Information Technology for Managers: Uber Data Breach Report

Added on  2023/04/21

AI Summary
This report provides a detailed analysis of the Uber data breach, focusing on the security attack that compromised the personal information of millions of customers and drivers. It begins with an introduction to information security, defining key concepts such as confidentiality, integrity, and availability (CIA triad) and exploring various threats and vulnerabilities. The report then describes Uber's organizational structure and its reliance on technology. A thorough literature review is conducted, examining definitions of information security systems, concepts, and organizational security policies. The core of the report analyzes the Uber data breach, identifying the root causes of the attack and its impact on the organization, including reputational damage and financial repercussions. Finally, the report proposes a comprehensive mitigation process and information security solutions to enhance Uber's security posture, including incident response planning and layered defense strategies. The report concludes with a summary of findings and recommendations.
Running head: INFORMATION TECHNOLOGY FOR MANAGERS
Information Technology for Managers
Name of Student-
Name of University-
Author’s Note-
Table of Contents
1. Introduction
2. Description of the Organization
3. Literature Review
3.1 Definition of Information Security System
3.2 Concepts of Information Security
3.3 Organizational Security Policy
3.4 Benefits of Network Security:
3.5 Need of System security
4. Security Attack on Uber
4.1 Cause of Attack
4.2 Impact on Organization
5. Mitigation process for Information Security
6. Conclusion
References
1. Introduction
With the growing use of the internet and of telecommunication technologies and systems,
reliance on technology has become more intense. As companies and organizations adopt advanced
modern technologies, their vulnerabilities have increased as well. Networks that become
vulnerable are infiltrated or subverted in many different ways, so a vulnerable network can
expose organizations and companies that use information technology to threats (Peltier, 2016).
Threats to the information system vary from place to place and are commonly known as inside
threats and external threats. To secure the information system, the most important mitigation
and prevention step is to identify the threats and types of threat that the company can face
and the ways each threat can affect the organization's information system (Safa, Solms &
Furnell, 2016). Many of these are commonly known as unauthorized threats, such as computer
viruses, sabotage and accidents, and they are mainly carried out by hackers and crackers.
The information system is mainly designed to protect the confidentiality, availability and
integrity of the computer system used in the organization (Soomro, Shah & Ahmed, 2016). This
protective design is commonly known as the CIA Triad, and the triad should itself be protected
from malicious attacks on organizations and companies. This particular triad is also known as
the Parkerian Hexad, which includes confidentiality, integrity, availability, authenticity,
possession and utility.
Information security in organizations comprises many strategies for managing the processes,
policies and tools that an organization or company needs to protect data, detect threats, and
document both the threats and the mitigation processes used to counter them, for digital as
well as non-digital information (Safa et al., 2015). The responsibility of information
security is to establish business process rules that protect information assets irrespective
of the data format and of whether the data is in transit or in storage.
Threats to sensitive, privately held information in the organization take many different
forms, such as phishing and malware attacks, ransomware attacks and identity theft. To detect
and mitigate attacks at the different points where the organization is vulnerable, many
security controls are implemented and coordinated as a layered defence strategy. This strategy
can help to mitigate the impact of an attack (Gordon, Fairhall & Landman, 2017). To be
prepared for a security breach, the group with security responsibility is responsible for
producing the incident response plan (IRP) for the organization. The IRP allows the
organization to contain and limit the damage, remove the cause of the threat, and put updated
defence controls in place to mitigate information security threats.
This report details the information security aspects of the Uber data breach that took place
in 2016. The breach resulted in a massive exposure of the personal information of 57 million
associated customers, including drivers. The report explains the security attack on Uber and
the cause of the attack. It also explains the impact of the data breach on Uber and the
mitigation process that the organization carried out to enhance information security.
2. Description of the Organization
Uber Technologies is a transportation network company that offers services including
ridesharing, ride service, bicycle sharing and food delivery. Uber Technologies is
headquartered in San Francisco and operates in more than 785 areas all over the world. Its
platforms are mainly accessed through websites and mobile applications. Uber handles the data
of millions of customers and drivers, and it is very important for the company to protect
that data (Thomas & Thomson, 2018). Uber's data covers millions of rides and food deliveries
along with the associated transaction data. Uber continually looks to improve its services,
to mitigate data-related anomalies and to find solutions for their root causes.
To maintain its data, the company carries out operational analysis, and it has a data
warehouse team that maintains a parallel database and a popular data analytics platform within
the system. Uber has many policies that describe how Uber and its affiliates collect and use
personal information to provide services around the world (Robbins & Sechooler, 2018). The
data security policy applies to all users of the application, its features and its websites,
as well as to features that include privacy policies.
Despite having such security policies, Uber suffered a data breach, misleading its consumers
about its privacy and security practices. In the breach, information including the names and
license numbers of drivers was stolen, which affected the drivers working for the company.
The personal information of about 57 million riders was stolen, including names, email
addresses and mobile numbers. According to the CEO of Uber, the stolen data was not misused
by the hackers, and the company was continuously monitoring the affected accounts and had
flagged them for additional protection. Uber's security team took no particular action over
the data breach because, in their opinion, there are many things to be done after a data
breach and the data was not misused.
3. Literature Review
3.1 Definition of Information Security System
According to McCormac et al. (2017), information security is mainly designed to protect data
confidentiality, integrity and availability, which may be subject to malicious intent. As per
the authors, these three parameters are commonly known as the CIA Triad for providing security
to information. This particular triad includes confidentiality of data, possession of data,
authenticity of data, utility of data, availability of data and integrity of data.
Rahman & Choo (2015) stated that information security mainly deals with risk management.
According to the authors, any data in an organization may be at risk or under threat. The
organization's information includes sensitive information that must be kept confidential and
must not be changed, transferred or altered without the permission of the user. Data
confidentiality concerns, for example, a message that could be modified in transmission by
other people who intercept it before it reaches the actual user or recipient. As per the
authors, this security threat can be mitigated with cryptographic tools.
As per Safa, Solms & Futcher (2016), digital signatures help to improve information security
by enhancing the authenticity of processes and by requiring individuals to prove their
identity before they can access the computer data that is available.
As stated by Stamp (2017), information security is not only about securing information from
unauthorized access. Threats to the information system vary from place to place and are
commonly known as inside threats and external threats. To secure the information system, the
most important mitigation and prevention step is to identify the threats and types of threat
that the company can face and the ways each threat can affect the organization's information
system. According to the author, information security is the practice of preventing
unauthorized access to, use, disclosure, modification, recording, inspection and destruction
of data. The information concerned may be electronic or physical.
3.2 Concepts of Information Security
As stated by Hsu et al. (2015), the concepts of information security include access to data.
Access is the ability of a subject or an object to use, manipulate, affect or modify data
related to another subject or object. Authorized users have legal access to a system, whereas
hackers might have illegal access to a system. A user's abilities are mainly regulated by
access control. The concepts associated with information security are discussed below:
Asset: Pathan (2016) stated that assets are the organizational resources that are to be
protected. An asset may be logical, such as the information or data related to the
organization, or physical, such as a person, a computer system or another tangible object
related to information security. Information assets are the main focus of information
security, which includes protecting data security.
Attack: An intentional or unintentional act that can damage or compromise information and
the systems that support it. An attack may be active or passive, and intentional or
unintentional (Bhattarai, Joyce & Dutta, 2016). It may also be direct or indirect. For
instance, someone reading sensitive information that is not intended for their use is a
passive attack. A hacker who sets out to break into an information system is an intentional
attack. In a direct attack, the hacker uses a personal system to break into the target
system. In an indirect attack, hackers compromise a system and use it to attack other
systems. A botnet is an example of an indirect attack: a group of compromised computers runs
the hacker's software under the hacker's direct control to attack systems, steal user
information or conduct a denial-of-service (DoS) attack. Direct attacks mainly originate from
the threat itself. Indirect attacks mainly originate from a compromised system or resource
that is malfunctioning or working under the control of a threat.
Safeguard, control on information, as well as countermeasure on data: The security
policies, mechanisms and procedures that counter attacks, reduce the risk of data breach,
resolve vulnerabilities and otherwise improve security in the organization.
Exploit: An exploit is a technique used to compromise a system. Threat agents attempt to
exploit a system or other information asset by using it for their personal gain (Cavusoglu
et al., 2015). An exploit can also be a documented process for taking advantage of a
vulnerability or exposure, usually in software, that is either inherent in the software or
created by the hacker. Exploits generally make use of existing tools or of custom-made
software components.
Exposure: Exposure in information security is a condition or state of being exposed. An
exposure exists when a security breach exists in the system, caused by some unknown attacker.
Loss: Loss occurs when data in the information system suffers damage or unauthorized or
unintended disclosure or modification. When the organization's data is stolen, the
organization suffers a loss.
Profile Protection and security posture: According to Parsons et al. (2015), the set of
controls and safeguards in information security mainly comprises policy, training,
technologies, awareness, education and regulations that the organization incorporates in its
working process to protect the system from being hacked by attackers. The term protection
profile is sometimes used interchangeably with security program, which comprises all
managerial aspects including personnel programs, planning programs and subordinate programs
in the organization.
Risk: Risk is the probability that something unwanted and unexpected might happen. The
organization keeps the information security risks it faces in line with its risk appetite,
which is the quantity and nature of risk that the organization is willing to accept.
Threat: A threat refers to a category of persons, entities or objects who can face danger
because of an asset. Threats present in an organization can be purposeful or accidental.
3.3 Organizational Security Policy
As per the authors, there is always a need to implement a security policy in an organization.
The security policy should not be simple and should convey an action plan that includes the
purpose, applicability, activities, importance and goals of the organization. The organization
should carry its security agenda through all of its working processes and should take
responsibility for following the security measures within the system. As per Cram, Proudfoot &
D’Arcy (2017), all employees in the organization should be given appropriate training on the
information security policy and on the organization's security expectations. Those
expectations cover all the functional roles carried out in the organization's working process.
For instance, the corporate internet policy has to be communicated properly, and employees
should understand it and clearly acknowledge it. There should be a specific policy for
managing software in the organization, scoped to include all personnel who are related to the
system. The organization's security policies and procedures should require employee
attestation, which provides valuable input for policy enforcement and for the education
process in the organization.
3.4 Benefits of Network Security:
The benefits that information security incorporates in an organization are stated below:
Network security mainly helps to protect all personal data of the clients that exists on
the network.
Network security in an organization helps to protect the information that is shared between
computer networks.
Hacking mainly includes virus attacks or spyware attacks from the internet that might harm
the physical computers connected with the organization. All external attacks are to be
prevented (Bhattarai, Joyce & Dutta, 2016).
Network security mainly provides different access levels. In an organization, different
computer systems are attached to the enterprise network, and some computers can have greater
access to information than others.
Private networks are protected from external attacks, which helps to close the network off
from the internet. Network security keeps private networks safe from malicious attacks.
3.5 Need of System security
As per Montesdioca & Maçada (2015), there is a need for system security within all
organizations, and network technology is the main factor in information technology.
Information technology includes a wide variety of applications, and security is very
important to both the networks and the applications. As per the authors, network security is
a critical requirement, yet there is a lack of security methods that can be implemented to
ensure the security of the system.
As per Dhillon et al. (2016), there is always a communication gap between the developers of
security technology and network developers. Network design is commonly regarded as a
well-developed process that is based on the OSI model. The OSI model has several advantages
for designing the networks in an organization (Cavusoglu et al., 2017). It mainly offers
modularity, ease of use, standardization and flexibility in the network protocols. The
protocols of the different layers can easily be combined to create stacks, which allows
modular development in the organization.
The authors have also stated that the implementation of an individual layer can be changed
without making any other adjustments, which allows flexibility in the development process
(Yazdanmehr & Wang 2016). Other researchers have stated that securing the network design is
not a well-developed process. There is no particular methodology for managing the complexity
involved in an organization's security requirements. Secure network design does not provide
the advantages that network design does. When network security is considered in an
organization, it is stated that the whole network must be secure and must offer all the
security the organization needs. Network security does not consist only of security in the
systems of the communication chain. When data is transmitted, the communication channel
should not be vulnerable to attack (Da Veiga & Martins, 2017). A hacker might target the
communication channel, harm the network system, obtain the data the organization needs,
decrypt the data and integrate it. As per the authors, network security is very important
because both securing the networked computers and encrypting messages are important in the
organization. As per the authors, some features must be followed. The features to be
considered when developing network security are listed below.
1. Access: As per Burns et al. (2017), access involves authorized persons accessing data or
information and being provided with a means of communicating to and from the network.
2. Confidentiality: Information in a particular network is to remain private to trusted
staff or users.
3. Authentication: This ensures that the right person has access to the network.
4. Integrity: Integrity ensures that a message being transmitted is not modified and remains
secure during transmission.
5. Nonrepudiation: This ensures that the user should not refute the network.
4. Security Attack on Uber
Uber in 2016 confirmed that it had faced a massive data breach that put at risk the personal
data of 57 million customers along with the personal information of the drivers associated
with the organization. Uber was not aware of the security attack and failed to notify its
customers about the data breach that took place (Cherdantseva et al., 2016). The data stolen
by the hackers included the names of customers, the email addresses of customers and drivers,
and the phone numbers of people associated with the Uber system. The personal information of
drivers was also at risk, including the drivers' names and license numbers.
The hackers stole the information of 57 million customers along with the personal information
of about 60,000 drivers in the United States (Cram, Proudfoot & D’Arcy, 2017). However, the
company was able to confirm that the victims' sensitive information, that is location, bank
account details, SSNs, credit card numbers and birth dates, was not stolen. It was kept safe
within the company network.
In response to the data security breach, Uber paid $100,000 to the hackers as ransom so that
they would delete the data and the matter could be settled secretly, without the incident
being disclosed to the media or the regulators (Fielder et al., 2016). The CEO of the company
gave assurances that the company was changing the way it does business and was planning to
improve network security within the organization.
Because the hack included the names, contact numbers and email addresses of customers and the
names and driving license numbers of drivers, it was a loss both for the company and for the
users associated with it (Gupta, Agrawal & Yamaguchi, 2016). The Uber security group was
questioned about the security policies in place in its systems. Uber was accused of
mishandling customers' personal data and of settling the security violation in secret. The
customers who were victims of the data breach should have been informed that their personal
data had been stolen, and corresponding data security measures should have been taken to
avoid security breaches in future.
4.1 Cause of Attack
According to Bloomberg, the data breach that occurred at Uber was quite straightforward. The
hackers had access to the public GitHub code repository used by Uber engineers. From the code
in the repository, the hackers obtained the private login credentials for the Amazon cloud
server (Graham, Olson & Howard, 2016). By logging in to the Amazon cloud with those
credentials, the hackers were able to obtain the list of riders and the data of the drivers.
After gaining access to the data, the hackers demanded a ransom to delete what they had
stolen. The data taken consisted mainly of the names, email addresses and contact numbers of
riders and the names and driver license numbers of drivers associated with the company. The
hackers demanded $100,000 as ransom from the company.
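The cause described above, cloud credentials sitting in repository code, is what a pre-commit or CI secret scan is meant to catch. The Python scanner below is an added example, not code from this report or from Uber; the file names are constructed, the key values are the placeholder credentials used in AWS documentation, and the entropy threshold is an assumption.

```python
"""Scan repository files for hard-coded AWS credentials (added example)."""
import math
import re
from collections import Counter

# AWS access key IDs are 20 characters: an "AKIA" (long-term) or "ASIA"
# (temporary) prefix followed by 16 upper-case letters or digits.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 base64-style characters. On their own they look
# like any other token, so flag them only when assigned to a name that
# contains "secret".
SECRET_ASSIGN = re.compile(
    r"(?i)\b[\w.-]*secret[\w.-]*['\"]?\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Assumption: below this many bits per character, a 40-character value is
# treated as a placeholder rather than a real key.
MIN_ENTROPY = 3.5


def shannon_entropy(value):
    """Bits of entropy per character of `value`."""
    counts = Counter(value)
    total = len(value)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def redact(value):
    """Keep the first four characters so the finding is recognisable but unusable."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path, text):
    """Return one finding per credential-looking value in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "rule": "aws-access-key-id",
                             "match": redact(match.group(0))})
        for match in SECRET_ASSIGN.finditer(line):
            candidate = match.group(1)
            if shannon_entropy(candidate) < MIN_ENTROPY:
                continue  # e.g. "xxxx..." in a template file
            findings.append({"path": path, "line": lineno,
                             "rule": "aws-secret-access-key",
                             "match": redact(candidate)})
    return findings


def scan_repo(files):
    """`files` maps a repository path to that file's text."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed repository snapshot. The two key values are the placeholder
# credentials printed in AWS documentation, not live keys.
SAMPLE_REPO = {
    # Weak: credentials hard-coded in source that is pushed to the repository.
    "deploy/backup.py": (
        "import boto3\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    # Corrected: the same settings read from the environment at run time.
    "deploy/backup_fixed.py": (
        "import os\n"
        'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
        'AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]\n'
    ),
    # Template with a low-entropy placeholder; must not be reported.
    "docs/config.example": 'secret_key = "' + "x" * 40 + '"\n',
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f'{f["path"]}:{f["line"]}: {f["rule"]} {f["match"]}')
```

A key that has already been pushed stays in the repository history, so a finding means the key has to be revoked and reissued, not just deleted from the file.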
4.2 Impact on Organization
As per the Uber CEO, the company took immediate steps when the incident took place (Carr,
2016). According to their statement, when they learned of the data breach they took immediate
action and stopped the unauthorized access to the organization's network. They have
implemented proper mitigation controls in the organization.
The organization was fined $491,000 by the UK privacy watchdog, which stated that the
organization had to pay the fine for failing to protect its data (Wong, 2017). Uber
eventually admitted to the extortion connected with the cyber-attack that took place in 2016,
which involved the names, addresses and phone numbers of riders associated with the company
and details of drivers including the driver's name and driving license.
5. Mitigation process for Information Security
Three mitigation processes that can be implemented to enhance the security of the
information system in organizations are stated below:
Stop Ongoing Data Breach and Assess Damage: The first thing an organization needs to do
after noticing a data breach is to stop it. How this is done depends mainly on the nature of
the attack and on the systems affected by the breach. The developer should start by isolating
all the systems accessed by the attacker so that the breach is prevented from spreading to
other networks (Thomas & Thomson, 2018). The security developer's first aim should be to
disconnect all the user accounts that were breached and, if possible, to shut down particular
departments to stop a virus from spreading. After stopping the data breach, the security
group should investigate all the networks and computer systems to find out the actual damage
that the breach has caused in the organization (Robbins & Sechooler, 2018). The group should
establish how the breach was initiated and find a process to mitigate such breaches in
future. All the affected systems should be checked for any malware left on them.
Notify Victims and Security Audits: The security group should identify the users who were
victims of the data breach and instruct them to take preventive measures to mitigate data
breaches in future (Green, 2018). All the higher authorities should be informed, along with
the third-party organizations associated with the organization. In the notification, the
security group should clearly state the date and time of the data breach and the total amount
of data that was breached, and should take the necessary steps to maintain the reputation of
the organization. After notifying the victims, a security audit is to be carried out. The
security team audits the systems currently in use in the organization and also prepares a
security plan for the near future. Proper IT security plans are to be made to mitigate data
breaches in future (Burns et al., 2017). All the fixes needed for the system and preventive
software are to be installed on the affected network and on all other networks of the
organization. A DNS audit is recommended, as it will help to secure the infrastructure and
the system architecture.
Updating Recovery Plan: After all the previous steps have been completed, the next step is
to take the measures necessary to prevent the next attack on the organization. Once an
organization has been attacked by an intruder, there always remains a chance of it being
attacked again (Dhillon et al., 2016). Preventive measures are therefore to be taken against
all possibilities of attack in the future.
In an organization, the security audit and the internal investigation associated with the
working process are always valuable. More detailed information is to be documented so that
employees can benefit from the documentation in the near future. This might help them to
guide others in implementing the recovery plan and in handling other such vulnerabilities
(Montesdioca & Maçada, 2015). The recovery plan might include new policies to be implemented,
training of employees, and enforcement of the organization's policies with third-party
vendors. All employees in the organization should be trained in, and held to, the security
policies that are used to improve the security of the organization's information system.
6. Conclusion
There are many large enterprises that employ a security group for implementing as well
as maintaining the information security of the organization. The information security group is
generally led by a chief officer appointed for information security. This particular group is
responsible for conducting the risk management process, analysing all the vulnerabilities as well as
threats that are associated with the organization, and it has the responsibility to incorporate
proper protective measures in the organization. The value of a particular organization mainly
lies in the information or the data that are related to the organization, so providing security is the
main activity for the business operations that are to be carried out. This will bring customer
trust and retain the credibility of the organization.
The above report deals with the information security threat faced by Uber in 2016.
Uber is a large organization that incorporated security measures for maintaining security in
the organization. Uber has its own information security group of officials who are
involved in monitoring the security of the organization. But the security group of Uber was
unable to detect the breach that the organization faced in the year 2016. The information security
program that was to address these threats was to include the CIA
triad, but the confidentiality, integrity as well as availability of the organization's data was not
maintained.
Confidentiality was not maintained in the organization because the data or the
information that was breached contained personal information of the drivers and the riders who
were associated with the organization. The security group of Uber should have implemented a more
secure way of protecting data by using encryption as well as encryption keys. As per the
discussion stated above, integrity should have been involved in the working process of Uber to
enhance the data security of the organization. Uber should have had integrity, which
states that the data, when read long afterwards, remains the same as it was when saved and uploaded.
The data should not be altered while being sent from one location to another. The third property that Uber
should have incorporated is availability. The availability of the data indicates that the data should
always be available to the users and that no third party gets access to the data that are
available in the organization. If all these security concerns had been satisfied in the working process
of Uber, the data breach would have been mitigated.
The processes and policies related to information security mainly involve
physical security measures and digital security measures to protect the data from
unauthorized access and use, as well as destruction and replication of data. As per the
discussion, Uber should have taken some security measures to protect its data from
being breached. The sensitive information of the organization should have been protected
wherever it is stored. It can also be recommended that Uber should not shift the data from a
particular device to some other external device. This might lessen the risk of data breach
in the organization. The organization should also have limited the access to the valuable data
that are in the organization. No third party should be involved in organization data, because
involving a third-party vendor increases the risk of data breach. Training should be provided
to the employees, and the riders should have been instructed about the data breach so that they
could have taken preventive measures to mitigate the risk of information breach in the company.
All the software associated with the organization should have been updated from time to
time to prevent data breach.
References
Ab Rahman, N. H., & Choo, K. K. R. (2015). A survey of information security incident handling
in the cloud. Computers & Security, 49, 45-69.
Bhattarai, R., Joyce, G., & Dutta, S. (2016, July). Information security application design:
understanding your users. In International Conference on Human Aspects of Information
Security, Privacy, and Trust (pp. 103-113). Springer, Cham.
Burns, A. J., Posey, C., Courtney, J. F., Roberts, T. L., & Nanayakkara, P. (2017).
Organizational information security as a complex adaptive system: insights from three
agent-based models. Information Systems Frontiers, 19(3), 509-524.
Carr, M. (2016). Public–private partnerships in national cyber-security strategies. International
Affairs, 92(1), 43-62.
Cavusoglu, H., Cavusoglu, H., Son, J. Y., & Benbasat, I. (2015). Institutional pressures in
security management: Direct and indirect influences on organizational investment in
information security control resources. Information & Management, 52(4), 385-400.
Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., & Stoddart, K. (2016).
A review of cyber security risk assessment methods for SCADA systems. Computers &
Security, 56, 1-27.
Cram, W. A., Proudfoot, J. G., & D’Arcy, J. (2017). Organizational information security
policies: a review and research framework. European Journal of Information
Systems, 26(6), 605-641.
Da Veiga, A., & Martins, N. (2017). Defining and identifying dominant information security
cultures and subcultures. Computers & Security, 70, 72-94.
Dhillon, G., Oliveira, T., Susarapu, S., & Caldeira, M. (2016). Deciding between information
security and usability: Developing value based objectives. Computers in Human
Behavior, 61, 656-666.
Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., & Smeraldi, F. (2016). Decision support
approaches for cyber security investment. Decision Support Systems, 86, 13-23.
Gordon, W. J., Fairhall, A., & Landman, A. (2017). Threats to information security—public
health implications. N Engl J Med, 377(8), 707-709.
Graham, J., Olson, R., & Howard, R. (2016). Cyber security essentials. Auerbach Publications.
Green, J. M. (2018). Risk radar: Security breach. Company Director, 34(5), 30.
Gupta, B., Agrawal, D. P., & Yamaguchi, S. (Eds.). (2016). Handbook of research on modern
cryptographic solutions for computer and cyber security. IGI Global.
Hsu, J. S. C., Shih, S. P., Hung, Y. W., & Lowry, P. B. (2015). The role of extra-role behaviors
and social controls in information security policy effectiveness. Information Systems
Research, 26(2), 282-300.
McCormac, A., Zwaans, T., Parsons, K., Calic, D., Butavicius, M., & Pattinson, M. (2017).
Individual differences and information security awareness. Computers in Human
Behavior, 69, 151-156.
Montesdioca, G. P. Z., & Maçada, A. C. G. (2015). Measuring user satisfaction with information
security practices. Computers & Security, 48, 267-280.
Parsons, K. M., Young, E., Butavicius, M. A., McCormac, A., Pattinson, M. R., & Jerram, C.
(2015). The influence of organizational information security culture on information
security decision making. Journal of Cognitive Engineering and Decision Making, 9(2),
117-129.
Pathan, A. S. K. (Ed.). (2016). Security of self-organizing networks: MANET, WSN, WMN,
VANET. CRC Press.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for
effective information security management. Auerbach Publications.
Robbins, J. M., & Sechooler, A. M. (2018). Once more unto the breach: What the Equifax and
Uber data breaches reveal about the intersection of information security and the
enforcement of securities laws. Criminal Justice, 33(1), 4-7.
Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T. (2015).
Information security conscious care behaviour formation in organizations. Computers &
Security, 53, 65-78.
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model
in organizations. Computers & Security, 56, 70-82.
Safa, N. S., Von Solms, R., & Futcher, L. (2016). Human aspects of information security in
organisations. Computer Fraud & Security, 2016(2), 15-18.
Smith, R. E. (2015). Elementary information security. Jones & Bartlett Publishers.
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more
holistic approach: A literature review. International Journal of Information
Management, 36(2), 215-225.
Stamp, M. (2017). Introduction to machine learning with applications in information security.
Chapman and Hall/CRC.
Thomas, L., & Thomson, A. C. (2018). From panic to pragmatism: De-escalating and managing
commercial data breaches. Cyber Security: A Peer-Reviewed Journal, 2(1), 17-22.
Wong, J. C. (2017). Uber concealed massive hack that exposed data of 57m users and
drivers. The Guardian. Retrieved from
https://www.theguardian.com/technology/2017/nov/21/uber-data-hack-cyber-attack
Yazdanmehr, A., & Wang, J. (2016). Employees' information security policy compliance: A
norm activation perspective. Decision Support Systems, 92, 36-46.