Skip to main content
SpringerLink
Log in

The Effectiveness of Outsourcing Cybersecurity Practices: A Study of the Italian Context

  • Conference paper
  • First Online:
Proceedings of the Future Technologies Conference (FTC) 2021, Volume 3 (FTC 2021)

Part of the book series: Lecture Notes in Networks and Systems ((LNNS,volume 360))

Included in the following conference series:

Abstract

The increasing number of cyber-attacks requires an organizational awareness about the disruptive effects of fraud attempts and acts of vandalism on business continuity and, sometimes, on company survival. The context influences the way companies use and adapt these theories in practice, so we consider in this study differences in the effectiveness of cybersecurity best practices between organizations that manage internally or outsource the cybersecurity processes. We conducted a study involving 153 managers’ experts in cybersecurity who responded to a survey on the effectiveness of NIST procedures. Results revealed significant differences in the effectiveness of managing cybersecurity in-house or outsource it. Specifically, major differences can be observed in the variables related to the use of disciplinary processes, the protection of log information, and the use of lessons learned to improve recovery plans. These differences provide further insights for cybersecurity management literature and a practical instrument for organizations willing to adapt their cyber processes to their organizational context.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 229.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 299.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Collier, Z.A., Dimase, D., Walters, S., Tehranipoor, M.M., Lambert, J.H., Linkov, I.: Cybersecurity standards: managing risk and creating resilience. IEEE Comput. Soc. 47(9), 70–76 (2014). https://doi.org/10.1109/MC.2013.448

    Article  Google Scholar 

  2. Carayannis, E.G., Grigoroudis, E., Rehman, S.S., Samarakoon, N.: Ambidextrous cybersecurity: the seven pillars (7Ps) of cyber resilience. IEEE Trans. Eng. Manag. 68(1), 223–234 (2021). https://doi.org/10.1109/TEM.2019.2909909

    Article  Google Scholar 

  3. Framework for improving critical infrastructure cybersecurity: Version 1.0, Gaithersburg, MD (Feb 2014). https://doi.org/10.6028/NIST.CSWP.02122014

  4. DiMase, D., Collier, Z.A., Heffner, K., Linkov, I.: Systems engineering framework for cyber physical security and resilience. Environ. Syst. Decis. 35(2), 291–300 (2015). https://doi.org/10.1007/s10669-015-9540-y

    Article  Google Scholar 

  5. Ganin, A.A., et al.: Multicriteria decision framework for cybersecurity risk assessment and management. Risk Anal. 40(1), 183–199 (2020). https://doi.org/10.1111/risa.12891

    Article  Google Scholar 

  6. Li, H., (Robert) Luo, X., Zhang, J., Sarathy, R.: Self-control, organizational context, and rational choice in Internet abuses at work. Inf. Manag. 55(3), 358–367 (2018). https://doi.org/10.1016/j.im.2017.09.002

    Article  Google Scholar 

  7. Annarelli, A., Nonino, F., Palombi, G.: Understanding the management of cyber resilient systems. Comput. Ind. Eng. 149 (Nov 2020). https://doi.org/10.1016/j.cie.2020.106829

  8. Shah, A., Ganesan, R., Jajodia, S., Hasan, C.A.M.: An outsourcing model for alert analysis in a cybersecurity operations center. ACM Trans. Web 14(1) (2020). https://doi.org/10.1145/3372498

  9. Saleem, J., Adebisi, B., Ande, R., Hammoudeh, M.: A state of the art survey – impact of cyber attacks on SME’s. In: ACM International Conference Proceeding Series, vol. Part F130522 (Jul 2017). https://doi.org/10.1145/3102304.3109812

  10. ENISA threat landscape report 2018 — ENISA: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018. Accessed 29 Jan 2021

  11. Armenia, S., Angelini, M., Nonino, F., Palombi, G., Schlitzer, M.F.: A dynamic simulation approach to support the evaluation of cyber risks and security investments in SMEs. Decis. Support Syst. 147, 113580 (2021). https://doi.org/10.1016/j.dss.2021.113580

    Article  Google Scholar 

  12. Panemon: 2018 State of cybersecurity in small & medium size businesses (2018)

    Google Scholar 

  13. Ikerionwu, C., Edgar, D., Gray, E.: The development of service provider’s BPO-IT framework. Bus. Process Manag. J. 23(5), 897–917 (2017). https://doi.org/10.1108/BPMJ-10-2015-0146

    Article  Google Scholar 

  14. Doran, J., Ryan, G., Bourke, J., Crowley, F.R.: In-house or outsourcing skills: how best to manage for innovation? Int. J. Innov. Manag. 24(01), 2050010 (2020). https://doi.org/10.1142/S1363919620500103

    Article  Google Scholar 

  15. Benaroch, M.: Cybersecurity Risk in IT Outsourcing—Challenges and Emerging Realities, pp. 313–334. Springer, Cham (2020)

    Google Scholar 

  16. ISO/IEC 27001:2013: ISO – ISO/IEC 27001:2013 – Information technology — Security techniques — Information security management systems — Requirements. https://www.iso.org/standard/54534.html (2013). Accessed 19 Jan 2021

  17. Herath, T., Rao, H.R.: Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decis. Support Syst. 47(2), 154–165 (2009). https://doi.org/10.1016/j.dss.2009.02.005

    Article  Google Scholar 

  18. D’Arcy, J., Hovav, A., Galletta, D.: User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inf. Syst. Res. 20(1), 79–98 (2009). https://doi.org/10.1287/isre.1070.0160

    Article  Google Scholar 

  19. Li, L., He, W., Xu, L., Ash, I., Anwar, M., Yuan, X.: Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. Int. J. Inf. Manage. 45, 13–24 (2019). https://doi.org/10.1016/j.ijinfomgt.2018.10.017

    Article  Google Scholar 

  20. Ng, B.-Y., Kankanhalli, A., (Calvin) Xu, Y.: Studying users’ computer security behavior: a health belief perspective. Decis. Support Syst. 46(4), 815–825 (2009). https://doi.org/10.1016/j.dss.2008.11.010

    Article  Google Scholar 

  21. Ifinedo, P.: Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory. Comput. Secur. 31(1), 83–95 (2012). https://doi.org/10.1016/j.cose.2011.10.007

    Article  Google Scholar 

  22. Siponen, M., Adam Mahmood, M., Pahnila, S.: Employees’ adherence to information security policies: an exploratory field study. Inf. Manag. 51(2), 217–224 (2014). https://doi.org/10.1016/j.im.2013.08.006

    Article  Google Scholar 

  23. Vrhovec, S., MiheliÄŤ, A.: Redefining threat appraisals of organizational insiders and exploring the moderating role of fear in cyberattack protection motivation. Comput. Secur. 106 (2021). https://doi.org/10.1016/j.cose.2021.102309

  24. Dhillon, G., Syed, R., de Sá-Soares, F.: Information security concerns in IT outsourcing: identifying (in) congruence between clients and vendors. Inf. Manag. 54(4), 452–464 (2017). https://doi.org/10.1016/j.im.2016.10.002

    Article  Google Scholar 

  25. Akhuseyinoglu, N.B., Joshi, J.: A risk-aware access control framework for cyber-physical systems. In: Proceedings – 2017 IEEE 3rd International Conference on Collaboration and Internet Computing, CIC 2017, vol. 2017-January, pp. 349–358 (Dec. 2017) https://doi.org/10.1109/CIC.2017.00052.

  26. Cao, Y., Huang, Z., Yu, Y., Ke, C., Wang, Z.: A topology and risk-aware access control framework for cyber-physical space. Front. Comp. Sci. 14(4), 1–16 (2020). https://doi.org/10.1007/s11704-019-8454-0

    Article  Google Scholar 

  27. Doomun, M.R.: Multi-level information system security in outsourcing domain. Bus. Process Manag. J. 14(6), 849–857 (2008). https://doi.org/10.1108/14637150810916026

    Article  Google Scholar 

  28. Ahmad, A., Maynard, S.B., Shanks, G.: A case analysis of information systems and security incident responses. Int. J. Inf. Manage. 35(6), 717–723 (2015). https://doi.org/10.1016/j.ijinfomgt.2015.08.001

    Article  Google Scholar 

  29. Cezar, A., Cavusoglu, H., Raghunathan, S.: Outsourcing information security: contracting issues and security implications. Manage. Sci. 60(3), 638–657 (2014). https://doi.org/10.1287/mnsc.2013.1763

    Article  Google Scholar 

  30. Nah, F.F.-H., Lau, J.L.-S., Kuang, J.: Critical factors for successful implementation of enterprise systems. Bus. Process Manag. J. 7(3), 285–296 (2001). https://doi.org/10.1108/14637150110392782

    Article  Google Scholar 

  31. Comfort, L.K., Haase, T.W.: Communication, coherence, and collective action: the impact of Hurricane Katrina on communications infrastructure. Public Work. Manag. Policy 10(4), 328–343 (2006). https://doi.org/10.1177/1087724X06289052

    Article  Google Scholar 

  32. Wieland, A., Wallenburg, C.M.: The influence of relational competencies on supply chain resilience: a relational view. Int. J. Phys. Distrib. Logist. Manag. 43(4), 300–320 (2013). https://doi.org/10.1108/IJPDLM-08-2012-0243

    Article  Google Scholar 

  33. Scholten, K., Schilder, S.: The role of collaboration in supply chain resilience. Supply Chain Manag. 20(4), 471–484 (2015). https://doi.org/10.1108/SCM-11-2014-0386

    Article  Google Scholar 

  34. Knight, R., Nurse, J.R.C.: A framework for effective corporate communication after cyber security incidents. Comput. Secur. 99, 102036 (2020). https://doi.org/10.1016/j.cose.2020.102036

    Article  Google Scholar 

  35. Decreto direttoriale 6 novembre 2019 – Elenco dei manager qualificati e delle società di consulenza: https://www.mise.gov.it/index.php/it/normativa/decreti-direttoriali/2040421-decreto-direttoriale-6-novembre-2019-elenco-dei-manager-qualificati-e-delle-societa-di-consulenza (2019). Accessed 29 Jan 2021

  36. Warmbrod, J.R.: Reporting and interpreting scores derived from Likert-type scales. J. Agric. Educ. 55(5), 30–47 (2014). https://doi.org/10.5032/jae.2014.05030

    Article  Google Scholar 

  37. Cramer, D.: Fundamental Statistics for Social Research: Step-by-Step Calculations and Computer Techniques Using SPSS for Windows. Taylor and Francis (2003)

    Book  Google Scholar 

  38. Aldya, A.P., Sutikno, S., Rosmansyah, Y.: Measuring effectiveness of control of information security management system based on SNI ISO/IEC 27004: 2013 standard. In: IOP Conference Series: Materials Science and Engineering, vol. 550, no. 1 (Aug 2019). https://doi.org/10.1088/1757-899X/550/1/012020

  39. Gutiérrez-Martínez, J., Núñez-Gaona, M.A., Aguirre-Meneses, H.: Business model for the security of a large-scale PACS, compliance with ISO/27002:2013 standard. J. Digit. Imaging 28(4), 481–491 (2015). https://doi.org/10.1007/s10278-014-9746-4

    Article  Google Scholar 

Download references

Acknowledgment

This work is supported by the fund of the Department of Computer, Control and Management Engineering “Antonio Ruberti” of Sapienza University of Rome. The department has been designated by the Italian Ministry of Education (MIUR) for being “Department of Excellence” in advanced training programs in the field of cybersecurity.

Author information

Authors and Affiliations

  1. Department of Computer, Control and Management Engineering, Sapienza University of Rome, Rome, Italy

    Alessandro Annarelli, Silvia Colabianchi, Fabio Nonino & Giulia Palombi

Authors
  1. Alessandro Annarelli
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Silvia Colabianchi
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Fabio Nonino
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Giulia Palombi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Silvia Colabianchi .

Editor information

Editors and Affiliations

  1. Faculty of Science and Engineering, Saga University, Saga, Japan

    Kohei Arai

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Annarelli, A., Colabianchi, S., Nonino, F., Palombi, G. (2022). The Effectiveness of Outsourcing Cybersecurity Practices: A Study of the Italian Context. In: Arai, K. (eds) Proceedings of the Future Technologies Conference (FTC) 2021, Volume 3. FTC 2021. Lecture Notes in Networks and Systems, vol 360. Springer, Cham. https://doi.org/10.1007/978-3-030-89912-7_2

Download citation

Publish with us

Policies and ethics

Search

Navigation