The advent of the European General Data Protection Regulation (GDPR) imposes organizations to cope with radical changes concerning user data protection paradigms. GDPR, by promoting a Privacy by Design approach, obliges organizations to drastically change their methods regarding user data acquisition, management, processing, as well as data breaches monitoring, notification and preparation of prevention plans. This enforces data subjects (e.g., citizens, customers) rights by enabling them to have more information regarding usage of their data, and to take decisions (e.g., revoking usage permissions). Moreover, organizations are required to trace precisely their activities on user data, enabling authorities to monitor and sanction more easily. Indeed, since GDPR has been introduced, authorities have heavily sanctioned companies found as not GDPR compliant. GDPR is difficult to apply also for its length, complexity, covering many aspects, and not providing details concerning technical and organizational security measures to apply. This calls for tools and methods able to support organizations in achieving GDPR compliance. From the industry and the literature, there are many tools and prototypes fulfilling specific/isolated GDPR aspects, however there is not a comprehensive platform able to support organizations in being compliant regarding all GDPR requirements. In this paper, we propose the design of an architecture for such a platform, able to reuse and integrate peculiarities of those heterogeneous tools, and 2 L. Piras et al. to support organizations in achieving GDPR compliance. We describe the architecture, designed within the DEFeND EU project, and discuss challenges and preliminary benefits in applying it to the healthcare and energy domains.
PurposeRecent global security surveys indicate that security training and awareness programs are not working as well as they could be and that investments made by organizations are inadequate. The purpose of the paper is to increase understanding of this phenomenon and illuminate the problems that organizations face when trying to establish an information security awareness program.Design/methodology/approachFollowing an interpretive approach the authors apply a case study method and employ actor network theory (ANT) and the due process for analyzing findings.FindingsThe paper contributes to both understanding and managing security awareness programs in organizations, by providing a framework that enables the analysis of awareness activities and interactions with the various organizational processes and events.Practical implicationsThe application of ANT still remains a challenge for researchers since no practical method or guide exists. In this paper the application of ANT through the due process model extension is enhanced and practically presented. This exploration highlights the fact that information security awareness initiatives involve different stakeholders, with often conflicting interests. Practitioners must acquire, additionally to technical skills, communication, negotiation and management skills in order to address the related organizational and managerial issues. Moreover, the results of this inquiry reveal that the role of artifacts used within the awareness process is not neutral but can actively affect it.Originality/valueThis study is one of the first to examine information security awareness as a managerial and socio‐technical process within an organizational context.
Employee personal use of technology at work (PUTW) -defined as employees' activities using organisational or personal IT resources for non-work-related purposes while at work -is increasingly common. Our review of existing PUTW studies (n = 137) suggests that previous studies widely discussed PUTW outcomes, antecedents, and policies. The literature review also indicates that previous studies proposed opposing viewpoints regarding the effect of PUTW on employee job performance, but few studies offered empirical evidence. Consequently, the conditions under which PUTW can increase or decrease employee job performance have not been discussed. We develop a theoretical model for increasing the understanding of this issue. Our model suggests that executive attention is an important underlying mechanism through which PUTW affects employee job performance. We further suggest the effect of PUTW on executive attention (and job performance) depends on PUTW behavioural characteristics in terms of four dimensions: PUTW cognitive load, PUTW arousal level, PUTW timing, and PUTW frequency/duration. The model can advance researchers' understanding of the possible conditions under which PUTW may increase or decrease employee job performance. The model also offers new insights into existing studies on PUTW antecedents and policies. As a result, our proposed model provides new theoretical guidance for future studies on PUTW.
Purpose -The purpose of this paper is to examine the potential of cultural theory as a tool for identifying patterns in the stakeholders' perception of risk and its effect on information system (IS) risk management. Design/methodology/approach -Risk management involves a number of human activities which are based on the way the various stakeholders perceive risk associated with IS assets. Cultural theory claims that risk perception within social groups and structures is predictable according to group and individual worldviews; therefore this paper examines the implications of cultural theory on IS risk management as a means for security experts to manage stakeholders perceptions. Findings -A basic theoretical element of cultural theory is the grid/group typology, where four cultural groups with differentiating worldviews are identified. This paper presents how these worldviews affect the process of IS risk management and suggests key issues to be considered in developing strategies of risk management according to the different perceptions cultural groups have.Research limitations/implications -The findings of this research are based on theoretical analysis and are not supported by relevant empirical research. Further research is also required for incorporating the identified key issues into information security management systems (ISMS). Originality/value -IS security management overlooks stakeholders' risk perception; for example, there is no scheme developed to understand and manage the perception of IS stakeholders. This paper proposes some key issues that should be taken into account when developing strategies for addressing the issue of understanding and managing the perception of IS stakeholders.
Purpose The purpose of this paper is to propose visualization techniques as a new representation for privacy policies instead of traditional textual representation and to examine empirically their effects on users’ information privacy awareness level. Design/methodology/approach The authors selected as a case the privacy policy of Instagram and conducted two empirical investigations, each one with three interventions and each representing a different version of the Instagram privacy policy to users. Through a pre- and a post-questionnaire, the authors examined the effects that each representation technique had on the users’ privacy awareness level. Findings The paper finds that visualized privacy policies lead to higher privacy awareness levels than conventional textual ones, especially when icons are included. Research limitations/implications The authors implemented two new representation techniques offering beneficial guidelines for designing more attractive privacy policy representations. However, the samples are rather limited for generalization to the wide population; nonetheless, they are significant to demonstrate the effect of visualized techniques. The findings might also be subject to bias (e.g. brand bias), although the authors took necessary methodological actions to prevent bias. Practical implications The results and the methodology of the paper could guide practitioners for the representation of a privacy policy, given that the authors provide systematic and concrete steps. Originality/value This paper examines the value of privacy policy visualization as a new approach for enabling user privacy awareness, as well as implements two visualization techniques for a given privacy policy. The paper and its findings should be useful for researchers, as well as for practitioners.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.