Information Security Landscape in Vietnam: Insights from Two Research Surveys
M. Nkhoma et al.

Like large enterprises, small and medium businesses in Vietnam deal with a lot of data and run the risk of being targeted. Most companies work with at least one type of data that is sensitive and critical to their business, primarily consumer data. The type of sensitive data companies store depends on the industries in which they operate. An increasing number of businesses fall victim to targeted attacks and data breaches each year, though not as many as in a developed country.

Information security investment is much less than the global average. There are three potential reasons for this. First, Filkins (2016) suggested that investment in InfoSec typically accounts for 4–6% of the total IT budget; if the IT budget in Vietnamese companies is small, that explains the tight budget spent on information security. Second, the value of the data stored in organisations is not significant or is underestimated. Industry experts believed that a good InfoSec investment should reflect the cost of data loss caused by a security breach (Schneier 2011). Third, managerial security awareness might be at a low level, which then results in managerial non-action regarding improving security infrastructure in the companies (Choi et al. 2014).

The InfoSec skills of employees are perceived to be at the intermediate level. However, their behaviours in some of the scenarios stated in the interview mostly do not follow best practice. Given the low security training rate, awareness of the risks and threats of misbehaviour might also be low. Alternatively, while working on their devices, employees might weigh the benefits of noncompliance over its cost, leading to noncompliance with best practices (Bulgurcu et al. 2010).

References

Breaux, T. D., Antón, A. I., & Spafford, E. H. (2009). A distributed requirements management framework for legal compliance and accountability. Computers & Security, 28(1–2), 8–17. https://doi.org/10.1016/j.cose.2008.08.001.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523–548.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2017). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523–548.
Caralli, R., & Wilson, W. (2004). The challenges of security management. Pittsburgh: CERT, Software Engineering . . . . Available at: http://www.ready.gov/sites/default/files/documents/files/challenges_of_security_management[1].pdf.
Chang, S. E., & Ho, C. B. (2015). Organisational factors to the effectiveness of implementing information security management. Industrial Management & Data Systems, 106(3), 345–361. https://doi.org/10.1108/02635570810844124.
Choi, N., Kim, D., Goo, J., & Whitmore, A. (2014). Knowing is doing: An empirical validation of the relationship between managerial information security awareness and action. Information Management & Computer Security, 16(5).
Colwill, C. (2009). Human factors in information security: The insider threat – Who can you trust these days? Information Security Technical Report. Elsevier Ltd, 14(4), 186–196. https://doi.org/10.1016/j.istr.2010.04.004.
Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013). Future directions for behavioral information security research. Computers & Security. Elsevier Ltd, 32, 90–101. https://doi.org/10.1016/j.cose.2012.09.010.
Da Veiga, A., & Eloff, J. H. P. (2007). An information security governance framework. Information Systems Management, 24(4), 361–372. https://doi.org/10.1080/10580530701586136.
Dodds, R., & Hague, I. (2004). Information security – More than an IT issue. Chartered Accountants Journal, 83(11), 56.
Dzazali, S., Sulaiman, A., & Zolait, A. H. (2009). Information security landscape and maturity level: Case study of Malaysian Public Service (MPS) organisations. Government Information Quarterly. Elsevier Inc., 26(4), 584–593. https://doi.org/10.1016/j.giq.2009.04.004.
Eloff, J. H. P., & Eloff, M. M. (2005). Information security architecture. Computer Fraud & Security, 2005(11), 10–16. https://doi.org/10.1016/S1361-3723(05)70275-X.
Eminağaoğlu, M., Uçar, E., & Eren, Ş. (2009). The positive outcomes of information security awareness training in companies – A case study. Information Security Technical Report, 14(4), 223–229. https://doi.org/10.1016/j.istr.2010.05.002.
Erevelles, S., Fukawa, N., & Swayne, L. (2016). Big Data consumer analytics and the transformation of marketing. Journal of Business Research. Elsevier Inc., 69(2), 897–904. https://doi.org/10.1016/j.jbusres.2015.07.001.
Ernst & Young. (2007). Tenth annual global information security survey: Achieving a balance of risk and performance.
Filkins, B. (2016). IT security spending trends.
Internet Live Stats. (2016). Internet users by country (2016). Available at: http://www.internetlivestats.com/internet-users-by-country/.
Kaseya. (2013). The top seven causes of major security breaches.
McKinsey. (2017). Tackling GDPR compliance before time runs out. Available at: https://www.mckinsey.com/business-functions/risk/our-insights/tackling-gdpr-compliance-before-time-runs-out.
Morrow, B. (2012). BYOD security challenges: Control and protect your most sensitive data. Network Security. Elsevier Ltd, 2(12), 5–8. https://doi.org/10.1016/S1353-4858(12)70111-3.
Narain Singh, A., Gupta, M. P., & Ojha, A. (2014). Identifying factors of “organisational information security management”. Journal of Enterprise Information Management, 27(5), 644–667. https://doi.org/10.1108/JEIM-07-2013-0052.
Ponemon Institute LLC. (2017). 2017 cost of data breach study (pp. 1–34). Available at: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN&.
Puhakainen, P., & Siponen, M. (2010). Improving employees’ compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 757–778.
Roy Sarkar, K. (2010). Assessing insider threats to information security using technical, behavioural and organisational measures. Information Security Technical Report. Elsevier Ltd, 15(3), 112–133. https://doi.org/10.1016/j.istr.2010.11.002.
Safa, N. S. (2017). The information security landscape in the supply chain. Computer Fraud and Security. Elsevier Ltd, 2017(6), 16–20. https://doi.org/10.1016/S1361-3723(17)30053-2.
Safa, N. S., Maple, C., Watson, T., & Von Solms, R. (2018). Motivation and opportunity based model to reduce information security insider threats in organisations. Journal of Information Security and Applications. Elsevier Ltd, 40, 247–257. https://doi.org/10.1016/j.jisa.2017.11.001.
Schneier, B. (2011). Secrets and lies: Digital security in a networked world. Wiley.
Silic, M., & Back, A. (2014). Shadow IT – A view from behind the curtain. Computers & Security. Elsevier Ltd, 45, 274–283. https://doi.org/10.1016/j.cose.2014.06.007.
Siponen, M. T., & Oinas-Kukkonen, H. (2007). A review of information security issues and respective contributions. The Data Base for Advances in Information Systems, 38(1), 60–80. https://doi.org/10.1145/1216218.1216224.
Smith, S., Winchester, D., Bunker, D., Jamieson, R., Jamieson, R., & Bunker, D. (2010). Circuits of power: A study of mandated compliance to an information systems security “De Jure” standard in a government organisation. MIS Quarterly, 34(3), 463–486.
Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005). Analysis of end user security behaviors. Computers & Security, 24(2), 124–133.
Symantec. (2017). 2017 internet security threat report.
Tuoi Tre. (2016a). Banks on the defence following Vietnam Airlines data breach. Available at: https://tuoitrenews.vn/business/36271/banks-on-the-defence-following-vietnam-airlines-data-breach.
Tuoi Tre. (2016b). Cyberattacks on Vietnam airports were well-planned: Association.
Venter, H. S., & Eloff, J. H. P. (2003). A taxonomy for information security technologies. Computers & Security, 22(4), 299–307. https://doi.org/10.1016/S0167-4048(03)00406-1.
Vietnam MIC. (2017). White book of Viet Nam information and communication technology 2017.
Von Solms, B. (2001). Information security – A multidimensional discipline. Computers & Security, 20(6), 504–508. https://doi.org/10.1016/S0167-4048(01)00608-3.
Von Solms, B., & Von Solms, R. (2004). The 10 deadly sins of information security management. Computers & Security, 23(5), 371–376. https://doi.org/10.1016/j.cose.2004.05.002.