I research information security management from a human perspective. In this research I have focused on information s...
This paper proposes a theory on information security. We argue that information security is imperfectly understood and aim to bring about an altered understanding of why efforts are made to engage in information security. The goal of information security is widely recognised as the confidentiality, integrity and availability of information; however, we argue that the goal is actually to simply create resources. This paper responds to calls for more theory in information systems, places the discussion in philosophical context and compares various definitions. It then identifies the key concepts of information security, describes the relationships between these concepts, as well as scope and causal explanations. The paper provides the theoretical base for understanding why information is protected, in addition to theoretical and practical implications and suggestions for future research.
Organisations that allow employees to Bring Your Own Device (BYOD) in the workplace trade off the convenience of allowing employees to use their own device against higher risks to the confidentiality, integrity, and availability of organisational information assets. While BYOD is a well-defined and accepted trend in some organisations, there is little research on how policies can address the information security risks posed by BYOD. This paper reviews the extant literature and develops a comprehensive list of information security risks that are associated with allowing BYOD in organisations. This list is then used to evaluate five BYOD policy documents to determine how comprehensively BYOD information security risks are addressed. The outcome of this research shows that of the 13 identified BYOD risks, only 8 were adequately addressed by most of the organisations.
Supply Chain Agility is important for organisations to stay competitive in today's dynamic business environment. There is increasing interest in deploying Business Intelligence (BI) in the Supply Chain Management (SCM) context to improve Supply Chain (SC) Agility. However, there is limited research exploring BI contributions to SC Agility. In this research-in-progress paper we propose a model based on a conceptual analysis of the literature showing how BI can help organisations achieve SC Agility by supporting the key areas of SCM (Plan, Source, Make, Deliver and Return). In the next stage of this project, we will conduct a series of case studies investigating how organisations use BI when managing their SC activities and how BI contributes to SC Agility. The result of the study will help organizations deploy BI effectively to support SCM and improve SC Agility.
Case-based learning (CBL) is a powerful pedagogical method of creating dialogue between theory and practice. CBL is particularly suited to executive learning as it instigates critical discussion and draws out relevant experiences. In this paper we used a real-world case to teach Information Security Management to students in Management Information Systems. The real-world case is described in a legal indictment (T-mobile USA Inc v. Huawei Device USA Inc. and Huawei Technologies Co. LTD) alleging theft of intellectual property (trade secrets) and breaches of contract concerning confidentiality and disclosure of sensitive information. The incident concerns a mobile phone testing robot (Tappy) developed by T-mobile USA to automate testing of mobile phones prior to launch. T-mobile alleges Huawei stole the technology by copying the robot's specifications and stealing parts and software to develop its own testing robot. The incident scenario is interesting as it relates to a business asset...
The internet can be broadly divided into three parts: surface, deep and dark. The dark web has become notorious in the media for being a hidden part of the web where all manner of illegal activities take place. This review investigates how the dark web is being utilised with an emphasis on cybercrime, and how law enforcement plays the role of its adversary. The review describes these hidden spaces, sheds light on their history, the activities that they harbour including cybercrime, the nature of attention they receive, and methodologies employed by law enforcement in an attempt to defeat their purpose. More importantly, it is argued that these spaces should be considered a phenomenon and not an isolated occurrence to be taken as merely a natural consequence of technology. This paper contributes to the area of dark web research by serving as a reference document and by proposing a research agenda.
Considerable research effort has been devoted to the study of Policy in the domain of Information Security Management (ISM). However, our review of ISM literature identified four key deficiencies that reduce the utility of the guidance to organisations implementing policy management practices. This paper provides a comprehensive overview of the management practices of information security policy and develops a practice-based model that addresses the four aforementioned deficiencies. The model provides comprehensive guidance to practitioners on the activities security managers must undertake for security policy development and allows practitioners to benchmark their current practice against the model's suggested best practice. The model contributes to theory by mapping existing information security policy research in terms of the defined management practices.
Teaching cases based on stories about real organizations are a powerful means of storytelling. These cases closely parallel real-world situations and can deliver on pedagogical objectives as writers can use their creative license to craft a storyline that better focuses on the specific principles, concepts, and challenges they want to address in their teaching. The method instigates critical discussion, draws out relevant experiences from students, encourages questioning of accepted practices, and creates dialogue between theory and practice. We present 'Horizon', a case study of a firm that suffers a catastrophic incident of Intellectual Property (IP) theft. The case study was developed to teach information security management (ISM) principles in key areas such as strategy, risk, policy and training to postgraduate Information Systems and Information Technology students at the University of Melbourne, Australia.
Knowledge sharing drives innovation and the opportunity to develop a sustainable competitive advantage. However, in the extant knowledge management and information security literature, leakage from sharing activities is neglected. The risk of knowledge leakage is exacerbated with the pervasive use of mobile devices and the adoption of BYOD (Bring Your Own Device). Thus, this research-in-progress paper examines the role of the behavior of mobile workers that engage in accidental knowledge leakage through the use of BYOD. We use the Decomposed Theory of Planned Behavior (DTPB) to explain the causes behind this phenomenon and how it negatively impacts an organization's competitive advantage. The contributions of this study are the following. First, it posits that the reasons for knowledge leakage by mobile workers through BYOD can be explained using DTPB. Second, the paper proposes a conceptual model for research based on DTPB constructs whilst adding other variables such as BYOD and m...
Dependence on information, including for some of the world's largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these information-based activities. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we (1) analyse the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards ...
Today's organizations use control-centred security management systems as a preventative shield against a broad spectrum of attacks. However, these have proven to be less effective against the customized and innovative strategies and operational techniques used by Advanced Persistent Threats (APTs). In this short paper we argue that to combat APTs, organizations need a strategic-level shift away from a traditional prevention-centred approach to that of a response-centred one. Drawing on the information warfare (IW) paradigm in military studies, and using Dynamic Capability Theory (DCT), this research examines the applicability of IW capabilities in the corporate domain. We propose a research framework to argue that conventional prevention-centred response capabilities, such as incident response capabilities, and IW-centred security capabilities can be integrated into IW-enabled dynamic response capabilities that improve enterprise security performance.
Security governance influences the quality of strategic decision-making towards ensuring that investments in security are not wasted. Security governance involves a range of activities including adjusting organisational structures, designating roles and responsibilities, allocating resources, managing risks, measuring results, and gauging the adequacy of security audits and reviews. We draw on a case study to identify three security issues in an organisation around strategic context. These are (1) limited diversity in decision-making; (2) lack of guidance in corporate-level mission statements to security decision-makers; (3) a bottom-up approach to security strategic context development. We further argue that instead of an approach that is based on risk and controls, organisations should address objectives and strategies through developing depth in their security strategic context.
Knowledge leakage is a key risk for start-ups, particularly when that knowledge relates to the firm's innovation and is therefore competitively sensitive. Leakage of competitively sensitive knowledge can lead to financial losses and erosion of competitive advantage. Start-ups are particularly vulnerable to knowledge leakage compared to mature enterprises since they have limited resources to devote to protective measures and information systems, rely on relatively fewer product lines to sustain business success, and experience greater organisational change, making it difficult to control the complex and evolving security risk landscape. Current research on (knowledge) leakage mitigation methods does not adequately address the needs of start-ups. This paper sets out to address the gaps in current research relating to leakage mitigation, particularly focusing on knowledge protection in start-ups. We propose a new knowledge-leakage mitigation framework as a precursor to a process model to as...
The increasing frequency, impact, consequence and sophistication of cybersecurity attacks are becoming a strategic concern for boards and executive management of organisations. Consequently, in addition to focusing on productivity and performance, organisations are prioritizing Information Security Management (ISM). However, research has revealed little or no conceptualisation of a dynamic ISM capability and its link to organisational performance. In this research, we set out to 1) define and describe an organisational level dynamic ISM capability, 2) develop a strategic model that links resources with this dynamic capability, and then 3) empirically demonstrate how dynamic ISM capability contributes to firm performance. By drawing on Resource-Based Theory (RBT) and Dynamic Capabilities View (DCV), we have developed the Dynamic ISM Capability model to address the identified gap. As we develop this research, we will empirically test this model to demonstrate causality between ISM c...
The importance of information security risk management (ISRM) and its potential strategic role in protecting organisational information assets is widely studied in literature. Less attention is given to how ISRM can be enhanced using security analytics to contribute to a competitive advantage. This paper proposes a model showing that security analytics capabilities (the ability to effectively use security data for informed security related decision making) and ISRM capabilities (the ability to effectively identify and protect organizational information assets) indirectly influence competitive advantage in ISRM through two key mediating links: analytics-enabled ISRM capabilities (the ability to effectively leverage insights gleaned from security data to make informed ISRM decisions) and ISRM dynamic capabilities (the ability to reconfigure analytics-enabled ISRM capabilities to address turbulent environments). Environmental turbulence moderates the process by which security analytics...
© 26th European Conference on Information Systems: Beyond Digitization - Facets of Socio-Technical Change, ECIS 2018. All Rights Reserved. The use of mobile devices in knowledge-intensive organizations, while effective and cost-efficient, also poses a challenging management problem. Often employees, whether deliberately or inadvertently, are the cause of knowledge leakage in organizations, and the use of mobile devices further exacerbates it. This problem is the result of overly focusing on technical controls while neglecting human factors. Knowledge leakage is a multidimensional problem, and in this paper, we highlight the different dimensions that constitute it. In this study, our contributions are threefold. First, we study knowledge leakage risk (KLR) within the context of mobile devices in knowledge-intensive organizations in Australia. Second, we present a conceptual framework to explain and categorize the mitigation strategies to combat KLR through the use of mobile devices grounde...
Research articles can support teaching by introducing the latest expert thinking on relevant topics and trends and describing practical real-world case studies to encourage discussion and analysis. However, from the point of view of the instructor, a common challenge is identifying the most suitable papers for classroom teaching amongst a very large pool of potential candidates that are not typically written for teaching purposes. Further, even in practice-oriented disciplines such as Information Security Management (ISM), high-quality journals emphasise theoretical contribution and research method rather than relevance to practice. Our review of the relevant literature did not find a comprehensive set of criteria to assist instructors in evaluating the suitability of research articles to teaching. Therefore, this research-in-progress paper presents a framework to support academics in the process of evaluating the suitability of research articles for their teaching programs.
Sensemaking is a critical activity in organizations. It is a process through which individuals ascribe meanings to events which forms the basis to facilitate collective action. However, the role of organizations, technology and individuals and their interaction in the process of sensemaking has not been sufficiently explored. This novel study seeks to address this gap by proposing a framework that explains how the interplay among organizations, technology and individuals enables sensemaking in the process of cybersecurity incident response. We propose that Organizations, Technology, and Individuals are the key components that interact in various ways to facilitate enactment, selection and retention activities (Sensemaking activities) in Incident Response. We argue that sensemaking in Incident Response is the outcome of this interaction. This interaction allows organizations to respond to cybersecurity incidents in a comprehensive manner.
Dependence on information, including for some of the world’s largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences indicate that attacks are escalating on organisations conducting these information-based activities. Organisations need to formulate strategy to secure their information, however gaps exist in knowledge. Through a thematic review of academic security literature, (1) we analyse the antecedent conditions that motivate the adoption of a comprehensive information security strategy, (2) the conceptual elements of strategy and (3) the benefits that are enjoyed post-adoption. Our contributions include a definition of information security strategy that moves from an internally-focussed protection of information towards a strategic view that considers the organisation, its resources and capabilities, and its external environment. Our finding...
While there is an overwhelming amount of literature that recognises the need for organisations to create a security culture in order to effectively manage security, little is known about how to create a good security culture or even what constitutes a good security culture. In this paper, we report on one of two case studies performed to examine how security
Although digital forensics has traditionally been associated with law enforcement, the impact of new regulations, industry standards and cyber-attacks, combined with a heavy reliance on digital assets, has resulted in a more prominent role for digital forensics in organizations. Modern organizations, therefore, need to be forensically ready in order to maximize their potential to respond to forensic events and demonstrate compliance with laws and regulations. However, little research exists on the assessment of organizational digital forensic readiness. This paper describes a comprehensive approach to identifying the factors that contribute to digital forensic readiness and how these factors work together to achieve forensic readiness in an organization. We develop a conceptual framework for organizational forensic readiness and define future work towards the empirical validation and refinement of the framework.
Modern organizations need to develop 'digital forensic readiness' to comply with their legal, contractual, regulatory, security and operational obligations. A review of academic and practitioner literature revealed a lack of comprehensive and coherent guidance on how forensic readiness can be achieved. This is compounded by the lack of maturity in the discourse of digital forensics rooted in the informal definitions of key terms and concepts. In this paper we validate and refine a digital forensic readiness framework through a series of expert focus groups. Drawing on the deliberations of experts in the focus groups, we discuss the critical issues facing practitioners in achieving digital forensic readiness.
Purpose: This paper describes the development, design, delivery and evaluation of a post-graduate information security subject that focuses on a managerial, rather than the more frequently reported technical, perspective. The authors aimed to create an atmosphere of intellectual excitement and discovery so that students felt empowered by new ideas, tools and techniques and realized the potential value of what they were learning in industry.
Design/methodology/approach: The paper develops fundamental principles and arguments that inform the design and development of the teaching curriculum. The curriculum is aimed at security management professionals in general and consultants in particular. The paper explains the teaching method in detail, including the specific topics of lectures, representative reading material, assessment tasks and feedback mechanisms. Finally, lessons learned by the authors and their conclusions are presented as a form of reflection.
Findings: The instructors recognized four key factors that played a role in the atmosphere of intellectual excitement and motivation. These were new concepts and ideas, an increased level of engagement, opportunities for students to make their own discoveries, and knowledge presented in a practical context. Maintaining a high quality of teaching resources, catering for diverse student needs and incorporating learning cycles of assessment in a short period of time were additional challenges.
Originality/value: Most 'information security' curricula described in research literature take a technology-oriented perspective. This paper presents a much-needed management point of view. The teaching curriculum (including assessment tasks) and experiences will be useful to existing and future teaching and research academics in 'information security management'. Those interested in developing their own teaching material will benefit from the discussion on potential topic areas, choice of assessment tasks and selection of recommended reading material.
***BEST PAPER AWARD*** Information Security (InfoSec) education varies in its content, focus and level of technicality across the world. In this paper we investigate the differences between graduate InfoSec programs in top universities in China and in the United States of America (USA). In China, curriculum emphasises Telecommunication, Computer Science and InfoSec Technology, whilst in the USA, in addition to Computer Science and InfoSec Technology, the curriculum also emphasises Enterprise-level Security Strategy and Policy, InfoSec Management, and Cyber Law. The differences are significant and will have a profound impact on both the perceptions and capabilities of future generations of information security professionals on the one hand, and the management of information security in public and private organizations in the respective countries on the other.