Author

Lucas M. Venter

Bio: Lucas M. Venter is an academic researcher from North-West University. The author has contributed to research in topics: Information security & Information security standards. The author has an h-index of 6, co-authored 14 publications receiving 93 citations.

Papers
Journal ArticleDOI
TL;DR: A case study of an e-Government interaction between a ministry and a government agency and the information security challenges identified in the implementation is presented.
Abstract: The government of Tanzania adopted an e-Government strategy in 2009 that is aimed at improving efficiency in government and providing better services to citizens. Information security is identified as one of the requirements for the successful e-Government implementation although the government has not adopted any standards or issued guidelines to government agencies with regards to information security. Comprehensive addressing of information security can be an expensive undertaking and without guidelines information security implementations may be more prone to failure. In a resource poor country such as Tanzania, there is a need for a cost effective and sustainable means of addressing information security in e-Government implementations. In this paper the authors present a case study of an e-Government interaction between a ministry and a government agency and the information security challenges identified in the implementation. In order to address these challenges an information security fram...

26 citations

Journal ArticleDOI
TL;DR: It is shown that as psychosocial risks affect people at the workplace, they diminish their ability to defend IS, and the proposed approach will provide a significant part of the answer to the question of why IS fails when all prescribed measures and controls are in place and active.
Abstract: Purpose – The purpose of this paper is to highlight the relation of psychosocial risks to information security (IS). Although psychosocial risks at the workplace have been extensively researched from a managerial point of view, their effect on IS has not been formally studied to the extent required by the gravity of the topic. Design/methodology/approach – Based on existing research on psychosocial risks, their potential effects on IS are examined. Findings – It is shown that as psychosocial risks affect people at the workplace, they diminish their ability to defend IS. Research limitations/implications – Psychosocial risks are identified as a factor in IS breakdown. Future research should be directed towards assessing the significance of the effects of various psychosocial risks on IS, creating an assessment methodology for the resulting IS posture of the organisation and devising mitigation methodologies. Practical implications – The proposed approach will provide a significant part of the answer to the question of why IS fails when all prescribed measures and controls are in place and active. More effective controls for psychosocial risks at the workplace can be created as the incentive of upholding IS will be added to the equation of their mitigation. Social implications – The organisational environment in which human beings are called upon to function in a secure manner will be redefined, along with what constitutes a “reasonable request” from human operators in the context of IS. Originality/value – Bringing together psychosocial risks and IS in research will provide a better understanding of the shortcomings of human nature with respect to IS. Organisations and employees will benefit from the resulting psychosocial risk mitigation.

19 citations

01 Jan 2014
TL;DR: The framework and constraints for the methodology are set, and a questionnaire-based quantitative methodology that meets the set requirements is proposed, which will ultimately provide a tool for rapid, consistent and repeatable assessment of the Information Assurance level.
Abstract: In work previously done by the authors, various human aspects of Information Assurance were identified. These comprise Social and Psychological aspects, the effects of Psycho-social risk at the workplace, the application of Influence techniques, user response to Social Engineering Methods and choices based on Economic considerations. Even though these aspects have been shown to gravely affect Information Assurance, the current level of their incorporation in the Plan-Do-Check-Act virtuous cycle of Information Security Management Systems, leaves a lot to be desired. In order to combine the findings of previous research and effectively provide quantified input that is usable in the context of an Information Security Management System (ISMS), an appropriate methodology must be introduced. This paper sets the framework and constraints for the methodology and by examining the merits and shortcomings of existing work in the field, proposes a questionnaire-based quantitative methodology that meets the set requirements. This will ultimately provide a tool for rapid, consistent and repeatable assessment of the Information Assurance level, as this is affected by the identified human aspects of Information Assurance.

10 citations

Proceedings Article
01 Jan 2009
TL;DR: The study contains a concept model for legal compliance for information security in the corporate environment; corporate policies were found to be consistent with constitutional and legislative provisions by default rather than by conscious effort on the part of information security practitioners.
Abstract: South Africa has myriad laws that address information security related issues. One such law is the Electronic Communications and Transactions Act of 2002 (ECTA), which is highly regarded internationally. A study, which forms the basis of this paper, found that not all provisions of this legislation that deal with information security are implemented by both the government and information security practitioners in corporate South Africa. The study found that the South African government has a relaxed approach to implementing some of the legal provisions regarding information security. The ECT Act agitates for the appointment of cyber inspectors who have powers to inspect, search and seize. A magistrate or a judge may issue a warrant requested by the cyber inspector. Although the legislation had good intentions, the government has not yet appointed the cyber inspectors. Although the ECT Act was in part intended to curb spam emails, the effect of the Act is practically very little. The study also found that some of the information security laws are ambiguous, for example, the Patent Act. Some of the laws pertaining to information security are very old; they were in effect introduced before the Internet was used for commercial purposes. These include the Merchandise Marks Act of 1941 and the Copyright Act of 1978. The findings of this study reflect that information security practitioners were not really familiar with the avalanche of information security related legislation. Be that as it may, the IT policies of some of the organisations that participated in this study showed that the provisions of legislation were catered for in the policies. This should be attributed to the fact that although information security practitioners were not consciously trying to comply with legislation, they relied heavily on the international standards.
Most of these standards are in line with the requirements of the South African information security related legislation. In other words, corporate information security policies are within the framework of the Constitution of the Republic and the applicable legislation by default. They are not consistent with constitutional and legislative provisions by conscious effort on the part of the information security practitioners. It is in this premise that this study contains a concept model for legal compliance for information security at the corporate environment. This model embodies the contribution of the study.

9 citations

Proceedings Article
01 Jan 2008
TL;DR: This paper attempts to strengthen the pursued research on SE threat identification and control, by applying sociological principles to IT and ISMSs, thus bringing into the light their nature as social structures.
Abstract: Social Engineering (SE) threats have constituted a reality for Information Technology (IT) systems for many years. Yet, even the latest editions of the generally accepted Information Security (IS) standards and best practices directives do not effectively address the Social Engineering aspect of IS defences. SE attacks target the human element of IS by exploiting human relations to the maximum possible extent. The social relations between interacting individuals who are involved in an Information Security Management System (ISMS) structure, combined with the frequently unpredictable fashion that humans act and react to stimuli, provide opportunities that Social Engineers may and do exploit. In the ongoing effort against Social Engineering attacks, if the social elements of IS are ignored, fallacious working assumptions may be made. These inadvertently result in the creation of insufficient controls against identified SE threats. Hence, simply put, Information Security scientists can no longer afford to ignore the nature of the social structures that govern all aspects of human relations, and in particular those that lie within the context of an ISMS. This paper attempts to strengthen the pursued research on SE threat identification and control, by applying sociological principles to IT and ISMSs, thus bringing into the light their nature as social structures. This constitutes part of a larger effort by the authors to systematically identify and subsequently cater for SE threats to IS, in the context of which the social foundations of IS are examined.

9 citations


Cited by
Posted Content
TL;DR: Deming's theory of management based on the 14 Points for Management is described in Out of the Crisis, originally published in 1982, where he explains the principles of management transformation and how to apply them.
Abstract: According to W. Edwards Deming, American companies require nothing less than a transformation of management style and of governmental relations with industry. In Out of the Crisis, originally published in 1982, Deming offers a theory of management based on his famous 14 Points for Management. Management's failure to plan for the future, he claims, brings about loss of market, which brings about loss of jobs. Management must be judged not only by the quarterly dividend, but by innovative plans to stay in business, protect investment, ensure future dividends, and provide more jobs through improved product and service. In simple, direct language, he explains the principles of management transformation and how to apply them.

9,241 citations

Book ChapterDOI
01 Jan 1998
TL;DR: The four Visegrad states (Poland, Czech Republic, Slovakia and Hungary) form a compact area between Germany and Austria in the west and the states of the former USSR in the east.
Abstract: The four Visegrad states — Poland, the Czech Republic, Slovakia (until 1993 Czechoslovakia) and Hungary — form a compact area between Germany and Austria in the west and the states of the former USSR in the east. They are bounded by the Baltic in the north and the Danube river in the south. They are cut by the Sudeten and Carpathian mountain ranges, which divide Poland off from the other states. Poland is an extension of the North European plain and like the latter is drained by rivers that flow from south to north west — the Oder, the Vlatava and the Elbe, the Vistula and the Bug. The Danube is the great exception, flowing from its source eastward, turning through two 90-degree turns to end up in the Black Sea, forming the barrier and often the political frontier between central Europe and the Balkans. Hungary to the east of the Danube is also an open plain. The region is historically and culturally part of western Europe, but its eastern Marches now represents a vital strategic zone between Germany and the core of the European Union to the west and the Russian zone to the east.

3,056 citations

01 Jan 1997
TL;DR: Heskett, Sasser, and Schlesinger show how managers at American Express, Southwest Airlines, Banc One, Waste Management, USAA, MBNA, Intuit, British Airways, Taco Bell, Fairfield Inns, Ritz-Carlton Hotel, and the Merry Maids subsidiary of ServiceMaster employ a quantifiable set of relationships that directly link profit and growth not only to customer loyalty and satisfaction, but to employee loyalty, satisfaction, and productivity.
Abstract: Why are a select few service firms better at what they do - year in and year out - than their competitors? For most senior managers, the profusion of anecdotal "service excellence" books fails to address this key question. In this pathbreaking book, world-renowned Harvard Business School service firm experts James L. Heskett, W. Earl Sasser, Jr. and Leonard A. Schlesinger reveal that leading companies stay on top by managing the service profit chain. Based on five years of painstaking research, the authors show how managers at American Express, Southwest Airlines, Banc One, Waste Management, USAA, MBNA, Intuit, British Airways, Taco Bell, Fairfield Inns, Ritz-Carlton Hotel, and the Merry Maids subsidiary of ServiceMaster employ a quantifiable set of relationships that directly links profit and growth to not only customer loyalty and satisfaction, but to employee loyalty, satisfaction, and productivity. The strongest relationships the authors discovered are those between (1) profit and customer loyalty; (2) employee loyalty and customer loyalty; and (3) employee satisfaction and customer satisfaction. Moreover, these relationships are mutually reinforcing; that is, satisfied customers contribute to employee satisfaction and vice versa. Here, finally, is the foundation for a powerful strategic service vision, a model on which any manager can build more focused operations and marketing capabilities. For example, the authors demonstrate how, in Banc One's operating divisions, a direct relationship between customer loyalty measured by the "depth" of a relationship, the number of banking services a customer utilizes, and profitability led the bank to encourage existing customers to further extend the bank services they use. Taco Bell has found that their stores in the top quadrant of customer satisfaction ratings outperform their other stores on all measures. 
At American Express Travel Services, offices that ticket quickly and accurately are more profitable than those which don't. With hundreds of examples like these, the authors show how to manage the customer-employee "satisfaction mirror" and the customer value equation to achieve a "customer's eye view" of goods and services. They describe how companies in any service industry can (1) measure service profit chain relationships across operating units; (2) communicate the resulting self-appraisal; (3) develop a "balanced scorecard" of performance; (4) develop a recognitions and rewards system tied to established measures; (5) communicate results company-wide; (6) develop an internal "best practice" information exchange; and (7) improve overall service profit chain performance. What difference can service profit chain management make? A lot. Between 1986 and 1995, the common stock prices of the companies studied by the authors increased 147%, nearly twice as fast as the price of the stocks of their closest competitors. The proven success and high-yielding results from these high-achieving companies will make The Service Profit Chain required reading for senior, division, and business unit managers in all service companies, as well as for students of service management.

862 citations

Journal ArticleDOI
TL;DR: The main objective of the paper is to mitigate the consequences of MATE attacks through the human element of security and highlight the need for this element to form a part of a holistic security strategy alongside the necessary techniques and technologies.

77 citations