Tsohou Aggeliki

agt@aegean.gr

+30-22730-82010


Aggeliki Tsohou was born in Athens, Greece in 1980.

Aggeliki Tsohou holds a Diploma in Informatics from the Department of Informatics, Athens University of Economics and Business, Greece (1998) and a M.Sc. in Information Systems from the Department of Informatics, Athens University of Economics and Business, Greece (2004). She also holds a Ph.D. in Information Systems Security Management completed under the supervision of Prof. S. Kokolakis, at the Department of Information and Communication Systems Engineering, University of the Aegean, Greece (2010).

Aggeliki is an Assistant Professor in the Department of Informatics, Ionian University. She has worked as a Postdoctoral Researcher at the University of Jyväskylä, Department of Computer Science and Information Systems, Finland. In her previous appointments she worked as a Senior Research Fellow at Brunel Business School, UK, from June 2011 to June 2013. She also worked as a contractual Lecturer at the University of Piraeus, Department of Digital Systems, Greece, from September 2010 to June 2011.

Her research interests include information security risk assessment, human behavior in information security, information security policy compliance, information security awareness, privacy perceptions and privacy enhancing tools, and information security and privacy standards. She is a co-author of more than thirty-five research publications in international scientific journals and conferences in her field, including European Journal of Information Systems, IT & People, ECIS and AMCIS. She is an Editorial Board Member for the Internet Research Journal, Transforming Government: People, Process and Policy, and the Information Management & Computer Security Journal. She has served on the Program Committee of twenty international conferences and as a Reviewer for more than fifty international scientific journals and conferences in the information systems and information security field. She has been involved in the FP7 European Projects OASIS, CEES and UbiPOL, and also in several Greek government-funded R&D projects in the areas of information and communication systems security. She is working as an external consultant to ENISA, providing expertise in information security awareness for the preparation of the European Cyber Security Month.

Research Interests

  • Organizational processes and change management
  • Information system risk analysis and management processes
  • Risk analysis methods 
  • Security and privacy perceptions
  • Security and privacy management issues at cloud computing
  • Information security and privacy standardization

Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.


Journals

A. Skalkos, A. Tsohou, M. Karyda, S. Kokolakis, Exploring users’ attitude towards privacy-preserving search engines: A protection motivation theory approach, Information and Computer Security, 2023, Emerald Publishing Limited, https://www.emerald.com/insight/con...
 
Abstract
Search engines, the most popular online services, are associated with several concerns. Users are concerned about unauthorized processing of their personal data, as well as about search engines keeping track of their search preferences. Various search engines have been introduced to address these concerns, claiming that they protect users’ privacy. We call these search engines Privacy-Preserving Search Engines (PPSEs). In this paper, we investigate the factors that motivate search engine users to use PPSEs. To this aim, we adopted Protection Motivation Theory (PMT) and associated its constructs with subjective norms to build a comprehensive research model. We tested our research model using survey data from 830 search engine users worldwide. Our results confirm the interpretive power of PMT in privacy-related decision making and show that users are more inclined to take protective measures when they consider that data abuse is a more severe risk and that they are more vulnerable to data abuse. Furthermore, our results highlight the importance of subjective norms in predicting and determining PPSE use. Since subjective norms refer to perceived social influences from important others to engage or refrain from protective behavior, we reveal that the recommendation from people that users consider important motivates them to take protective measures and use PPSE.
T. Papaioannou, A. Tsohou, M. Karyda, Forming Digital Identities in Social Networks: The Role of Privacy Concerns and Self-Esteem, Information and Computer Security, Vol. 29, No. 2, pp. 240-262, 2021, Emerald
I. Paspatis, A. Tsohou, S. Kokolakis, AppAware: a policy visualization model for mobile applications, Information & Computer Security, Vol. 28, No. 1, pp. 116-132, 2020, https://doi.org/10.1108/ICS-04-2019...
V. Diamantopoulou, A. Tsohou, M. Karyda, From ISO/IEC27001:2013 and ISO/IEC27002:2013 to GDPR Compliance Controls, Information and Computer Security, Vol. 28, No. 4, 2020, Emerald, https://www.emerald.com/insight/con...
 
Abstract
Purpose – This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended in order to adequately meet data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations can use this work i) as a basis for extending the already existing security control modules towards data protection; ii) as guidance for reaching compliance with the Regulation. Design/methodology/approach – This study has followed a two-step approach. First, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified, by analysing all 14 control modules of the ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, we identified GDPR requirements not addressed by ISO/IEC 27001:2013. Findings – The findings of this work include i) the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; ii) the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; iii) the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere with the GDPR. Originality/value – This work provides a gap analysis and a further steps identification regarding the additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.
A. Skalkos, A. Tsohou, M. Karyda, S. Kokolakis, Identifying the values associated with users’ behavior towards anonymity tools through means-end analysis, Computers in Human Behavior Reports, Vol. 2C, No. 100034, 2020, Elsevier, http://www.sciencedirect.com/scienc...
A. Tsohou, E. Kosta, Enabling valid informed consent for location tracking through privacy awareness of users: A process theory, Computer Law & Security Review: The International Journal of Technology Law and Practice, 2017 (to appear), http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 0.373
 
Abstract
People use mobile applications installed in their smartphones and mobile devices for increasingly more purposes in their everyday life; they check the local weather, road traffic, personalised local news, their personalised favourite social network etc. At the same time, application developers and market stores deploy mobile applications that collect vast amounts of information on mobile users, such as their age, gender, location or specific phone identifiers. Numerous studies illustrate that mobile applications collect valuable information about users and use it for profiling the users for their own purposes or sell this information for commercial interests. Therefore, the topic of consent to information processing becomes increasingly more interesting for researchers, legal experts and practitioners. In this paper, we examine the issue of valid informed consent for location tracking by mobile phone users. We first analyse the legal premises for informed consent that represent requirements for mobile application developers and providers who request consent. However, the ones who actually give consent are the mobile users and therefore their understanding of consent is of paramount importance. Extensive literature is missing on empirical studies examining the topic from the users’ perception perspective. For that reason, we conduct an empirical investigation with mobile users and we present the findings in the form of a process theory. Our process theory reveals how users’ valid informed consent for location tracking can be obtained, starting from enhancing reading the privacy policy to stimulating privacy awareness and enabling informed consent. The paper includes a discussion section in which we describe the implications of the process theory for the different stakeholders and we offer recommendations deriving from the empirical findings. 
Our contribution is addressed to software and mobile application developers and providers, technology regulation researchers and policy makers, as well as security and privacy researchers.
A. Tsohou, M. Karyda, S. Kokolakis, Analyzing the role of Cognitive and Cultural Biases in the Internalization of Information Security Policies: Recommendations for Information Security Awareness Programs, Computers & Security, Vol. 52, pp. 128–141, 2015, Elsevier, https://www.researchgate.net/public..., indexed in SCI-E, IF = 1.17
 
Abstract
Standards and best practices for information security awareness programs focus on the content and processes of the programs, without taking into consideration how individuals internalize security-related information and how individuals make security related decisions. Relevant literature, however, has identified that individual perceptions, beliefs, and biases significantly influence security policy compliance behaviour. Security awareness programs need, therefore, to be aligned with the factors affecting the internalization of the communicated security objectives. This paper explores the role of cognitive and cultural biases in shaping information security perceptions and behaviors. We draw upon related literature from contiguous disciplines (namely behavioral economics and health and safety research) to develop a conceptual framework and analyze the role of cognitive and cultural biases in information security behaviour. We discuss the implications of biases for security awareness programs and provide a set of recommendations for planning and implementing awareness programs, and for designing the related material. This paper opens new avenues for information security awareness research with regard to security decision making and proposes practical recommendations for planning and delivering security awareness programs, so as to exploit and alleviate the effect of cognitive and cultural biases on shaping risk perceptions and security behaviour.
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Managing the Introduction of Information Security Awareness Programs in Organisations, European Journal of Information Systems, Vol. 24, No. 1, pp. 38-58, 2015, Palgrave, https://www.researchgate.net/public..., indexed in SCI-E, IF = 2.213
 
Abstract
Several studies explore information security awareness focusing on individual and/ or organisational aspects. This paper argues that security awareness processes are associated with interrelated changes that occur at the organisational, the technological and the individual level. We introduce an integrated analytical framework that has been developed through action research in a public sector organisation, comprising actor-network theory (ANT), structuration theory and contextualism. We develop and use this framework to analyse and manage changes introduced by the implementation of a security awareness programme in the research setting. The paper illustrates the limitations of each theory (ANT, structuration theory and contextualism) to study multi-level changes when used individually, demonstrates the synergies of the three theories, and proposes how they can be used to study and manage awareness-related changes at the individual, organisational and technological level.
A. Tsohou, H. Lee, Z. Irani, Innovative Public Governance Through Cloud Computing: Information Privacy, Business Models and Performance Measurement Challenges, Transforming Government: People, Process and Policy, Vol. 8, No. 2, pp. 251-282, 2014, Emerald
 
Abstract
Purpose: Innovative technologies, such as federation of services and cloud computing, can greatly contribute to the provision of e-government services, through scalable and flexible systems. Furthermore, they can facilitate in reducing costs and overcoming public information segmentation. Nonetheless, when public agencies employ those technologies they encounter several associated organizational and technical changes, as well as significant challenges. The purpose of this paper is to identify and analyse such challenges and discuss proposed solutions. Design/methodology/approach: We followed a multi-disciplinary perspective (social, behavioural, business and technical) and conducted a conceptual analysis for analyzing the associated challenges. We realized focus group interviews in two countries for evaluating the performance models that resulted from the conceptual analysis. Findings: This study identifies and analyses several challenges that may emerge while adopting innovative technologies for public governance and e-government services. Furthermore, it presents suggested solutions deriving from the experience of designing a related platform for public governance, including solutions for privacy requirements, proposed business models and KPIs for public services on cloud computing. Research limitations: The challenges and solutions discussed are based on the experience gained by designing one platform. However, we rely on issues and challenges collected from four countries. Practical implications: The identification of challenges for innovative design of e-government services through a central portal in Europe and using service federation is expected to inform practitioners in different roles about significant changes across multiple levels that are implied and may accelerate the challenges' resolution.
Originality/value: This is the first study that discusses from multiple perspectives and through empirical investigation the challenges to realise public governance through innovative technologies. The results emerge from an actual portal that will function at a European level.
A. Tsohou, H. Lee, Z. Irani, V. Weerakkody, I. Osman, A. Anouze, Proposing a Reference Process Model for the Citizen-Centric Evaluation of E-Government Services, Transforming Government: People, Process and Policy, Vol. 7, No. 2, pp. 240-255, 2013, Emerald
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Analyzing Trajectories of Information Security Awareness, Information Technology & People, Vol. 25, No. 3, 2012, Emerald, http://www.emeraldinsight.com/journ..., indexed in SCI-E, IF = 0.767
 
Abstract
Purpose – Recent global security surveys indicate that security training and awareness programs are not working as well as they could be and that investments made by organizations are inadequate. The purpose of the paper is to increase understanding of this phenomenon and illuminate the problems that organizations face when trying to establish an information security awareness program. Design/methodology/approach – Following an interpretive approach the authors apply a case study method and employ actor network theory (ANT) and the due process for analyzing findings. Findings – The paper contributes to both understanding and managing security awareness programs in organizations, by providing a framework that enables the analysis of awareness activities and interactions with the various organizational processes and events. Practical implications – The application of ANT still remains a challenge for researchers since no practical method or guide exists. In this paper the application of ANT through the due process model extension is enhanced and practically presented. This exploration highlights the fact that information security awareness initiatives involve different stakeholders, with often conflicting interests. Practitioners must acquire, additionally to technical skills, communication, negotiation and management skills in order to address the related organizational and managerial issues. Moreover, the results of this inquiry reveal that the role of artifacts used within the awareness process is not neutral but can actively affect it. Originality/value – This study is one of the first to examine information security awareness as a managerial and socio-technical process within an organizational context.
A. Tsohou, H. Lee, K. Al-Yafi, V. Weerakkody, R. El-Haddadeh, Z. Irani, T. Medeni, L. Campos, Supporting Public Policy Making Processes with Workflow Technology: Lessons Learned From Cases in Four European Countries, International Journal of Electronic Government Research, Vol. 8, No. 3, pp. 63-77, 2012, IGI Global
A. Tsohou, C. Lambrinoudakis, S. Kokolakis, S. Gritzalis, The Importance of Context-Dependent Privacy Requirements and Perceptions to the Design of Privacy-Aware Systems, UPGRADE, Vol. 11, No. 1, pp. 32-37, 2010, CEPIS, http://www.cepis.org/files/cepisupg...
 
Abstract
The issue of information privacy protection is ensured nowadays by European and national legislation. However, it is not possible to protect information system user privacy adequately without establishing privacy requirements and employing an appropriate privacy assessment process that can identify the required privacy level and the possible countermeasures for achieving it. In this paper we draw upon security management tasks in order to highlight the gaps that need to be explored regarding privacy management, so as to be able to justifiably select the privacy enhancing technologies that fit a system’s privacy requirements.
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Aligning Security Awareness with Information Systems Security Management, Journal of Information Systems Security, Vol. 6, No. 1, pp. 36-64, 2010, http://www.jissec.org/Contents/V6/N...
 
Abstract
This paper explores the way information security awareness connects to the overall information security management framework it serves. To date, the formulation of security awareness initiatives has tended to ignore the important relationship with the overall security management context, and vice versa. In this paper we show that the two processes can be aligned so as to ensure that awareness activities serve the security management strategy and that security management exploits the benefits of an effective awareness effort. To do so, we analyze the processes of security awareness and security management using a process analysis framework and we explore their interactions. The identification of these interactions results in making us able to place awareness in a security management framework instead of viewing it as an isolated security mechanism.
A. Tsohou, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, A Security Standards’ Framework to facilitate Best Practices’ Awareness and Conformity, Information Management & Computer Security, Vol. 18, No. 5, pp. 350-365, 2010, Emerald, http://www.emeraldinsight.com/journ...
 
Abstract
Purpose – Recent information security surveys indicate that both the acceptance of international standards and the relative certifications increase continuously. However, it is noted that still the majority of organizations does not know the dominant security standards or does not fully implement them. The aim of this paper is to facilitate the awareness of information security practitioners regarding globally known and accepted security standards, and thus, contribute to their adoption. Design/methodology/approach – The paper adopts a conceptual approach and results in a classification framework for categorizing available information security standards. The classification framework is built in four layers of abstraction, where the initial layer is founded in the ISO/IEC 27001:2005 information security management system. Findings – The paper presents a framework for conceptualizing, categorizing and interconnecting available information security standards dynamically. Research limitations/implications – The completeness of the information provided in the paper relies on the pace of standards' publications; thus the information security standards that have been classified in this paper need to be updated when new standards are published. However, the proposed framework can be utilized for this constant effort. Practical implications – Information security practitioners can benefit from the proposed framework for available security standards and effectively invoke the relevant standard each time. Guidelines for utilizing the proposed framework are presented through a case study. Originality/value – Although the practices proposed are not innovative by themselves, the originality of this work lies in the best practices' linkage into a coherent framework that can facilitate the standards' diffusion and systematic adoption.
P. Rizomiliotis, A. Tsohou, C. Lambrinoudakis, S. Gritzalis, Security and Privacy Issues in Bipolar Disorder Research, The Journal on Information Technology in Healthcare, Vol. 7, No. 4, pp. 244-250, 2009, HL7 Ramius Corp
 
Abstract
Mental health diseases are common but research to further knowledge and understanding of them is hampered by data privacy and confidentiality regulations that apply to medical records. Centralised databases containing the relevant medical history of thousands of patients with an individual mental disease would be of great value for researchers, enabling techniques such as data mining to be applied. The major challenge in achieving this is anonymising the data to satisfy legal and ethical requirements without removing important clinical information. In this paper we propose a model that can be used to create a central repository of anonymised data for patients with bipolar disease. Knowledge obtained from the database is fed into an expert system which can guide clinicians in patient management. Security requirements are provided by access to the database being controlled by RBAC (Role Based Access Control).
A. Tsohou, S. Kokolakis, M. Karyda, E. Kiountouzis, Investigating information security awareness: research and practice gaps, Information Security Journal: A Global Perspective, Vol. 17, No. 5&6, pp. 207–227, 2008, Taylor & Francis, http://www.tandfonline.com/doi/pdf/...
 
A. Tsohou, S. Kokolakis, M. Karyda, E. Kiountouzis, Process-Variance Models in Information Security Awareness Research, Information Management and Computer Security, Vol. 16, No. 3, pp. 271-287, 2008, Emerald, http://www.emeraldinsight.com/journ...
 
Abstract
Purpose – The purpose of this paper is to study the way information systems (IS) security researchers approach information security awareness and examine whether these approaches are consistent with the organization theory and IS approaches for the study of organizational processes. Design/methodology/approach – Open coding analysis was performed on selected publications (articles, surveys, standards, and reports). The chosen publications were classified and the classification results are presented, based on a proposed typology. Findings – The proposed typology allows us to identify different types of research models followed by security researchers and practitioners, and to infer a set of practical implications, for the benefit of those interested in empirically studying information security awareness. Research limitations/implications – The paper represents a pilot survey, performed in a selected number of publications. Practical implications – The paper helps researchers and practitioners to distinguish the research models that can be adopted for the study of information security awareness organizational process, by identifying the key dimensions along which they differ. Originality/value – The proposed typology provides a guide to identify the range of options available to researchers and practitioners when they design their work regarding the security awareness topic. Moreover, it can facilitate the communication between scholars in the field of security awareness.
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Formulating Information Systems Risk Management Strategies through Cultural Theory, Information Management and Computer Security, Vol. 14, No. 3, pp. 198-217, 2006, Emerald, http://www.emeraldinsight.com/journ...
 
Abstract
Purpose – The purpose of this paper is to examine the potential of cultural theory as a tool for identifying patterns in the stakeholders' perception of risk and its effect on information system (IS) risk management. Design/methodology/approach – Risk management involves a number of human activities which are based on the way the various stakeholders perceive risk associated with IS assets. Cultural theory claims that risk perception within social groups and structures is predictable according to group and individual worldviews; therefore this paper examines the implications of cultural theory on IS risk management as a means for security experts to manage stakeholders' perceptions. Findings – A basic theoretical element of cultural theory is the grid/group typology, where four cultural groups with differentiating worldviews are identified. This paper presents how these worldviews affect the process of IS risk management and suggests key issues to be considered in developing strategies of risk management according to the different perceptions cultural groups have. Research limitations/implications – The findings of this research are based on theoretical analysis and are not supported by relevant empirical research. Further research is also required for incorporating the identified key issues into information security management systems (ISMS). Originality/value – IS security management overlooks stakeholders' risk perception; for example, there is no scheme developed to understand and manage the perception of IS stakeholders. This paper proposes some key issues that should be taken into account when developing strategies for addressing the issue of understanding and managing the perception of IS stakeholders.

Conferences

V. Diamantopoulou, A. Tsohou, M. Karyda, From ISO/IEC 27002:2013 Information Security Controls to Personal Data Protection Controls: Guidelines for GDPR Compliance, SECPRE 2019 3rd International Workshop on SECurity and Privacy Requirements Engineering, in conjunction with ESORICS 2019, 2019, Springer LNCS, http://samosweb.aegean.gr/secpre201...
 
Abstract
With the enforcement of the General Data Protection Regulation (GDPR) in EU, organisations must make adjustments in their business processes and apply appropriate technical and organisational measures to ensure the protection of the personal data they process. Further, organisations need to demonstrate compliance with GDPR. Organisational compliance demands a lot of effort both from a technical and from an organisational perspective. Nonetheless, organisations that have already applied ISO27k standards and employ an Information Security Management System and respective security controls need considerably less effort to comply with GDPR requirements. To this end, this paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended in order to adequately meet, if/where possible, the data protection requirements that the GDPR imposes. Thus, an organisation that already follows ISO/IEC 27001:2013, can use this work as a basis for compliance with the GDPR.
T. Papaioannou, A. Tsohou, M. Karyda, Shaping Digital Identities in Social Networks: Data Elements and the Role of Privacy Concerns, 3rd International Workshop on SECurity and Privacy Requirements Engineering, 2019, Springer
V. Diamantopoulou, A. Tsohou, M. Karyda, General Data Protection Regulation and ISO/IEC 27001:2013: Synergies of activities towards organisations, TrustBus 2019 16th International Conference on Trust, Privacy and Security in Digital Business, 2019, Springer LNCS, http://www.dexa.org/trustbus2019
 
Abstract
The General Data Protection Regulation that is already in effect for about a year now, provisions numerous adjustments and controls that need to be implemented by an organisation in order to be able to demonstrate that all the appropriate technical and organisational measures have been taken to ensure the protection of the personal data. Many of the requirements of the GDPR are also included in the "ISO27k" family of standards. Consequently, organisations that have applied ISO27k to develop an Information Security Management System (ISMS) are likely to have already accommodated many of the GDPR requirements. This work identifies synergies between the new Regulation and the well-established ISO/IEC 27001:2013 and proposes practices for their exploitation. The proposed alignment framework can be a solid basis for compliance, either for organisations that are already certified with ISO/IEC 27001:2013, or for others that pursue compliance with the Regulation and the ISO/IEC 27001:2013 to manage information security.
I. Paspatis, A. Tsohou, S. Kokolakis, AppAware: A Model for Privacy Policy Visualization for Mobile Applications, MCIS 2018, 2018, AIS Electronic Library, https://aisel.aisnet.org/cgi/viewco...
 
Abstract
Privacy policies emerge as the main mechanism to inform users on the way their information is managed by online service providers, and still remain the dominant approach for this purpose. Literature notes that users find difficulties in understanding privacy policies because they are usually written in technical or legal language even, although most users are unfamiliar with them. These difficulties have led most users to skip reading privacy policies and blindly accept them. In an effort to address this challenge this paper presents AppWare, a multiplatform tool that intends to improve the visualization of privacy policies for mobile applications. AppWare formulates a visualized report with the permission set of an application, which is easily understandable by a common user. AppWare aims to bridge the difficulty to read privacy policies and android’s obscure permission set with a new privacy policy visualization model. To validate AppAware we conducted a survey through questionnaire aiming to evaluate AppAware in terms of installability, usability, and viability-purpose. The results demonstrate that AppAware is assessed above average by the users in all categories.
A. Skalkos, A. Tsohou, M. Karyda, S. Kokolakis, Investigating the Values that Drive the Adoption of Anonymity Tools: A Laddering Approach, 11th Mediterranean Conference on Information Systems (MCIS 2017), 2017, AIS Electronic Library (AISeL)
I. Paspatis, A. Tsohou, S. Kokolakis, Mobile Application Privacy Risks: Viber Users’ De-Anonymization Using Public Data, MCIS 2017, 2017, AIS Electronic Library, https://aisel.aisnet.org/mcis2017/3...
 
Abstract
Mobile application developers define the terms of use for the applications they develop, which users may accept or decline during installation. Application developers on the one hand seek to gain access to as much user information as possible, while users on the other hand seem to lack awareness and comprehension of privacy policies. This allows application developers to store an enormous amount of personal data, sometimes even irrelevant to the application's function. It's also common that users choose not to alter the default settings, even when such an option is provided. In combination, the above conditions jeopardize users' rights to privacy. In this research, we examined the Viber application to demonstrate how effortless it is to discover the identity of unknown Viber users. We chose a pseudorandom sample of 2000 cellular telephone numbers and examined if we could reveal their personal information. We designed an empirical study that compares the reported behavior with the actual behavior of Viber's users. The results of this study show that users' anonymity and privacy are easily deprived and information is exposed to a knowledgeable seeker. We provide guidelines addressed to both mobile application users and developers to increase privacy awareness and prevent privacy violations.
V. Diamantopoulou, A. Tsohou, E. Loukis, S. Gritzalis, Does the Development of Information Systems Resources Lead to the Development of Information Security Resources? An Empirical Investigation, AMCIS 2017 23rd Americas Conference on Information Systems, 2017, AIS, https://amcis2017.aisnet.org/
 
Abstract
Information Systems (IS) are nowadays considered the most important leverage for organizations to operate and gain a competitive advantage. Investments in IS technology, in the recruitment of highly qualified IT personnel and the establishment of robust internal and external IT-related partnerships are considered determinant factors for business success and continuity. As organizations increasingly rely on IS resources, they face more advanced IS security challenges. This paper explores the relationship between the development of IS resources and security resources: are organizations willing to invest more in IS security resources as they invest more in IS resources? The authors conduct an empirical investigation in organizations located in five Mediterranean countries. The sample includes responses from 61 CEOs, information security managers and IS managers. The results reveal that IS resources positively affect the IS security resources. The human capital plays the most important role for the adoption of IS security.
E. Karavaras, E. Magos, A. Tsohou, Low User Awareness Against Social Malware: an Empirical Study and Design of a Security Application, 13th European, Mediterranean and Middle Eastern Conference on Information Systems (EMCIS 2016), 2016
H. Jiang, A. Tsohou, The Dual Nature of Personal Web Usage At Workplace: Impacts, Antecedents And Regulating Policies, European Conference on Information Systems (ECIS), 2014
H. Jiang, A. Tsohou, Expressive Or Instrumental: A Dual-Perspective Model Of Personal Web Usage At Workplace (Research in Progress), European Conference on Information Systems (ECIS), 2014
J. Oh, H. Lee, A. Tsohou, Relational Versus Structural Embeddedness in IT Outsourcing Networks: The Role Of Requirement Unpredictability And Measurement Difficulty, 17th Pacific Asia Conference on Information Systems (PACIS 2013), 2013
R. El-Haddadeh, A. Tsohou, M. Karyda, Implementation challenges for information security awareness initiatives in e-Government, European Conference on Information Systems, 2012, AIS Electronic Library (AISeL)
 
Abstract
With the widespread adoption of electronic government services, there has been a need to ensure a seamless flow of information across public sector organizations, while at the same time maintaining confidentiality, integrity and availability. Governments have put in place various initiatives and programs, including information security awareness, to provide the needed understanding on how public sector employees can maintain security and privacy. Nonetheless, the implementation of such initiatives often faces a number of challenges that impede further take-up of e-government services. This paper aims to provide a better understanding of the challenges contributing towards the success of information security awareness initiatives implementation in the context of e-government. Political, organizational, social as well as technological challenges have been utilized in a conceptual framework to signify such challenges in e-government projects. An empirical case study conducted in a public sector organization in Greece was exploited in this research to reflect on these challenges. While the results from this empirical study confirm the role of the identified challenges for the implementation of security awareness programs in e-government, it has been noticed that awareness programs often pursue different targets of preserving security and privacy, which sometimes results in adding more complexity to the organization.
A. Tsohou, H. Lee, K. Al-Yafi, Evaluating M-Government Applications: An Elaboration Likelihood Model Framework, European, Mediterranean & Middle Eastern Conference on Information Systems, pp. 154-160, 2012
A. Tsohou, H. Lee, Z. Irani, V. Weerakkody, I. Osman, A. Latif, T. Medeni, Evaluating E-Government Services From A Citizens' Perspective: A Reference Process Model, European, Mediterranean & Middle Eastern Conference on Information Systems, pp. 146-153, 2012
A. Tsohou, H. Lee, M. Barbos, A location based persuasive information system for public consultation: An elaboration likelihood model approach, 2nd International Workshop on Advanced Service Management, 2012
J. Lim, H. Lee, A. Tsohou, What makes online brand community prosperous? The mediating role of sense of belonging and brand loyalty, LG CNS / KrAIS Workshop 2011, a post ICIS 2011 program, Shanghai, China, 2011 (to appear)
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Analyzing Information Security Awareness through Networks of Association, 7th International Conference on Trust, Privacy & Security in Digital Business (TrustBus 2010), pp. 227-237, 2010, Lecture Notes in Computer Science, Springer
 
Abstract
Information security awareness is a continuous effort to raise attention to information security and its importance, in order to stimulate security-oriented behaviors. Despite the increasing interest of researchers on the topic and the continuous notifications of global security surveys for its significance, awareness remains a critical issue of information security. Related approaches propose techniques and methods for promoting security without theoretical grounding and separately from the overall information security management framework. The aim of this paper is to suggest a theoretical and methodological framework which facilitates the analysis and understanding of the issues that are intertwined with awareness activities, in order to support the organization's security management.
R. Evans, A. Tsohou, T. Tryfonas, T. Morgan, Architecting Secure Systems with the ISO standards 26702 and 27001, 5th IEEE International Conference on Systems of Systems Engineering (SoSE 2010), 2010, IEEE Computer Society Press
N. Vrakas, C. Kalloniatis, A. Tsohou, C. Lambrinoudakis, Privacy Requirements Engineering for Trustworthy e-Government Services, 3rd International Conference on Trust and Trustworthy Computing (TRUST 2010), pp. 298-307, 2010, Lecture Notes in Computer Science series, Springer
A. Tsohou, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, Unifying ISO Security Standards Practices into a Single Security Framework, 2010 South African Information Security Multi-Conference, 2010, https://www.google.gr/url?sa=t&rct=...
 
Abstract
Compliance with standards is quite important for numerous reasons, including interoperability, conformity assessment etc. However, even though recent surveys indicate that international security standards do gain acceptance and that a continuously increasing number of organizations adopt them, still the majority do not know them or do not fully implement them. In this paper we facilitate the awareness of security practitioners on ISO security standards and we propose a security framework that is based on them. In order to explain the different layers of the framework and illustrate its applicability we have used as a case study a Payroll and Pensioner Information System.
A. Tsohou, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, Information Systems Security Management: A review and a classification of the ISO standards, e-Democracy 2009, pp. 220-235, 2009, Springer Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering (LNICST), http://link.springer.com/content/pd...
 
Abstract
The need for common understanding and agreement of functional and non-functional requirements is well known and understood by information system designers. This is necessary both for designing the "correct" system and for achieving interoperability with other systems. Security is maybe the best example of this need. If the understanding of the security requirements is not the same for all involved parties and the security mechanisms that will be implemented do not comply with some globally accepted rules and practices, then the system that will be designed will not necessarily achieve the desired security level and it will be very difficult to securely interoperate with other systems. It is therefore clear that the role and contribution of international standards to the design and implementation of security mechanisms is dominant. In this paper we provide a state of the art review on information security management standards published by the International Organization for Standardization and the International Electrotechnical Commission. Such an analysis is meaningful to security practitioners for an efficient management of information security. Moreover, the classification of the standards in the clauses of ISO/IEC 27001:2005 that results from our analysis is expected to provide assistance in dealing with the plethora of security standards.
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Aligning Security Awareness with Information Systems Security Management, 4th Mediterranean Conference on Information Systems (MCIS09), 2009
 
Abstract
This paper explores the way information security awareness connects to the overall information security management framework it serves. To date, the formulation of security awareness initiatives has tended to ignore the important relationship with the overall security management context, and vice versa. In this paper we show that the two processes can be aligned so as to ensure that awareness activities serve the security management strategy and that security management exploits the benefits of an effective awareness effort. To do so, we analyze the processes of security awareness and security management using a process analysis framework and we explore their interactions. The identification of these interactions enables us to place awareness in a security management framework instead of viewing it as an isolated security mechanism.
A. Tsohou, P. Rizomiliotis, C. Lambrinoudakis, S. Gritzalis, Security and Privacy Issues in Bipolar Disorder Research, ICICTH 7th International Conference on Information and Communication Technologies in Health, 2009, INEAG
 
Abstract
Most mental illnesses, including bipolar disorder (BD), cause disability. BD is one of the world's 10 most disabling conditions, characterized by episodes of full-blown mania and major depression, with devastating consequences on the professional and social life of the patient. A major problem in BD diagnosis and treatment is the absence of objective criteria and lack of understanding of the underlying pathological mechanisms and symptoms linked to episodes. The need for a central repository that will maintain BD related data is therefore a prerequisite for triggering BD research and addressing the aforementioned problem. Specifically, it will collect healthcare data for BD cases in Europe, phenotypical information (clinical, cognitive, electrophysiological, brain imaging and biochemical evaluations), genotype information, and other information like sleep activity, actimeter, speech characteristics etc. Even though this approach is highly beneficial for medical research, the processing of medical data raises, by definition, security and privacy issues: protection of data confidentiality and integrity as well as inability to identify the patient. This paper presents an anonymity-preserving mechanism for disclosing electronic health care records to the research community without revealing the identity of the BD patient while taking into account local and international data protection legislation and other related ethical issues. Finally, we will identify the parts of the system where access control is required and will specify the rights that each user role should exhibit over the system resources.
A. Tsohou, M. Theoharidou, S. Kokolakis, D. Gritzalis, Addressing Cultural Dissimilarity in the Information Security Management Outsourcing Relationship, TrustBus'07 4th International Conference on Trust, Privacy and Security in Digital Business, 2007, Lecture Notes in Computer Science LNCS, Springer