Academic literature on the topic 'Chief Information Security Officer (CISO)'

Consult the lists of relevant articles, books, theses, conference reports, and other scholarly sources on the topic 'Chief Information Security Officer (CISO).'

Journal articles on the topic "Chief Information Security Officer (CISO)"

1

Karanja, Erastus. "The role of the chief information security officer in the management of IT security." Information & Computer Security 25, no. 3 (July 10, 2017): 300–329. http://dx.doi.org/10.1108/ics-02-2016-0013.

Abstract:
Purpose: The aim of this study is to advance research on the position of the CISO by investigating the role that CISOs play before and after an IT security breach. There is a dearth of academic research literature on the role of a chief information security officer (CISO) in the management of Information Technology (IT) security. The limited research literature exists despite the increasing number and complexity of IT security breaches that lead to significant erosions in business value. Design/methodology/approach: The study makes use of content analysis and agency theory to explore a sample of US firms that experienced IT security breaches between 2009 and 2015 and how these firms reacted to the IT security breaches. Findings: The results indicate that following the IT security breaches, a number of the impacted firms adopted a reactive plan that entailed a re-organization of the existing IT security strategy and the hiring of a CISO. Also, there is no consensus on the CISO reporting structure since most of the firms that hired a CISO for the first time had the CISO report either to the Chief Executive Officer or Chief Information Officer. Research limitations/implications: The findings will inform researchers, IT educators and industry practitioners on the roles of CISOs as well as advance research on how to mitigate IT security vulnerabilities. Originality/value: The need for research that advances an understanding of how to effectively manage the security of IT resources is timely and is driven by the growing frequency and sophistication of the IT security breaches as well as the significant direct and indirect costs incurred by both the affected firms and their stakeholders.
2

Schütz, Thorsten. "CHIEF INFORMATION SECURITY OFFICER: Steuermann durch den IT-Sicherheitsprozess." kma - Klinik Management aktuell 25, no. 03 (March 2020): 54–57. http://dx.doi.org/10.1055/s-0040-1709410.

Abstract:
Without functioning IT, a hospital largely comes to a standstill, as numerous examples of hacker attacks show. To prevent such a case, hospitals need redundant IT systems, flawless interaction between the application systems in use, and effective protection against cyberattacks. And: a CISO.
3

Da Silva, Joseph, and Rikke Bjerg Jensen. ""Cyber security is a dark art": The CISO as Soothsayer." Proceedings of the ACM on Human-Computer Interaction 6, CSCW2 (November 7, 2022): 1–31. http://dx.doi.org/10.1145/3555090.

Abstract:
Commercial organisations continue to face a growing and evolving threat of data breaches and system compromises, making their cyber-security function critically important. Many organisations employ a Chief Information Security Officer (CISO) to lead such a function. We conducted in-depth, semi-structured interviews with 15 CISOs and six senior organisational leaders, between October 2019 and July 2020, as part of a wider exploration into the purpose of CISOs and cyber-security functions. In this paper, we employ broader security scholarship related to ontological security and sociological notions of identity work to provide an interpretative analysis of the CISO role in organisations. Research findings reveal that cyber security is an expert system that positions the CISO as an interpreter of something that is mystical, unknown and fearful to the uninitiated. They show how the fearful nature of cyber security contributes to it being considered an ontological threat by the organisation, while responding to that threat contributes to the organisation's overall identity. We further show how cyber security is analogous to a belief system and how one of the roles of the CISO is akin to that of a modern-day soothsayer for senior management; that this role is precarious and, at the same time, superior, leading to alienation within the organisation. Our study also highlights that the CISO identity of protector-from-threat, linked to the precarious position, motivates self-serving actions that we term 'cyber sophistry'. We conclude by outlining a series of implications for both organisations and CISOs.
4

Justice, Connie, and Char Sample. "Future Needs of the Cybersecurity Workforce." International Conference on Cyber Warfare and Security 17, no. 1 (March 2, 2022): 81–91. http://dx.doi.org/10.34190/iccws.17.1.33.

Abstract:
Expected growth of the job market for cyber security professionals in both the US and the UK remains strong for the foreseeable future. While there are many roles to be found in cyber security that vary from penetration tester to chief information security officer (CISO), one job of particular interest is security architect. The rise in Zero Trust Architecture (ZTA) implementations, especially in the cloud environment, promises an increase in the demand for these security professionals. A security architect requires a set of knowledge, skills, and abilities covering the responsibility for integrating the various security components to successfully support an organization’s goals. In order to achieve the goal of seamless integrated security, the architect must combine technical skills with business and interpersonal skills. Many of these same skills are required of the CISO, suggesting that the role of security architect may be a professional stepping-stone to the role of CISO. We expected degreed programs to offer courses in security architecture. Accredited university cyber security programs in the United Kingdom (UK) and the United States of America (USA) were examined for course offerings in security architecture. Results found the majority of programs did not offer a course in security architecture. Considering the role of the universities in preparing C-suite executives, the absence of cyber security architecture offerings is both troubling and surprising.
5

Haislip, Jacob, Jee-Hae Lim, and Robert Pinsker. "The Impact of Executives’ IT Expertise on Reported Data Security Breaches." Information Systems Research 32, no. 2 (June 2021): 318–34. http://dx.doi.org/10.1287/isre.2020.0986.

Abstract:
Data security breaches (DSBs) are increasing investor and regulator pressure on firms to improve their IT governance (ITG) in an effort to mitigate the related risk. We argue that DSB risk cannot be mitigated by one executive alone, but, rather, is a shared leadership responsibility of the top management team (TMT) (i.e., Chief Executive Officer [CEO], Chief Financial Officer [CFO], and Chief Information Officer [CIO]). Our results suggest that IT-savvy CEOs see technologies related to mitigating DSBs as a top-three most important type of digital methodology for their firm. Similarly, the results related to CFOs with IT expertise single out the critical investment in controls designed to prevent DSBs. Our strong findings for CIOs on the TMT add to the related guidance from COBIT 5 for information security and consistently suggest that they are the key executive for securing IT systems. Finally, our granular explanation of each executive’s DSB-related responsibility could potentially provide firms the start of a governance-led roadmap for compliance to the Securities and Exchange Commission’s and Justice Department’s cyber regulations.
6

Ford, Adrian, Ameer Al-Nemrat, Sayed Ali Ghorashi, and Julia Davidson. "Impact of CISO Appointment Announcements on the Market Value of Firms." International Conference on Cyber Warfare and Security 17, no. 1 (March 2, 2022): 375–84. http://dx.doi.org/10.34190/iccws.17.1.49.

Abstract:
Previous studies concerning the economic impact of security events on publicly listed companies have focussed on the negative effect of data breaches and cyberattacks with a view to encouraging firms to improve their cyber security posture to avoid such incidents. This paper is an initial study on the impact of investment in human capital related to security, specifically appointments of chief information security officers (CISO), chief security officers (CSO) or similar overall head of security roles. Using event study techniques, a dataset of 37 CISO type appointment announcements spanning multiple world markets between 2012 and 2019 was analysed and statistically significant (at the 5% level) positive cumulative abnormal returns (CAR) of around 0.8% on average were observed over the three-day period before, during and after the announcement. Furthermore, this positive CAR was found to be highest, at nearly 1.8% on average, within the financial services sector and showing statistical significance at the 1% level. In addition to the industry sector, other characteristics were investigated such as job title, reporting structure, comparison of internal versus external appointments, gender and variations between markets. Although these findings were not as conclusive they are, nevertheless, good pointers for future research in this area. This overall positive market reaction to CISO related announcements is a strong case for publicly listed firms to be transparent in such appointments and to, perhaps, review where that function sits within their organisation to ensure it delivers the greatest benefits. As 24% of the firms analysed were listed outside the US, this study also begins to counter the strong US bias seen in similar and related studies. This research is expected to be of interest to business management, cyber security practitioners, investors and shareholders as well as researchers in cyber security or related fields.
7

Elder, Jonathan, Nicole Jacobson, Natalie Remsen, and Kim Wilmath. "Behind Enemy Lines." Journal of Information Technology Education: Discussion Cases 6 (2017): 12. http://dx.doi.org/10.28945/3928.

Abstract:
A client of a security services firm has received an email from the dark web demanding a ransom or it will start selling data it has stolen from the client. The client has asked for the firm’s assistance in paying the ransom. How should the company proceed? It was late on a Friday afternoon. The ReliaQuest Security Operations Center was busy as usual, but nothing was out of the ordinary. ReliaQuest Chief Technology Officer, Joe Partlow, was in his office working on a new technology innovation when his cell phone rang. It was the Chief Information Security Officer (CISO) for ABC Company, one of ReliaQuest’s clients–a company with millions of customers across the United States. ABC Company’s CISO had a crisis on his hands. He had just gotten word from his public relations staff that a journalist had called asking for a comment about a supposed leak of millions of customer records containing personally identifiable information (PII) that could potentially be used to steal identities. Apparently, the data was listed “for sale” on the “dark web” portion of the Internet by an anonymous hacker. The CISO wanted ReliaQuest’s help figuring out whether the data had, in fact, been stolen. If so, who stole it, and how? And what could be done now to re-procure the data lost? The journalist had given the company a 24-hour window before he said he would post a story. There was also the question of whether the supposed data leak was legitimate at all. ABC Company’s security team had not been able to verify that any of their systems had been breached, and there seemed to be no way to inspect the supposed stolen data without purchasing it from the anonymous hacker–something the company was not comfortable doing on its own. The situation was urgent.
The prospect of alleged customer data floating around the dark web was deeply troubling to the CISO and to Joe, yet he knew that finding the underlying cause of the situation could require members of the ReliaQuest team to use tactics outside the scope of work formally agreed upon by ReliaQuest and ABC Company. Joe also knew that if the breach was real, any tactics to identify and secure the data that ReliaQuest used could be subject to discovery in a criminal case. Moreover, Joe worried that if the breach was real and had somehow happened while under ReliaQuest’s watch, the incident could create a public relations crisis not only for ABC Company, but also for ReliaQuest. Joe was at a high stakes crossroad for making a decision and time was of the essence. ReliaQuest prided itself on team members’ willingness to do whatever it took to make security possible for customers. Nonetheless, Joe needed to decide: How far should ReliaQuest go to verify the breach? How would they find the underlying cause of the breach? How would they recover stolen data? And who should he consult with both within and outside of ReliaQuest to solve the problem while protecting stakeholders?
8

Banker, Rajiv D., and Cecilia (Qian) Feng. "The Impact of Information Security Breach Incidents on CIO Turnover." Journal of Information Systems 33, no. 3 (August 1, 2019): 309–29. http://dx.doi.org/10.2308/isys-52532.

Abstract:
We investigate the relationship between security breaches and chief information officer (CIO) turnover. Because CIOs are directly responsible for IT performance, we argue that their turnover likelihood is higher when they fail to meet IT performance expectations, as reflected by information security breaches. Specifically, we find that breaches caused by system deficiency increase CIO turnover likelihood by 72 percent. However, we find no such association for breaches caused by criminal fraud or human error. We extend our analyses to other executives and document that CEOs are more likely to turn over following breaches caused by both system deficiency and human error, consistent with their broader role within the firm. By contrast, we find no evidence suggesting that CFOs are more likely to turn over following breaches. The findings indicate negative labor market consequences for executives who fail to meet performance expectations within the scope of their duties.
9

Bouaynaya, Wafa. "Cloud computing in SMEs: towards delegation of the CIO role." Information & Computer Security 28, no. 2 (May 28, 2020): 199–213. http://dx.doi.org/10.1108/ics-01-2017-0001.

Abstract:
Purpose: The purpose of this paper is to contribute to a growing body of research on information systems security, by studying open source alternatives for cloud computing. Several questions have been raised about the reliability of these promising but ambiguous offers, as the adoption of a cloud solution within an enterprise is generally accompanied by a change in the chief information officer (CIOs) role and loss of expertise. Design/methodology/approach: The research uses a mixed research methodology: a first step is based on a questionnaire survey to investigate the security aspects of open source and understand the role of CIOs in the migration process. The investigation involved nearly 800 companies operating in the cloud computing sector in 16 European countries between November 2015 and January 2016. Then, this paper completes the research with a qualitative study by examining the activity of two sample companies. Findings: Research confirms that open source cloud solutions offer a higher level of security than proprietary solutions. It is also noted that the role of CIOs is delegated to a third external actor: a transition CIO. Transition CIO is the guarantor of the strategic and security choices of small and medium enterprises. Research limitations/implications: These findings have important implications and great value to managers and cloud computing providers, in terms of formulating better cloud computing solutions. This study can also assist in increasing their understanding of the new role of CIO in the migration process to cloud computing. Originality/value: This study contributes to the body of research on cloud computing. It is first of its kind with its focus on open source alternatives. Another novelty of this research is that it suggests a new conception for the CIOs role in the migration to cloud computing. Finally, the findings of this study would serve as a European market study to different companies interested in cloud computing.
10

Akhtar, Shahzeb, Pratima Amol Sheorey, Sonali Bhattacharya, and Ajith Kumar V. V. "Cyber Security Solutions for Businesses in Financial Services." International Journal of Business Intelligence Research 12, no. 1 (January 2021): 82–97. http://dx.doi.org/10.4018/ijbir.20210101.oa5.

Abstract:
This paper examines the challenges that small, medium, and large businesses in the financial services industry are facing concerning data security and providing relevant tools and strategies to protect the same. A qualitative research-based approach has been used where one-on-one interviews were conducted with 10 CIOs (chief information officers) and CISOs (chief information security officers). This data was compared with secondary data sources to validate the findings. This paper presents an in-depth analysis regarding security technologies and their efficacy to protect data assets and sensitive information. It will also opine about the technologies that each business type can use economically to cover the gamut of cyber-attacks. Existing research is restricted to either addressing small and medium businesses (SMBs) or large businesses. This paper attempts a comprehensive review for all sizes of businesses.

Dissertations / Theses on the topic "Chief Information Security Officer (CISO)"

1

Monzelo, Pedro Miguel Centúrio Sol. "A função do Chief Information Security Officer nas organizações." Master's thesis, Instituto Superior de Economia e Gestão, 2018. http://hdl.handle.net/10400.5/17568.

Abstract:
Master's in Information Systems Management
In an increasingly connected and digital world, information is increasingly seen as a business enabler and a source of competitive advantage. Information security thus becomes critical in protecting information assets, and organizational security strategy has been aligning with business objectives. On the other hand, recent legal changes, such as the Network and Information Security Directive and the General Data Protection Regulation, impose rules on privacy and information security, allowing organizations to redesign or adjust their processes to ensure that information is effectively secure. In this context, the Chief Information Security Officer takes on a prominent role in coordinating the confidentiality, integrity and availability of information in the organization. This work aims to study the general information security environment in organizations, analyse the role of the CISO, and understand where the CISO should be placed in the organizational structure. To that end, interviews were conducted with specialist consultants and with people in management positions in information systems and information security, which led to the conclusion that organizations in Portugal still need to mature considerably on this topic, and that this may be due to the absence of an established security culture in the country. On the other hand, the role of the CISO has taken on greater relevance, and the general opinion is that the CISO should have a close relationship with the organization's board.
In an increasingly connected and digital world, information is seen as a business enabler and a source of sustained competitive advantage. Thus, information security is becoming critical so to protect these information assets, which is why the concern with organizations’ security strategy has been aligning with their strategic objectives. On the other hand, recent changes in regulation, as Network and Information Security (NIS) directive and the General Data Protection Regulation (GDPR), come to regulate and create rules when it comes to information security, and allow organizations to redesign or adjust these processes in order to ensure that information is, in fact, safe. In this context, the Chief Information Security Officer (CISO) comes to play an important role in coordinating confidentiality, integrity, and availability of information in the organization. This paper aims to study organizations’ information security environment in general, analyse the CISO’s role inside them, and understand where they should be integrated in the corporate structure. To do so, interviews were conducted on experienced information security consultants and information systems and information security directors, which allowed to conclude that organizations in Portugal still need a great amount of maturing when it comes to information security, and that this may eventually be due to the absence of an established security culture in the country. On the other hand, the CISO’s role has been increasing in relevance, being a general opinion that their relationship with organizations’ boards should be close.
2

Psaroulis, Georgia. "Leadership in Organisational Cyber Security." Thesis, 2022. https://hdl.handle.net/2440/136018.

Abstract:
Globally, most organisations are powerless to protect their information assets against the constant threat of hostile intruders, and leaders are uncomfortable with the potential threat and disruption to the deep-seated norms, patterns, and systems in their organisational setting. Yet little research exists on Leadership in Cyber security and existing cyber research is splintered across literature specific to individual disciplines that are only component domains of the broader cyber security multidiscipline. This study identifies and addresses “the role of strategic leadership in the complex issue of organisational cyber security”. This thesis argues that cyber security is a complex multidisciplinary leadership issue that must be – but usually is not – addressed systemically. This premise was formulated during employment in the cyber domain and my and colleagues’ experiences provided empirical drivers to investigate this phenomenon. Experience and anecdotal evidence indicated absence of corporate governance in organisational cyber security and ill-defined cyber-OAR (Ownership, Accountability and Responsibility). Chief Information Security Officers (CISOs) lack requisite status, and despite multiple stakeholders and government publications, most executives remain cyber-unaware and have no relationship with the CISO – if they have a CISO at all. Yet these vital issues remain unaddressed in academic publications. In late 2017, almost no literature existed on the topic and the focus issues were largely unrecognised and ignored. In ensuing years, some recognition and changes have emerged. Promising regulations have been introduced, previously unrecognised aspects researched and published, and visionary cyber leadership has emerged – which might suppose the research topic to be obsolete and unnecessary.
But in 2022, the situation is unresolved and despite visionaries, and increased government spending and awareness-building efforts, organisational cyber security is still not understood or practised by most executives. As an academic discipline and organisational practice, cyber security is still in its infancy. An emerging stream of research reveals multiple issues, including fragmentation across multiple academic and practitioner disciplines. Focus has typically remained on technical issues and challenges as computer science and information technology disciplines contribute the majority of published cyber security research, and only scattered articles address non-technology aspects of cyber security. Despite burgeoning interest in the ‘human aspects of cyber security’, when first scoped – with one exception – no research addressed cyber corporate leadership and/or cyber governance ecosystems. This accumulation of worrisome issues is increasingly critical for organisational survival and wellbeing and is substantive evidence of the need for research to address organisational cyber security and leadership. Planned as a thesis-by-publication, this research was purposefully designed as a three-phase study spanning five–six years. An exploratory study, the approach had to be qualitative and emergent. As an infant multidisciplinary domain, the first phase needed to be a scoping review to explore and compare literature across the principal sub-domains. Research commenced with exploring cyber security as a strategic, corporate governance issue that is complex, multidisciplinary, and currently fragmented. Analysis of the scoping review findings confirmed the original premise sufficiently to require a targeted literature review and permitted early conceptual models to be developed, graphically depicting the issues and their interrelationships, and to shape potential solutions and an aspirational future state of organisational cyber security and leadership. 
The Phase 2 targeted review led to the design of an empirical investigation. Guided by review findings, participants were selected, and questions designed. Interviews were conducted with 31 participants from 24 organisations from the Finance sector, following guidelines approved in HREC (H-2019-127). Analysis was primarily conducted using a series of coding passes; constant comparison, pattern and theme, and reduction of the multiple produced theme-codes to a few tightly focussed supra-codes. Graphic analysis was used throughout, creating a series of models to illustrate and synthesise findings, and develop conceptual frameworks. This coding method of analysis was also used for the literature reviews. Stakeholder theory was the primary filter for all analysis, selected due to the original premise that organisational cyber security is multidisciplinary but siloed and fragmented in academia and praxis. In Phase 3, the principal focus was deeper exploration through theoretical lenses and to develop new theory. Stakeholder theory remained the foundation, but all findings were revisited using a theoretical filter of Triple-loop learning. Papers for each of the three phases have been submitted to a leading journal. The body of this thesis is comprised of these papers in entirety, preceded and followed by a whole-of-work introduction and conclusion. The three papers are co-authored but all the initial foundations, including premises, questions, research objectives, interviews, analysis, and models are my original work. Therefore, from Chapter 4 onwards, I refer to the researcher/ author in the plural, acknowledging the contribution of my supervisor/co-author, Dr Cate Jerram. Findings, conclusions, and recommendations are documented in the three abstracts, but briefly recapitulated here. Phase 1 concluded that traditional silos must be bridged or discarded, and a new common lexicon developed. Cyber security lexicons and approaches must align with corporate strategy. 
Organisational executives must acknowledge and take ownership, accountability, and responsibility for their organisation's cyber security, and immediately address the role, status, and budget of the CISO. Phase 2, building from Phase 1, revealed that key mechanisms of corporate governance must promote a shared stewardship approach. The CEO and the CISO must work together and resolve cyber-OAR issues, and the corporate governance system and mechanisms need to simultaneously change and align with the CEO-CISO-OAR relationship. Any aspirational future state cyber security must be embedded in a cyber corporate governance ecosystem. Phase 3 concluded our study with theoretical development and found Triple-loop learning approaches can reinvent and transform organisational cyber security. Clear and coherent cyber security must be directed by strategic leadership and the business and cyber ecosystems must be integrated and intrinsically link. As evidenced by the dearth of quality literature discussing the issues addressed here, few resources are available in this domain and all work in this thesis is original, except where referenced. This study makes three major contributions to theory and practice. Firstly, organisational safety and wellbeing requires corporate cyber governance that is led by the Executive. Secondly, it is imperative that the CISO be a strategic trusted advisor in cyber corporate governance, security, and resilience. Thirdly, any progress in advancing organisational cyber security is dependent on eliminating disciplinary fragmentation based in academic and professional silos, instead building cooperation and co-opetition, collaboration, and eventually a coherent, systemic multidiscipline. Finally, models are provided to illustrate these three major contributions and subsidiary contributions, culminating in the proffered concept of an aspirational future state of what we refer to as – ‘cyber corporate governance ecosystem’. 
This research has produced contributions of value to research and praxis, and frequently to both. The contributions have significant implications that should affect current practice in organisational cyber security and leadership and pave the way for important new fields of research. Significant secondary contributions to practice include the recommendation that silos be discarded to enable a strong and holistic multidiscipline of cyber security. The first implication is that disciplines, professional bodies, and cyber educators (and all extended enterprise) need to strengthen collaboration and establish synergies. Government and quasi-governmental regulators play a vital lead role in cyber security but need to improve dissemination for wider uptake. Organisations, however, need both to become more aware and adoptive of regulations and government provisions, but must improve their ability to adapt any such adoptions to ensure appropriate cultural alignment. Principally, however, Executives must lead and coordinate, determine priorities, and break down barriers to meet organisational need, starting with recognition of the strategic value of cyber security and trusting the CISO as a vital strategic advisor. This research was conducted part-time over six–years in a rapidly changing digital environment that preceded and included the COVID-19 pandemic and its aftermath (and ongoing ‘new normal’), which has inevitably affected the results. This is, though timely, a date-specific limitation. The span of time also saw changes eventuating in the cyber security domain that is the focus of the study. Nevertheless, though the constantly changing cyber landscape has been an impediment to conducting the research, effects on results, conclusions and recommendations have been minimised as much as possible. Primary research limitations are those inherent to qualitative approaches. 
Empirical investigation through semi-structured interviews provided depth but prohibited large numbers for generalisability. Transferability to other sectors is a possibility, but the original field of enquiry was restricted to the Finance sector. Although an investigation into leadership in organisational cyber security, few participants were themselves CEOs or organisational Board members. Further research is needed across different industry-sectors, qualitative research directly engaging with Executive and Board members is needed, and sufficient explorative studies are required to eventually enable broader, generalisable studies.
Thesis (Ph.D.) -- University of Adelaide, Business School, 2022
3

Chen, Guan-Ming, and 陳冠銘. "A Study of the Important Characteristics of Successful Chief Information Security Officer of the R.O.C. Air Force." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/83qsc6.

Abstract:
Master's thesis
Southern Taiwan University of Science and Technology
Department of Information Management
107
Air Force Information Security Officers are specialists in force information requiring outstanding “professional capacity”, “work performance”, and “professional capacity”. Information security preparedness of a unit showcases the comprehensive performance from Information Security Officers and all colleagues. In the military, information education is the key to whether soldiers have sound development of information security literacy and other forms of information. With the information learning experience in the military, an information security officer could hold a position at the Communications Electronics and Information Division, whose good working environment allows the officer to keep advancing professional competency. Multiple resources, such as persons in charge of information facilities and other units, could also be used for the information security officer to devote oneself to information security in the military, further fulfilling the goal of applying what they have learned. Guiding colleagues in the unit with correct information security behaviors and keeping modifying and thinking about personal instruction and information security policies to better fit the guide from important information security units make cybersecurity in the military secure from impediment. Following the literature review of teaching quality, a semi-structured interview was drafted and administered to senior information security officers in all military aviation units, with content analysis adopted for data analysis. A self-developed interview outline, titled “Investigation into information security literacy among Air Force Information Security Officers”, served as the major research instrument.
The conclusion section, addressing the application of “key factors to enhance information security literacy among Air Force Information Security Officers”, respectively analyzed the effects of leadership, work performance, personality trait, and professional capacity on information security officers’ information security literacy. It is proposed that personnel should be screened out based on related traits, so as to select staff most suitable to the given position to extend affairs related to the unit’s information security, and to enhance the unit’s overall information competency to maintain information security.

Books on the topic "Chief Information Security Officer (CISO)"

1

Kouns, Barry L. The chief information security officer: Insight, tools and survival skills. Ely, Cambridgeshire, U.K: IT Governance Pub., 2011.

2

United States. Department of Defense. Chief Information Officer. 2006 Department of Defense Chief Information Officer strategic plan. Washington, D.C: DoD Chief Information Officer, 2006.

3

United States. Congress. Senate. Committee on Governmental Affairs. Providing for additional responsibilities for the Chief Information Officer of the Department of Homeland Security relating to geospatial information: Report of the Committee on Governmental Affairs, United States Senate, to accompany S. 1230 providing for additional responsibilities for the Chief Information Officer of the Department of Homeland Security relating to geospatial information. Washington: U.S. G.P.O., 2004.

4

Providing for additional responsibilities for the Chief Information Officer of the Department of Homeland Security relating to geospatial information: Report of the Committee on Governmental Affairs, United States Senate, to accompany S. 1230 providing for additional responsibilities for the Chief Information Officer of the Department of Homeland Security relating to geospatial information. Washington: U.S. G.P.O., 2004.

5

Affairs, United States Congress Senate Committee on Governmental. Providing for additional responsibilities for the Chief Information Officer of the Department of Homeland Security relating to geospatial information: Report of the Committee on Governmental Affairs, United States Senate, to accompany S. 1230 providing for additional responsibilities for the Chief Information Officer of the Department of Homeland Security relating to geospatial information. Washington: U.S. G.P.O., 2004.

6

The progress of the DHS Chief Intelligence Officer: Hearing before the Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment of the Committee on Homeland Security, U.S. House of Representatives, One Hundred Ninth Congress, second session, May 24, 2006. Washington: U.S. G.P.O., 2007.

7

United States. Congress. House. Permanent Select Committee on Intelligence. Subcommittee on Terrorism, Human Intelligence, Analysis, and Counterintelligence, ed. The Department of Homeland Security Second Stage Review: The role of the Chief Intelligence Officer : joint hearing before the Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment of the Committee on Homeland Security joint with the Subcommittee on Terrorism, Human Intelligence, Analysis, and Counterintelligence of the House Permanent Select Committee on Intelligence, House of Representatives, One Hundred Ninth Congress, first session, October 19, 2005. Washington: U.S. G.P.O., 2007.

8

Ahmed, Mustafa, and David White. Cyber Security : the CISO Quick Start Guide: Enterprise Security Operations Risk Management Architecture for Chief Information Security Officers. Independently Published, 2021.

9

Blokdyk, Gerardus. Federal Chief Information Security Officer: Standard Requirements. CreateSpace Independent Publishing Platform, 2018.

10

Namuduri, Kamesh. Chief Information Security Officer: Roles and Responsibilities. Taylor & Francis Group, 2019.


Book chapters on the topic "Chief Information Security Officer (CISO)"

1

Al-Taie, Moyassar, Michael Lane, and Aileen Cater-Steel. "A Past to Present Journey." In Advances in Business Information Systems and Analytics, 180–206. IGI Global, 2015. http://dx.doi.org/10.4018/978-1-4666-6473-9.ch009.

Abstract:
This chapter explores the role of the Chief Information Officer (CIO). A detailed review of the existing literature traces the evolution of this role and highlights its characteristics and configurations. CIO role effectiveness can be described in terms of three demand-side roles: strategist, relationship architect, integrator, and three supply-side roles: educator, information steward, and utility provider. To explore the configuration of roles of CIOs in Australia, a large-scale survey of CIOs was conducted. The Australian results, based on 174 responses, are compared with those from similar studies in USA. The top priority for the Australian CIO was information steward, ensuring organizational data quality and security and recruiting and retaining IT skilled staff. In comparison, the first priority for the USA CIOs was utility provider - building and sustaining solid, dependable, and responsive IT infrastructure services. This study's findings have implications for CIO career development and recruitment.
2

Butcher-Powell, Loreen Marie. "Better Securing an Infrastructure for Telework." In Information Security and Ethics, 2044–58. IGI Global, 2008. http://dx.doi.org/10.4018/978-1-59904-937-3.ch137.

Abstract:
The XYZ Hardware Company, Inc. infrastructure features high volumes of sensitive and confidential corporate data relevant to internal and external transactions. From 1999 to the middle of 2004, XYZ has utilized the Operationally Critical Threat, Asset, and Vulnerability Evaluation℠ (OCTAVE℠) Model version 1e to protect its network. The OCTAVE℠ Model has proven to be helpful for XYZ by identifying over 198 potential security breaches. However, in 2004, when XYZ began to enhance its existing network infrastructure to include telework, 210 security breaches occurred. These breaches cost the company over $350,000 in lost profits between July and December of 2004. To safeguard their network, upper management wanted to invest the money in a series of generalized training including working ethics, virus scanning, and backing up files. However, instead, XYZ’s chief information officer (CIO) invested over $100,000 in research in order to modify their existing protection strategy, to better safeguard their new telework infrastructure by identifying its specific strengths and weakness in an effort to create more concentrated and specialized training at the root of the problem.
3

"Chief Security Officer or Chief Information Security Officer." In Strategic Information Security, 43–60. Auerbach Publications, 2003. http://dx.doi.org/10.1201/9780203497081-5.

4

"Chief Security Officer or Chief Information Security Officer." In Strategic Information Security. Auerbach Publications, 2003. http://dx.doi.org/10.1201/9780203497081.ch3.

5

Johansson, Kevin, Tim Paulsson, Erik Bergström, and Ulf Seigerroth. "Improving Cybersecurity Awareness Among SMEs in the Manufacturing Industry." In Advances in Transdisciplinary Engineering. IOS Press, 2022. http://dx.doi.org/10.3233/atde220140.

Abstract:
Small and medium-sized (SME) manufacturing enterprises have been described as a sector that traditionally has not been data-intensive, with low spending on IT and cybersecurity and employees with low cybersecurity awareness. SMEs have also been described as agile and under pressure to adopt new technology and embrace digitalization to gain a competitive advantage. Entering this data-intensive world also comes with new risks, making them extra vulnerable. Not much attention has been directed at how SMEs in the manufacturing sector are working with improving employees’ cybersecurity awareness. Especially not where cybersecurity training programs are in focus. To investigate these aspects, we opted for a set of five SMEs in the manufacturing industry where it was possible to perform in-depth semi-structured interviews with chief information security officers’ (CISO) and employees. The results show several interesting results, for example, regarding the view on contextualization of training material and the relevance of microlearning. The study also presents several practical implications, including recommendations for improving cybersecurity training measures for SMEs in the manufacturing sector.
6

Strang, Kenneth David. "Exploring Marketing Theories to Model Business Web Service Procurement Behavior." In Advances in Web Technologies and Engineering, 33–62. IGI Global, 2014. http://dx.doi.org/10.4018/978-1-4666-5884-4.ch002.

Abstract:
This chapter provides literature-grounded definitions of contemporary Web services and marketing theories, which can model business demand through procurement decision-making behavior. First, the literature was reviewed to identify contemporary Web 2.0 and Web service ontology alongside marketing theories, which can describe individual decision making in an organizational or personal context. The Web services included cloud computing, social networking, data storage, security, and hosted applications. Then selected models for assessing procurement decision-making behavior were discussed in more detail. The constructed grounded theory method was applied by interviewing Chief Information Officers (CIO) at large organizations across four industries in the USA: healthcare, higher education, energy creation, and banking. The purpose was to determine which marketing theories could effectively model their Web service procurement behavior. An empirical procurement decision-making model was developed and fitted with data collected from the participants. The results indicated that Web service procurement decision-making behavior in businesses could easily be modeled, and this was ratified by the CIOs. The chapter proposes a state-of-the-art ontology and model for continued empirical research about organizational procurement decision-making behavior for Web services or other products.
7

Strang, Kenneth David. "Exploring Marketing Theories to Model Business Web Service Procurement Behavior." In Web-Based Services, 221–50. IGI Global, 2016. http://dx.doi.org/10.4018/978-1-4666-9466-8.ch011.

Abstract:
This chapter provides literature-grounded definitions of contemporary Web services and marketing theories, which can model business demand through procurement decision-making behavior. First, the literature was reviewed to identify contemporary Web 2.0 and Web service ontology alongside marketing theories, which can describe individual decision making in an organizational or personal context. The Web services included cloud computing, social networking, data storage, security, and hosted applications. Then selected models for assessing procurement decision-making behavior were discussed in more detail. The constructed grounded theory method was applied by interviewing Chief Information Officers (CIO) at large organizations across four industries in the USA: healthcare, higher education, energy creation, and banking. The purpose was to determine which marketing theories could effectively model their Web service procurement behavior. An empirical procurement decision-making model was developed and fitted with data collected from the participants. The results indicated that Web service procurement decision-making behavior in businesses could easily be modeled, and this was ratified by the CIOs. The chapter proposes a state-of-the-art ontology and model for continued empirical research about organizational procurement decision-making behavior for Web services or other products.
8

Strang, Kenneth David. "Exploring Marketing Theories to Model Business Web Service Procurement Behavior." In Marketing and Consumer Behavior, 1911–40. IGI Global, 2015. http://dx.doi.org/10.4018/978-1-4666-7357-1.ch094.

Abstract:
This chapter provides literature-grounded definitions of contemporary Web services and marketing theories, which can model business demand through procurement decision-making behavior. First, the literature was reviewed to identify contemporary Web 2.0 and Web service ontology alongside marketing theories, which can describe individual decision making in an organizational or personal context. The Web services included cloud computing, social networking, data storage, security, and hosted applications. Then selected models for assessing procurement decision-making behavior were discussed in more detail. The constructed grounded theory method was applied by interviewing Chief Information Officers (CIO) at large organizations across four industries in the USA: healthcare, higher education, energy creation, and banking. The purpose was to determine which marketing theories could effectively model their Web service procurement behavior. An empirical procurement decision-making model was developed and fitted with data collected from the participants. The results indicated that Web service procurement decision-making behavior in businesses could easily be modeled, and this was ratified by the CIOs. The chapter proposes a state-of-the-art ontology and model for continued empirical research about organizational procurement decision-making behavior for Web services or other products.
9

Rahul, Kumar, Rohitash Kumar Banyal, and Nikhil Raghav Bhatt. "The Cyber Security Challenges: A Survey of Chief Information Security Officer in Indian Context." In ICT for Competitive Strategies, 749–58. CRC Press, 2020. http://dx.doi.org/10.1201/9781003052098-79.

10

Latifi, Fariba, and Somayeh Alizadeh. "The Influence of National Factors on Transferring and Adopting Telemedicine Technology." In Virtual and Mobile Healthcare, 933–47. IGI Global, 2020. http://dx.doi.org/10.4018/978-1-5225-9863-3.ch046.

Abstract:
Telemedicine has drawn increasing attention as a beneficial healthcare delivery medium, especially in developing countries that struggle with physician and health professional shortages, through providing health services in remote areas. This paper presents the findings of a survey conducted to investigate the national factors influencing the adoption of telemedicine technology in Iran, as a less developed country. Designing a self-administered questionnaire the data were collected from the Chief Information Officers (CIOs) of Iranian healthcare system. The findings indicate that political factors such as Information and Communication Technology (ICT) policies, national data security policies, national e-health policies, national ICT infrastructures and rational decision-making, along with organizational factors such as organizational readiness and implementation effectiveness, are positively associated with telemedicine capability in Iran. However, no evidence was found to support the direct impact of cultural factors on transferring telemedicine technology in the country.

Conference papers on the topic "Chief Information Security Officer (CISO)"

1

van Yperen Hagedoorn, Jeroen M. J., Richard Smit, Patric Versteeg, and Pascal Ravesteijn. "Soft Skills of The Chief Information Security Officer." In Digital Support from Crisis to Progressive Change. University of Maribor Press, 2021. http://dx.doi.org/10.18690/978-961-286-485-9.34.

Abstract:
This study addresses the role of a Dutch chief information security officer (CISO) and the soft skills required in this leadership role. The overview of soft skills is the outcome of the CISO perspectives in a Delphi study combined with an analysis of soft skills mentioned in job ads. A comparison with an earlier US-based study revealed that soft skills are ranked differently by Dutch CISOs. Moreover, we found that soft skills are not clearly described in job ads – none of these ads had explicitly listed soft skills. The present study demonstrates that CISOs with soft skills are in demand. The development of soft skills starts at a young age through various social activities and is also the result of self-actuation. The practical implications of this study are that it offers insights into the soft skills required for the role and discusses best-fitting leadership styles and ways in which organisations should include soft skills in recruitment.
2

Namuduri, Kamesh, and Murali Varanasi. "The chief security officer problem." In 2011 45th Annual Conference on Information Sciences and Systems (CISS). IEEE, 2011. http://dx.doi.org/10.1109/ciss.2011.5766177.
