CSFs and KPIs constituting the model.