Dissertations / Theses on the topic 'Component of corporate security'

Копча Ю. Ю. Механізм формування потенціалу економічної безпеки підприємств: дисертація на здобуття ступеня доктора філософії за спеціальністю 051 – «Економіка» / Копча Юрій Юрійович. – Київ: Національний авіаційний університет; Львівський державний університет внутрішніх справ МВС України, 2020. - 277 с.
У дисертаційній роботі вирішено важливе науково-практичне завдання, пов’язане з теоретико-методичним обґрунтуванням положень і розробкою практичних рекомендацій щодо розробки механізму формування потенціалу економічної безпеки підприємства та використання системи оцінювання його складових. Доведено, що проблема визначення особливостей ідентифікації економічної стійкості підприємства як основи його потенціалу економічної безпеки дасть змогу виявити дві номенклатурні групи дослідження, а саме – економічну стійкість і потенціал економічної безпеки, які використовуються як ключ до категоризації основного завдання. Аналізуючи внутрішні та зовнішні процеси підприємства через їхні зв’язки та необхідність їхньої координації з внутрішніми складовими підприємства, створено концептуальний підхід до ідентифікації економічної стійкості підприємства як основи його потенціалу економічної безпеки. Визначені складові можна розвивати та задіювати у формуванні економічної стійкості, що реалізується за рахунок здатності мобілізації ресурсів, а отже, й створює основу для підвищення рівня потенціалу економічної безпеки. Особливістю такого концептуального підходу є система ідентифікації його складових за допомогою узагальнених і обґрунтованих ознак, що сприяє адекватному до зовнішнього і внутрішнього середовищ прийняттю рішення і впровадженню його в діяльність підприємства. Запропоновано визначення фінансового забезпечення потенціалу економічної безпеки як створення структурованих системних шляхів для безперервного спрямування різних оплачених видів ресурсів, які за допомогою переносу своїх якостей підвищують можливості підприємства до протидії загрозам його розвитку та ведення господарської діяльності. Це дозволить на підставі обраної модульної архітектоніки на єдиному підґрунті розробити інші типи забезпечення потенціалу економічної безпеки, таких як інформаційне, організаційне, кадрове та інші. Установлено, що управління підприємством як економічною системою вимагає вирішення багатьох проблем, зумовлених як зовнішніми, так і внутрішніми чинниками. Тому концепція контролінгу виступає одним із ключових факторів управління потенціалом економічної безпеки підприємства, яка дозволяє вирішувати в комплексі низку таких питань, як стабільне функціонування підприємства в довгостроковій перспективі; виявлення і приведення в дію наявних резервів; оперативне та ефективне впровадження стратегії управління потенціалом економічної безпеки підприємства та інше. Запропоновано характеризувати контролінг управління потенціалом економічної безпеки підприємством як системою, яка спрямована на досягнення довгострокових цілей шляхом координування стратегічного і оперативного рівнів управління. Мета стратегічного контролінгу – забезпечення відповідного рівня потенціалу економічної безпеки в довгостроковому періоді, мета оперативного – забезпечення відповідного рівня потенціалу економічної безпеки в короткостроковому періоді шляхом розробки та реалізації відповідних заходів щодо використання наявних ресурсів. Проаналізовано сутність організаційно-економічного механізму управління потенціалом економічної безпеки підприємства, що передбачає досягнення ефективних параметрів функціонування, збереження фінансового, виробничого і кадрового потенціалів, формування умов для надійного та конкурентоздатного функціонування. В запропонованій структурі організаційно-економічного механізму управління потенціалом економічної безпеки підприємства відображено компоненти економічної та організаційної складових, де особливе місце належить контролінгу. Виявлено, що розвиток економіки України супроводжується трансформаційними процесами, які створюють певні небезпеки для суб’єктів господарювання машинобудівної галузі, оскільки вона характеризується тривалим операційно-фінансовим циклом, що впливає на посилення ризику інвестування, не дозволяє здійснювати відтворювальні процеси та підтримувати необхідний науково-технічний рівень підприємств. Доведено необхідність упровадження механізму управління економічною стійкістю підприємств машинобудування до динамічних умов сучасної економіки, який є важливою складовою управління потенціалом економічної безпеки підприємств та однією з найважливіших умов ефективного функціонування та розвитку підприємств в економіці країни, умовою досягнення поточних і перспективних цілей, які певною мірою визначаються рівнем конкуренції на внутрішньому та зовнішньому ринках. Запропоновано теоретико-методичний підхід до оцінювання потенціалу економічної безпеки підприємств на підґрунті визначення локальних показників виробничої, фінансової та кадрової складових, що дає змогу охарактеризувати рівень достатності фінансових, кадрових і виробничих ресурсів для забезпечення розширеного відтворення та економічної безпеки підприємства, підвищити потенціал економічної безпеки у процесі діяльності, виявити основні аспекти діяльності підприємства, що негативно впливають на потенціал економічної безпеки, та забезпечити найбільш прийнятні напрями й форми управління потенціалом економічної безпеки машинобудівних підприємств. Зазначено, що підприємства функціонують як відкрита система, тобто відбувається безперервна взаємодія між компаніями і їх зовнішнім середовищем, для якого характерний надзвичайно високий ступінь складності, невизначеності та взаємопов’язаності. Це визначає кількість факторів, на які підприємство зобов’язано реагувати, а також рівень варіантності кожного з них, що визначає вплив на формування потенціалу економічної безпеки. Обґрунтовано, що з метою ефективного функціонування підприємства необхідно оцінювати вплив зовнішнього середовища на його потенціал економічної безпеки, яке може як негативно впливати на економічну безпеку, так і сприяти подальшому економічному розвитку. Найбільш доцільним підходом до визначення впливу зовнішнього середовища на функціонування машинобудівних підприємств є логістичний підхід, який дає змогу простежити зміни в межах окремих складових системи та її підсистем і взаємний вплив. Запропоновано оцінку впливу зовнішнього середовища на потенціал економічної безпеки підприємства здійснювати з використанням кваліметричного прогнозування шляхом розрахунку інтегрального показника, який характеризує вплив соціально-демографічного середовища, науково-технологічного середовища, економічного середовища, політикоінституціонального середовища на потенціал економічної безпеки. Означене дає змогу підприємству швидко адаптуватися до змін і приймати стратегічні рішення щодо подальшого розвитку. Сформовано систему стратегічного та оперативного контролінгу функціонування підприємства, в основі якої є аналіз і контроль зовнішнього середовища, визначення і контроль потенціалу та зони економічної безпеки, формулювання та контроль стратегічних орієнтирів. Це уможливлює розроблення рекомендацій щодо гармонізації управління потенціалом економічної безпеки підприємств. Розроблено та апробовано методичний підхід до оцінки потенціалу економічної безпеки підприємств за виробничою, фінансовою і кадровою складовими на основі відбору найбільш значущих показників шляхом кваліметричного прогнозування та кореляційно-регресійного аналізу. Окреслене забезпечило побудову багатофакторних моделей складових і дозволило визначити напрями підвищення потенціалу економічної безпеки аналізованих підприємств і на зовнішньому, і на внутрішньому ринках. Сформовано визначення рівня потенціалу економічної безпеки підприємств шляхом розрахунку інтегрального показника на основі кваліметричного прогнозування. Це допомагає сформувати стратегічні орієнтири управління потенціалом економічної безпеки підприємств. Запропонована оцінка рівня потенціалу економічної безпеки підприємства дозволяє: адекватно оцінити можливість і готовність підприємства до розвитку і стабільного функціонування; проаналізувати і спрогнозувати тенденції розвитку підприємства, виявити його сильні і слабкі сторони; підготувати рекомендації із підвищення потенціалу економічної безпеки підприємства та механізм їх реалізації. Запропоновано матрицю визначення зони економічної безпеки з урахування чинників зовнішнього середовища функціонування підприємств і наявного потенціалу економічної безпеки, що дозволяє розробити заходи щодо підвищення конкурентоздатності підприємств машинобудування як на зовнішньому, так і на внутрішньому ринках. Обґрунтовано доцільність здійснювати вибір стратегічних орієнтирів управління потенціалом економічної безпеки машинобудівних підприємств шляхом побудови ієрархії, проведення парних порівнянь критеріїв вибору стратегічних орієнтирів щодо фокусу ієрархії. Це дасть змогу забезпечити збалансовані темпи перманентного зростання і безпечного розвитку підприємства з урахуванням його захисту від зміни внутрішніх і зовнішніх загроз на доволі тривалий час. Розроблено модель обґрунтування вибору напрямів підвищення рівня потенціалу економічної безпеки підприємства залежно від його стратегічних орієнтирів, заснованої на визначенні відповідності рівня потенціалу економічної безпеки підприємства рівню впливу зовнішнього середовища та вибору можливих заходів. Розроблено процес формування системи енергоменеджменту машинобудівного підприємства, який ґрунтується на методології функціонального моделювання IDEF0, здійснено деталізацію процесу, ідентифіковано входи і виходи процесу, керуючі впливу і механізми реалізації (персонал, технічні засоби, організаційно-методичне забезпечення і фінанси). Це уможливлює успішну реалізацію будь-якого з вирізнених напрямів і підвищення енергетичної ефективності машинобудівних підприємств. Обґрунтовано стратегічні орієнтири диференційованого зростання і підвищення рівня зони економічної безпеки ПрАТ «Вовчанський агрегатний завод», ДП «Харківський авіаремонтний завод «Тора»», ДП «Одеський авіаційний завод», ДП «Харківський машинобудівний завод» «ФЕД»», ПрАТ «Дніпропетровський агрегатний завод», ДП «Луцький ремонтний завод «Мотор», ПАТ «Мотор Січ». Вибір стратегічних орієнтирів здійснено, спираючись на об’єктивну інформацію про стан їх потенціалу економічної безпеки, а також про фактичний рівень зони їх економічної безпеки. This thesis gives the results of solving an important scientific-practical problem related to the theoretical-methodological substantiation of the provisions and the providing of practical recommendations for the development of the mechanism of formation of the enterprise`s potential of economic security and the use of the system of evaluation of its components. It is proved in the thesis that the problem of detecting the features of identifying the economic stability of an enterprise as the basis of its economic security potential will identify two nomenclature groups of research, namely economic sustainability and economic security potential, which are used as the key to categorization of the main task. Analyzing the internal and external processes of the enterprise through their relationships and the need for their coordination with the internal components of the enterprise, a conceptual approach for identifing the economic stability of the enterprise as the basis of its potential for economic security was created. Certain components can be developed and involved in the formation of economic sustainability, which comes at the expense of the ability to mobilize resources, and therefore creates the basis for increasing the level of economic security potential. The peculiarity of such conceptual approach is the system of identification of its constituents by means of generalized and substantiated features, which contributes to the appropriate decision-making approach according to the conditions of external and internal environment and its implementation in the enterprise. The definition of financial support to the potential of economic security is proposed as creation of structured systematic ways for continuous directing of different paid kinds of resources, which by means of transfer of their qualities increase the ability of the enterprise to counter the threats of its development and conducting economic activity. This will allow, on the basis of the chosen modular architecture, to develop on a single basis other types of providing the potential of economic security such as information, organizational, personnel and other. It is established that the management of the enterprise as an economic system requires solving many problems caused by both external and internal factors, so the concept of controlling is one of the key factors of managing the potential of economic security of the enterprise, which allows to solve a number of issues in the complex, such as : stable operation of the enterprise in the long run; identification and activation of existing reserves; prompt and effective implementation of the enterprise's economic security potential management strategy and other. The author proposes to characterize controlling the management of economic security potential of an enterprise as a system that aims at achieving long-term goals by coordinating the strategic and operational level of management. The purpose of strategic controlling is to ensure an adequate level of economic security potential in the long term, the objective of operational control is to ensure an appropriate level of economic security potential in the short term by developing and implementing appropriate measures to use available resources. The organizational-economic mechanism of managing the potential of economic security of the enterprise, which envisages achievement of effective parameters of functioning, preservation of financial, production and personnel potential, formation of conditions for reliable and competitive functioning is proposed. In the proposed structure of the organizational-economic mechanism for managing the potential of economic security, the enterprises have reflected the components of the economic and organizational component and special place belongs to controlling. It is revealed that the development of the Ukrainian economy is accompanied by transformation processes that pose certain dangers for the economic entities of the engineering industry, as it is characterized by a long operational-financial cycle, which increases the risk of investment, does not allow to carry out reproduction processes and maintain the necessary scientific-technical level of enterprises. The necessity of introduction of the mechanism of management of economic stability of machine-building enterprises to the dynamic conditions of the modern economy, which is an important component of managing the potential of economic security of enterprises and is one of the most important conditions for effective functioning and development of enterprises in the economy of the country, a condition for achieving current and long-term goals, which are determined by the level of competition in the domestic and foreign markets is proved. The theoretical-methodological approach of estimating the potential of economic security of enterprises on the basis of determination of local indicators of production, financial and personnel components is offered, which allows to characterize the level of sufficiency of financial, human and production resources for ensuring extended reproduction and economic security of the enterprise; to increase the potential of economic security in the process of activity, to identify the main aspects of the activity of the enterprise, which negatively affect the potential of economic security and to provide the most acceptable directions and forms of management of the potential of economic security of machine-building enterprises. It is stated that the enterprises function as an open system, i.e. there is a continuous interaction between the companies and their external environment characterized by an extremely high degree of complexity, uncertainty and interconnection, which determines the number of factors that the enterprise is obliged to respond to, as well as the level of variability, which determines the impact on the formation of economic security potential. It is substantiated that for the effective functioning of the enterprise it is necessary to evaluate the influence of the external environment on its potential of economic security, which can both negatively affect the economic security and promote further economic development. The most appropriate approach to determining the impact of the environment on the functioning of machine-building enterprises is a logistical approach, which allows to trace changes within individual components of the system and its subsystems and mutual influence. It is suggested to assess the impact of the external environment on the potential of economic security of the enterprise using qualitative forecasting by calculating an integral indicator that characterizes the impact of socio-demographic environment, scientific-technological environment, economic environment, political-institutional environment on the potential of economic security, which enables the enterprise quickly adapting to change and making strategic decisions for further development. The system of strategic and operational control of the functioning of the enterprise is formed, based on the analysis and control of the environment, the definition and control of the potential and zone of economic security, formulation and control of strategic guidelines, which allows to develop recommendations for harmonization of the management of the potential of economic security of enterprises. A methodical approach to assessing the economic security potential of enterprises by production, financial and personnel components was developed and tested based on the selection of the most significant indicators through qualitative forecasting and correlation-regression analysis, which ensured the construction of multifactor models of components and allowed to determine the directions of increasing the potential of economic security of enterprises both on the domestic and foreign markets. The definition of the level of potential of economic security of enterprises is formed by calculating the integral indicator on the basis of qualimetric forecasting, which makes it possible to form strategic orientations for managing the potential of economic security of enterprises. The proposed assessment of the level of potential of economic security of the enterprise allows: adequately assess the ability and readiness of the enterprise for development and stable functioning; analyze and forecast trends in the enterprise development, identify its strengths and weaknesses; to prepare recommendations for enhancing the economic security potential of the enterprise and the mechanism for their implementation. The matrix of determination of the economic security zone based on the factors of the external environment of functioning of enterprises and the available potential of economic security is offered, which allows to develop measures to increase the competitiveness of machine-building enterprises both in the external and internal market. The choice of strategic guidelines for managing the potential of economic security of machine-building enterprises is substantiated by constructing a hierarchy, making pairwise comparisons of the criteria for choosing strategic benchmarks with respect to the focus of the hierarchy, that allowing to ensure a balanced rate of permanent growth and safe development of the enterprise, taking into account its protection against changes in internal and external threats for a rather long period of time. The model of substantiation of choice of directions of increase of level of enterprise`s potential of economic safety depending on its strategic orientations based on determination of correspondence of level of potential of economic security of enterprise to the level of influence of external environment and choice of possible measures is developed. The process of forming the energy management system of a machine-building enterprise based on the IDEF0 functional modeling methodology has been developed, the process details have been identified, the process inputs and outputs, control influences and mechanisms of implementation (personnel, technical means, organizational-methodological support and finances) have been carried out, which allows successful implementation of any of the selected areas and increase the energy efficiency of machine-building enterprises. Strategic orientations for differentiated growth and increase of the level of economic security zone of PJSC "Volchansk Aggregate Plant", SE "Kharkiv Aircraft Repair Plant "Tora", SE "Odessa Aviation Plant", SE "Kharkiv Machine Building Plant" "Fed", SJSC "Dnipropetrovsk repair plant”, SE "Lutsk repair plant "Motor", PJSC "MOTOR SICH" are justified. Strategic guidelines were selected based on objective information about the state of their economic security potential as well as the actual level of their economic security zone.

An analysis of the current domestic and foreign literature on corporate governance. The questions of analysis, dynamics and control risks associated with the operation and development corporations that allows you to explore a range of challenges, threats, hazards that affect the structure and development of corporate security. Analysis of research on the creation and development of a new direction - a corporate security. When you are citing the document, use the following link http://essuir.sumdu.edu.ua/handle/123456789/36239

Thesis (M.A. in Security Studies (Homeland Security and Defense))--Naval Postgraduate School, June 2004.
Thesis advisor(s): Maria Rasmussen. Includes bibliographical references (p. 57-59). Also available online.

Problem: In the world of today’s business, there is a trend for investors not only to base their decisions whether to invest in a company on the basis of its financial results.

These days more features are taken into consideration. Corporate identity is a crucial aspect to bear in mind for investors, as it demonstrates what the company is, how it works and where it is going. Corporate Communication is a process that allows companies to share their information with the stakeholders. Not every company is aware

of the significance of communicating its corporate identity to investors. These represent a basis for the company, since their support is needed to achieve the organization’s objectives. Furthermore, communication of corporate identity to investors represents an opportunity for a company to achieve its goals. The importance and relation of corporate identity and communication to investors is becoming a relevant issue not only for them but also for stakeholders.

Problem: In the world of today’s business, there is a trend for investors not only to base their decisions whether to invest in a company on the basis of its financial results. These days more features are taken into consideration. Corporate identity is a crucial aspect to bear in mind for investors, as it demonstrates what the company is, how it works and where it is going. Corporate Communication is a process that allows companies to share their information with the stakeholders. Not every company is aware of the significance of communicating its corporate identity to investors. These represent a basis for the company, since their support is needed to achieve the organization’s objectives. Furthermore, communication of corporate identity to investors represents an opportunity for a company to achieve its goals. The importance and relation of corporate identity and communication to investors is becoming a relevant issue not only for them but also for stakeholders.

Purpose: The purpose of this thesis is to investigate corporate identity and its communication, as a key component, to investors.

Method: The authors have conducted a case study of the Chemical and Mining Company of Chile Inc. (SQM). A qualitative method approach has been used to achieve the purpose. Self-administered questionnaires have been used to gather empirical data.

Conclusion: The case study has led to conclusions on how important it is for SQM to communicate its corporate identity to investors. SQM’s corporate identity is seen as an instrument to differentiate, compete and communicate with investors. SQM’s visual identity is an instrument to communicate the evolution of the company. The company is using behavior, symbolism and communication as the main channels to transmit its corporate identity to investors. SQM’s investor relations show a clear awareness of the need for communication with its investors and financial stakeholders. This is supported by the development of their website and the information collected through the questionnaire. Finally, the authors conclude that corporate identity and its communication, as a key component, is essential for SQM. Its investor relations department and website show that it is very important for the company to communicate to investors its identity.

Submitted by Lucas Bubman Dyskant (lucasbubman@hotmail.com) on 2017-11-28T15:33:56Z No. of bitstreams: 2 EPGE - Final.pdf: 765762 bytes, checksum: 516f76f53430680a81d511305bdde1be (MD5) EPGE - Final.pdf: 765762 bytes, checksum: 516f76f53430680a81d511305bdde1be (MD5)
Approved for entry into archive by GILSON ROCHA MIRANDA (gilson.miranda@fgv.br) on 2017-12-07T19:31:14Z (GMT) No. of bitstreams: 2 EPGE - Final.pdf: 765762 bytes, checksum: 516f76f53430680a81d511305bdde1be (MD5) EPGE - Final.pdf: 765762 bytes, checksum: 516f76f53430680a81d511305bdde1be (MD5)
Made available in DSpace on 2017-12-08T17:08:53Z (GMT). No. of bitstreams: 2 EPGE - Final.pdf: 765762 bytes, checksum: 516f76f53430680a81d511305bdde1be (MD5) EPGE - Final.pdf: 765762 bytes, checksum: 516f76f53430680a81d511305bdde1be (MD5)
We find that illiquidity remains a major factor in explaining corporate spreads. Illiquidity is second only to the credit risk itself. This effect is surprising given that the corporate debt trading activity has more than doubled in the US since the financial crisis of 2008. Longer bonds are substantially more illiquid than shorter bonds as one additional year in time to mature dries liquidity by 16%. We regress monthly cross-sectional corporate yield spreads on our return-based illiquidity measure, controlling for other variables such as the CDS spread and volatility. We find that a one standard deviation increase in illiquidity widens spreads by 26 basis points.
Nós encontramos que a iliquidez remanesce um importante fator explicativo em spreads de títulos corporativos. A iliquidez é menos importante somente do que o próprio risco de crédito. Este efeito é surpreendente dado que o volume de negociação de dívida privada mais do que dobrou nos EUA desde a crise financeira de 2008. Títulos longos são substancialmente mais ilíquidos do que títulos mais curtos, uma vez que um ano adicional na maturidade seca a liquidez em 16%. Nós regredimos cross-sections mensais de spreads de taxas privadas em nossa medida de iliquidez baseada em retornos, controlando por outro fatores como o CDS e a volatilidade. Nós encontramos que um aumento de um desvio padrão na iliquidez aumenta os spreads em 26 pontos-base.

In modern conditions of the market economy development, the deepening of integration and globalization, the importance of taxes in providing financial security is growing. Taxes and tax policy in modern conditions is one of the most important objects of market reforms. Taking into account that taxes have a significant impact on the economy, the budget system, financial support of local authorities, tax security is an important element of the system of financial security ensuring. To our mind the tax security of the country is such condition of the tax system, which is characterized by the stability of all its elements and provides the growth of resource potential of the country with the purpose of the providing of socio-economic development of the state.

Introduction: There are many components that are required for an organisation to be successful in its chosen field. These components vary from corporate culture, to corporate leadership, to effective protection of important assets. These and many more contribute to the success of an organisation. One component that should be a definitive part in the strategy of any organisation is information security. Information security is one of the fastest growing sub-disciplines in the Information Technology industry, indicating the importance of this field (Zylt, 2001, online). Information security is concerned with the implementation and support of control measures to protect the confidentiality, integrity and availability of electronically stored information (BS 7799-1, 1999, p 1). Information security is achieved by applying control measures that will lessen the threat, reduce the vulnerability or diminish the impact of losing an information asset. However, as a result of the fact that an increasing number of employees have access to information, the protection of information is no longer only dependent on physical and technical controls, but also, to a large extent, on the actions of employees utilising information resources. All employees have a role to play in safeguarding information and they need guidance in fulfilling these roles (Barnard, 1998, p 12). This guidance should originate from senior management, using good corporate governance practices. The effective leadership resulting from good corporate governance practices is another component in an organisation that contributes to its success (King Report, 2001, p 11). Corporate governance is defined as the exercise of power over and responsibility for corporate entities (Blackwell Publishers, 2000, online). Senior management, as part of its corporate governance duties, should encourage employees to adhere to the behaviour specified by senior management to contribute towards a successful organisation. Senior management should not dictate this behaviour, but encourage it as naturally as possible, resulting in the correct behaviour becoming part of the corporate culture. If the inner workings of organisations are explored it would be found that there are many hidden forces at work that determine how senior management and the employees relate to one another and to customers. These hidden forces are collectively called the culture of the organisation (Hagberg Consulting Group, 2002, online). Cultural assumptions in organisations grow around how people in the organisation relate to each other, but that is only a small part of what corporate culture actually covers (Schein, 1999, p 28). Corporate culture is the outcome of all the collective, taken-for-granted assumptions that a group has learned throughout history. Corporate culture is the residue of success. In other words, it is the set of procedures that senior management and employees of an organisation follow in order to be successful (Schein, 1999, p 29). Cultivating an effective corporate culture, managing an organisation using efficient corporate governance practices and protecting the valuable information assets of an organisation through an effective information security program are, individually, all important components in the success of an organisation. One of the biggest questions with regard to these three fields is the relationship that should exist between information security, corporate governance and corporate culture. In other words, what can the senior management of an organisation, using effective corporate governance practices, do to ensure that information security practices become a subconscious response in the corporate culture?.

Information Security is currently viewed from a technical point of view only. Some authors believe that Information Security is a process that involves more than merely Risk Management at the department level, as it is also a strategic and potentially legal issue. Hence, there is a need to elevate the importance of Information Security to a governance level through Information Security Governance and propose a framework to help guide the Board of Directors in their Information Security Governance efforts. IT is a major facilitator of organizational business processes and these processes manipulate and transmit sensitive customer and financial information. IT, which involves major risks, may threaten the security if corporate information assets. Therefore, IT requires attention at board level to ensure that technology-related information risks are within an organization’s accepted risk appetite. However, IT issues are a neglected topic at board level and this could bring about enronesque disasters. Therefore, there is a need for the Board of Directors to direct and control IT-related risks effectively to reduce the potential for Information Security breaches and bring about a stronger system of internal control. The IT Oversight Committee is a proven means of achieving this, and this study further motivates the necessity for such a committee to solidify an organization’s Information Security posture among other IT-related issues.

The Heimdal Framework presented in this thesis is a step towards an unambiguous framework that reveals the objective strength and weaknesses of the security of components. It provides a way to combine different aspects affecting the security of components - such as category requirements, implemented security functionality and the environment in which it operates - in a modular way, making each module replaceable in the event that a more accurate module is developed.

The environment is assessed and quantified through a methodology presented as a part of the Heimdal Framework. The result of the evaluation is quantitative data, which can be presented with varying degrees of detail, reflecting the needs of the evaluator.

The framework is flexible and divides the problem space into smaller, more accomplishable subtasks with the means to focus on specific problems, aspects or system scopes. The evaluation method is focusing on technological components and is based on, but not limited to, the Security Functional Requirements (SFR) of the Common Criteria.

Thesis (M.A. in Security Studies (Homeland Security and Defense))--Naval Postgraduate School, March 2010.
Thesis Advisor(s): Rollins, John ; Wollman, Lauren. "March 2010." Description based on title screen as viewed on April 23, 2010. Author(s) subject terms: Immigration, Integration, Radicalization, Identity, International, U.S. Citizenship and Immigration Services (USCIS), Citizenship and Immigration Canada Includes bibliographical references (p. 79-89). Also available in print.

La sécurité des systèmes d'information sont primordiales dans la vie d'aujourd'hui, en particulier avec la croissance des systèmes informatiques complexes et fortement interconnectés. Par exemple, les systèmes bancaires ont l'obligation de garantir l'intégrité et la confidentialité de leurs comptes clients. Le vote électronique, des ventes aux enchères et le commerce doit aussi assurer leurs la confidentialité et l'intégrité.Cependant, la vérification de la sécurité et sa mise en œuvre en distribuée sont des processus lourds en général, les compétences de sécurité avancées sont nécessaires puisque les deux configuration de sécurité et l'implementation de systèmes distribué sont complexes et sujette d'erreurs. Avec les attaques de sécurité divers menés par l'environnement Internet, comment pouvons-nous être sûrs que les systèmes informatiques que nous construisons ne satisfont la propriété de sécurité prévu?La propriété de la sécurité que nous étudions dans cette thèse est la non-ingérence, qui est une propriété globale qui permet de suivre les informations sensibles dans l'ensemble du système et de garantir la confidentialité et l'intégrité. La non-ingérence est exprimée par l'exigence selon laquelle aucune information sur des données secrètes est une fuite à travers l'observation de la variation des données publiques. Cette définition est plus subtile qu'une spécification de base de l'accès légitime pour les informations sensibles, ce qui permet d'exploiter et de détecter les dysfonctionnements et malveillants programmes intrusions pour les données sensibles (par exemple, un cheval de Troie qui envoie des données confidentielles aux utilisateurs non fiables). Cependant, comme une propriété globale, la non-interférence est difficile à vérifier et à mettre en œuvre.À cette fin, nous proposons un flux de conception basée sur un modèle qui assure la propriété non-interference dans un logiciel d'application de son modèle de haut niveau conduisant à la mise en œuvre sécurisée décentralisée. Nous présentons la plateforme secureBIP, qui est une extension pour le modèle à base de composants avec des interactions multi-partie pour la sécurité. La non-interference est garantie à l'aide de deux manières pratiques: (1) nous annotons les variables et les ports du modèle, puis selon un ensemble défini de contraintes syntaxiques suffisantes, nous vérifions la satisfaction de la propriété, (2), nous annotons partiellement le modèle, puis en extrayant ses graphes de dépendances de composition nous appliquons un algorithme de synthèse qui calcule la configuration sécurisée moins restrictive du modèle si elle existe.Une fois que la sécurité des flux d'information est établie et la non-interference est établie sur un modèle de haut niveau du système, nous suivons une méthode automatisée pratique pour construire une application distribuée sécurisée. Un ensemble de transformations sont appliquées sur le modèle abstrait de transformer progressivement en bas niveau des modèles distribués et enfin à la mise en œuvre distribuée, tout en préservant la sécurité des flux d'information. La transformations du modèles remplacent coordination de haut niveau en utilisant des interactions multi-partites par des protocoles en utilisant des envoies et reception de messages asynchrone. La distribution est donc prouvé "sécuriser par construction" qui est, le code final est conforme à la politique de sécurité souhaitée. Pour montrer la facilité d'utilisation de notre méthode, nous appliquons et d'expérimenter sur des études et des exemples de cas réels de domaines d'application distincts
The security of information systems are paramount in today’s life, especially with the growth of complex and highly interconnected computer systems. For instance, bank systems have the obligation to guarantee the integrity and confidentiality of their costumers accounts. The electronic voting, auctions and commerce also needs confidentiality and integrity preservation.However, security verification and its distributed implementation are heavy processes in general, advanced security skills are required since both security configuration and coding distributed systems are complex and error-prone. With the diverse security attacks leaded by the Internet advent, how can we be sure that computer systems that we are building do satisfy the intended security property?The security property that we investigate in this thesis is the noninterference, which is a global property that tracks sensitive information in the entire system and ensures confidentiality and integrity. Non-interference is expressed by the requirement that no information about secret data is leaked through the observation of public data variation. Such definition is more subtle than a basic specification of legitimate access for sensitive information, allowing to exploit and detect malfunctioning and malicious programs intrusions for sensitive data (e.g, Trojan horse that sends confidential data to untrusted users). However as a global property, the noninterference is hard to verify and implement.To this end, we propose a model-based design flow that ensures the noninterference property in an application software from its high-level model leading to decentralized secure implementation. We present the secureBIP framework that is an extension for the component-based model with multyparty interactions for security. Non-interference is guaranteed using two practical manners: (1) we annotate the entire variables and ports of the model and then according to a defined set of sufficient syntactic constraints we check the satisfaction of the property, (2) we partially annotate the model way and then by extracting its compositional dependency graphswe apply a synthesis algorithm that computes the less restrictive secure configuration of the model if it exists.Once the information flow security is established and non-interference is established on an high-level model of the system, we follow a practical automated method to build a secure distributed implementation. A set of transformations are applied on the abstract model to progressively transform it into low-level distributed models and finally to distributed implementation, while preserving information flow security. Model transformations replace high-level coordination using multiparty interactions by protocols using asynchronous Send/Receive message-passing. The distributedimplementation is therefore proven ”secure-by-construction” that is, the final code conforms to the desired security policy. To show the usability of our method, we apply and experiment it on real case studies and examples from distinct application domains

The security of digital information is paramount to the success of private organizations. Violating that security is a multi-billion-dollar criminal business and exploiting these vulnerabilities creates a single point of failure for operations. Thus, understanding the detection, identification, and response to information security incidents is critical to protecting all levels of infrastructure. The lived experiences of current professionals indicate 10 unique themes in regards to how information security incidents are addressed in private organizations. These unique themes led the researcher to offer several conclusions related to the importance of planning, communication, offensive capabilities, and integration with third-party organizations. Information security incident management is accomplished as an escalation process with multiple decision points leading to a restoration of services or security. The source of the incident is not often sought beyond the first external IP address but their purpose and intent are essential to information security incident management. The key lessons learned from professionals include the importance of having a plan, training the plan, and incorporating the human elements of security into information security incident response. Penetration testing as well a knowledge about threat and attack patterns are important to information security incident management for detection, containment, and remediation. External organizations play a major role in the management of information security incidents as fear, incompetence, and jurisdictional issues keep the private sector from working with government, military, and law enforcement organizations. These themes have wide reaching implications for practical application and future research projects.

Thesis (Ph.D.)--University of Missouri-Columbia, 2007.
The entire dissertation/thesis text is included in the research.pdf file; the official abstract appears in the short.pdf file (which also appears in the research.pdf); a non-technical general description, or public abstract, appears in the public.pdf file. Title from title screen of research.pdf file (viewed on March 24, 2009) Vita. Includes bibliographical references.

Thesis (M.S. in Software Engineering) Naval Postgraduate School, Sept. 2000.
Thesis advisor(s): LuQi; Shing, Mantak. "September 2000." Includes bibliographical references (p. 63-65). Also available in print.

Approved for public release; distribution is unlimited
There are numerous computer-aided tools to enable Computer Network Defense. However, their effectiveness in countering attacks is less than optimal when they are used independently of one another. Research has identified the requirements for an integrated command and control (C2) system that is able to conduct full-spectrum operations in the cyberspace environment. The most notable of that research revolves around the development and experimentation with the prototype system known as Cyber Command, Control and Information Operations System (C3IOS). C3IOS provides for a loose confederation of the cooperating systems with interaction between systems going through C2 interfaces. In this thesis, the authors introduce into C3IOS a means to support the commander's ability to take measured responses to coercive actions in a timely manner, specifically to facilitate the interaction between experts in the law of information conflict and information warriors responding to a cyber attack. The authors' research results in a set of use cases and requirements for the C2 understanding, planning, and deciding activities involved in such a capability, using Schmitt's analysis as an example.

There is a need for Commercial-off-the-shelf (COTS), Government-off- the-shelf (GOTS) and legacy components to interoperate in a secure distributed computing environment in order to facilitate the development of evolving applications. This thesis researches existing open standards solutions to the distributed component integration problem and proposes an application framework that supports application wrappers and a uniform security policy external to the components. This application framework adopts an Object Request Broker (ORB) standard based on Microsoft Distributed Component Object Model (DCOM). Application wrapper architectures are used to make components conform to the ORB standard. The application framework is shown to operate in a common network architecture. A portion of the Naval Integrated Tactical Environmental System I (NITES I) is used as a case study to demonstrate the utility of this distributed component integration methodology (DCIM).

Thesis (M.S. in Computer Science)--Naval Postgraduate School, March 2010.
Thesis Advisor(s): Michael, James B. Second Reader: Wingfield, Thomas C. ; Sarkesain, John F. "March 2010." Description based on title screen as viewed on April 26, 2010. Author(s) subject terms: Cyberspace, Cyberspace Defense, Network Defense, Distributed Systems, Command and Control, Battle Management, Information Assurance, Situational Awareness. Includes bibliographical references (p. 73-77). Also available in print.

Protecting organization’s assets from various security threats is a necessity for every organization. Efficient security management is vital to effectively protect the organization’s assets. However, the process of implementing efficient security management is complex and needs to address many requirements. The problem that this master’s thesis project addressed was to propose a component assurance process for the Swedish Armed Forces. This process has to be followed in order for a solution or product to be approved at a specific component assurance level. This problem was solved by first performing market research regarding security management. Various security management approaches were examined and the top security management solutions were selected. These solutions were then compared with the assurance requirements stated in Swedish Armed Forces’ KSF v3.1 (Swedish: “Krav på IT-säkerhetsförmågor hos IT-system”, English: Requirements for IT security capabilities of IT systems). This documentation lists the requirements for information technology (IT) security capabilities of IT systems. The solution that satisfied the most of these requirements was selected and modified in order to satisfy the full set of requirements. Finally, a component assurance process is proposed. This process may be used to decide which solutions or products can be used, along with the manner in which each solution or product should be used. The impact of having a component assurance process is that all the solutions and products are approved to a specific component assurance level exclusively based on this process. The ability to include such requirements in the acquisition of any product or service provides the Swedish Armed Forces with assurance that all products or services are approved to specific assurance levels in the same manner and hence provides the Swedish society with assurance that procedures within the Swedish Armed Forces are documented and protect the interests of the country and its citizens.
För varje organisation är det nödvändigt att skydda information från olika säkerhetshot. Att ha en effektiv säkerhetshantering är avgörande för att kunna skydda informationen. Denna process är komplex och många krav måste tillfredsställas. Problemet som detta examensarbete avser att lösa handlar om hur införandet av en assuransprocess kommer påverka Försvarsmakten. Denna process måste följas för att en lösning eller produkt ska godkännas till en specifik komponents säkerhetsnivå. Frågeställningen besvaras i första hand av en marknadsundersökning om säkerhetshantering. Olika säkerhetshanteringsstrategier undersöktes och de bästa säkerhetslösningar valdes. Lösningarna jämfördes därefter med de assuranskrav som anges i Försvarsmaktens KSF V3.1 (Krav på IT säkerhetsförmågor hos IT – system) som är den dokumentation som anger kraven för IT säkerhetsfunktioner i ett IT system. Lösningen som uppfyllde de flesta kraven valdes och modifierades för att uppfylla samtliga kraven. Slutligen rekommenderades en komponent assuransprocess, vilken skulle kunna användas för att avgöra vilken lösning eller produkt som skulle kunna användas samt på vilket sätt det skulle kunna användas. Möjligheten att införa sådana krav i förvärvet av vilken produkt eller tjänst det än gäller förser Försvarsmakten med garantier för att alla produkter eller tjänster är godkända enligt särskilda säkringsnivåer på samma sätt och därmed försäkras det svenska samhället att förfaranden inom svenska väpnade krafter dokumenteras samt skyddar landet och dess medborgare.
Säkerhetshantering, informationssäkerhet, autentisering, auktorisering, styrning, riskhantering, följsamhet, användaradministration

Background: The network-centric defense requires a method for securing vast dynamic distributed information systems. Currently, there are no efficient methods for establishing the level of IT security in vast dynamic distributed information systems.

Purpose: The target of this thesis was to design a method, capable of determining the level of IT security of vast dynamic component-based distributed information systems.

Method: The work was carried out by first defining concepts of IT security and distributed information systems and by reviewing basic measurement and modeling theory. Thereafter, previous evaluation methods aimed at determining the level of IT security of distributed information systems were reviewed. Last, by using the theoretic foundation and the ideas from reviewed efforts, a new evaluation method, aimed at determining the level of IT security of vast dynamic component-based distributed information systems, was developed.

Results: This thesis outlines a new method, CAESAR, capable of predicting the security level in parts of, or an entire, component-based distributed information system. The CAESAR method consists of a modeling technique and an evaluation algorithm. In addition, a Microsoft Windows compliant software, ROME, which allows the user to easily model and evaluate distributed systems using the CAESAR method, is made available.

This thesis presents three essays on the determinants and costs of corporate security offerings. The essays contribute to an ongoing debate in the literature on what determines firms’ security choice by examining the following issues: “Does corporate governance influence convertible debt issuance?”; “The signaling content of security offerings proceeds”; and “The costs of raising capital: New evidence.”In the first essay, we explore the influence of corporate governance on firms’ choice between equity, convertible debt and straight debt. For a sample of Western European corporate security offerings between 1999 and 2010, we find that firms with weaker firm- and country-specific corporate governance are more likely to issue convertible debt. They thus use convertible debt as a substitute for corporate governance, which is confirmed by a more favorable stock price reaction to convertible debt announcements by firms with weaker corporate governance. Moreover, these results suggest that corporate governance is a significant determinant of firms’ security choice. The second essay examines the determinants and signaling content of security offering proceeds, controlling for the endogeneity of issue size. For a sample of US equity, convertible debt and straight debt offerings between 1999 and 2011, the findings show that stockholders can partly predict issue size by analyzing firms’ funding needs and financing costs. We find that stockholders use predicted issue sizes of equity and convertible offerings as signals of growth opportunities, whilst larger than predicted issue sizes signal issuer overvaluation. For straight debt issues, we find that unpredicted issue sizes have a positive impact on announcement returns, which is consistent with them serving as a signal of growth opportunities. Further analysis of firms’ actual uses of predicted and unpredicted offering proceeds confirms these interpretations. The results shed light on previous inconsistent findings on the impact of issue size on security offering announcement returns. The final essay examines the magnitude and determinants of direct issuance costs, controlling for firms self-selecting into different security classes, namely equity, convertible bonds, and straight bonds, and flotation methods, namely non-shelf, shelf and 144a. For a recent sample of US corporate security offerings between 1999 and 2011, findings show that the magnitude of direct issuance costs has decreased over the last decade. These costs are higher for equity than straight bond offerings and of intermediate magnitude for convertible bond offerings. Within each security class, costs are larger for non-shelf than 144a offerings, which again have larger direct issuance costs than shelf offerings. Finally, underwriter spreads are directly related to underwriter effort on due diligence, pricing and selling, and direct issuance costs are truncated by firms’ self-selection into particular security types.

Data-centric security is significant in understanding, assessing and mitigating the various risks and impacts of sharing information outside corporate boundaries. Information generally leaves corporate boundaries through mobile devices. Mobile devices continue to evolve as multi-functional tools for everyday life, surpassing their initial intended use. This added capability and increasingly extensive use of mobile devices does not come without a degree of risk - hence the need to guard and protect information as it exists beyond the corporate boundaries and throughout its lifecycle. Literature on existing models crafted to protect data, rather than infrastructure in which the data resides, is reviewed. Technologies that organisations have implemented to adopt the data-centric model are studied. A utopian model that takes into account the shortcomings of existing technologies and deficiencies of common theories is proposed. Two sets of qualitative studies are reported; the first is a preliminary online survey to assess the ubiquity of mobile devices and extent of technology adoption towards implementation of data-centric model; and the second comprises of a focus survey and expert interviews pertaining on technologies that organisations have implemented to adopt the data-centric model. The latter study revealed insufficient data at the time of writing for the results to be statistically significant; however; indicative trends supported the assertions documented in the literature review. The question that this research answers is whether or not current technology implementations designed to mitigate risks from mobile devices, actually address business requirements. This research question, answered through these two sets qualitative studies, discovered inconsistencies between the technology implementations and business requirements. The thesis concludes by proposing a realistic model, based on the outcome of the qualitative study, which bridges the gap between the technology implementations and business requirements. Future work which could perhaps be conducted in light of the findings and the comments from this research is also considered.

Thesis (Ph.D) - Swinburne University of Technology, Faculty of Information & Communication Technologies, 2008.
Submitted in fulfillment of the requirements of for the degree of Doctor of Philosophy, Faculty of Information and Communication Technologies, Swinburne University of Technology, 2008. Typescript. Includes bibliographical references (p. 228-238)

The key theme of this research is the planning and management of information security and in particular, the research focuses on the involvement of information stakeholders in this process. The main objective of the research is to study the ownership of, and acceptance of responsibility for, information security measures by stakeholders having an interest in that information.

Given the current state of unprecedented global interdependence, and the growing impact that business has on the world?s inhabitants, Corporate Social Responsibility has become something that is not only desirable, but also expected of corporations. The topic of this qualitative study is the conceptual and pragmatic links of Intercultural Relations and Corporate Social Responsibility. This research focused on an identified informational gap in social responsibility literature and investigated the possible impact of culture and intercultural competence on Corporate Social Responsibility work. The scope of this investigation was purposeful and selective; a well-rounded group of professional Corporate Social Responsibility practitioners contributed to the research. At the end of this research it was determined that in order for social responsibility efforts to be reciprocal, inclusive, and effective, it would be beneficial to consider Intercultural Relations and develop intercultural competence.

The paper studies structural credit risk models with incomplete information of the asset value. It is shown that the pricing of typical corporate securities such as equity, corporate bonds or CDSs leads to a nonlinear filtering problem. This problem cannot be tackled with standard techniques as the default time does not have an intensity under full information. We therefore transform the problem to a standard filtering problem for a stopped diffusion process. This problem is analyzed via SPDE results from the filtering literature. In particular we are able to characterize the default intensity under incomplete information in terms of the conditional density of the asset value process. Moreover, we give an explicit description of the dynamics of corporate security prices. Finally, we explain how the model can be applied to the pricing of bond and equity options and we present results from a number of numerical experiments.

Increased internal and external training approaches are elements senior leaders need to know before creating a training plan for security professionals to protect sensitive information. The purpose of this qualitative case study was to explore training strategies telecommunication industry leaders use to ensure security professionals can protect sensitive information. The population consisted of 3 senior leaders in a large telecommunication company located in Dallas, Texas that has a large footprint of securing sensitive information. The conceptual framework on which this study was based was the security risk planning model. Semistructured interviews and document reviews helped to support the findings of this study. Using the thematic approach, 3 major themes emerged. The 3 themes included security training is required for all professionals, different approaches to training are beneficial, and using internal and external training's to complement each other. The findings revealed senior leaders used different variations of training programs to train security professionals on how to protect sensitive information. The senior leaders' highest priority was the ability to ensure all personnel accessing the network received the proper training. The findings may contribute to social change by enhancing area schools' technology programs with evolving cyber security technology, helping kids detect and eradicate threats before any loss of sensitive information occurs.

Thesis (Master of Arts in Security Studies(Homeland Security and Defense))--Naval Postgraduate School, December 2009.
Thesis Advisor: Supinski, Stanley. Second Reader: Lynch, Dean. "December 2009." Description based on title screen as viewed on January 29, 2010. Author(s) subject terms: Anthrax Vaccine Adsorbed; AVA; BioThrax; Homeland Security; Strategic National Stockpile; biodefense; bioterrorism; biological warfare; Amerithrax; Anthrax Vaccine Immunization Program; AVIP; Gulf War Illness; Gulf War Syndrome; Investigational New Drug, IND; Experimental; Civilian Control of the Military, Presidential Study Directive; PSD; Presidential Policy Directive; PPD. Includes bibliographical references (p. 195-237). Also available in print.

The number of mobile applications (i.e., apps) is rapidly growing, as the mobile computing becomes an integral part of the modern user experience. Malicious apps have infiltrated open marketplaces for mobile platforms. These malicious apps can exfiltrate user's private data, abuse of system resources, or disrupting regular services. Despite the recent advances on mobile security, the problem of detecting vulnerable and malicious mobile apps with high detection accuracy remains an open problem. In this thesis, we address the problem of Android security by presenting a new quantitative program analysis framework for security vetting of Android apps. We first introduce a highly accurate proactive detection solution for detecting individual malicious apps. Our approach enforces benign property as opposed of chasing malware signatures, and uses one complex feature rather than multi-feature as in the existing malware detection methods. In particular, we statically extract a data-flow feature on how user inputs trigger sensitive critical operations, a property referred to as the user-trigger dependence. This feature is extracted through nontrivial Android-specific static program analysis, which can be used in various quantitative analytical methods. Our evaluation on thousands of malicious apps and free popular apps gives a detection accuracy (2% false negative rate and false positive rate) that is better than, or at least competitive against, the state-of-the-art. Furthermore, our method discovers new malicious apps available in the Google Play store that have not been previously detected by anti-virus scanning tools. Second, we present a new app collusion detection approach and algorithms to analyze pairs or groups of communicating apps. App collusion is a new technique utilized by the attackers to evade standard detection. It is a new threat where two or more apps, appearing benign, communicate to perform malicious task. Most of the existing solutions assume the attack model of a stand-alone malicious app, and hence cannot detect app collusion. We first demonstrate experimental evidence on the technical challenges associated with detecting app collusion. Then, we address these challenges by introducing a scalable and an in-depth cross-app static flow analysis approach to identify the risk level associated with communicating apps. Our approach statically analyzes the sensitivity and the context of each inter-app communication with low analysis complexity, and defines fine-grained security policies for the inter-app communication risk detection. Our evaluation results on thousands of free popular apps indicate that our technique is effective. It generates four times fewer false positives compared to the state-of-the-art collusion-detection solution, enhancing the detection capability. The advantages of our inter-app communication analysis approach are the analysis scalability with low complexity, and the substantially improved detection accuracy compared to the state-of-the-art solution. These types of proactive defenses solutions allow defenders to stay proactive when defending against constantly evolving malware threats.
Ph. D.

This thesis was completed in cooperation with the Cebrowski Institute for Information Innovation and Superiority.
Approved for public release; distribution is unlimited
A of the NP, but the key requirement for Certification and Accreditation is the creation of a Protection Profile and an understanding of the DITSCAP requirements and process. This thesis creates a Protection Profile for the NP along with a draft Type SSAA for Certification and Accreditation of the NP.
Lieutenant, United States Navy
Lieutenant, United States Navy

Today, aviation security is at the forefront of public consciousness particularly when they think of their own personal safety. The dramatic and catastrophic attacks of 911, utilizing civil aviation resources has made the world view aviation security with a critical eye. It could be argued that the response by States and individual airports and airlines has been positive and rapid, however the effectiveness has been marginal. Many factors have been proffered as the reason, from ineffective conservative governments, out-dated equipment, old infrastructure to a traditional mind-set that does not always accept change. Due to the limited scope of this research paper, the author has chosen to concentrate on Corporate Governance and three associated principles, “ethics”, “accountability” and “oversight” to assess the effectiveness of aviation security. This theme was chosen because, in the 1990s the Hong Kong Government considered Corporate Governance was a key ingredients needed for a positive paradigm shift in the way aviation security was implemented at the Hong Kong International Airport (HKIA). Government and the public felt, that the management of the old “Kai Tak” airport in Kowloon prior to 1998 did not adequately consider Corporate Governance as a key ingredient to successful security resulting in long-standing misgivings about the airport’s ability to meet security requirements. Fortuitously for this research paper, HKIA was relocated from Kowloon to Lantau Island in 1998 and a new Government owned company Aviation Security Company Limited (AVSECO) was set up at that time to provide the security. The Government and the Board of Directors of AVSECO were able to learn from the weaknesses of the old airport and from the outset understood the need for a change in the way the security was provided at the airport. So spurred on by the imminent airport relocation and the establishment of a AVSECO at the new airport, the Government considered it was an ideal time to change the security philosophy and make the new company accountable through good corporate governance. With this background, the aim of this research paper is to review the standards and recommended practices set by the International Civil Aviation Organization (ICAO), which is a Specialized agency of the UN having the aim of safeguarding civil aviation against actual and threats of ‘unlawful interference to civil aviation’. To do this, there is a literature review and observations from within the aviation industry. This review found that the security measures implemented to enforce the standards and therefore counter the real and emerging threats has been poor throughout the world. The question the industry therefore needs to ask is “If all the experts of the world have joined together (through ICAO) to set the standards to mitigate the risk, why does the public still feel the measures are unrealistic or ineffective in most airports?” Also, “Why, when we know in theory what to do, is it that many airports still fail to stop the threats? “In order to solve this puzzle, the paper critically looks at the international standards and their global implementation. Then, utilizing HKIA as a case study, the paper discusses if good corporate governance is a key to the successful implementation of effective aviation security. The literature review and analysis of security data collected over the past 6 years at HKIA suggests that good Corporate Governance is in fact a key ingredient for effective security at airports. The limitations of this paper, only allows for the study of three principles of good corporate governance, namely ‘Oversight’, ‘Ethics’ and ‘Accountability’. It goes without saying that there are many other factors that can influence the success or otherwise of the implementation of effective aviation security – for example organizational culture, equipment employed, staff training, quality control, policies and procedures, to name just a few. The paper only discusses these other variables when they directly relate to the three chosen corporate governance principles at HKIA. To sum up, despite the effective promulgation of international standards, the related effectiveness of the implementation has varied greatly from airport to airport. Many variables, either independently or collectively can be the cause of failure. This paper concentrated only on how the introduction of corporate governance (particularly the three key principles) improved the way HKIA conducted business in relation to Aviation Security forever. The change to good corporate governance did not occur over night and has taken almost 15 years for effective management oversight, company ethics and accountability to become enshrined into the company philosophy. The data reviewed from HKIA, however, does suggest that the transformation has been dramatic and effective, showing that, when emphasized and enshrined into corporate culture, good Corporate Governance will increase the likelihood of success in the on-going fight against unlawful interference against civil aviation.
published_or_final_version
Politics and Public Administration
Master
Master of Public Administration

Cyber attackers targeting large corporations achieved a high perimeter penetration success rate during 2013, resulting in many corporations incurring financial losses. Corporate information technology leaders have a fiduciary responsibility to implement information security domain processes that effectually address the challenges for preventing and deterring information security breaches. Grounded in corporate governance theory, the purpose of this correlational study was to examine the relationship between strategic alignment, resource management, risk management, value delivery, performance measurement implementations, and information security governance (ISG) effectiveness in United States-based corporations. Surveys were used to collect data from 95 strategic and tactical leaders of the 500 largest for-profit United States headquartered corporations. The results of the multiple linear regression indicated the model was able to significantly predict ISG effectiveness, F(5, 89) = 3.08, p = 0.01, R-² = 0.15. Strategic alignment was the only statistically significant (t = 2.401, p <= 0.018) predictor. The implications for positive social change include the potential to constructively understand the correlates of ISG effectiveness, thus increasing the propensity for consumer trust and reducing consumers' costs.

Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2018.
In today’s world, organisations cannot exist without having information readily available. The protection of information relies not only on technology but also on the behaviour of employees. The failure to institutionalise an information security culture inside an organisation will cause the continued occurrence of security breaches. The aim of the research is to explore how an information security culture can be institutionalised within a petroleum organisation in the Western Cape. The primary research question is posed as follows: “What are the factors affecting the institutionalisation of an information security culture?” To answer the research question, a study was conducted at a petroleum organisation in the Western Cape. A subjectivist ontological and interpretivist epistemological stance has been adopted and an inductive research approach was followed. The research strategy was a case study. Data for this study were gathered through interviews (12 in total) using semi-structured questionnaires. The data collected were transcribed, summarised, and categorised to provide a clear understanding of the data. For this study, twenty-four findings and seven themes were identified. The themes are: i) user awareness training and education; ii) user management; iii) compliance and monitoring; iv) change management; v) process simplification; vi) communication strategy; and vii) top management support. Guidelines are proposed, comprising four primary components. Ethical clearance to conduct the study was obtained from the Ethics committee of CPUT and permission to conduct the study was obtained from the Chief Information Officer (CIO) of the petroleum organisation. The findings point to collaboration between employees, the Information Security department, and management in order to institute a culture of security inside the organisation.

Today information can be seen as a basic commodity that is crucial to the continuous well-being of modern organizations. Many modern organizations will be unable to do business without access to their information resources. It is therefor of vital importance for organizations to ensure that their infor- mation resources are adequately protected against both internal and external threats. This protection of information resources is known as information security and is, to a large extent, dependent on the behavior of humans in the organization. Humans, at various levels in the organization, play vital roles in the pro- cesses that secure organizational information resources. Many of the prob- lems experienced in information security can be directly contributed to the humans involved in the process. Employees, either intentionally or through negligence, often due to a lack of knowledge, can be seen as the greatest threat to information security. Addressing this human factor in information security is the primary focus of this thesis. The majority of current approaches to dealing with the human factors in information security acknowledge the need to foster an information security culture in the organization. However, very few current approaches attempt to adjust the "generic" model(s) used to define organizational culture to be specific to the needs of information security. This thesis firstly proposes, and argues, such an adapted conceptual model which aims to improve the understanding of what an information security culture is. The thesis secondly focuses on the underlying role that information security educational programs play in the fostering of an organizational information security culture. It is argued that many current information security edu- cational programs are not based on sound pedagogical theory. The use of learning taxonomies during the design of information security educational programs is proposed as a possible way to improve the pedagogical rigor of such programs. The thesis also argues in favor of the use of blended and/or e-learning approaches for the delivery of information security educational content. Finally, this thesis provides a detailed overview demonstrating how the various elements contributed by the thesis integrates into existing trans- formative change management processes for the fostering of an organizational information security culture.

Thesis (MComm)--Stellenbosch University, 2015.
ENGLISH ABSTRACT: The consumerisation of mobile technology is driving the mobile revolution and enterprises are forced to incorporate mobile solutions into their business processes in order to remain competitive. While there are many benefits relating to the investment in and use of mobile technology, significant risks are also being introduced into the business. The fast pace of technological innovation and the rate of adoption of mobile technology by employees has, however, created an environment where enterprises are deploying mobile solutions on an ad hoc basis. Enterprises are only addressing the risks as they are occurring and resulting in losses. The key contributing factor to this lack of governance and management is the fact that those charged with governance do not understand the underlying mobile technology components. The purpose of this research is to improve the understanding of the underlying components of mobile technology. The research further proposes to use this understanding to identify the significant risks related to mobile technology and to formulate appropriate internal controls to address these risks. The findings of the research identified the following underlying components of mobile technology: mobile devices; mobile infrastructure, data delivery mechanisms and enabling technologies; and mobile applications. Based on an understanding of the components and subcategories of mobile technology, a control framework was used to identify the significant risks related to each component and subcategory. The significant risks identified included both risks to the users (including interoperability, user experience, connectivity and IT support) as well as risks to the enterprise’s strategies (including continuity, security, cost and data ownership). The research concludes by formulating internal controls that the enterprise can implement to mitigate the significant risks. This resulted in two matrixes that serve as quick-reference guides to enterprises in the identification of significant risks at an enterprise specific mobile technology component level, as well as the relevant internal controls to consider. The matrixes also assist enterprises in determining the best mobile solutions to deploy in their business, given their strategies, risk evaluation and control environment.
AFRIKAANSE OPSOMMING: Die mobiele revolusie word deur die verbruiker van mobiele tegnologie aangedryf en, ten einde kompeterend te bly, word ondernemings gedwing om mobiele tegnologie in hul besigheidsprosesse te implementeer. Terwyl daar baie voordele verbonde is aan die investering in en gebruik van mobiele tegnologie, word die besigheid egter ook blootgestel aan wesenlike risiko’s. Die vinnige tempo waarteen mobiele tegnologie ontwikkel en deur werknemers aangeneem word, het egter ʼn omgewing geskep waarin ondernemings mobiele tegnologie op ʼn ad hoc basis ontplooi. Besighede spreek eers die risiko’s aan nadat dit reeds voorgekom het en verliese as gevolg gehad het. Die hoof bydraende faktor tot die tekort aan beheer en bestuur van mobiele tegnologie is die feit dat diegene verantwoordelik vir beheer, nie onderliggend mobiele tegnologie komponente verstaan nie. Die doel van hierdie navorsing is om die begrip van die onderliggende komponente van mobiele tegnologie te verbeter. Die navorsing poog verder om die wesenlike risiko’s verbonde aan mobiele tegnologie te identifiseer en om toepaslike interne beheermaatreëls te formuleer wat die risiko’s sal aanspreek. Die bevindinge van die navorsing het die volgende onderliggende komponente van mobiele tegnologie geïdentifiseer: mobiele toestelle; mobiele infrastruktuur, data afleweringsmeganismes, en bemagtigende tegnologieë; en mobiele toepassings. Gebaseer op ʼn begrip van die komponente en subkategorieë van mobiele tegnologie, is ʼn kontrole raamwerk gebruik om die wesenlike risiko’s verbonde aan elke komponent en subkategorie van die tegnologie, te identifiseer. Die wesenlike risiko’s sluit beide risiko’s vir die gebruiker (insluitend kontinuïteit, gebruikerservaring, konnektiwiteit en IT ondersteuning) sowel as risiko’s vir die onderneming se strategieë (insluitend kontinuïteit, sekuriteit, koste en data eienaarskap) in. Die navorsing sluit af met die formulering van die beheermaatreëls wat geïmplementeer kan word om die wesenlike risiko’s aan te spreek. Dit het gelei tot twee tabelle wat as vinnige verwysingsraamwerke deur ondernemings gebruik kan word in die identifisering van wesenlike risiko’s op ʼn onderneming-spesifieke tegnologie komponentvlak asook die oorweging van relevante interne beheermaatreëls. Die tabelle help ondernemings ook om die beste mobiele tegnologie vir hul besigheid te implementeer, gebaseer op hul strategie, risiko evaluering en beheeromgewing.

Thesis (M.S. in Information Technology Management)--Naval Postgraduate School, March 2003.
Thesis advisor(s): George Dinolt, Craig Rasmussen. Includes bibliographical references (p. 155-157). Also available online.

Thesis (Ph. D.)--University of Oregon, 2003.
Typescript. Includes vita and abstract. Includes bibliographical references (leaves 77-82). Also available for download via the World Wide Web; free to University of Oregon users.

There is a common perception among corporate security managers that their occupation is afforded less status and is rewarded less well than the other management functions within business. In response to similar conceptions of the need to raise the value and status of their work, other occupations have historically embarked on so-called ‘professional projects’ whereby they collectively attempt to harness their specialist skills and knowledge as a commodity, the value of which they seek to raise and maintain. This small- scale qualitative study is intended to provide an insight into the analysis of corporate security managers and directors as to the health of their occupation and its standing in the modern corporate world. The study then examines the methods which other occupations have used to successfully improve the status of their practitioners and the value of their work. Finally, based on the analysis of the security managers and directors and the experience of other occupations, a broad strategy for corporate security’s own professional project is proposed. This study suggests that corporate security is currently enjoying divergent fortunes. The most successful security managers and directors enjoy parity of status with their peers from other functions and have taken on responsibilities far in excess of the traditional security department’s remit. However, at the other end of the spectrum there are many security managers who are afforded an inferior status to that of managers from other functions. As a result, they struggle to attract significant responsibility or resources within their organisations. The research suggests that other management functions have historically faced similar problems in their development. These other functions have used strategies of occupational negotiation, boundary work, closure and monopolisation to overcome their problems. Together these measures have constituted professional projects. Based on the appetite for professionalisation among our security managers, and the success of professional projects in comparable occupations, this study concludes that security management should embark on a professional project of its own.

Automotive component manufacturers face significant competitive challenges in the global market and are constantly looking for means to improve their competitive advantage. Organisations then often acquire lean tools as an attractive option to achieve this. Research has however highlighted that the underlying “Lean Culture” is what is really necessary for organisations to achieve and maintain a competitive advantage. According to Rother (2010) lean implementation can be seen as a project or an initiation of an on- going development process where learning is taking place. This implementation implies a change in organisational culture from its existing state to a state where it reflects a lean culture. The literature review into Lean highlights the importance of establishing a Lean Culture. This research relied on an existing Lean Culture Causal Framework to assess cultural readiness for lean implementation at an automotive component manufacturer in Port Elizabeth (Company X). This was done utilising an empirical study which relied on an existing questionnaire associated with the said Lean Culture Causal Frame work. This Framework focuses on four broad categories of leadership actions; Awareness, Engagement, Consistency and Accountability.

Multinational corporations (MNCs) from the global mining industry have become increasingly active in security governance in areas of limited statehood. Since 2000 they have used dialogue and development activities to mitigate security risks associated with their operations. However, despite a proliferation of community engagement initiatives, violent protest in relation to industrial mining has risen globally. Accordingly, I analyze the efficacy of MNCs as security governors within the context of Peru’s mining sector. Over the past fifteen years this country has experienced a dramatic increase in mining-related social conflict, yet industrial mining has had heterogeneous effects locally. Using the subnational comparative method, I examine four cases that exhibit variation in conflict intensity in order to analyze the factors influencing MNCs’ impact on security. I argue that MNCs’ ability to mitigate violent social conflict is best explained using an analytical framework that accounts for the political economy of contention within which firms are embedded, and the intra-firm politics that determine their behaviour vis-à-vis civil society. The political economy of contention exogenous to firms establishes a local security baseline, predicting generic social conflict risks and patterns of violence likely to emerge during specific protest episodes. Given this external milieu, the organizational politics of the firm will determine its marginal effect. Firms that marginalize the voice of their community relations subunit are more likely to utilize coercion and cooptation alongside dialogue and development. However, heterogeneity in their security outputs undermines MNCs’ legitimacy as socially responsible agents, and hence the ability of community engagement to peacefully manage social conflict. This study constitutes one of the first systematic efforts to theorize and empirically evaluate the efficacy of MNCs’ local level security governing activities, a subject that has been understudied within the global governance literature. I find that while some MNCs have made modest short-term contributions to security, most have failed to construct conditions for sustainable, positive peace. The evidence presented challenges the prevailing conceptualization of MNCs as agents imbued with capacity-based governing authority, a form of governing legitimacy that is said to derive from their financial resources and perceived efficacy at achieving objectives.
Arts, Faculty of
Political Science, Department of
Graduate