Chapter 3: Research Design and Methodology
According to Mayer (2017), the research methodology is the most important section of a research study, as it deals with understanding and framing the research issue in a systematic and well-proportioned manner. According to Creswell and Poth (2017), the research methodology is an essential summary of the techniques or methods applied to examine the research issue. Research philosophy, design, approach, strategy, data collection method and sampling method are the research techniques utilised for this study. Furthermore, this section sets out the ethical and accessibility issues, the data analysis plan and the research limitations experienced by the investigator throughout the study.
3.2 Research Philosophy
According to Marshall and Rossman (2014), the research philosophy determines the nature of the facts involved in a research study. It is the concept, established by the researcher, of how data or information about the phenomenon should be accumulated, analysed and employed in the study. According to Mertens (2014), the three types of research philosophy are positivism, realism and interpretivism. Positivism involves an unbiased analysis of the research study based on the essential details available, while interpretivism involves the subjective analysis of information. Realism focuses on the practical inspection of data.
For the present research study, the researcher has adopted the positivism philosophy, as it helps the investigator to identify the actual content of the research study. The positivism philosophy does not involve human interests and is highly independent of the researcher (Mertens, 2014). This philosophy enables the investigator to establish the cause-effect association among the variables involved in the research study. The positivism philosophy offers guidelines to the investigator in examining the impact of Interdependent Security Risks on corporate information security investment in the case of Virgin Mobile and Vodafone, UK. This philosophy also enables the researcher to investigate the efficacy and effectiveness of the three most used interdependent security risk mitigation strategies: cyber insurance, risk pooling arrangements (RPAs) and managed security services (MSSs). By using this philosophy, the researcher evaluated the significance of interdependent security risks in overall corporate information security strategy and their influence on corporate information security investment.
3.3 Research Approach
According to Smith (2015), the research approach implies the total capability of the investigation's claims. The research approach refers to amassing trustworthy and effective data for methodically conducting the research study and accepting the assessed facts. The research approach is categorised into two types: inductive and deductive. In the opinion of Bryman (2015), the inductive approach refers to developing a new principle based on the information collected for the study. The deductive approach, by contrast, is built on existing theory, and the investigation is developed from that source.
In the present research study, the researcher has adopted the deductive approach, since the study is aimed at examining an existing principle. The deductive approach is closely connected to quantitative studies and the positivism philosophy (Smith, 2015). By executing the deductive approach, the investigator was able to gather information regarding the research variables, Interdependent Security Risks and corporate information security investment. It also helps the investigator to obtain more convincing outcomes through the quantitative approach. Employing this approach has allowed the investigator to investigate the impact of Interdependent Security Risks on corporate information security investment in the case of Virgin Mobile and Vodafone, UK. By utilising the deductive approach, the investigator was able to contribute recommendations for augmenting corporate information security in the UK telecommunication industry, thereby illustrating the quantitative facts relating to the research issue.
3.4 Research Design
According to Merriam and Tisdell (2015), the research design is the presentation of the precise actions taken to find the outcome of the research issues. A research design is the complete strategy chosen for systematically arranging the various mechanisms utilised in the research study. The three main types of research design are exploratory, descriptive and explanatory. According to Yin (2013), exploratory research design supports the assessment of existing difficulties and obtains additional information connected with the research topic. Explanatory research design assesses the association between the independent and dependent variables. Descriptive research design deals with the real participants involved in the research.
The researcher has adopted the explanatory research design, as it helped the investigator to accept the evidence and strategies on the research issue more precisely. This research design enabled the investigator to obtain more data from the fundamental hypothesis about the study parameters and to assess the fundamental association among them (Merriam and Tisdell, 2015). By employing this research design, data gathering concerning the study issue assisted the researcher in examining the variables, Interdependent Security Risks and corporate information security investment. The explanatory research design helps the investigator to discover ample statistics about the strategies used by the telecommunication companies Virgin Mobile and Vodafone in the UK for evaluating the impact of Interdependent Security Risks on corporate information security investment.
3.5 Research Strategy
According to Robson and McCartan (2016), the research strategy is the identification and selection of a methodical plan or method for gathering the research data. The research strategy determines both the quantitative and qualitative information necessary for the study. Case study, survey and interview are some of the research strategies included in the study. According to Kratochwill (2013), a case study adds to our awareness of organisational, individual, social and political phenomena. A case study elucidates real occurrences. Interview methods are employed when the study is qualitative in form. The survey is a quantitative form that leads to the statistical study of the research issue.
For the present research study, the researcher has adopted the case study strategy, as the information for conducting the study is accumulated from secondary sources. The case study strategy is implemented only when the investigator has a slight understanding of the research question (Kratochwill, 2013). To undertake the case study, the researcher has chosen several secondary data sources that are accessible to the researcher. The case study method helped the investigator to determine the impact of Interdependent Security Risks on corporate information security investment in the case of Virgin Mobile and Vodafone in the UK.
3.6 Data Collection Method
According to Creswell (2013), the data collection technique is an important section of a research study, as it supports the successful attainment of the research objectives. The process of data collection refers to the procedure of assigning and gathering knowledge about the study variables in a successive order, so as to answer the study questions and offer a precise conclusion. The two types of data collection technique are the primary and secondary data collection methods. In the opinion of Robson and McCartan (2016), both quantitative and qualitative data can be accumulated with the help of primary data. Primary data collection involves the investigator in the collecting process and therefore gathers information directly from the respondents. Secondary data can be gathered from both internal and external sources such as journals, books, websites, company reports, magazines, etc.
For the present research study, the researcher employed the secondary data collection method and therefore used secondary data sources to gather data on the study variables (Robson and McCartan, 2016). The researcher employs both internal sources, such as company websites, annual reports and sales reports, and external sources, such as books, journals, newspapers and articles. By relying upon secondary sources, the investigator could extract pertinent and appropriate data about the research condition. Secondary data gathering was carried out by studying the research subject and identifying extracts connected to the study topic. An in-depth case study could be established by the researcher using suitable background knowledge obtained from the existing secondary data. By utilising secondary resources, the investigator develops an appropriate conceptual framework and theoretical model for the study topic under research. The key advantage of secondary data collection is that this technique requires less cost, effort and time.
3.7 Sampling Method
According to Fraley and Hudson (2014), sample-based research studies produce productive results, and the research study requires a sample size and population to be defined. The sample is defined as the subset of the population under consideration. The entire population cannot be included in the study, and thus representative elements are extracted using sampling methods. This is then considered the sample size. According to Rubin and Babbie (2016), the two major divisions of sampling technique are the non-probability and probability sampling methods. The types of probability sampling are cluster sampling, stratified sampling, simple random sampling, systematic sampling and multistage sampling. The types of non-probability sampling are consecutive sampling, convenience sampling, quota sampling, snowball sampling, criterion sampling and judgment sampling.
For the present research study, the researcher considers the whole set of studies associated with the study topic under research. By using criterion non-probability sampling, a specific sample size is drawn from the whole population. The researcher selected criterion sampling in order to choose suitable cases according to pre-defined criteria. By utilising the criterion sampling method, the researcher has extracted the relevant studies that fulfilled the criteria, and the investigator could therefore gain the data that applies to the current research. The investigator has made use of several major cases related to the study topic, i.e. cases concerning the impact of Interdependent Security Risks on corporate information security investment in the case of Virgin Mobile and Vodafone.
3.8 Data Analysis Plan
Through the development of case studies and theoretical results, the data pertinent to the study problem have been collected methodically. However, it is vital to interpret this evidence in order to provide the final results. In this research, the researcher has utilised descriptive analysis of the secondary data sources to explore the study issue in detail. Since this study uses only secondary sources, the investigator utilised only secondary data analysis tools. Detailed evaluation of the case study was completed with the assistance of the descriptive analysis technique. The descriptive technique has assisted the investigator in summarising and describing the outcomes. It has also helped the investigator to draw out the similarities and inconsistencies between the current outcomes and previously existing studies.
3.9 Ethical issues
The investigator has taken the necessary care over appropriate referencing and citations, the genuineness of the secondary data, plagiarism concerns, etc. The researcher strictly followed the Data Protection Act 1998 to sustain ethical standards in all phases.
3.10 Research Limitations
The sole dependence on secondary resources is one of the main limitations of the research study. The lack of primary knowledge has affected the dependability of the research findings. Time restrictions have compelled the researcher to select a restricted number of sample cases for developing the case study. Monetary restrictions have produced accessibility issues in obtaining secondary data, as most of the journals and websites required paid subscriptions.
This chapter has set out the selected research techniques along with the applicable justifications. The use of the positivism philosophy along with the deductive approach permitted the analysis and data gathering procedure. The use of the explanatory design has been highly appropriate for obtaining the link between Interdependent Security Risks and corporate information security investment in the telecommunication industry. The present study has depended only on secondary resources for data collection, and suitable case studies were constructed. The investigator also set out the research limitations, ethical considerations and data analysis plan in this chapter.
Chapter 4: Data Analysis and Interpretation
The present chapter deals with the critical evaluation of the collected secondary information. The researcher depended on various internal and external secondary sources to gather the information necessary for evaluating the impact of Interdependent Security Risks on corporate information security investment in the UK. To assess the research problem, the researcher has discussed the case of two leading telecommunication companies in the UK, Vodafone and Virgin Mobile. In the case study evaluation section, the researcher will cross-evaluate the collected literature review and the case study findings. Gaps that exist between the collected information and the judgement of findings will also be covered in this chapter.
4.2 Plan of analysis
To analyse the impact of Interdependent Security Risks on corporate information security investment in the UK telecommunication sector, the researcher has analysed the case of Vodafone and Virgin Mobile in the UK. By reviewing various reliable websites of Vodafone and Virgin Mobile, online newspapers, etc., the researcher has gathered adequate data for the present study. By assessing the Interdependent Security Risks faced by Vodafone and Virgin Mobile and the various risk management approaches adopted by the companies to ensure information security, the researcher has evaluated the research issue critically.
4.3 Case study of Vodafone, UK
Vodafone is a leading mobile telecom service provider headquartered in the UK. The company offers various telecom services such as voice services, messaging services, fixed broadband, fixed voice and data solutions, mobile advertising and business managed services, data services, data roaming and mobile Internet. Vodafone offers personal solutions, branded devices and phones, and business solutions. In 2014, the company had 434 million subscribers globally and 19.4 million subscribers in the UK. In the same year, the company achieved £43.6 billion revenue and £12.8 billion profit (Vodafone, 2017d).
In the telecommunication sector, information security is a key element that organisations need in order to gain the trust of customers and thereby improve customer loyalty and company profitability. Vodafone (2017a) noted that the company considers customer data to be one of its major assets and gives high importance to protecting customer information appropriately. Every day, the company handles a large amount of customer information in different forms such as paper, electronic, spoken and written. Vodafone places a high focus on managing and securing customer information effectively and thereby ensuring availability, integrity and confidentiality. To guarantee the confidentiality of the data, the company does not allow unauthorised people to access customer information. By using authentic, complete and accurate customer information and software, the company ensures integrity in information security (Palmer, 2014). Apart from this, Vodafone (2017b) reported that, to improve the security awareness of customers and protect them from phishing and malware, the company offers various tips and suggestions to customers through its official website. This strategy helps the company to reduce cyber-attacks considerably.
According to Vodafone (2017c), Vodafone maintains an effective internal culture that helps employees to recognise the significance of respecting and protecting customer information. The strong internal culture also helps staff to understand the critical nature of security and privacy risks and the effective methods of managing them. Thus, the company can improve customer trust and the respect of peers, stakeholders and colleagues. To ensure the privacy and security of information, the company delivers a range of scalable managed security solutions through its selected partners (Vodafone, 2017a). The main managed security solutions of Vodafone are:
Data Protection: To avoid the loss and hacking of information both outside and within the corporate firewall, the company uses various tactics such as:
- Media Encryption and Port Control: It helps to prevent unauthorised people from copying and accessing customer data.
- Data Leak Protection (DLP): It identifies and stops the unauthorised transmission and usage of data.
- Backup and Recovery: To ensure data protection, the information must be backed up on company PCs and laptops, which allows the data to be reused even if it is used by unauthorised parties.
- Full Disk Encryption: User-friendly encryption assists the company in protecting data (Vodafone, 2017b).
Network protection: To control unauthorised access to the network through remote working, the company uses the following portfolio:
- Web Content Management: It allows users to enforce their web browsing policies and ensures data protection from unsafe sites and web-based malware.
- Private APN: It offers direct and secure access to the company LAN.
- Two Factor Authentication: It enhances login security through a cost-effective and easy method.
- SSL VPN: It allows users to use the virtual private network with a standard and safe web browser (Vodafone, 2017c).
Endpoint Protection: It is beneficial for protecting hand-held devices from malware attacks. The main elements of the endpoint protection portfolio are:
- Patch Management: It guarantees that every staff member gets the newest upgrades.
- Personal Firewall: It ensures safety of the systems through always-on protection against cybercrime and hackers.
- Anti-Malware: It protects the users from risks including pharming and phishing attacks, malicious mobile code and spyware.
- Anti-Virus Update Management: It protects the device whenever the system connects to the internet.
- Anti-Virus: It offers better protection to control, detect and eliminate computer Trojans, worms and viruses (Vodafone, 2017c).
However, Bagchi (2015) reported that even though companies invest heavily in information security to control and eliminate a wide range of privacy and security risks, and thereby improve customer trust, loyalty and commitment, companies have recently faced a large number of issues in ensuring the security of customer information. As per the report of PTI (2016), in 2015 the company faced a cyber-attack which resulted in the theft of private information, including banking details, of nearly 2000 customers. By using the passwords and email addresses of many customers obtained from unknown sources, the hackers accessed customer information including bank sort codes, mobile phone numbers, names, etc. In November 2015 alone, the company witnessed two cyber-attacks. The frequent occurrence of cyber-attacks reduced customers' trust in the company, which resulted in the turnover of many potential customers. In this context, it is important for Vodafone to invest more in information security to control interdependent security risks in the company.
4.4 Case study of Virgin Mobile, UK
Virgin Mobile is one of the top telecom service providers in the UK. The company provides wireless services to over 4 million customers in the country. Virgin Mobile also operates in the US, India, France, Qatar, Canada, South Africa and Australia. The firm offers services through the T-Mobile network and operates as an MVNO (mobile virtual network operator). As per the report of Virgin (2017c), in 2014 the company had 4.9 million subscribers and earned £161.6 million profit and £1.026 billion revenue.
As per Jackson (2017), retention of potential customers is essential for organisations to attain competitive advantage. Recognising the significance of ensuring the security and privacy of customer information for improving brand value and recognition in the market, Virgin Mobile has taken great care to ensure data protection. Perez (2017) noted that the company uses industry standard encryption technology, Secure Socket Layer (SSL) technology, to encrypt the information gathered from customers. This technology helps the company to prevent misuse of the information when it is sent over the internet. The company saves customer information on a secure server, and only authorised personnel have permission to access it. Even though this technology is effective in reducing the risks associated with information security, Virgin Mobile does not promise the safety of personal information sent online (Virgin Media, 2017b).
According to Jackson (2017), Virgin Mobile offers customers free mobile security software, F-Secure SAFE, to protect personal information from attacks and loss. This software is highly helpful for application privacy protection, parental controls, finder and device wipe, web browsing and banking protection, and virus protection. Thus, through adequate investment in information security, the company can improve its brand reputation and customer loyalty. The increase in customer engagement helped the company to boost its revenue and profit and thereby to achieve a leading position in the telecom industry.
According to the report of The Mail (2017), 9.4 million British people have fallen victim to cyber crime, and Virgin Mobile has seen the need to strengthen mobile security. The report mentioned that the company is offering mobile customers a comprehensive and advanced security package known as F-Secure KEY and F-Secure SAFE premium Password Manager Services. Virgin Media (2017b) noted that the service is provided to customers free in the first year and with a 70% saving from then onwards. The service could be used free on up to 7 devices, including tablets and phones, for one year and could be obtained via the Virgin Media website.
F-Secure SAFE includes services such as virus protection, browsing and banking protection, password remembering, app scanning and anti-theft protection (Virgin Media, 2017b). The fact that the software supports both Android and iOS based phones has increased the scope of mitigation, and Virgin Media (2017a) notes that the software costs £79.9. The report of Goodin (2012) outlined that the company informed customers to change their passwords to protect themselves from hacking. The report also mentioned that Virgin Mobile looks forward to upgrading its systems regularly to meet industry standards. BBC (2017) notes that the company provides advice to customers on updates and allows them to update the Hub 3.0, which provides additional security provisions to customers.
It was also mentioned that Virgin freezes the customer account after five failed login attempts. The company has implemented a two-factor authentication mechanism that controls user account access, in line with the managed authentication service of Virgin Media as the security solution (Virgin Media, 2017b). However, Goodin (2012) notes that Virgin subscribers were found to be vulnerable to account hijacking after such mitigation practices, and the company's actions, including asking customers for their passwords, were also alleged to be a move that could inflict catastrophe.
4.5 Case study analysis
The current study was conducted to analyse the impact of Interdependent Security Risks on corporate information security investment in the UK. From the analysis of the Vodafone case study, the researcher understood that cyber-attacks and hacking are the key challenges faced by the company, and that they pose a great threat to Vodafone's ability to retain potential customers and improve its brand reputation. Similarly, from the literature review, it was understood that lack of data protection is a significant factor in the declining trend in customer trust in most organisations (National Cyber Security Centre, 2017; and Crane and Matten, 2016).
It was also noted from the case study that Vodafone uses various managed security solutions for data protection, network protection and endpoint protection. These assisted the company in protecting customer information effectively, which improved customer satisfaction and loyalty and thereby favourably influenced company performance. Likewise, it was understood from the literature review that managed security services (MSS) are effective in fulfilling security needs. This is an effective security risk management approach, and it allowed companies to guarantee data protection and eliminate potential risks (National Cyber Security Centre, 2017; Ramona and Cristina, 2011; and Ulltveit-Moe, 2014).
The researcher also understood from the analysis of the case study observations that even though the company gives high significance to ensuring the security and privacy of customers' personal information, it faced a high threat to guaranteeing data protection, which resulted in the turnover of a large number of customers. Similar to the case study findings, in the literature review, Crane and Matten (2016) and Burnap et al. (2017) highlighted that most companies in the UK faced issues in protecting data and that most firms frequently faced cyber-attacks.
It was found from the case study that, to control and manage information security risks effectively, organisations need to invest more in information security. More investment will help the company to implement better strategies and practices for controlling cyber-attacks. Similar to the case study findings, the literature review observations also highlighted the importance of raising corporate information security investment for controlling and managing information security risks (Barrett, 2017; Ashford, 2017; and Millman, 2016).
On the other hand, examining how the Virgin Mobile data and the literature corroborate each other, it could be seen that the two correlate significantly (Virgin, 2017b). Recalling the statements in the literature, McGrath (2016) underlined the presence of security breaches in organisations and the influence of information sharing in weakening IT systems. Amin, Schwartz and Sastry (2013) noted the financial and non-financial business losses that interdependent security issues can impose on a firm. The case study evaluation has also outlined that the risk issues could affect customer volume, where customer retention is an essential element of corporate success, as inferred by Jackson (2017). Matten's (2016) views in the literature showed that the most common security risks in the industry have been email spam and fraudulent practices, and that malware and other viruses have also posed a significant threat to customers. The case of Virgin Mobile was no exception: the report of The Mail (2017) noted that British people have fallen prey to cyber crime, which created the need to strengthen mobile security at Virgin Mobile. In the opinion of Perez (2017), the company has used industry standard encryption technology to prevent the misuse of pivotal information when it is sent over the internet. The use of a secure server and authorised access to information has been able to mitigate the risks to an extent. Analysing the opinions of Rak et al. (2013) and Perez (2017), it could be stated that both the case study and the literature review corroborate the view that data encryption is a prominent method utilised by organisations in the industry. The literature has also pointed out the importance of cloud computing in this area, which has created a revolutionary era in technology.
Scott-Hayward, Natarajan and Sezer (2016) noted the specific initiatives employed by organisations, and the case study aligned with this notion, showing that Virgin Mobile has implemented specific security software such as the F-Secure SAFE software noted by Jackson (2017). Virgin Mobile (2017) mentioned that the software supports both the iOS and Android platforms and includes services such as virus protection, password remembering and app scanning. Thus the software helps in evading the security risks from spam and emails recognised in the report of Matten (2016).
4.6 Identification of gaps
Shahrasbi et al. (2017) mentioned organisations adopting cyber insurance schemes to satisfy customers; however, the activities of Virgin Mobile and Vodafone show the provision of data protection services, including software such as antivirus and personal firewall, along with network protection. Thus the case study contradicts the claim that the majority of firms in the UK have adopted cyber insurance provision. Pearson (2013) stated in the literature that 55% of the firms in the country do not wield strategic adaptations like mobile device management; however, Vodafone (2017c) noted the supportive internal culture at Vodafone that encourages employees to protect customer information. The actions of Virgin Mobile, as inferred from Virgin Media (2017b), were also in line with Vodafone, though they contradict the literature. From the examination of the Gov. UK (2016) statement in the literature, it could be purported that the UK is considered to be the safest market in the world. The high security investment in the market was recognised as the integral factor that helped organisations avoid significant cyber attacks. However, analysing the case study facts, it could be inferred that the report of The Mail (2017) contradicts the claim of the UK being the safest market, as 9.4 Billion British people have fallen victim to cyber attack when compared to the rest of the world. Finally, the literature also noted that the investment was able to reduce privacy and security issues, which was contradicted by the observation of Bagchi (2015) that, even with strong investment, customer information security at Vodafone has been questioned in recent years.
4.7 Judgement of findings
The aim of this research is to evaluate the impact of interdependent security risks on corporate information security investment in the UK. The researcher has discussed the main risks associated with interdependent security risks, the different security risk management approaches, and how interdependent security risks impact corporate information security investment in the UK. It has been identified from the literature that major security risk management approaches such as cyber insurance, Risk Pooling Arrangements (RPAs) and Managed Security Services (MSSs) are cost-effective methodologies used for dealing with impending interdependent risks. The researcher has discussed the case study of Vodafone and Virgin Mobile to study the importance of the different security risk management approaches. Hence it is understood that these approaches would help organisations in enhancing their security assurance. From the case study analysis it was identified that the companies use various data protection and other tactics to avoid the loss and hacking of information from both outside and within the corporate firewall. Thus the importance of investing more in the information security of companies, and its effect in controlling interdependent security risks in the company, could be inferred.
Through this chapter of the dissertation, the analysis, evaluation and presentation of the various data gathered by the researcher were discussed. The researcher has also carried out an in-depth case study of Vodafone and Virgin Mobile by evaluating the different sources through this section.
Chapter 5: Conclusions and recommendations
In this final chapter, the present study reviews the accumulated data and the corresponding evaluations in order to perceive and interpret the pivotal outcomes in conclusion. The chapter will cross-examine the ability of the research to meet the objectives set out in the first chapter by recalling the literature and case study details. The section also entails certain recommendations on the basis of the obtained results, along with interpreting the limitations and recommendations for similar studies that could be attempted in the future.
Objective 1: To evaluate the interdependent security risks faced by businesses in the UK
The primary objective of this study was to scrutinise the prevalence of interdependent security risks in business undertakings in the UK by considering the case studies of companies like Vodafone and Virgin Mobile alongside a detailed analysis of the literature. According to McGrath (2016), interdependent risks are common in today’s world due to the integration of a multitude of segments through interconnected networks in business development. From the previously stated reference, it is observed that the UK, being a technological hub, has encountered multiple attacks on interconnected business systems. The recent Petya cyber attack and ‘WannaCry’ ransomware emerged as some of the most terrible attacks the UK has ever encountered. Petya affected organisations like Mondelez International, advertising company WPP, oil company Rosneft etc., whereas ‘WannaCry’ damaged the networks of the National Health Service (NHS), affecting the functionality and data security of these firms and service providers. Despite the presence of well-established security systems, telecommunication giants like Virgin Mobile and Vodafone also encountered multiple cyber attacks on their interconnected systems (National Cyber Security Centre, 2017).
Objective 2: To analyse how interdependent security risks shape corporate information security investment in UK companies
The second objective of the research was to analyse the investments associated with corporate information security when interdependent security risks are considered. The case study of Vodafone implied that the firm endorses financial investments in the areas of Media Encryption and Port Control, Web Content Management, Two Factor Authentication and Full Disk Encryption, etc., alongside a plethora of firewalls and antivirus products to prevent potential security breaches. The case study of Virgin Mobile also suggested the adoption of numerous technological integrations like Secure Socket Layer (SSL) technology, an app scanner, browsing, password and banking protection, and virus and anti-theft protection, alongside specialised training and development for its human resources. The literature review indicated that the monetary investments required for facilitating the technological and strategic integrations associated with information security approximate to thrice the liability claims and insurance associated with general security aspects. However, these investments are inevitable in today’s interconnected and evolving world of business development.
Objective 3: To assess the existing risk management approaches (cyber insurance, risk pooling arrangements (RPAs) and managed security services (MSS’s)) used for mitigating interdependent security risks in UK companies
The third objective of the current research was to assess the risk management approaches in the current UK industry. Through the literature, the study was able to understand the major risk management techniques mentioned above, namely risk pooling, cyber insurance and managed security services. The study has noted that companies have made strong investments in information security through the provision of data protection, network security and data encryption. The observations in the case studies of Vodafone and Virgin Mobile have also shown that the companies utilise certain security software and data encryption for managing the risk to customer information security. Hence it could be stated that the research has met the objective significantly.
The risk management approaches discussed in this paper differ in their effectiveness in reducing risk exposure. These approaches will also induce effective security risk investments to assure security operations in organisations. Although cyber insurance provides complete risk management in organisations, the researcher recommends that much more effective practices be introduced to improve the other two strategies discussed in the paper, Managed Security Services (MSSs) and Risk Pooling Arrangements (RPAs). These two approaches could be improved to induce a more efficient allocation of security resources in the organisation. In addition, the researcher recommends that risk assessment through a process called Risk Rank could enable the managers of an organisation to perform a more effective assessment of risk exposures. Moreover, the researcher recommends improving cloud infrastructure security so that organisations can assure security within the cloud computing landscape. Improvement of the current cyber insurance practices could also lead to effective mitigation of interdependent security risks.
5.4 Research limitations
Even though the research was successful in accomplishing its aims and objectives, the researcher confronted a certain level of impediments that restricted the scope of the study. The current study utilised the case study strategy alone, without primary data, which has been the premier limitation. The use of strategies like interviews or surveys could have strengthened the data accrued, laying a better foundation for the analysis. Limited accessibility to specific secondary data also restricted information gathering and consumed significant time.
5.5 Recommendations for future researchers
An important recommendation for researchers who might carry out similar investigations is to encompass both primary and secondary information in their study. Primary data enhance the value of the gathered information and improve the quality of research outcomes. Acquiring access to significant secondary materials is also recommended so that both the time and data adequacy limitations could be avoided.
AEDT (2016) Lack of cyber security knowledge leads to lazy decisions from executives. Available at: http://theconversation.com/lack-of-cyber-security-knowledge-leads-to-lazy-decisions-from-executives-68065 (Accessed: 21 August 2017).
Alpcan, T., Buttyán, L. and Baras, J.S. (2010) Decision and Game Theory for Security: First International Conference. Berlin: Springer.
Amin, S., Schwartz, G.A. and Sastry, S.S. (2013) Security of interdependent and identical networked control systems. Automatica, 49(1), pp.186-192.
Ashford, W. (2017) Nearly half of UK businesses lack a cyber security strategy. Available at: http://www.computerweekly.com/news/450415607/Nearly-half-of-UK-businesses-lack-a-cyber-security-strategy (Accessed: 21 August 2017).
August, T., Niculescu, M.F. and Shin, H. (2014) Cloud implications on software network structure and security risks. Information Systems Research, 25(3), pp.489-510.
Bagchi, S. (2015) Hackers Access 2000 Vodafone Customers’ Account; Are Telcos Listening?. Available at: http://www.cxotoday.com/story/vodafone-cyber-attack-an-eye-opener-to-telcos/ (Accessed: 02 September 2017).
Barrett, R. (2017) The cyber security skills gap in the UK: a multifaceted problem. Available at: http://www.information-age.com/number-students-taking-computing-classes-major-concern-123466856/ (Accessed: 21 August 2017).
BBC (2017) Virgin Media urges password change over hacking risk. Available at: http://www.bbc.com/news/uk-40371373 (Accessed: 02 September 2017)
Blair, D. and Roth, B. (2017) ‘WannaCry’ lesson for the Japan-U.S. alliance. Available at: https://www.japantimes.co.jp/opinion/2017/05/28/commentary/japan-commentary/wannacry-lesson-japan-u-s-alliance/#.WZUvvlUjGUl (Accessed: 17 August 2017).
Brown, L. (2017) Managing security risks: 5 common security gaps in the workplace. Available at: https://www.shredit.com/en-us/blog/securing-your-information/january-2017/managing-security-risks-5-common-security-gaps-in (Accessed: 21 August 2017).
Bryman, A. (2015) Social research methods. Oxford: Oxford university press.
Burnap, P., Cherdantseva, Y., Blyth, A., Eden, P., Jones, K., Soulsby, H. and Stoddart, K. (2017) Determining and Sharing Risk Data in Distributed Interdependent Systems. Computer, 50(4), pp.72-79.
Cezar, A., Cavusoglu, H. and Raghunathan, S. (2017) Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions. Production and Operations Management, 26(5), pp.860-879.
Clemente, D. (2013) Cyber Security and Global Interdependence: What Is Critical?. Available at: https://www.chathamhouse.org/sites/files/chathamhouse/public/Research/International%20Security/0213pr_cyber.pdf (Accessed: 17 August 2017).
Crane, A. and Matten, D. (2016) Business ethics: Managing corporate citizenship and sustainability in the age of globalization. London: Oxford University Press.
Creswell, J.W. (2013) Research design: Qualitative, quantitative, and mixed methods approaches. London: Sage.
Creswell, J.W. and Poth, C.N. (2017) Qualitative inquiry and research design: Choosing among five approaches. London: Sage.
Daneshkhu, S. and Milne, R. (2017) Companies struggle to recover after Petya cyber attack. Available at: https://www.ft.com/content/884992a8-5da7-11e7-9bc8-8055f264aa8b (Accessed: 21 August 2017).
Duffield, M. (2014) Global governance and the new wars: The merging of development and security. Zed Books Ltd.
Enders, W. and Sandler, T. (2011) The Political Economy of Terrorism. 2nd ed. Cambridge: Cambridge University.
Fraley, R.C. and Hudson, N.W. (2014) Review of intensive longitudinal methods: An introduction to diary and experience sampling research.
Gill, P. (2017) Democracy, law and security: Internal security services in contemporary Europe. Routledge.
Goodin, D. (2012) Millions of Virgin Mobile accounts at risk of password attacks. Available at: https://arstechnica.com/information-technology/2012/09/virgin-mobile-password-crack-risk/ (Accessed: 02 September 2017)
Gov. UK (2016) Britain’s cyber security bolstered by world-class strategy. Available at: https://www.gov.uk/government/news/britains-cyber-security-bolstered-by-world-class-strategy (Accessed: 21 August 2017).
Graham, C. (2017) NHS cyber attack: Everything you need to know about ‘biggest ransomware’ offensive in history. Available at: http://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-everything-need-know-biggest-ransomware-offensive/ (Accessed: 21 August 2017).
Huang, C.D. and Behara, R.S. (2013) Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints. International Journal of Production Economics, 141(1), pp.255-268.
Hull (2015) Risk management and financial institutions. London: John Wiley & Sons.
Jackson, M. (2017) Virgin Media Offer 1 Year of FREE F-Secure Security to Mobile Subscribers. Available at: http://www.ispreview.co.uk/index.php/2017/06/virgin-media-offer-1-year-free-f-secure-security-mobile-subscribers.html (Accessed: 02 September 2017).
Kratochwill, T.R. ed. (2013) Single subject research: Strategies for evaluating change. Haryana: Academic Press.
Laszka, A., Felegyhazi, M. and Buttyan, L. (2015) A survey of interdependent information security games. ACM Computing Surveys (CSUR), 47(2), p.23.
Lindros, K. and Tittel, E. (2016) What is cyber insurance and why you need it. Available at: http://www.cio.com/article/3065655/cyber-attacks-espionage/what-is-cyber-insurance-and-why-you-need-it.html (Accessed: 21 August 2017).
Marshall, C. and Rossman, G.B. (2014) Designing qualitative research. London: Sage.
Mayer, C.H. (2017) Research Design and Methodology. In The Life and Creative Works of Paulo Coelho (pp. 143-179). Boston: Springer
McGrath, S. (2016) Lack of security awareness poses a major threat to businesses. Available at: http://www.computerweekly.com/microscope/news/4500278103/Lack-of-security-awareness-poses-a-major-threat-to-businesses (Accessed: 21 August 2017).
Merriam, S.B. and Tisdell, E.J. (2015) Qualitative research: A guide to design and implementation. New Jersey: John Wiley & Sons.
Mertens, D.M. (2014) Research and evaluation in education and psychology: Integrating diversity with quantitative, qualitative, and mixed methods. London: Sage.
Metzger, M. (2016) Cyber-attack among World Economic Forum’s top global risks. Available at: https://www.scmagazineuk.com/cyber-attack-among-world-economic-forums-top-global-risks/article/531363/ (Accessed: 17 August 2017).
Millman, R. (2016) UK firms at risk due to employees’ lack of cyber-security awareness. Available at: https://www.scmagazineuk.com/uk-firms-at-risk-due-to-employees-lack-of-cyber-security-awareness/article/530513/ (Accessed: 21 August 2017).
National Cyber Security Centre (2017) The cyber threat to UK business. Available at: http://www.nationalcrimeagency.gov.uk/publications/785-the-cyber-threat-to-uk-business/file (Accessed: 21 August 2017).
National Research Council (2009) Department of Homeland Security Bioterrorism Risk Assessment: A Call for Change. Washington: National Academies Press.
Pal, R., Golubchik, L., Psounis, K. and Hui, P. (2014, April) Will cyber-insurance improve network security? A market analysis. In INFOCOM, 2014 Proceedings IEEE (pp. 235-243). IEEE.
Pal, R., Golubchik, L., Psounis, K. and Hui, P. (2017) Security Pricing as Enabler of Cyber-Insurance A First Look at Differentiated Pricing Markets. IEEE Transactions on Dependable and Secure Computing.
Palmer, D. (2014) Information security personnel are ‘unsung hereos,’ says Vodafone awareness manager. Available at: https://www.computing.co.uk/ctg/news/2353075/information-security-personnel-are-unsung-hereos-says-vodafone-awareness-manager (Accessed: 02 September 2017).
Pearson, S. (2013) Privacy, security and trust in cloud computing. In Privacy and Security for Cloud Computing (pp. 3-42). Springer London.
Peltier, T.R. (2016) Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Florida: CRC Press.
Perez, R. (2017) Virgin Media routers contain vulnerability which allows admin access. Available at: https://www.scmagazineuk.com/virgin-media-routers-contain-vulnerability-which-allows-admin-access/article/668398/ (Accessed: 02 September 2017).
Pernul, G., Ryan, P.T.A., and Weippl, E. (2015) Computer Security — ESORICS 2015: 20th European Symposium on Research in Computer Security, Vienna, Austria, September 21-25, 2015, Proceedings, Part 1. New York: Springer.
PTI (2016) Vodafone, Airtel networks witnessed cyberattacks in July: Manoj Sinha. Available at: http://www.bgr.in/news/vodafone-airtel-networks-witnessed-cyberattacks-in-july-manoj-sinha/ (Accessed: 02 September 2017).
PWC (2016) UK organisations double cyber security spend but aren’t seeing the return. Available at: http://pwc.blogs.com/press_room/2016/10/uk-organisations-double-cyber-security-spend-but-arent-seeing-the-return.html (Accessed: 21 August 2017).
Rak, M., Suri, N., Luna, J., Petcu, D., Casola, V. and Villano, U. (2013, December) Security as a service using an SLA-based approach via SPECS. In Cloud Computing Technology and Science (CloudCom), 2013 IEEE 5th International Conference on (Vol. 2, pp. 1-6). IEEE.
Ramona, E. and Cristina, A. (2011) ‘Security Risk Management – Approaches and Methodology’, Informatica Economică, 15, pp.228-240.
Rezvani, M., Sekulic, V., Ignjatovic, A., Bertino, E. and Jha, S. (2015) Interdependent security risk analysis of hosts and flows. IEEE Transactions on Information Forensics and Security, 10(11), pp.2325-2339.
Robson, C. and McCartan, K. (2016) Real world research. New Jersey: John Wiley & Sons.
Rubin, A. and Babbie, E.R. (2016) Empowerment series: Research methods for social work. Boston: Cengage Learning.
Scott-Hayward, S., Natarajan, S. and Sezer, S. (2016) A survey of security in software defined networks. IEEE Communications Surveys & Tutorials, 18(1), pp.623-654.
Shahrasbi, A., Shamizanjani, M., Alavidoost, M.H. and Akhgar, B. (2017) An aggregated fuzzy model for the selection of a managed security service provider. International Journal of Information Technology & Decision Making, 16(03), pp.625-684.
Shim, W. (2010) Interdependent risk and cyber security: An analysis of security investment and cyber insurance. PhD. Michigan State University. Communication Arts and Sciences-Media and Information Studies.
Smith, J.A. ed. (2015) Qualitative psychology: A practical guide to research methods. London: Sage.
Stallings, W. and Tahiliani, M.P. (2014) Cryptography and network security: principles and practice (Vol. 6). London: Pearson.
Sulleyman, A. (2017) ‘Petya’ cyber attack: list of affected companies shows scale of hack. Available at: http://www.independent.co.uk/life-style/gadgets-and-tech/news/petya-cyber-attack-affected-companies-hack-wpp-rosneft-mondelez-deutsche-post-security-problems-a7811056.html (Accessed: 21 August 2017).
The Mail (2017) ‘Lack of awareness’ among mobile phone users about cybercrime threat. Available at: http://www.nwemail.co.uk/news/national/article/Lack-of-awareness-among-mobile-phone-users-about-cybercrime-threat-91e93a79-ee1f-431c-af69-631674ce0fae-ds (Accessed: 02 September 2017).
True, J. (2017) Infographic: how to promote information security in the workplace. Available at: https://thycotic.com/company/blog/2017/01/05/information-security-risks-the-biggest-threats-to-data-security/ (Accessed: 21 August 2017).
Ulltveit-Moe, N. (2014) A roadmap towards improving managed security services from a privacy perspective. Ethics and information technology, 16(3), pp.227-240.
Virgin (2017) About us. Available at: https://www.virgin.com/virgingroup/content/about-us (Accessed: 02 September 2017).
Virgin Media (2017a) Virgin Mobile – security and privacy. Available at: http://store.virginmedia.com/the-legal-stuff/security-privacy-virgin-mobile.html (Accessed: 02 September 2017).
Virgin Media (2017b) Protecting mobile customers against cybercrime. Available at: http://www.virginmedia.com/corporate/media-centre/blogs/protecting-mobile-customers-against-cybercrime.html (Accessed: 02 September 2017).
Virgin Media (2017c) Virgin Media returns to revenue growth with 15,000 new TV customers. Available at: https://www.theguardian.com/media/2014/may/07/virgin-media-revenue-growth-tv-customers-broadband (Accessed: 02 September 2017).
Vodafone (2017a) Privacy and security. Available at: https://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security.html (Accessed: 02 September 2017).
Vodafone (2017b) Security awareness. Available at: https://www.vodafone.in/phishing-malware-protection (Accessed: 02 September 2017).
Vodafone (2017c) Vodafone security. Available at: http://www.vodafone.co.uk/cs/groups/public/documents/assets/vftst069475.pdf (Accessed: 02 September 2017).
Vodafone (2017d) Company history. Available at: https://www.vodafone.in/about-us/company-history (Accessed: 02 September 2017).
White, R. (2017) Cyber report 2016: UK businesses targeted 230,000 times each by cybercriminals. Available at: https://www.beaming.co.uk/cyber-reports/2016-year-cyber-attacks/ (Accessed: 21 August 2017).
Yin, R.K. (2013) Case study research: Design and methods. London: Sage.
Zhao, X., Xue, L. and Whinston, A.B. (2013) Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. Journal of Management Information Systems, 30(1), pp.123-152.
Zhu, Q., Alpcan, T., Panaousis, E., Tambe, M. and Casey, W. (2016) Decision and Game Theory for Security: 7th International Conference, GameSec 2016. New York: Springer.