DE
Partial
Yes
Yes
0.0
3.41
(0.122-
0.271
0.000
26.2
(0.791-
0.86
Thr-
Mediation
01
5
0.420)
78
0.919)
1
&DE-
&R_M
_P
Full Mediation
Yes
No
0.0
1.77
(0.014-
0.070
0.012
2.52
(0.076-
0.23
Thr-
77
1
0.158
9
0.443)
7
&Mgt_ d-
&Unxc h-
&DE-
&R_M
_P
Full
No
Yes
0.0
1.66
(0.002-
0.012
0.000
4.03
(0.070-
0.14
Thr-
Mediation
97
8
0.028)
8
0.215)
6
&Mgt_ d-
&Unxc h-
&DE-
&Org_ Act
Partial Mediation
Yes
Yes
0.0
2.51
(0.018-
0.046
0.000
4.03
(0.070-
0.14
Thr-
12
0
0.096)
8
0.215)
6
&DE-
&Org_ Act
Partial Mediation
Yes
Yes
0.0
3.37
(0.104-
0.231
0.000
25.2
(0.777-
0.85
Thr-
01
4
0.374)
06
0.914)
2
&DE-
&R_M
_P-
&Org_ Act
Conclusion
Dir ect effe ct Sig.
Indi rect effec t Sig.
P -
T-
95%
Indir ect effect
Sig. p&0.0 5?
T-
95%
dire ct effe ct
valu e
confide nce interval effect
valu e
confide nce interval of direct
val ue
effect
Full
No
Yes
0.0
1.66
(0.003-
0.012
0.000
25.2
(0.777-
0.85
Thr-
Mediation
97
4
0.031)
06
0.914)
2
&Mgt_ d-
&Unxc h-
&DE-
&R_M
_P-
&Org_ Act
Partial
Yes
Yes
0.0
5.99
(0.388-
0.553
0.000
5.86
(0.417-
0.59
Vul-
Mediation
00
7
0.759)
4
0.828)
6
&Mgt_ d-
&Unxc
h
Partial Mediation
Yes
Yes
0.0
2.49
(0.045-
0.313
0.000
56.4
(0.885-
0.92
Vul-
13
5
0.235)
20
0.912)
8
&Mgt_ d-
&Unxc h-&DE
Partial
Yes
Yes
0.0
4.42
(0.210-
0.376
0.000
4.58
(0.241-
0.43
Vul-
Mediation
00
3
0.552)
8
0.626)
7
&DE-
&R_M
_P
Partial Mediation
Yes
Yes
0.0
2.24
(0.006-
0.019
0.000
4.37
(0.077-
0.14
Vul-
25
9
0.042)
7
0.205)
6
&Mgt_ d-
&Unxc h-
&DE-
&Org_ Act
Conclusion
Dir ect effe ct Sig.
Indi rect effec t Sig.
P -
T-
95%
Indir ect effect
Sig. p&0.0 5?
T-
95%
dire ct effe ct
valu e
confide nce interval effect
valu e
confide nce interval of direct
val ue
effect
Partial
Yes
Yes
0.0
2.39
(0.030-
0.096
0.009
2.61
(0.071-
0.23
Vul-
Mediation
17
4
0.187)
6
0.434)
7
&Mgt_ d-
&Unxc h-
&DE-
&R_M
_P-
&Org_ Act
Partial Mediation
Yes
Yes
0.0
3.15
(0.028-
0.064
0.000
4.58
(0.241-
0.43
Vul-
02
1
0.106)
8
0.626)
7
&DE-
&Org_ Act
Partial
Yes
Yes
0.0
4.38
(0.179-
0.320
0.000
27.5
(0.795-
0.85
Vul-
Mediation
00
5
0.472)
55
0.915)
2
&DE-
&R_M
_P-
&Org_ Act
Partial Mediation
Yes
Yes
0.0
2.39
(0.030-
0.096
0.000
27.5
(0.795-
0.85
Vul-
17
4
0.187)
55
0.915)
2
&Mgt_ d-
&Unxc h-
&DE-
&R_M
_P-
&Org_ Act
Partial Mediation
Yes
Yes
0.0
2.59
(0.064-
0.220
0.000
55.9
(0.886-
0.92
Mgt_d
10
1
0.392)
46
0.955)
8
-
&Unxc h-&DE
Conclusion
Dir ect effe ct Sig.
Indi rect effec t Sig.
P -
T-
95%
Indir ect effect
Sig. p&0.0 5?
T-
95%
dire ct effe ct
valu e
confide nce interval effect
valu e
confide nce interval of direct
val ue
effect
Partial
Yes
Yes
0.0
2.57
(0.048-
0.189
0.009
2.61
(0.071-
0.23
Mgt_d
Mediation
10
3
0.288)
6
0.434)
7
-
&Unxc h-
&DE-
&R_M
_P
Partial Mediation
Yes
Yes
0.0
2.28
(0.011-
0.032
0.009
2.61
(0.071-
0.23
Mgt_d
25
4
0.068)
6
0.434)
7
-
&Unxc h-
&DE-
&Org_ Act
Partial Mediation
Yes
Yes
0.0
2.54
(0.048-
0.161
0.000
27.5
(0.795-
0.85
Mgt_d
11
2
0.288)
55
0.915)
2
-
&Unxc h-
&DE-
&R_M
_P-
&Org_ Chr
Partial Mediation
Yes
Yes
0.0
2.60
(0.061-
0.204
0.009
2.61
(0.071-
0.23
Unxch
10
4
0.359)
6
0.434)
7
-&DE-
&R_M
_P
Partial
Yes
Yes
0.0
2.30
(0.012-
0.035
0.000
4.37
(0.077-
0.14
Unxch
Mediation
21
7
0.071)
7
0.205)
6
-&DE-
&Org_ Act
Conclusion
Dir ect effe ct Sig.
Indi rect effec t Sig.
P -
T-
95%
Indir ect effect
Sig. p&0.0 5?
T-
95%
dire ct effe ct
valu e
confide nce interval effect
valu e
confide nce interval of direct
val ue
effect
Partial Mediation
Yes
Yes
0.0
2.57
(0.052-
0.174
0.000
27.5
(0.773-
0.85
Unxch
10
1
0.307)
55
0.914)
2
-&DE-
&R_M
_P-
&Org_ Act
Partial
Yes
Yes
0.0
20.2
(0.658-
0.733
0.000
27.5
(0.773-
0.85
DE-
Mediation
00
05
0.799)
55
0.914)
2
&R_M
_P-
&Org_ Act
The indirect effects were defined as the sequence of relationships that involved at least one intervening construct, as shown in the diagram. Here, the indirect effect p1.p2 represents the mediating effect of the risk management practice construct (R_M_P) on the relationship between SoE attack risk (Vul, Thr, Mgt_d, Unxch, DE) and Organizational Characteristics (Org_Act). From the observation, it was shown that Thr-&Mgt_d-&Unxch-&DE &Mgt_d-&Unxch-&DE-&R_M_P-& Org_Act were fully mediated. This me
The moderator variable could change the strength of the relationship between the exogenous and endogenous latent variables.
/
Figure 4.3: Moderating effect of the research model
Table 4.18: Moderating effect values
97.5%
2.5%
Sample
Original
Mean(M)
Sample(O)
0.215
0.083
0.148
0.150
DE-&Org_Act
0.915
0.797
0.860
0.861
DE-&R_M_P
0.958
0.897
0.931
0.928
Mgt_d-&Unxch
0.024
0.019
0.007
0.008
Moderating Effect
&Org_Act
0.913
0.796
0.858
0.857
R_M_P
&Org_Act
0.483
0.142
0.316
0.315
Thr-&DE
0.550
0.149
0.364
0.368
Thr-&Mgt_d
0.425
0.077
0.241
0.237
Unxch-&DE
0.625
0.234
0.432
0.437
Vul-&DE
0.802
0.421
0.601
0.596
Vul-&Mgt_d
The moderating effect provides evidence that, risk management is necessary for preventing SoE attacks in organizations. An exploratory analysis digs deeper into the risk management practices for preventing SoE attacks in organizations. A quantitative approach was used to explore these issues, as this method allows the inner experience of the participants to be captured, to determine how meanings are formed, rather than merely through testing variables. The method is often used when the researche
Figure 4.4 illustrates the steps applied in this study.
/
Figure 4.4: Exploratory Study Activities
To obtain deeper insights into SoE attack risk management practices in organizations. A semi structured method was used to distribute the questionnaires to eight organizations. The organizations involved in this semi structured process included various organizations, such as education sectors, the health care sector, banking and government agencies. The managers as and administrative employees were involved in these semi structured procedures
their ages ranged from 28 to 55 years, and they were
Semi structured methods were used to investigate key practices during the SoE attack risk identification phase. Five organizations thoroughly practiced identifying the SoE attacks on digital evidence. Moreover, the other three organizations (A, B and C) partially practiced the identification phase of SoE attacks of digital evidence in the organizations. The analysis showed that all the organizations identified the SoE attack risks of digital evidence. Organizations A, B, C, D and E thoroughly id
Finally, only organizations A, D and E reported that the SoE attack risk awareness practice was conducted. Despite having prepared for the necessary training, the other organizations did not directly report the completed SoE attack risk awareness to their outsider attackers. However, risk profiles were used among managers and SoE attack risk awareness experts in managing and mitigating SoE attack risks in organizations. Table 4.20 summarizes the results of the content analysis extracted from the
Table 4.19: Content analysis forthe social engineering attack risk identification phase
semi structured way was used of focus groups by distributed relevant questionnaire
Social engineering attacking risk identification phase: For the risk management practice for the prevention technique of SoE attacks in the organizations
H
G
F
E
D
C
B
A
Yes
Yes
Yes
Yes
Yes
Partial
Partial
Partial
1. Identify preliminary study for SoE attacking
risk.
Yes
Yes
No
No
No
No
Yes
No
2. Preparing proposal of list of SoE attacking risks.
H
G
F
E
D
C
B
A
Partial
Partial
Partial
Yes
Yes
Partial
Yes
Partial
3. Senior Management Evaluating the
Proposal of the list of SoE attacking risk.
No
Partial
No
No
Yes
No
No
No
4. Senior Management
designate organization's staff to responsible for the entire stages of SoE attacking risks study, work together with SoE attacking risk awareness team members.
Partial
Partial
Partial
Yes
Yes
Partial
Partial
Yes
5. Defining SoE attacks and its
awareness to each
team member roles and responsibilities for the entire
process of study.
Partial
Partial
Yes
Yes
Partial
Partial
Partial
Yes
6. Conducting a necessary training or work shop to the awareness of SoE attacking risks to
the team on the process or procedure involved implementing the
framework.
H
G
F
E
D
C
B
A
No
Partial
No
Partial
Partial
Partial
Partial
No
7. Setting scope of evaluation for SoE attacking risk management Study for the prevention technique of SoE attacks (Evaluation scope for digital
evidence).
Partial
Yes
No
No
No
Yes
No
No
8. Describing and defining SoE attacking risk
evaluation (human, process, technological risk
related in the organization).
Partial
Yes
Yes
Partial
Partial
Partial
Partial
Partial
9. Describing and defining scope of SoE attacking risks such as (threats,
vulnerability, management defects, unexpected change
and digital evidence).
Partial
Yes
Partial
Partial
Partial
Yes
Yes
Partial
10. Describing and defining scope of SoE attacking risks treatment, protection strategy, mitigation plan and activities plan to manage the prevention
technique of SoE attacking risk.
Identification of SoE attack risk begins with identifying how organizational digital evidence is protected from SoE attacks. Semi structured methods were used by most of the organizations that conducted this activity. It was found that all the respondents identified the risk of the SoE attacking their organization. These SoE attack risks were classified into three categories (technology, human, process). The majority of the respondents identified digital evidence security requirements during thi
Semi structured methods were used to investigate the risk analysis phase preventing SoE attacks. The semi structured approach revealed the key activities conducted during this phase. The key activities identified from the exploratory study were as follows:
-Reviewing Organizational daily activity. Preparing a proposal of a list of SoE attack risks.
-Discussing and identifying SoE attacking risks attack risk issues or areas of concern.
-Creating awareness practices regarding SoE attacks.
-Defining SoE attacks and their awareness of each team member's roles and responsibilities for the entire process of study.
-Creating a vulnerability profile for digital evidence.
-Creating a threat profile for digital evidence.
-Creating a management defect profile for digital evidence.
-Creating an unexpected change profile for digital evidence.
-Creating an SoE attack risk from a digital evidence profile.
-Compelling and consolidating digital evidence, and security requirements to produce SoE attack risk descriptions. Organizations A, C and H reviewed the value of SoE attacks on digital evidence and thoroughly identified digital evidence related to organizational activities. Organization A partially conducted this activity, while two organizations (C and H) also conducted it altogether. Despite this, the two organizations also agreed that reviewing the value of SoE attacking risks on digital evid
Table 4.20: Content analysis for the social engineering attackrisk analysis phase.
Semi structured way of focus groups by distributed relevant questionnaire
Social engineering attacking risk analysis phase:
the risk management practice for the prevention technique of SoE attacks in the
organizations
H
G
F
E
D
C
B
A
Yes
No
No
No
No
Yes
No
Yes
1. Reviewing Organizational daily
activity.
Partial
Partial
Partial
Yes
Partial
Yes
Partial
Partial
2. Discussing and Identify SoE attacking risks issues or areas of concerns.
H
G
F
E
D
C
B
A
No
Partial
Partial
No
No
Yes
No
No
3. Creating awareness practice regarding
SoE attacks.
Yes
No
No
Yes
No
No
Yes
Yes
4. Creating Vulnerability Profile for digital evidence.
No
Partial
Partial
No
Yes
No
No
No
5. Creating Threat Profile for digital
evidence.
No
No
No
Yes
No
Yes
Partial
No
6. Creating management defects
profile for digital evidence.
No
Partial
No
Yes
No
No
No
Partial
7. Creating unexpected change profile for digital
evidence.
No
Partial
No
Yes
No
No
No
Partial
8. Creating SoE attacking risk of digital evidence
profile.
No
Yes
No
Yes
No
No
No
Yes
9. Compelling and consolidating digital evidence, security
requirement, to produce SoE attacking risks
description.
The exploratory analysis concluded that most of the organizations practiced the nine (9) Key activities during the SoE attack risk analysis phase. Therefore, these nine (9) key activities are recommended during this phase.
The analysis results and highlights the importance of identifying SoE attack risks, such as the risk of SoE attack threats, the risk of SoE attack vulnerabilities, the risk of SoE attack management defects, the risk of SoE attack unexpected changes in management and the risk of SoE attack digital evidence. The association between risk management practices for preventing SoE attacks and organizational activities. In this research model, an advanced technique was used to access a complex higher-or
In addition, the chapter highlights and analyses the measurement latent variables by reflective and formative measurements. Hence, the objective of this research was to investigate the structural model and explain the target constructs. However, the estimated coefficients of the path model relationship maximize the R square values for the target endogenous constructs. However, the formative measurement indicators of this research model were assumed to be error free. However, the reflective measu
Fundamentally, the empirical findings suggest analyzing of the prevention technique of SoE attacks, which is vital for developing an information security framework for preventing SoE attacks. This was an exploratory study in which semi structured interviews were analyzed by various organizations to determine the impact of risk management practices on prevention techniques for SoE attacks. However, to analyze risk management practices for preventing SoE attacks in organizations, a distributed que
Chapter Five Fortifying the Fortress: Strategies for Risk Management Framework
5.1. Overview of Risk Management Framework
5.2. The Framework Stages, Processes, Activities and Worksheets
5.3. Conduct necessary training or workshops
Social Engineering Attacking Risks are the major concern for organizations, particularly when implementing organizational activities. Despite the benefits of risk management practices for preventing SoE attacks, such practices provide protection from digital evidence. Thus, the viability of the strategy is dependent upon the security measures taken to minimize the risk of SoE attacks. In that case, if these SoE attack risks are not effectively and appropriately managed, then the full benefits of
Various researchers have introduced their own methods to manage SoE attack risks. However, most of these studies are anecdotal and have empirical validation, especially because it is necessary to practice risk management practices to prevent SoE attacks during the implementation of organizational activities. Therefore, this study proposes a risk management framework for preventing SoE attacks in organizations. The framework takes into consideration previous literature for managing SoE attack ris
Additionally, Chapter V also discusses the issues and challenges of risk management practices for preventing SoE attack risks in organizations. The prevailing issues and challenges were analyzed and explored in view of the development of the proposed framework. The framework comprises a broad range of processes and activities (as shown in Figure 5.1), covering the entire spectrum of three stages (Stage 1: SoE attack risk of Preliminary Study, Stage II: SoE attack risk evaluation and planning
St
/
Figure 5.1: Stage of the Framework
Essentially, the framework for managing the risk of attack by SoE consists of these main stages. Each stage consists of several processes and activities. To highlight the contributions of this study, different notations were used to represent the processes and activities involved in the framework. The highlighted areas indicate the original contributions, while the dotted boxes indicate the partial contributions of the processes. Details about the framework components and contributions are discu
Description
Degree of Contribution
Graphical Representation of the component
Notation Name
No
Apply current common practices of the approaches or processes or activities managing SoE attacking risk.
Common Practice (Improvised 20%-40% of
Common Component (Activity)
1
common practice)
Description
Degree of Contribution
Graphical Representation of the component
Notation Name
No
Improvise current common practices to apply in new environment, new application of activities, new factors involved, and application of common practices (process or activities) in new environment managing SoE attacking risks.
Partial Contribution (Improvised 40%- 70% of
Improvised Component (Activity)
2
Common Practices)
Proposed new practices (processes or activities) factors and approached, new focus perspective managing SoE attacking risks. Shown in square shape.
Solid contribution (Practice, Process, Perspective, Factor Subject area)
New Proposed Component Activity
3
Figure 5.2: Details of the notation used
The detailed components of these framework stages are illustrated in Figures 5.3, 5.4 and 5.5. The detailed elated processes and activities for each specific stage will be discussed in the next sections.
/
Figure 5.3: Stage I of the risk management framework for social engineering attacks and digital prevention techniques
/
/
Therefore, the overall model would be:
/
/
/
Figure 5.4: Stage III of the risk management framework forsocial engineering attack and digital prevention techniques
Therefore, the overall process and activities are as follows:
/
In each stage, the process and activity components of the framework on information security risk management for the prevention technique of SoE attacks describe its own high-level principles and objectives. The principles detail what needs to be done to meet the objective of each component.
The framework is divided into three different stages, each of which comprises several processes, and detailed activities
Figure 5.2 below shows the number of processes and activities involved in implementing the framework.
Table 5.1: Breakdown of the frameworkcomponent according to stage
Number of Activities
Number of Processes
Stage
10 Activities
3 Processes
Stage I : SoE attacking risk study preparation (SAR-SP)
23 Activities
3 Processes
Stage II : SoE attacking risk evaluation and planning (SAR-EP)
9 Activities
3 Processes
Stage III : SoE Attacking Risks Monitor and Control Execution plan (SAR-MC)
42 Activities
9 Processes
Total
Stage I of the framework consists of three major processes, namely, getting with senior management (SARSP1), team selection (SARSP2) and setting the scope of the SoE attack risk study (SARSP3). Each of these processes entails specific activities. Stage II of the framework also comprises three major processes, namely, SoE attack risk identification (SAREP1), SoE attack risk analysis (SAREP2) and SoE attack risk treatment planning (SAREP3). Each of these processes also involves the conduct of spec
Accordingly, this part of the framework provides the following:
-Explanation of the three stages and summary table of each related process involved in the framework.
-Outline structure of the framework component.
The framework was uniquely designed to guide an appropriate and effective process and procedures for managing SoE attack risk in organizations. Details about each stage, process, activity and related form or template will be discussed further in the following section.
Several preparatory processes are required to ensure successful implementation of the entire process of management for the prevention technique of SoE attacks particularly in the organization. The three processes involve senior management in the organization, risk management team selection for the prevention technique of SoE attacks and setting the scope of risk management for SoE attacks. Stage I of the framework consists of three major processes, namely, getting with senior management (SARSP1)
Accordingly, this part of the framework provides the following:
-Explanation of the three stages and summary table of each related process involved in the framework.
-Outline structure of the framework component.
The framework was uniquely designed to guide an appropriate and effective process and procedures for managing SoE attack risk in organizations. Details about each stage, process, activity and related form or template will be discussed further in the following section. The three processes within Stage I are composed of a number of activities, each covering a specific task for the activities, each of which contains a set of descriptions required to conduct the activity. Each component comprises se
Table 5.2: Breakdown of the frameworkcomponent (processes and activities in stage I)
Stage I
SoE attacking risk study preparation (SAR- SP)
Number of Activities
Processes
Process SARSP1
3 Activities
Getting with senior management
Process SARSP2
3 activities
SoE attacking risk management team selection
Process SARSP 3
4 activities
Setting scope for SoE attacking risk management
10 Activities
Total
The overall component structure (processes and activities) and relevant worksheet outlines for this stage of the framework are illustrated in the following figures:
Figure 5.6 Stage I- Getting with Senior Management (Process SARP1). Figure 5.7 Stage I- SoE Attacking Risk Management Team Selection (Process SARP2). Figure 5.8 Stage I- Setting Scope for SoE Attacking Risk Study (Process SARP3).
/
Figure 5.5: Structure of the framework component for Stage I(Process SARP1 -Getting with Senior Management)
It is recommended that training or workshops be conducted to improve SARAT members' understanding of the processes and procedures to be implemented. Organizations could hire experts from outside to provide training or team members attached to any supplementary training available in the industry. The SoE attack risk evaluation and planning (Stage II) concentrate on evaluating the SoE attack risk, such as identifying and planning for the treatment of the risk. This is a critical stage, as identify
Table 5.3: Breakdown of the Framework Component(Processes and Worksheet in Stage II)
Stage II
SoE Attacking Risk Treatment Plan Evaluation and Planning (SAR- EP)
Number of
Number of
Processes
Worksheets
Activities
Process SAREP1 SoE attacking risk identification
2 Worksheet
9 Activities
Process SAREP2
1 Worksheet
7 Activities
SoE attacking risk analysis
Process SAREP3
SoE attacking risk treatment planning
1 Worksheet
7 Activities
4 Worksheet
23 Activities
Total
The SARAT team is responsible for review -related information to capture information for risk identification during the SoE attack. The main objective of these reviews is to collect relevant information on SoE attack risk issues or areas of concern, related digital evidence, the location of key component infrastructures, indications of threats and vulnerabilities, etc.
SARAT should review the following documents, but not be limited to:
System and software user manual.
Operation manual and procedure documents.
System software requirement specification.
System and software functional specification.
Team profile (management and implementation).
Service provider profile.
Enterprise network design architecture.
Database design architecture.
SoE attacking risk incidents.
Organizational digital evidence stored security policy.
Service provider's digital evidence security policy.
It is recommended that a checklist of reviewed documents be prepared for the SoE attack risk identification worksheet to manage the number of documents to review. Please include additional document to be reviewed if any or remove documents which are not relevant. The SARAT team is responsible for conducting a brainstorming session to discuss and identify SoE attack risk issues and areas. A team is required to capture information on related information security issues, an organization's digital e
Section A - SoE Attacking Risk Issues.
Section B - Digital Evidence and Rationale.
Section C - Digital Evidence, Source of Potential Threats, Vulnerabilities and Outcomes.
Section D - Organization Digital Evidence Potential Source of Threats, Vulnerabilities and Outcomes Scenario Diagram.
Initially, the descriptions, such as name, brief description, owner, user, service provider and duration, were recorded. Section A captures SoE attack risk issues and the severity of digital evidence. Section B describes the list of digital evidence and the rationale for why it is considered digital evidence. Moreover, Section C assists the SoE attack risk analysis team (SARAT) in identifying sources of threats, sources of vulnerabilities and outcomes related to digital evidence. Section D provi
SARAT is also responsible for creating a vulnerability profile for digital evidence. The team captured all the possibilities of treatment through the combination of reviewing related documents and brainstorming among team members. Generally, there are several questions to consider when creating the SoE attack risk of vulnerability profiles. There are (but not limited):
What is the related digital evidence?
How does the SoE attack risk of vulnerabilities occur? (Access Mode)
Who determines the risk of the SoE attacking vulnerabilities? (Actor)
SoE attack risk of vulnerability outcomes?
SoE attack risk of vulnerability impact?
The team is required to create three groups of SoE attack risk vulnerability profiles, which are (1) vulnerability profiles for human factor problems, (2) vulnerability profiles for technology or system problems, and (3) vulnerability profiles for digital evidence. In creating the SoE attack risk of vulnerability profiles for human factor problems, SARAT is required to specifically identify the name of digital evidence, physical or logical access, actor, motive, outcome and impact in graphical n
Strategic and operational plans that streamline with an organization's business objectives.
Legal requirements, regulations, and standards of due care with the organization should comply.
Insurance information related to information security and information protection.
Results from other risk management processes used by organizations.
Impact description worksheet (result from previous activity).
The objective is to develop an understanding of any existing organizational risk limits based on strategic and operational plans, liabilities and insurance-related issues. These data are important in establishing evaluation criteria, as these criteria are highly contextual. In some cases, organizations will have risks that could result in loss of life, but others may not. Thus, it is crucial for organizations to define their own evaluation criteria by reviewing relevant background information.
The following questions are asked about each area of impact.
What defines a "high" impact on the organization?
What defines a "medium" impact on the organization?
What defines a "low" impact on the organization?
SARAT seeks to define specific details that constitute high, medium and low risk for its organization. For example, when measuring productivity as an area of impact, a low impact on productivity might occur after three lost days, whereas a high impact might occur after three weeks. At the end of this process of SoE attack risk analysis, SARAT is required to review the entire analysis results and identify the most appropriate strategy for addressing the impacts identified earlier during the proce
Stage I: The SoE Attacking Risk Study Preparation, covers processes and activities relating to the SoE attacking risk study preparation for the organization. The processes conducted at this stage include (1) working with senior management, (2) performing risk management team selection, on SoE attacks, and (3) setting the scope of the risk management study on SoE attacks.
Stage II: The SoE attack risk evaluation and planning covers processes and activities related to the process of evaluating the SoE attack risk and treatment plan to mitigate the risks involved in the organization. The processes conducted at this stage are-
(1) The risk identification of SoE attacks, (2) the risk analysis, of SoE attacks, and (3) the risk treatment plan for SoE attacks.
Stage III: The SoE attack risk monitor and control execution plan, covers processes and activities relating to the execution, monitoring and control of the risk treatment plan. Processes conducted at this stage include (1) executing the SoE attack risk treatment plan, (2) monitoring the SoE attack risk, and (3) controlling the SoE attack risk. This chapter also provides a comprehensive template, worksheets of checklist used within the framework, and references for each component of the framework
Fundamentally, the contribution of the framework is that it provides a structured guide. This includes the categorization of several stages of the SoE attack risk management approach, the design of appropriate processes and activities tailored to the organization, the introduction of additional processes and activities to cater to emerging SoE attack risk factors and the development of comprehensive stages, processes and steps activities. All these are further supplemented with related worksheet
Chapter Six Building a Culture of Security: Framework Confirmatory
6.1. Overview of Framework Verified
6.2. Results and discussion of the framework of the confirmatory study
6.3. Expert Judgment Results: Setting the Scope of the SoE attack risks:
6.4. Supplementary Findings: Organizational risk of SoE attacks
The proposed framework will be verified through an expert-judgment approach to verify its acceptability and applicability for the organization, practitioner and research community. Experts in the field of information security, and managers were identified for the confirmatory study. For the purpose of this study, subject-matter- experts (SMEs) were selected to verify and validate the stages, processes, activities, tasks and worksheets of the framework. Furthermore, the substantial feedback, reco
/
Figure 6.1: Adopted expert judgment methodfor the proposed framework validation
Expert judgments can, and routinely are, employed in a host of varying manners, from roundtable discussions to more formalized forecast assessments such as the Delphi Method. Expert judgment requires the synthesis of expert opinions about a subject for whom there is uncertainty due to insufficient data or when such data are unavailable because of physical constraints or lack of resources. However, a generic expert judgment method tailored to the purpose of the study was adopted, as illustrated.
Elicitation of expert opinion through a questionnaire was acknowledged to be more difficult than through a face-to-face, one-on-one interview. Moreover, by keeping the questions simple, the study attempted to avoid the pitfalls of potential misunderstanding. Patients were asked for self-assessment of those judgment where the expert felt less certain. For the purpose of this research, the Expert Judgment evaluation Worksheet was used as the primary evidence for verification and validation of the
Previous findings identified SoE attack risk as one of the most critical risks in the organization. Therefore, a dedicated framework must be established to address this issue. Before the framework components were proposed, a survey was conducted on 384 respondents from various organizations. Crucially, three additional SoE attack risk factors were discovered in addition to the SoE attack risk of threats and the SoE attack risk of vulnerabilities when dealing with organizational activities. The r
Stage 1 of the framework involves the processes and activities required before the organization embarks on SoE attacking risk study for the organization. Therefore, the three processes in stage I were verified and validated by capturing the necessary data to assess the framework's acceptability. The following section describes the results and findings elicited from experts. The expert judgment on Stage I (SoE attack risk study preparation) and its components generally affirmed its high applicabi
Table 6.1: Key Summary ofExpert Judgment Evaluation - Stage I
Stage I: SoE Attacking Risk Study Preparation
Acceptability
Applicability
Framework Components
Experts feedback
Important
High
High
A1
SARSP 1
identify scope
(Preliminary
(Getting with
Study for
Senior
SARM)
Management)
Proposal must be
High
High
A2
brief
(Prepare
SARM
Proposal)
Define evaluation criteria
High
High
A3 (Senior Management Evaluate SARM
Proposal)
Normally
Moderate
Moderate
A4 (Senior
SARSP 2
Management
(SARM-
Evaluate
SARAT
SARM-
Team
SARAT
Selection)
Proposal
Clearly define the awareness of SoE attacks
High
Moderate
A5 (Define SARAT roles and Responsibilities for the entire process of study
Sometimes
Moderate
Moderate
A6 (Conduct necessary training or workshop for
SARAT team members)
Experts feedback
Acceptability
Applicability
Framework Components
Relate SoE to technological issues
Moderate
Moderate
A7 (Setting Scope of Evaluation for SoE Attacking Risk Study)
SARSP 3
(Setting Scope of SoE
Attacking Risk Study)
SoE attacking risk must be define clearly
Moderate
high
A8
(Describe and define SoE Attacking Risk scope for the evaluation)
Common practices
Moderate
Moderate
A9
(Describe and define the scope of SoE
attacking risk)
Applicable but a lot of time and resource needed
Moderate
Moderate
A10
(Describe and define scope of SoE attacking risk treatment)
The captured data on the preliminary study of risk management for SoE attacks and related input for proposal preparation. The experts strongly agreed that senior management was the key element in ensuring the success of SARM in the organization. Specifically, the data captured show that identifying the preliminary impact is also necessary. For example, the availability of a Data Recovery Centre (DRC) is one of the SoE attack risks of digital evidence issues. The potential impact normally involve
Experts verified that the application of this process, as well as well-defined scopes facilitated the management and delivery. The expert judgment verified the importance of information security professionals being able to link the protection strategy, mitigation plan and action plan list with SoE attack risk. The scope of the protection strategy focuses on how the organization sets up a strategy to safeguard digital evidence for the organization. The scope of the mitigation plan explains how th
Framework Stage II involves the processes and activities required during SoE attack risk evaluation and planning. Three processes for stage II were verified and validated by experts to capture the necessary data to assess the framework acceptability, applicability and acceptability of the practices. The following section describes the results and findings of the application. Almost all the processes in Stage II were highly recommended by the experts, based on their applicability and acceptabilit
The expert's assessment of the third component, such as the SoE attack risk treatment planning and its seven (7) steps, also affirmed its high applicability and acceptability. Generally, the experts viewed SoE attack risk treatment plan workshop preparation as good practice and should be conducted if time is allowed. The next five steps were considered to be highly applicable. First, developing an integrated protection strategy was seen as a key strengthening process, while the third step, devel
Table 6.2: Key Summary ofExpert Judgment Evaluation - Stage II
Stage II: SoE Attacking Risk Evaluation and Planning (SAREP)
Experts
Acceptability
Applicability
Framework Components
feedback
Defined in terms of human, technology and process
Moderate
High
B1 (Review organizational activity)
SAR-EP 1 (SoE
attacking risk Identification)
Experts feedback
Acceptability
Applicability
Framework Components
Applicable, requires team member
Moderate
Moderate
B2 (Discuss and identity SoE attacking risk Issues and Area
participation
of Concerns)
Provide full description of security requirement
Moderate
Moderate
B3 (Create awareness practice about
(CIA)
SoE attacks)
Assist identification of digital evidence
Moderate
High
B4 (Create SoE attacking risk of vulnerability profile for
digital evidence)
Assist identification of service provider uncertainties
Moderate
High
B5 (Create SoE attacking risk of threat profile for digital evidence)
Assist identification of SoE attacking risk of management defects profile
Moderate
High
B6 (Create SoE attacking risk of management defects profile for digital evidence)
Provide complete description of SoE attacking risk of unexpected change profile for digital evidence
Moderate
High
B7 (Create SoE attacking risk of unexpected change profile for digital evidence)
Experts feedback
Acceptability
Applicability
Framework Components
Define CIA trend of digital evidence
High
High
B 8 (Create SoE attacking risk of digital evidence)
B9 (Compile and consolidate digital evidence, Security Requirements Threats, Vulnerabilities, to SoE attacking risk
Clear view of SoE attacking risk identification
Moderate
Moderate
description)
Acceptable the worksheet
Moderate
Moderate
Worksheets
Needed when necessary
Moderate
Moderate
B10 (Risk Analysis Workshop
SAR-EP 2 (SoE
Attacking
Preparation)
Risk
Analysis)
Needed careful assessment
Moderate
Moderate
B11 (Identify
the impact of the SoE Attacking Risk of Threats)
Key activity for risk evaluation
Moderate
Moderate
B12 (Identify the impact of the SoE Attacking Risk of
Vulnerability)
Measure impact against digital evidence
Moderate
Moderate
B 13 (Identify the impact of the SoE Attacking Risk of management
defects)
Experts feedback
Acceptability
Applicability
Framework Components
Lead to organize mitigation preparation
Moderate
Moderate
B14 (Identify the impact of the SoE Attacking Risk of unexpected
change)
As and when required
Moderate
High
B15 (Review Priority of SoE Attacking
Risk)
Depend on nature of risk
Moderate
High
B16
(Selection of Mitigation Approach accept or mitigate or
transfer)
Acceptable but simplified the worksheet
Moderate
Moderate
Worksheets
Must be clearly identity the digital evidence in the organization
Moderate
Moderate
B17 (SoE
SAREP 3 (SoE
Attacking Risk Treatment
Attacking Risk Treatment plan workshop Preparation)
Planning)
SoE attacking risk management practice
Moderate
Moderate
B18 (Develop an Integrated
Protection Strategy)
Consider the technology, human and process in the
Moderate
Moderate
B19 (Develop an Integrated mitigation Plan)
organization
Carefully consider the SoE attacking risk in the
Moderate
Moderate
B 20 (Create Risk Treatment Action List)
organization
Experts feedback
Acceptability
Applicability
Framework Components
Carefully consider the SoE attacking risk treatment plan
High
Moderate
B21 (Prioritize SoE Attacking Risk Treatment
in the organization
Plan Execution)
Documentation should be clear
Moderate
Moderate
B22 (Prepare Risk Treatment Plan Document and Presentation for Senior
Management)
Senior management actually decide what type of prevention technique they should use to their organization
Moderate
Moderate
B23 (Conduct Risk Treatment Plan Presentation for Senior Management
Review)
Depend on the organizations
Moderate
Moderate
Worksheet
As part of the evaluation process, a review of related documents provided SARAT with a clear understanding from a conceptual view of the necessary input to identify the inherent risk of an SoE attack. Systems-related and operational user manuals, the organization's digital evidence storage policy, the service provider's information security policies and the enterprise network design architecture are among the major documents reviewed to identify SoE attack risk. SARAT discusses related issues wi
Asset: Name of digital evidence (Exam Question Papers)
Access: Type of access to the Exam Question Papers (Mobile Aps, Web page)
Actor: Persons who exploit the SoE attack risk of threats (internal/external)
Motives: Collect the digital version of exam question papers (Deliberate)
Outcome: Effect showing the weakness of the organization (disclosure of the weakness of the organizational security)
Impact: Bad impact (organizational reputation)
According to the experts, the inclusion of the SoE attack risk of vulnerability profiles for digital evidence creation in the framework provides a clear view of vulnerability-related activities in the organization. In reviewing current information security practices for preventing SoE attacks, the experts attest that the creation of this profile allows the SARAT to compile and consolidate the properties of the risk of vulnerability factors being attacked by the SoE. For example, before creating
Asset: Name of digital evidence (personal data)
Key Classes: SoE attack risk of the vulnerability class (software and telecommunication)
Vulnerability Component: Software Application (Code Defects)
Outcome: Lost or Destruction (Unreasonable Telco charges because of code defects)
Impact: Reputation of the organization initiator and Telco companies, monetary losses to system users, high expenses of legal attorney and payment for reputation damage by Telco companies.
By creating the SoE attack risk Management Defect (Mgt_d), SARAT can think of the possibility of defects when managing the risk of SoE attack in the organization. Through the expert judgment exercise, the SARAT was required to identify sources of SoE attack risks of management defects for digital evidence. The source of defects could originate from related persons, processes or technology. Other relevant sources of defects could also be identified, and their description was provided in the SoE a
Asset: Name of digital evidence (personal data)
Source of SoE attacking risk Management Defect: Network Communication Technology (Business Process failures or recovery)
Outcome: Interruptions (Business Process)
Impact: Business process reliability, and user confidence to in the service.
Similarly, creating a profile to of the SoE attack risk of unexpected change or uncertainty in the service provider (Unxch) also gives the SARAT another different dimension to consider. An evaluation of its applicability and acceptability by experts also showed that creating this kind of profile contributes to additional efforts in minimizing potential SoE attack risk. Specifically, creating the "Unxch" required answering the following question (Unxch - Technological Changes):
Asset: Name of digital evidence (personal data)
Source of the risk of unexpected change caused by SoE attacks: Technological changes (development platform and system integration)
Outcome: Interruption of the business process.
Impact: Wastage of organization investment and time on the business process.
At the end of the process of identifying the risk of SoE attack, all the profiles were consolidated to create a profile of the risk of SoE attack, together with digital evidence security requirements. All the experts commented that the consolidation of all the profiles from multiple types of profiles allows analysts to view multiple dimensions of SoE attack risk. Therefore, managing SoE attack risks becomes more systematic and more effective. Generally, the worksheets prepared for this framework
Expert Judgment Results: The risk management framework component is logical but depends on organizational activity. SoE attack risk analysis for the organization. Analyses of SARs focus on the probability and impact of risk. Before evaluating the impact. SARAT is required to establish risk evaluation criteria. SARAT uses these criteria to measure and evaluate the impact on the organization. The main reason for analyzing SoE attack risk is to prioritize the risks to enable an appropriate mitigati
SoE attacking risk of threats - Unauthorized access to digital evidence such as the National Level Examination Question.
SoE Attacking Risk of Vulnerabilities -- Network Service Provider.
SoE attack risk of management defects (Mgt_d) - Business process recovery defects
SoE attack risk of unexpected change (Unxch) - Technological changes.
The mitigation approach to handling unauthorized access to digital evidence was through strengthening the processes and procedures of identity management and database user accounts. Mitigation approaches include seeking legal resources to address network service provider vulnerabilities of source code that cause monetary losses to users. To minimize the risk of management defects such as recovery failures at the data center, the business continuity plan (BCP) should be revised more frequently to
Expert judgment results: The risk of treating planning for the organization according to the SoE attack results from the experts' evaluation of the framework components demonstrate that a well -prepared SoE attack risk in the treatment plan determines its successful execution. Therefore, a workshop to streamline all related mitigation plans is important. This workshop will enable the involved parties to contribute their thoughts on preparing the plan for risk treatment involving SoE attacks. The
The Framework Stage III involves the processes and activities required during the implantation of the treatment plan for the organization. Three processes were reviewed by the experts to capture the necessary data to assess the framework acceptability. The following section describes the results and findings from the expert verification and validation of Stage III in the confirmatory study. In essence, the final stage of the SARM framework was highly recommended by experts. The first component o
Table 6.3: Key Summaryof Expert Judgment Evaluation - Stage III
Stage III: SoE attacking risk Monitor and Control
Experts Feedback
Acceptability
Applicability
Framework Components
Provides
High
Moderate
C1
SAR-MC 1
understanding
(Briefing
(SoE
about
the
attacking
the
SARAT
risk
execution
approved
Treatment
plan
version of
execution)
SoE
attacking risk
Treatment
Plan)
Common practice
Moderate
High
C2
(Prepare
For Risk
Treatment
Execution)
Execution
Moderate
High
C3
of treatment
Execute
depend on
Risk
priorities
Treatment
of risk
Action
Plan)
Depend on the
Moderate
Moderate
Worksheets
organization
Experts Feedback
Acceptability
Applicability
Framework Components
Need
Moderate
Moderate
C4
SARMC 2
Sufficient
(Acquire
(SoE
information
Data
attacking
Tracking
risk of
The
treatment
Progress
monitoring)
Of action
Plan)
Need
Moderate
Moderate
C5
Sufficient
(Analyze the
information
progress of
action items
and risk indicator data)
Need Sufficient information
Moderate
Moderate
C6
(Report analyzed Action plan progress and risk indicator
data)
Depend on the organization
Moderate
Moderate
Worksheets
Applicable and practical
Moderate
Moderate
C7
SARMC 3 (SoE
(Analyzing Risk Treatment Performance And
attacking risk of Treatment Control)
Risk Data)
Consider Existing Treatment Action plan
Moderate
Moderate
C8
(Making Decision About
Changes in Treatment Action Plan)
Experts Feedback
Acceptability
Applicability
Framework Components
Evaluate
Moderate
Moderate
C9
The indicator of risk
(Execute New Decision Changes in treatment
action plan)
Logical but depend on the organization
Moderate
Moderate
Worksheets
Expert Judgment Results: To increase the risk of attack during treatment execution for the organization, it is necessary to execute the SoE attack risk during treatment, and that would be necessary to clarify the roles of each team member in addition to individual skills and experiences. Briefing the SARAT and other related teams on the approved version of the SoE attack risk treatment provided a picture of the actual treatment work. Before the execution of the treatment plan, necessary preparat
Expert Judgment Results: The SoE attack risk of treatment monitoring for the organization results from the experts' judgment verification and validation confirmed that the SoE attack risk treatment and monitoring are important in the process of mitigating the SoE attack risk of for the organization. SARAT was used to measure the effectiveness of specific treatments or action plans. The progress of treatment plans was monitored using the risk treatment action plan item performance worksheet. This
Expert Judgment Results: The purpose of the risk treatment control process is to make informed, timely and effective decisions about corrective measures or changes in current risk treatment plans and action lists, if necessary. Generally, experts verify the importance of such a component because it can affect the entire allocation of resources in managing SoE attack risk, moreover, the risk indicator trend, deviation and abnormality need to be unalloyed in SARAT. The purpose of this analysis is
SoE attack risk issues are the most important when dealing with the confidentiality, integrity and availability of digital evidence. An information security expert ensures that the infrastructure is equipped with security features to prevent the intrusion of irresponsible individuals. Moreover, data security is provided to ensure that services do not compromise the safety of consumer data and government agencies. Digital evidence can be accessed only by authorized users, and a verification proce
The expert judgment confirmed the introduction of the five SoE attack risk factors (SoE attack risk of threats, SoE attack risk of vulnerabilities, SoE attack risk of management defects, SoE attack risk of unexpected changes and SoE attack risk of digital evidence) into the framework. Thus, the entire process of managing the risk of attack by the SoE considers these information security risk factors. Through several meetings with personnel, it was found that a limited comprehensive SoE attack ri
SARM focuses on the operational level of organizational activities.
The preliminary SoE attack risk of study for the organization began when it was awarded to the service provider.
No specific team for SoE attack risk assessment was presented.
Insufficient monitoring of service providers' (vendors') SoE attack risk of management practices and operations.
SoE attack risk management covered only threats and vulnerability risk factors.
Accordingly, the experts agreed that the introduction of the framework is significant and could improve how the organization manages SoE attack risk. Through the expert judgment method, overlooked or unobserved SoE attack risk management efforts were highlighted. Highlighting these security risk management efforts allowed the organizations to improve the way they handled the security of digital evidence in their organizational activities. Before the SoE attack risk study was conducted, the invol
The objective of the framework is to manage SoE attack risk in the organization. The inclusion of the theoretical foundation and empirical and exploratory validation make this framework reliable and robust. Even when all these constructs are included in the SARM framework, their impact on organizations remains unknown since the previous framework has combined all the above-mentioned constructs. Consequently, using an expert judgment method, the framework was verified and validated in a scientifi
Without a dedicated framework and guidelines, significant stages, processes and activities in SARM for organizational practices could be omitted, thus hampering the achievement of optimum benefit. Supplementary findings were also gathered from this study. Even though organizations have tried to apply SoE attack risk management, some of the overlooked challenges should be overcome to improve SARM practices. Furthermore, investing time and effort in structured SARM practices, as proposed in the fr
References
Abawajy, J. (2014). User preference of cyber security awareness delivery methods. Behavior & Information Technology, 33 (3), 237-248.
Adrian. M. (2017). Running the Risk IT - More Perception and Less Probabilities in Uncertain Systems. Information & Computer Security, 25 (3), 45-59.
Alberts, C., & Carol, W. (2007). Considering Operational Security Risk during System Development, IEEE Security & Privacy, 5 (1), 30 - 35.
Alfonsi, C., Rabiti, D., Mandelli, J.J., Cogliati, R.A., Kinoshita. (2013). Raven As A Tool For Dynamic Probabilistic Risk Assessment: Software Overview. International Conference on Mathematics and Computational Methods Applied to Nuclear Science & Engineering, 5 (4), 456- 467.
Algarni, A., Xue, Y., & Chan, T. (2017). An empirical study on the susceptibility to social engineering in social networking sites: the case of Facebook. European Journal of Information Systems, 26 (6), 661-687.
Amanda Andress. (2003). Surviving Security: How to integrate People, Process and Technology, 2nd ed., Auerbach Publications.
Anita, V., & Les Labuschagne. (2009). A framework for comparing different information security risk analysis methodologies. ACM Digital Library, 28 (4), 651-667.
Ana. F., Gabriele. L. (2016). An analysis of social engineering principles in effective phishing. IEEE, 3 (5), 33-49.
APCERT. (2014). Computer Security Incident Response Teams (CSIRTs) Report, 2014. Appin Security Group. (2017). Information Security Management Practices Report.
Applegate, S.D. (2009). A Global Perspective of Social Engineering: Hacking the Wetware. Information Security Journal: A Global Perspective, 18 (1), 40-46.
Ayesha. M. & Muhammad. M. (2013). Security Framework for Cloud Computing Environment: A Review. Journal of Emerging Trends in Computing and Information Sciences, 3 (3), 91-101.
Bill. G. & Valerie. T. (2016). Building an information security awareness program: Defending against social engineering and technical threats. Elsevier. Copyright.
Bob. B., Ellen. M., Dan. G. (2005). Information security is information risk management. Proceedings of the 2001 workshop on New security, 4 (1), 97-104.
Brill. A., Pollit, M., & Whitcomb, C. M. (2013). The Evolution of Computer Forensic Best Practices: An Update on Programs and Publications. Journal of Digital Forensic Practice, 1 (1), 3- 11.
Buskirk, E.V. & Liu, V.T. (2006). Digital Evidence: Challenging the Presumption of Reliability. Journal of Digital Forensic Practice, 1 (1), 19-26.
Cheung, S. K. S. (2014). Information Security Management for Higher Education Institutions. Intelligent Data analysis and its Applications, 1 (2), 55-68.
Christopher. H. (2018). Social Engineering: The Science of Human Hacking. John Wiley & Sons.
Christopher. H. (2013). Managing Information Security Risks: The Octave Approach. Addison- Wesley Longman Publishing.
Clif A. Ericson (2016). Hazard analysis techniques for system safety. John Wiley & Sons.
Cojazzi. G (1996). Preliminary Requirements for a Knowledge Engineering Approach to Expert Judgment Elicitation in Probabilistic Safety Assessment. International Conference on Probabilistic Safety Assessment and Management, 24 (2), 491-498.
Cojazzi G., Keejam (2003). Benchmark exercise on expert judgment techniques. Nuclear Engineering and Design, 21 (1), 211-221.
Cooke & Goossens (2010). TU Delft expert judgment data base. Reliability Engineering & System Safety, 93 (5), 657-674.
Cooke. M., & Abigail, R. (2017). Cross validation for the classical model of structured expert judgment. Reliability Engineering & System Safety, 163 (1), 109-120.
Cooke, M., Julie. C., Ryana.T. (2012). Quantifying information security risks using expert judgment elicitation. Computers & Operations Research, 39 (4), 774-784.
Cojazzi & G. Fogli.D (2001). Benchmark Exercise on Expert Judgment Techniques in PSA Level 2. Nuclear Engineering and Design, 1 (3), 211-221.
Conway. B.A. (2010). Calibrating Expert Assessments of Advanced Aerospace Technology Adoption Impact. Dominion University Journal, 3 (1), 22-29.
Cremonini, M. & Nizovtsev, D., (2009). Risks and Benefits of Signaling Information System Characteristics to Strategic Attackers. Journal of Management Information Systems, 26 (3), 241- 274.
D'Arcy, J., Herath, T.& Shoss, M.K. (2014). Understanding Employee Responses to Stressful Information Security Requirements: A Coping Perspective. Journal of Management Information Systems, 31 (2), 285-318.
Daniel, D., Yuval, E. (2016). A model of the information security investment decision- making process. Computers & Security, 63 (4), 1-13.
Donn. B. (2013). Toward a New Framework for Information Security. John Wiley & Sons.
Duff, A. S. (2007) Social Engineering in the Information Age. An International Journal, 21 (1), 67- 71.
Dwyer. F., Schurr, P., & Ohior, S. (1999). Developing Buyer--Seller Relationship. Journal of Marketing, 51 (2), 11-19.
Edward. H. (2015). Implementing the ISO/IEC 27001 Information Security Management System Standard. The ACM Digital Library, 11 (2), 109-120.
Ekelhart. A., Fenz. S., & Neubauer.T. (2009). AURUM: A Framework for Information Security Risk Management. System Sciences (HICSS), Annual Hawaii International Conference, 4 (2), 30- 39.
Ekelhart. A., Fenz. S., & Neubauer. T. (2009). Ontology-Based Decision Support for Information Security Risk Management. ICONS International Conference, 2 (1), 79-87.
Eisenhardt, K. M. (1989). Agency Theory: An Assessment and Review, Academy of Management. The Academy of Management Review, 14 (1), 57-61.
Eyong. K. (2014). Recommendations for information security awareness training for college students. Information Management & Computer Security, 3 (2), 33-45.
Eloff, M., & Solms, S. (2014). Information Security Management: A Hierarchical Framework for Various Approaches. Computers & Security, 19 (3), 243-256.
Fan. W., Kevin. L. (2017). Social Engineering: I-E based Model of Human Weakness for Attack and Defense Investigations. Computer Network and Information Security, 9 (1), 1 - 11.
Feriel. D., Selmin. N. (2014). A benchmarking framework for methods to design flexible business processes. Software Process: Improvement and Practice, 12 (1), 51-63.
Georg. D. (2014). ISO/IEC 27000, 27001 and 27002 for Information Security Management. Journal of Information Security, 4 (2), 92-100.
Gewald. H., Wollemscbcr, K. & Weitzel, T (2014). The Influence of perceived risks on banking managers intention to organizational business process - A Study of German banking and finance industry. Journal of Electronic Commerce Research, 7 (2), 78-96.
Gerben. S., Peter. E., Margareta. W., Gerard. G. (2015). Managing Risk and Resilience. Academy of Management Journal, 58 (4), 305-314.
Gita Radhakrisna. (2014). Digital evidence in Malaysia. Journal of Digital Evidence and Electronic Signature Law Review, 31 (5), 220-240.
Gregory. R., Hancock. L., Stapleton. R. (2018). The Reviewer's Guide to Quantitative Methods in the Social Sciences. Taylor & Francis Group.
Gurpreet. D., Romilla. Syed. & Cristiane. P. (2016). Interpreting information security culture: An organizational transformation case study. Computers & Security, 56 (2), 63- 69.
Hartini. S., Zaiton. H. (2013). The application of the digital signature law in securing internet banking: Some preliminary evidence from Malaysia. Procedia Computer Science, 3 (2), 248-253.
Heidi. W. & Maumita. B. (2016). Countering Social Engineering Through Social Media: An Enterprise Security Perspective. Journal of Computational Collective Intelligence, 14 (2), 54-64.
Ian Mann. (2018). Hacking the human: social engineering techniques and security countermeasures. Taylor & Francis Group.
Isabella McMurray & Charlotte Brownlow. (2016). SPSS explained. Taylor & Francis Group.
Jacques, B & Rossouw V. A cyclic approach to business continuity planning. Information Management & Computer Security, 12 (4), 328-337.
Joe. F., Christian. M., & Marko. S. (2012). PLS-SEM: Indeed a Silver Bullet. Journal of Marketing Theory and Practice, 19 (2), 139-152.
Joe. F., Hair. J., Marko. S., Lucas. H., & Volker. G. (2015). Partial least squares structural equation modeling (PLS-SEM): An emerging tool in business research. European. Business Review, 7 (2), 79-89.
Joseph. F., Tomas. M. (2016). A Primer on Partial Least Squares Structural Equation Modeling (PLS-SEM). SAGE Publications.
Juhani. A., Kari. J., Jorma. K., Ilkka. K. (2013). Integrating ISO/IEC 27001 and other Managerial Discipline Standards with Processes of Management in Organizations, 6 (2), 73-89.
Justin, W., Eggstaff, T., Mazzuchi S. (2014). The Development of Progress Plans Using a Performance-Based Expert Judgment Model to Assess Technical Performance and Risk. Systems Engineering, 22 (6), 471-484.
Halliday Badenhorst. S. and Solms, V. (2003). A Business Approach to Effective Information Technology Risk Analysis and Management. Information Management and Computer Security, 4 (1), 19-31.
Harold. F., Micki. k. (2013). Information security management handbook. Taylor & Francis Group.
Harwood, I. A. (2006). Confidentiality constraints with mergers and acquisitions. Gaining insights through a 'bubble' metaphor. British Journal of Management, 1 (7), 347-359.
Hartini, S.& Zaiton, H. (2011). The application of the digital signature law in securing internet banking: Some preliminary evidence from Malaysia. Procedia Computer Science, 3 (1), 248-253.
Hawkins, S. M., Yen, D.C., and Chou, D.C. (2000). Disaster Recovery Planning. A Strategy for Data Security. Information Management and Computer Security, 8 (3), 222- 230.
Heidi. W., Maumita B., Rafiqul I. (2014). Social Engineering through Social Media: An Investigation on Enterprise Security. International Conference on Applications and Techniques in Information Security, 5 (3), 243-255.
Hinson, G. (2011), Handbook of Research on Social and Organizational Liabilities in Information Security. Taylor & Francis Group.
Hinson G. (2013). Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement. The EDP Audit, Control, and Security Newsletter, 43 (3), 9-15.
Hinson, G. (2007). The State of IT Auditing in 2007. The EDP Audit, Control, and Security Newsletter, 36 (1), 13-31.
Hinson, G. & Brotby, W.K. (2016). PRAGMATIC Security Metrics: Applying Metametrics to Information Security. CRC Press, Taylor & Francis Group.
Hinson, G. (2008). Social Engineering Techniques, Risks, and Controls. The EDP Audit, Control, and Security Newsletter, 37 (4), 32-46.
Jean Boltz (2015). Informational Security Risk Assessment: Practices of Leading Organizations. Diane Publishing.
Jeb.W., Atif.A., Maynard.G. (2015). A situation awareness model for information security risk management. Computers & Security, 44 (2), 1-15.
Joseph F. & Tomas. M. (2016). A Primer on Partial Least Squares Structural Equation Modeling (PLS-SEM). SAGE Publications.
Joseph F., Jeffrey. R., Marko. S. & Christian. M. (2019). When to use and how to report the results of PLS-SEM. European Business Review, 25 (3), 456-469.
John Gerring. (2015). Social science methodology: A criterial framework. Cambridge University Press.
K. Papadaki. K., & Nineta. P. (2015). Towards a Systematic Approach for Improving Information Security Risk Management Methods. IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications, 4 (2), 55-61.
Katharina. K., Heidelinde. H., Markus. H., Edgar. W. (2015). Advanced social engineering attacks. Journal of Information Security and Applications, 22 (3), 113-122.
Kebande. V. R. & Venter, H. S. (2018). Novel digital forensic readiness technique in the cloud environment. Australian Journal of Forensic Sciences, 50 (5), 552-591.
Kebande, V. R. & Venter, H. S. (2018). On digital forensic readiness in the cloud using a distributed agent-based solution: issues and challenges. Australian Journal of Forensic Sciences, 50 (2), 209-238.
Kim, E.B. (2013). Information Security Awareness Status of Business College: Undergraduate Students. Information Security Journal: A Global Perspective, 22 (4), 171- 179.
Kliem. R. (2008). Managing the Risks of Offshore IT Development. The EDP Audit, Control, and Security Newsletter, 32 (4), 12-20.
Korchenko, O., Vasiliu, Y. & Gnatyuk, S. (2014). Modern quantum technologies of information security against cyber-terrorist attacks. Journal of Aviation, 14 (2), 58-69.
Leandre. R., Fabrigar & Duane. T. (2014). Exploratory Factor Analysis. Oxford University Press. Linstone. M. (1999), The Delphi Method Techniques and Applications. Addison Wesley.
Louis. A. (2010). What's Wrong with Risk Matrices? Wiley Online Library, 28 (2), 497 - 512.
Logan, M. S. (2000). Using Agency Theory to Design Successful Organizational Relationship. International Journal of Logistics Management, 11 (2), 21-31.
Lund, S., Den Braber, F., Stolen, K. & Vraalscn
F. (2015). A UML profile for the identification and analysis of security risks during structured brainstorming, STEF Technical Journal, 4 (3), 220- 234.
MAMPU (2019). The Malaysian Public Sector Information Security High-Level Risk Assessment (HiLRA) Guide. National Library of Malaysia.
Marian, C., Karen, R., Stephen, M, & Conor O'Brien. (2017). A Framework for Information Security Governance and Management. IT Professional, 18 (2), 22 - 30.
Maria. E., Garcia. U., Josefina. L., Murillo. L. (2017). Application of the Delphi Method for the Analysis of the Factors Determining Social Entrepreneurship, 9 (1), 43-66.
Malaysian Cyber Security (2018), The Malaysian public and private Sector Information Security Risk Assessment Methodology.
Manes, G. W. & Downing, E. (2010). What Security Professionals Need to Know About Digital Evidence. Information Security Journal: A Global Perspective, 19 (3), 124- 131.
Manske.K. (2008). An introduction to social engineering. Information Systems Security, 9 (5), 1-7.
Malacaria, P. (2007). Assessing security threats of looping constructs. Proc. ACM Symposium on Principles of Programming Language, 3 (1), 56-67.
Malacaria, P. & Chen (2008). Lagrange Multipliers and Maximum Information Leakage in Different Observational Models. Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security Journal, 5 (1), 135-146.
Malhotra. N K (1996), Marketing Research and Applied Orientation. 4th Edition, New York. Prentice Hall.
Markus. H., Stewart. K., Marcus. N. (2009). Towards Automating Social Engineering Using Social Networking Sites. International Conference on Computational Science and Engineering, 8 (1), 65-77.
Menezes. A., van. P. &Vanstone. S. (1997). Handbook of Applied Cryptography. CRC Press.
Mingscong Ju, Scoksoo Kim, and Tai-Noon Kim. (2017). A Study on Digital Media Security by Hopfield Neural Network. Advances in Neural Networks, 5 (1), 140-153.
Marshall, K., Matthew, S. &Philip, K. (2018). Cyber Risk Management for Critical Infrastructure: A Risk Analysis Model and Three Case Studies. Wiley Online Library, 38 (2), 226-241.
Michael. J. (2007). Information Management System: The Organizational Dimension. Oxford University Press.
Muhammad, S., Maimoona, S., Alain, F., Norizan, J. (2018). Impact of service quality on customer satisfaction in Malaysia airlines: A PLS-SEM approach. Journal of Air Transport Management, 67 (1), 169-180.
Mohamed. G., Sophia. F., Hicham. M., Adil. S. (2016). Information Security Risk Assessment - A Practical Approach with a Mathematical Formulation of Risk. International Journal of Computer Applications, 103 (8), 89-99.
Mustaruddin, S., Norhayah Z. & Rusnah M. (2010). Malaysian Corporate social responsibility disclosure and its relation on institutional ownership. Managerial Auditing Journal, 2 (6), 349-350.
Manske, K. (2006). An Introduction to Social Engineering. Information Systems Security, 9 (5), 1- 7.
Mohamed, N., Nawawi, A., Ismail, I. S., Ahmad., S.A., Azmi, N.A. & Zakaria, N.B. (2013). Cyber fraud challenges and the analysts competency: Evidence from digital forensic department of Cyber Security Malaysia. Recent Trends in Social Sciences -Proceedings of the 2nd International Congress on Interdisciplinary Behavior and Social Sciences, 3 (2), 581-583.
Molok, N.N.A., Ahmad, A. & Chang, S. (2018). A case analysis of securing organisations against information leakage through online social networking. International Journal of Information Management, 43 (4), 351-356.
Myyry, L., Siponen, M., Pahnila, S. & Vartiainen, A. (2009). What levels of moral reasoning and values explain adherence to information security rules? An empirical study. European Journal of Information Systems, 18 (2), 126-139.
Nabie. Y., Conteh P., Schmick. (2016). Cybersecurity: risks, vulnerabilities and countermeasures to prevent social engineering attacks. International Journal of Advanced Computer Research, 23 (6), 345-360.
Nader. S., Safa. R. & Solms. L. (2016). Human aspects of information security in organizations. Computer Fraud & Security, 3 (2), 15-18.
Ned. K. (2016). Common method bias in PLS-SEM: A full collinearity assessment approach. International Journal of e-Collaboration, 5 (2), 70-89.
Neeta. S., & Sachin. K. (2014). A Comparative Study on Information Security Risk Analysis Practices. International Journal of Computer Applications, 11 (3), 123-139.
Nikolaos.A., Konstantinos. A., Haralambos. M., Andrew. F. (2017). Decision-Making in Security Requirements Engineering with Constrained Goal Models. Computer Security, 34 (2), 262-280.
Nik.Z., Azlinah. M. & Noor. H. (2010). Information security risk factors: Critical threats vulnerabilities in ICT outsourcing. IEEE, 23 (4), 65-79.
Nik.Z., Azlinah. M. & Noor. H. (2013). ICT Outsourcing Information Security Risk Factors: An Exploratory Analysis of Threat Risks Factor for Critical Project Characteristics. Journal of Industrial and Intelligent Information, 1 (4), 44-59.
Nik. Z., Shekh. A. (2019). Toward Fact- Based Digital Forensic Evidence Collection Methodology. International Journal for Information Security Research (IJISR), 9 (1), 67- 79.
Nik. Z., Shekh. A. (2018). Legal Protection of intellectual property rights (IPR) in Bangladesh. International Journal of Law. Government and Communication, 3 (12), 71- 89.
Nik. Z., Shekh. A. &Tan. T. (2018). Viewpoint of Probabilistic Risk Assessment in Artificial Enabled Social Engineering Attacks. BITARA International Journal of Civilizational Studies and Human Sciences, 1 (4), 32-39.
Nik. Z., Noor. H. & Azlinah. M. (2010). Conceptual Framework on Information Security Risk Management in Information Technology. Journal of Media and Information Warfare, 3 (4), 77 - 104.
Nina Godbole (2017). Information System Security, Security Management, Metrics, Framework and Best Practices. John Wiley & Sons, Inc.
Noor. H., Yap. M., Azlinah. M. (2007) Inherent risks in ICT. Proceeding of the 8th WSEAS Conference, 8 (1), 141 - 146.
Noor. H., Azlinah. M. (2012). Chaos issues on communication in Agile Global Software Development. IEEE Business, 6 (2) 55-68.
Noor. H., Azlinah. M. (2010). IT governance practices model in IT project approval and implementation in Malaysian public sector. IEEE, 12 (1), 442-456.
Noor. H., Azlinah. M. (2010). Information Technology governance practices in Malaysian public sector. IEEE, 2 (1), 44-56.
Otway. H. and Wintcrfeldt, D. von, (1999). Expert judgment in risk analysis and management: Process, context, and pitfalls. The Journal of Risk Analysis, 12 (1), 83-93.
Parker Donn (2014). Toward a New Framework for Information Security, Computer Security Handbook New York: John Wiley & Sons.
Peltier. T. R. (2012). Information Security Risk Analysis. 3rd Edition CRC Press, Taylor & Francis Group.
Peltier, T. R. (2006). Social Engineering: Concepts and Solutions. Information Systems Security, 15 (5), 13-21.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Taylor & Francis Group.
Price Waterhouse Coopers (2010). Information Security Breach Survey. Journal of Current research in computing, 4 (2), 67-73.
Patton, M.Q. (2004). Two Decades of Developments in Qualitative Inquiry: A Personal, Experiential Perspective. Journal of Developmental Child Welfare, 1 (3), 261-283.
Poppo, L. & Zenger. T. (1998). Testing Alternative Theories of the Finn: Transaction Cost, Knowledge-Based, and Measurement Explanations in Information Services. Strategic Management Journal, 19 (9), 853-862.
Posey. C., Roberts. T.& Lowry. P. (2015). The Impact of Organizational Commitment on Insiders' Motivation to Protect Organizational Information Assets. Journal of Management Information Systems, 32 (4), 179-214.
Rahul Singh (2015). Kali Linux Social Engineering - Effectively perform efficient and organized social engineering tests and penetration testing using Kali Linux. Packt Publishing Inc. Ltd.
Rai Kaplan. (2010), A Matter of Trust, Information Security Management, Handbook. 5 Edition.
Rossouw. V., Solms. J. Niekerk. (2014). From information security to cyber security. Computers & Security, 38 (4), 97-102.
Sameer, H., Bharanidharan, S., Ganthan, N., Norbik, B., Azuan, A. (2014). Security risk assessment framework for cloud computing environments. Wiley Online Library, 7 (11), 114-124.
Sandelowski, M. (2013). Focus on Research Method, Combining Qualitative and Quantitative Sampling, Data Collection, and Analysis Techniques in Mixed-Method studies. Research in Nursing and Health, 23 (1), 246-255.
Selcaran, U. (2016). Research Methods for Business, 5rd Edition. New York: John Wiley an Sons.
Shaun. P. & Rossouw. V. (2006). A framework for the governance of information security. Computers & Security, 23 (8), 638-646.
Shekh. A., Nik. Z., Tan. T. (2019). Toward the Data Security and Digital Evidence-based Solution in Bangladesh Perspective, ZULFAQAR International Journal of Defense Science, Engineering & Technology, 21 (1), 20-19.
Shekh. A., Nik. Z., Tan. T. (2019). Towards the Big Data and Digital Evidence Integrity. Journal of Intelek, 14 (1), 56-63.
Shekh. A. (2019). Security of Electronic Mail System, Folio, FTKW Magazine.
Shekh. A. (2018). Mobile Device Security, 1E- Proceeding of the 1st International MedLit Media Literacy for social change conference 2018, 2 (1), 342-350.
Shekh. A., Nik. Z., Tan. T. (2018). An Investigation of AI enabled Social Engineering (SoE) Attacking Impact in Higher Learning Institute: Structural Equation Modeling (SEM) Approach. Journal of Applied & Computational Mathematics, 23 (2), 562-570.
Shekh. A., Nik. Z. (2018). An Exploratory Factor Analysis of AI Enabled Social Engineering (SoE) Attacking Risk in Higher Learning Institute, Journal of Mass Communication & Journalism, 15 (1), 32-40.
Singleton, T. W. & Singleton, A. J. (2014). The Potential for a Synergistic Relationship Between Information Security and a Financial Audit. Information Security Journal: A Global Perspective, 17 (2), 80-86.
Siti Rahayu, S., Robiah Y., Shahrin S. (2014). Malaysian Mapping Process of Digital Forensic Investigation Framework. International Journal of Computer Science and Network Security, 8 (10), 26-35.
Suci. R., Yasmirah. M., Robbi. R & Andysah. P. (2017). Post-Genesis Digital Forensics Investigation. International Journal of Science and Technology, 3 (6), 123-133.
Sumner, M. (2011). Information Security Threats: A Comparative Analysis of Impact, Probability, and Preparedness. Information Systems Management, 26 (1), 2-12.
Sundresan Perumal (2009). Digital Forensic Model Based On Malaysian Investigation Process. International Journal of Computer Science and Network Security, 9 (8), 119- 126.
Suit & Han. (2008). Information System (IS) analysis based on a business model. Journal of Global Information Management, 14 (3), 39-49.
Tim Bedford, Roger M. Cooke. (2015). Probabilistic Risk Analysis: Foundations and Methods, Cambridge University Press.
Todd. F. (2016). Physical Security. Handbook of Information Security Management. Taylor & Francis Group.
Veiga. A. & Eloff. J. (2009). An Information Security Governance Framework. Information Systems Management, 24 (4), 361-372.
Wiebke, A. (2009). Agents, Trojans and tags: The next generation of investigators. International Review of Law, Computers & Technology, 23 (1-2), 99-108.
Yin, R.K. (1984), Case Study Research Design and Method Newbury Park. CA. SAGE Publications.
Yudistira. A., Paolo. G. (2010). Modeling Risk and Identifying Countermeasure in Organizations. International Workshop on Critical Information Infrastructures Security, 4 (3), 55-66.
Appendix
Introduction
SAREP: SoE ATTACKING RISK IDENTIFICATION WORKSHEET
This worksheet was created by the SoE Attacking Risk Analysis Team (SARAT) to document discussions and the results of a brainstorming session conducted during the SoE Attacking Risk Identification Workshop (Workshop 1). This worksheet consists of the following section:
Section A - SoE Attacking Risk Issues
Section B - Digital evidence and Rationale
Section C - Digital Evidence, Source of Potential Threats, Vulnerabilities and Outcomes
Section D -Organization Digital Evidence Potential Source of Threats, Vulnerabilities and Outcomes Scenario Diagram
Section E - Digital Evidence Description
Section F - Digital Evidence Security Requirement Profile
Section G - SoE Attacking Risk of Threats Profile for Digital Evidence
o Human Factor Problems
o Technology/System Problems
o Other Problems
Section H - Information Security Practices and the SoE Attacking Risk of Vulnerabilities for Systems of Interest
Section I - Relevant Key Class Components for SoE Attacking Risk of Vulnerabilities
Section J - SoE Attacking Risk of Vulnerability Profiles for Digital Evidence
Section K- SoE Attacking Risk of Management Defect
Section L - SoE Attacking Risk of Unexpected Change
Section M- SoE Attacking Risk Profile
ORGANIZATIONAL DESCRIPTION
Duration
Service Provider
User
Owner
Description
Name
SECTION A (ACTIVITY B2) SoE ATTACKING RISK ISSUES
Severity (How serious the issues?)
SoE Attacking Risk Issues
No
Business activity interruptions
1
Data or information theft (Financial Records)
2
Information Leakage (Confidential data or reports)
3
Intellectual Property (IP) Right
4
Information Privacy (Personal or Organization)
5
.................................................................
6
SAREP: SoE ATTACKING RISK IDENTIFICATION WORKSHEET
SECTION B (ACTIVITY)
DIGITAL EVIDENCE AND RATIONALE
Rationale (provide the reason of your selections)
Digital Evidence
No
Business & Financial Records
1
Client's Profiles
2
Archived Data/Information
3
Policy & Procedures
4
Legal & Contract Documents
5
Database & Data Files
6
System Documentation
7
............................................
8
SECTION C (ACTIVITY)
DIGTIAL EVIDENCE, SOURCE OF POTENTIAL THREATS, VULNERABILITIES AND OUTCOMES
Outcomes
Source of SoE attacking risk of
Source of SoE attacking risk of threats
Information
vulnerabilities
Disclosure of
Technology
Deliberate or
Name Of Digital Evidence
Viewing
or
Accidental Human Actor (Internal or
of Sensitive Information or Modification of
Human Process
or
External) or System
defects or Software defects or unavailable
Important or Sensitive
of Malicious Code-
Information or
Virus, Worm, Trojan Horse, Backdoor, etc)
Destruction or loss of
important information,
or Other Problem
(Power outages or Telecommunication Networking or ISP unavailable, etc)
hardware, software etc or Interruption of access
to important
information, software application.
Disclosure
Technology
Deliberate Human Actor
Business & Financial Records
........................
........................
...................................
...............................
............
SAREP: SoE ATTACKING RISK IDENTIFICATION WORKSHEET
SECTION D (ACTIVITY )
ORGANIZATION DIGITAL EVIDENCE POTENTIAL SOURCE OF SoE ATTACKING RISK OF THREATS AND SoE ATTACKING RISK OF VULNERABILITIES AND
OUTCOMES SCENARIO DIAGRAM
SoE ATTACKING RISK AREAS OF CONCERN SCENARIO
SoE Attacking Risk Areas of Concern Scenarios (Please consider digital evidence, source of SoE attacking risk of threats, SoE attacking risk of vulnerabilities and outcomes)
No
Disclosure of Business and Financial Record to unauthorized external user through deliberate action caused by internet or Computer Network Security Vulnerabilities
1
2.
............... of .......................... to unauthorized....................................................................
caused by ...........................................................................
3.
............... of .......................... to unauthorized....................................................................
caused by .........................................................................
4.
............... of .......................... to unauthorized....................................................................
caused by .........................................................................
5.
...................................................................................................................................................
...................................................................................................................................................
SAREP: SoE ATTACKING RISK IDENTIFICATION WORKSHEET
SECTION G (ACTIVITY)
SoE ATTACKING RISK OF VULNERABILITY PROFILE FOR DIGITAL EVIDENCE (HUMAN FACTOR PROBLEMS)
Please consider how the vulnerability occur? who operate the vulnerability? vulnerability outcomes?
Vulnerability Profiles Name
Impact?)
(name of Digital Evidence)
Digital Evidence
Nature of vulnerability
SAREP: SoE ATTACKING RISK IDENTIFICATION WORKSHEET
SECTION G (ACTIVITY)
SoE ATTACKING RISK MANAGEMENT PRACTICES AND VULNERABILITIES FOR THE ORGANIZATION
Please consider to these questions
No
which system(s) is most closely linked to the digital evidence? In which system(s) is the digital evidence stored and processed?
1
Where outside the system of interest do digital evidence move? Backup system? Off-site storage? other?
2
Based on the digital evidence, which system(s) would be the best target of a vulnerability actor acting deliberately?
3
What are the natures of vulnerabilities? Technology? Human? Process? What are the key class of vulnerabilities components?
4
Impact of the vulnerabilities to digital evidence? Impact to organization impact to services? Other?
5
SAREP: SoE ATTACKING RISK IDENTIFICATION WORKSHEET
SECTION G (ACTIVITY)
RELEVANT KEY CLASS COMPONENT FOR SoE ATTACKING RISK OF VULNERABILITIES
INFORMATION
Source of SoE Attacking Risk of Vulnerabilities: Technology Vulnerabilities
Rationale of Selection
Key Classes of Component
Software or Application System
Hardware or Application System
Telecommunication
Source of SoE Attacking Risk of Vulnerabilities: Human
Rationale of Selection
Key Classes of Component
Knowledge/Skills
Culture
Attitude
Source of SoE Attacking Risk of Vulnerabilities: Process
Rationale of Selection
Key Classes of Component
Policies and Procedures
Guidelines
Legal/law
Information security Practices
Source of SoE Attacking Risk of Vulnerabilities: Others
Rationale of Selection
Key Classes of Component
.................................................
................................................
................................................
................................................
SAREP: SoE ATTACKING RISK IDENTIFICATION WORKSHEET
SECTION I (ACTIVITY )
(SoE ATTACKING RISK OF MANAGEMENT DEFECTS PROFILES)
Please consider how the Management Defects occur? What nature of defects? What caused the defects? Key caned by the defects?Impact?)
Management Defects Profile Name
(name of digital evidence)
Digital Evidence
/
SAREP SoE ATTACKING RISK TREATMENT PLANNING WORKSHEET
SECTION H (ACTIVITY)
SoE ATTACKING RISK TREATMENT PLAN WORKSHOP PREPARATION
Service Provider
Organization
Strategic Practices
Security of SoE Attacking Risk Treatment Plan and Training
Protection Strategy
1. Maintain/improve the level of SoE Attacking Risk awareness training among staff
2. Sufficient in-house expertise for all supported technology
3. Initiative to improve staff's technology exporting
4. Ensure staff member understand their security roles and responsibility through training, seminar, examination
5. Continues security SoE attacking risk awareness and training programs
6. Organization Member understand their security roles and responsibilities
Security Strategy for SoE attacking risk
1. Incorporate security Consideration into organization's business strategy
2. Security strategy and policies take into consideration the business strategy
and goal
3. Well documented of the security strategy, goal and objectives
4. Security Strategy related-document widely disseminate relevant staff in the organization
5. Flexible Security Strategy to adopt unexpected changing environment
Security of SoE Attacking Risk Management
1. Make sure secure sufficient fund and resources to conduct information security activities for the prevention technique of SoE attacks
2. Ensure the staff security roles and responsibility defined clearly
3. Make sure consider the SoE Attacking Risk issues when hiring new staff?new service provider
4. Design an effective ways how to manage SoE Attacking Risk
5. Should minimize the communication gap between technology expertise and management regarding to security-related issue
Security Policies and Regulations
1. Ensure that organization has comprehensive set of documented, current security policies regarding SoE attacks
2. Improve the way organization create, updates and communicates security
policies
3. Should have procedures to ensure their policies compliance with law and
regulation affecting security
4. Should consistently enforces their security policies
5. Reliable and consistent of security policies and Regulation
Collaborative Security Management
1. Should have policies and procedures to protect their information when working with external parties.
2. Excellent initiative to protects digital evidence when working with external parties
3. Monitor and verifies that external parties are taking appropriate steps to protect organization's digital evidence.
Mutual understanding about security of SoE attacking risk management and its scope
Contingency Planning/Disaster Recovery
1. Should have clearly defined Business Continuity Plan (BCP)
2. BCP should be tested and reliable
3. Make sure that DRP definition/tested BCP well documented and easy to access when required
4. Should have clearly defines Date Recovery Plan (DRP)
DRP should be tested, workable and reliable
SAREP SoE ATTACKING RISK TREATMENT PLANNING WORKSHEET
SECTION I (ACTIVITY) DEVELOP INTRGRATION PROTECTION STRATEGY WORKSHEET PROBABILITY EVALUATION CRITERIA WORKSHEET
FREQUENCY OF OCCORERENCE (SUBJECTIVE)
PROBABILITY VALUE
High
Medium
Law
SECTION J (ACTIVITY B19)
DEVELOP INTREGRATED MITIGATION PLAN WORKSHEET
Probability Measure
Probability Description
Outcomes
Disclosure of Digital Evidence
Modification of Digital Evidence
Loss/destruction
of a Digital Evidence
Interruption of Digital Evidence
SAREP
SoE ATTACKING RISK TREATMENT PLANNING WORKSHEET
SECTION K (ACTIVITY)
SoE ATTACKING RISK TRATMENT ACTION LIST
Servic e Provid er
Organizat ion
Operational Practices
Physical Security
Protection Strategy
1. Education and training provided to maintain/improve physical security practices
2. Sufficient policy and procedures for physical security needs
4. Dedicated personnel responsible for physical security
5. Every staff should responsible for physical security
6. Relevant departments should involve with physical security
7. Physical security requirement clearly understand by Information Security External Expert
8. Physical security requirement verified
9. Physical security plans and procedures for safeguarding the premises. building and any restricted areas are documented and tested
10. Documented policies and procedures created for managing visitor
11. Documented policies and procedures created for physical control of hardware and software
12. Documented policies and procedures created for controlling physical access to work areas and hardware (computers, communication devices etc and software media
13. Workstation and other components that allow access to sensitive information are physically safeguarded and to prevent unauthorized
access
14. Maintenance records are kept to document the repairs and modifications of facility's physical components
15. As individual group's actions with respect to all physically controlled media can be accounted for
Organizational Security
1. Education and training provided to maintain improve physical security practices.
2. Sufficient policy and procedures for Organizational Security
4. Dedicated personnel responsible for Organizational Security
5. Every staff should responsible for Organizational Security
6. Relevant departments should involve with Organizational Security
7. Organizational Security requirement clearly understand by Information Security External Expert
8. Organizational Security requirement verified
9. Audit and monitoring records are routinely examined for anomalies and corrective action is taken as needed
10. There are documented and rested security plan (s) for safeguarding the system and networks
11. Sensitive digital evidence is protected by secure storage (backups stored offsite, discard process for sensitive digital evidence)
12. The integrity of installed software is regularly, verified
13. All system are up to date with respect to revisions, patches, and recommendations in security advisories.
14. There are documented and tested data backup plan for backups or both software and data. All staff understands their responsibilities under the backup plans.
Blank Page

System requirements

Save as PDF Copy link into clipboard

Schweitzer Fachinformationen

Information Security - Risk Management Framework

Description

More details

Other editions

Additional editions

Person

Content

System requirements