Computers & Security 90 (2020) 101709

Contents lists available at ScienceDirect

Computers & Security

journal homepage: www.elsevier.com/locate/cose

Information security assessment in public administration

Edyta Karolina Szczepaniuk a, Hubert Szczepaniuk b,∗, Tomasz Rokicki b, Bogdan Klepacki b
a
Polish Air Force University, Dywizjonu 303 no. 35 ST., 08-521 Deblin,
˛ Poland
b
Warsaw University of Life Sciences WULS – SGGW, Nowoursynowska 166 ST., 02-787 Warsaw, Poland

a r t i c l e i n f o a b s t r a c t

Article history: The aim of the article is to characterise and assess information security management in units of public
Received 23 July 2019 administration and to define recommended solutions facilitating an increase in the level of information
Revised 21 November 2019
security. The article is considered a theoretical-empirical research paper. The aim of theoretical research
Accepted 28 December 2019
is to explain the basic terms related to information security management and to define conditions for
Available online 30 December 2019
the implementation of Information Security Management System (ISMS). Within the scope of theoreti-
Keywords: cal considerations, source literature, legislation and reports are being referred to. In the years 2016-2019,
Information security empirical research has been conducted, which aim was to assess the efficiency of information security
Cybersecurity management in public administration offices. The evaluation of results of surveys was accompanied by
Public administration an analysis of statistical relations between the researched variables, which enabled to define effects of
Information security assessment European Union regulations on the delivery of information security in public administration. Results of
Information security management
the empirical data show that in the years 2016-2017, in public administration offices, certain problem
areas in the aspect of information security management were present, which include, among others: lack
of ISMS organisation, incomplete or outdated ISMS documentation, lack of regular risk analysis, lack of
reviews, audits or controls, limited use of physical and technological protection measures, lack of training
or professional development. In the years 2018-2019, European Union solutions, i.e. the GDPR Regulation
and the NIS Directive, have affected the increase in the security level of information in public administra-
tion and have a significantly limited occurrence of identified irregularities. Results of the research enable
to assume that the delivery of information security in public administration requires a systemic approach
arising from the need for permanent improvement.
© 2020 The Authors. Published by Elsevier Ltd.
This is an open access article under the CC BY-NC-ND license.
(http://creativecommons.org/licenses/by-nc-nd/4.0/)

1. Introduction destructive effect on functioning of a public administration institu-

tion. Therefore, information security management in public admin-
Implementation of IT in most of the areas of activity of the istration affects the efficiency, reliability, and quality of the realised
state, the economy and the society, generates many opportunities public tasks.
regarding automation of management processes and increase in ef- Analysis of problems related to global phenomena within field
ficiency and quality of realized services. Simultaneously, the intro- of the information environment of the state enables to perceive
duction of IT solutions in the public sector implies the necessity development trends of threats to information for the elements of
to provide security of the realised services. For this reason, within critical infrastructure of the state (see e.g. WEF, 2019). Countries
public administration institutions, the Information Security Man- where public administration operates on the basis of new tech-
agement System (ISMS) is being implemented, which purpose is nologies, became sensitive regarding interference in information
to provide security of information resources of an institution and processes. Preventing threats and providing security of information
to provide uninterrupted realisation of institution’s mission. ISMS constitutes a significant challenge, both for specific countries, as
covers a set of planning and organisational undertakings and it is well as for international communities.
based on risk management of information threats which can have Many countries and organisations acknowledge the need to de-
velop efficient solutions that facilitate an increase in information
security level (see e.g. Janczewski and Caelli, 2015). In Poland,
∗
Corresponding author.
the National Interoperability Framework (Dz.U. [Journal of Laws]
E-mail addresses: [email protected] (E.K. Szczepaniuk), hubert_szczep
[email protected] (H. Szczepaniuk), [email protected] (T. Rokicki),
of 2012, item 526) have obliged entities in public finances sec-
[email protected] (B. Klepacki). tor to design, develop, establish, implement and improve an in-

https://doi.org/10.1016/j.cose.2019.101709
0167-4048/© 2020 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license. (http://creativecommons.org/licenses/by-nc-nd/4.0/)
2 E.K. Szczepaniuk, H. Szczepaniuk and T. Rokicki et al. / Computers & Security 90 (2020) 101709

formation security management system. The indicated obligations Theoretical foundations of information security management are
regarding information security management in public institutions aimed at indicating the fundamental problem in implementation of
were not reflected in practice multiple times, which is indicated ISMS which is the lack of systemic approach that would include in-
in the results of scientific research (Szczepaniuk, 2016), analysis stitution’s mission and its aspect of providing proper quality of de-
and reports, including the results of control presented by the Pol- livered services. Moreover, evaluation of information security man-
ish Supreme Audit Office (NIK, 2016). A symptom of changes in agement process utilising empirical research required adopting sci-
this aspect was the obligation to implement in the European Union entifically justified assessment criteria.
member states the principles of the so-called General Data Protec- The research issue, presented in a general overview, expresses
tion Regulation (GDPR regulation) (O.J.EU L 119/1, 4.5.2016 2016), the complex and interdisciplinary nature of the object and the
and the directive on measures to boost the overall level of cyber- goal of the research. Due to this fact, a research model proper for
security of networks and IT systems in the European Union (NIS systemic analysis has been adopted (see e.g. Sienkiewicz, 1995).
directive) (O.J. EU L 191/1, 19.7.2016 2016). In Poland, the European The adopted methodological approach enables to research issues
Union documents were implemented in form of passing, amongst present across distant fields of knowledge and to analyse various
others, the Personal Data Protection Act (Dz.U. [Journal of Laws] phenomena in a holistic approach, in which it is presupposed that
of 2018, item 10 0 0) and the Act on the National Cybersecurity the reality is being perceived as whole and not as a collection of
(Dz.U. [Journal of Laws] of 2018 item 1560). Implementation of parts.
the European Union solutions into Polish legal order resulted in The choice of research methods and tools was determined by
increase in information security level and privacy protection. Le- the adopted research process model. In the aspect of theoretical
gal acts of EU affected improvement of the organisation structure deliberation, the source literature, legislations and reports were re-
and security procedures (e.g. risk management procedure, infor- ferred to. Within the range of empirical research, a questionnaire-
mation security audits). Moreover, the number of effective physi- based survey was performed. Evaluation of results of the survey
cal and technical protection measures have increased (e.g. access was followed by analysis of statistical relations between the eval-
control mechanism, backup copies). A significant change also in- uated variables, which were assessed using a Chi-squared test and
cluded regular training and improvement of personnel skills (e.g. C Pearson contingency coefficient.
personal data protection trainings). In some of the public adminis- The Chi-2 (x2 ) test is a nonparametric statistical test which en-
tration institutions there are still many information threat vulner- ables to indicate the presence of relations between examined vari-
abilities present. Moreover, the environment of threats is dynami- ables. The formula of Chi-2 relation test is defined as follows (see
cally changing due to increase in range of advanced tools and at- e.g. Zibran, 2007):
tack techniques. The outlined context indicates a necessity to per-  2
form further research regarding information security in public ad- 
k
Oj − Ej
2
ministration in order to assess and improve the currently imple- x = (1)
Ej
mented solutions. Moreover, the research issues of this article also j=1

include the research priorities of the European Union in the aspect

key:
of cybersecurity (ENISA, 2017).
x2 – Chi-2 relation test
Oj – size observed for a given group
2. Research methodology
Ej – size expected for a given group
The C Pearson contingency coefficient is a measure of the
The subject of the research is the public administration insti-
strength of the relation between evaluated variables, and it is
tutions in Poland, in the context of processes of managing infor-
calculated using the following formula (see e.g. Vogt and John-
mation security. The public administration constitutes a complex
son, 2015):
mega-system comprised of multiple subsystems (see e.g. Możdżeń-
Marcinkowski, 2012). Functional and organisational complexity of

x2
public administration, regarding information security management, C= (2)
constitutes an interdisciplinary subject of research. The theoretical x2 + n
basis of the discussed issue originates in many academic fields, e.g. key:
computer science, management and quality sciences, security sci- C– C Pearson contingency coefficient
ences, legal theory. x2 – Chi-2 relation test
The main goal of the research is to assess information security n – test sample size
management in public administration entities in Poland and to in-
dicate recommended solutions which would facilitate an increase
of the level of security of information. Reaching the adopted goal 3. Theoretical basis of information security management
required realisation of the following, theoretical in nature, detailed
goals: 3.1. Definition of information security in public administration
- defining information security in public administration;
Source literature provides many definitions of information se-
- identification of information security threats in public ad-
curity. Adopting a specific interpretation requires referring to the
ministration institutions;
general theory of security and system security theory. As a conse-
- explaining the essence of security management in public ad-
quence of adopted determinations, it is reasonable to explain the
ministration;
essence of information security and to adopt a specific proposition
- defining conditions for the implementation of Information
of terminology clarifying specificity of information security in pub-
Security Management System.
lic administration.
The need to realise the above theoretical considerations within Security category is a complex and multi-dimensional term,
context of the adopted research goal is justified by the fact, that which is confirmed by a variety of typology and definitions avail-
within source literature, the issue of information security manage- able in source literature (see e.g. Brooks, 2009; Degaut, 2015;
ment in public administration is often analysed in a manner which Stańczyk, 1996). When perceiving public administration in terms
separates it from functioning of a public institution as an entirety. of a system, it is reasonable to interpret security from the point of
 E.K. Szczepaniuk, H. Szczepaniuk and T. Rokicki et al. / Computers & Security 90 (2020) 101709 3

Table 1
Attributes of information security.

No. Attribute Characteristics

1 confidentiality Providing that access to information is restricted only for authorised users
2 integrity Providing that information is preserved in its original form, except a situation when it is updated or erased by authorised personnel.
3 availability Providing that information is available for authorised persons in the required time.
4 accountability Related to unequivocal assigning a given range of actions to a specific user.
5 authentication Providing that identity of a user or resource is as declared

Source: Alhassan and Adjei-Quaye, 2017; Barczak and Sydoruk, 2003; Liderman, 2012.

view of systemic research. On the basis of systemic analysis, there (e.g. providing services for citizens) and external domain (e.g. co-
are two predominant approaches (Sienkiewicz, 2010): operation of public administration units). The functioning of pub-
lic administration is based on gathering, processing and sharing
- system security understood as a property of a researched information, therefore the information is one of the basic assets
object, characterised with resistance toward the occurrence and it is considered a protected value. A security incident may sig-
of dangerous situations (threats), while the focus is on the nificantly lower the quality of administrative service by disrupt-
vulnerability regarding the occurrence of security incidents; ing the process of its providing. In extreme cases, it may result in
- system security defined in terms of ability to protect the in- disabling possibility to provide services by public administrations
ternal values (resources) of an object against threats. (Szczepaniuk, 2016). Information security in public administration
According to the above definition, security is perceived in terms is related to the ability to provide realisation of administrative pro-
of a feature of a given system, which conditions the system’s relia- cesses and information security on every level of activity of public
bility and operational efficiency in case of occurrence of a security institutions.
incident. Therefore, term security should be considered in relation Information security is often defined in the context of providing
to possible threats. attributes of information security, expressed in Table 1. The first
One of the general system security models is the one devel- three attributes refer to information disregarding its form. The fol-
oped by Clements, according to which, the interaction between lowing attributes refer to providing data protection in ICT systems.
threats and a researched object is defined. Let there be a set of Information is considered secured if all attributes of information
all threats Z = {z1 , z2 , z3 , . . . , zn } and a set of all objects O = security are provided.
{o1 , o2 , o3 , . . . , on }. A set of all points which are vulnerable to at- Information security in public administration must be regarded
tack, that is – system penetration paths, can be expressed with a in the context of realisation of missions of an institution and deliv-
Cartesian product R ⊆Z × O, which defines interactions between ery of proper quality of the provided services, simultaneously pro-
the identified threats and objects (Stokłosa et al., 2010). A given viding attributes of information security. It is suggested to define
object may interact with multiple threats or a single threat may in- information security in public administration as a state and a pro-
teract with multiple objects. Threat identification can largely min- cess in which (Szczepaniuk, 2016):
imise the risk of its occurrence, due to the fact, that it provides the - Information security is achieved and sustained on a prede-
possibility to implement adequate security measures. termined level of confidentiality, integrity, and accessibility;
The Clements model defines a security system with the follow- - Security of provided services is achieved and sustained on a
ing set (Hoffman, 1982; Stokłosa et al., 2010): predetermined level of reliability, accessibility, and integrity
S = {O, Z, B, R, P} (3) of services;
- Authentication and accountability of entities, related to au-
key: thentication of users utilising specific information and ser-
O - set of objects at risk of threat, vices are provided;
Z - set of threats, - Elements which constitute the public administration system
B - set of security measures (protections), are characterised with the ability to protect against current
R ⊆ Z × O – set of penetration paths, and future disruptions (threats) for functioning or loss of
P ⊆ Z × B × O - set of penetration paths protected against at- specific values – the system is resistant toward threats (in-
tack. ternal, external, accidental, purposeful);
In the presented approach, a system is considered fully secured - Information and service users (employees in public adminis-
if for each attack-vulnerable point (penetration path) a security tration) and information and service recipients (citizens, en-
measure is provided. Public administration units are characterised trepreneurs, employees working in different public adminis-
with their own specificity, security measures, vulnerabilities, and tration units) are aware of threats and are invulnerable to
the resulting risk. Therefore, in order to provide a sufficient or- them;
ganisation of a security system, it is necessary to identify, analyse, - Perpetuators of security incidents (also internal offenders)
monitor, and improve specific elements of a system. Realisation of have restricted possibilities to use cyberspace for purpose
the adopted assumptions requires a systemic approach, due to the of generating threats by utilising vulnerabilities and gaps
fact, that between elements of a system, a cause-effect, time vary- within the security system.
ing relations occur.
Current deliberations suggest adopting the notion, that term in- 3.2. Information security threats in public administration institutions
formation security refers to the ability to secure legally protected
information against unauthorised interference, e.g. unauthorised Information security threats in public institutions can be anal-
disclosure, modification, erasing of information, or actions which ysed from the point of view of a whole country, a local authority
disable possibility to process information. When referring these unit, or a single institution. In the article, a single institution be-
determinations to information security in public administration, it longing to public administration system was focused on.
must be underlined, that the basic task of public sector institu- A public administration institution can be defined as a whole,
tions is realisation of public tasks both within the internal domain separated from public administration system, established accord-
4 E.K. Szczepaniuk, H. Szczepaniuk and T. Rokicki et al. / Computers & Security 90 (2020) 101709

ing to legal rules, realising tasks (goals) in legally defined forms analysis (Sienkiewicz, 2013):
and utilising available resources. A public administration institu-
 = S, O, R (5)
tion defined as above may be described using the following set of
elements (Szczepaniuk, 2016): key:
 - systemic situation,
U = {L, I, M, F , C, O, R} (4)
S- system which is an object of information threats,
key: O- environment comprising of objects considered source of in-
U - public administration institution, formation threats
L - human resources, R ⊂ S × O – set of relations.
I - information resources, Then, the object of threats (system), which is a public ad-
M - material resources, ministration institution, has a defensive potential: P(s) ≥ 0, s ∈ S,
F - financial resources, whereas the source of threats is characterised with its destructive
C - goals and norms (including the law), potential P(o) ≥ 0, s ∈ O. On the R set, a relation Rz = Rz(o, s ), was
O - organisational, procedural and technical solutions, defined, which results in (Sienkiewicz, 2013):
R - relations between elements of a public administration insti-
Vo,s o Rz s ⇔ P (o) ≥ P (s ) (6)
tution.
The main task of a public administration institution is realisa- That is – object s ∈ S is threaten by o ∈ O.
tion of public tasks related to decision making based on available Within source literature there are multiple classifications of in-
information. Based on the system theory, decision making in an formation security threats (see e.g. Howard and Longstaff, 1998;
institution is realised based on processing input information into Loch et al., 1992; Szczepaniuk, 2016). Security threatening situa-
output information (see e.g. Chikere and Nwoka, 2015). Consider- tions in public administration institutions may occur in multiple
ing definition of an institution defined in (4) and the character of dimensions, amongst others:
decision making in public administration, an institution is a set of
• Natural threats related to natural disasters, e.g. flood;
cooperating elements which gather data (input data) and process
• Traditional information threats related to activities aimed at
them, emit and deliver feedback in order to achieve an adopted
acquiring information, e.g. espionage;
goal (output data). An example of the process described above is
• Threats originating in cyberspace covering attacks on in-
issuing an administrative decision based on documents delivered
formation within ICT systems, e.g. man-in-the-middle at-
by parties of an administrative proceeding.
tack (MITM)
In a public administration institution, an executive subsystem
• Threats resulting from reliability of IT systems, e.g. software
and a management system may be differentiated. First of those re-
errors (gaps);
alises processes related with realisation of public tasks. The other
• Purposeful actions by institution’s employees, e.g. informa-
one realises management processes thus effecting required reali-
tion theft;
sation of environment needs within the executive system. Func-
• Threats occurring due to improper organisation and internal
tioning of a public administration institution may be realised us-
procedures of an institution, e.g. untrained employees gen-
ing paper, electronic or mixed circulation of documents. It must
erate a real threat; for instance, due to vulnerability toward
be noted, that circulation of documents in an institution managed
social engineering attacks;
electronically is realised in a different way than in an institution
• Threats breaching civil rights e.g. breaching personal data,
with paper-based circulation of documents. Those models differ in,
delivering information to unauthorised entities, identity
amongst others, the infrastructure utilised for circulation of docu-
theft.
ments, including also location and form of inflow (input data) and
outflow (output data) of documents and the method of their pro- Information security incidents in public administration institu-
cessing and circulation. Electronic documents flow into an informa- tions are conditioned on vulnerabilities which may occur in case
tion system, not an executive system, as it is realised in case of a of any of the indicated (4) elements of a public administration in-
system with paper-based circulation of documents. Both in Poland, stitution. It must be underlined, that every institution has its own
as well as over the world, many reports assessing level of advance- specific characteristics, e.g. utilised IT hardware, dedicated IT sys-
ment of e-administration (see e.g. e-Government Survey, 2018; The tems, organisation of an IT system, which are characterised with
Global Information Technology Report, 2016) were developed. In specific vulnerability regarding information threats. Therefore, de-
practice, in most institutions in Poland, a mixed circulation of doc- fence level of a public administration institution may be increased
uments with use of IT systems (e.g. Electronic Platform of Public utilising information security management which should be deter-
Administration Services – ePUAP), electronic public registers (e.g. mined by legal obligations, nature of operations realised by an in-
National Registers System – SRP) and circulation of documents us- stitution and the need of continuous improvement.
ing office instructions (e.g. an official letter is delivered in a paper
form to institution’s department of administration) is in place. 3.3. The essence of information security management in public
A public administration institution characterised as above may administration
be affected with various types of threats. It must be noted, that
institutions with paper-based circulation of documents are at risk Information security management in public administration is an
regarding other types of threats than institutions with electronic integral part of system management and it is related to rationalis-
circulation of documents, whereas in a unit utilising simultane- ing the choice of measures which provide functioning of the sys-
ously both solutions, both – information processed electronically tem according to its purpose in a dangerous environment. Informa-
and information processed traditionally may be at risk of security tion security management undergoes the same principles as any
incident. other field of management – it has its goal, plans, policy, solu-
Relating the above considerations to the Clements general se- tions regarding implementation, control and auditing instruments,
curity model discussed in (3) and the definition of information se- accounting management and programs related to sustaining cur-
curity proposed in the article, information threats for information rent results and continuous improvement and quality increase.
security in a public administration institution can be characterised. Takin into account considerations included in (4)–(6), the
For this purpose, the following systemic situation is proposed for essence of information security management can be explained in
 E.K. Szczepaniuk, H. Szczepaniuk and T. Rokicki et al. / Computers & Security 90 (2020) 101709 5

relations to the systemic situation described in (7)–(11), in which institution. In the source literature and in practical solutions, vari-
the following values are given (Sienkiewicz, 2015): ous methods for calculating costs in information security are ap-
plied, e.g. ROI method - Return on Investment, ROT method -
- external threats A(t) resulting from the environment of a
Real Options Theory, UM method - Utility Maximization (see e.g.
system, which correspond to the function of destructive
Schatz and Bashroush, 2017), ABC method - Activity-Based Cost-
threat potential,
ing, TDABC method - Time-Driven Activity-Based Costing (see e.g.
- resistance of a system toward external threats B(t), which
Leszczyna, 2017), ALE method - Annual Loss Expectancy (see e.g.
corresponds to function of defensive potential (securing).
Sklavos and Souras, 2006; Tsiakis and Stephanides, 2005).
The above-indicated characteristics of a situation are random func- In summary, the issue of information security management in
tions with known probability distributions: public administration can be expressed as (Sienkiewicz, 2013):

F (a, t ) = P {A(t ) < a}, - minimising risk function, provided that the value of effects
G(b, t ) = P {B(t ) < b}, (usability) achieved due to operating of a system will not be
below limit value (demanded), or
t∈T (7)
- maximising system efficiency function, provided that the
A generalised security factor of a system may be the probability, risk function will not exceed accepted value.
that threats will not exceed the acceptable (critical) level ao ≥ 0,
while system resistance will be above the bo limit value, that is: This framework should be sustained with regard to the ac-
cepted limit values of effects of threats, and accepted costs ded-
β (t ) ≡ β (ao, bo ) = P{A(t ) ≤ ao, B(t ) > bo } (8) icated for securing a system.
which leads to a system security assessment factor, provided sta-
tistical independence of the analysed values is delivered: 3.4. Implementation of information security management system
β (t ) = F (ao, t )[1 − G(bo, t )] (9)
Realization of the theoretical framework related to providing in-
Adopting the required system security level as β o > 0, it can be formation security in public administration relates to the necessity
indicated that in period T, the system is safe if in a given moment to implement Information Security Management System (ISMS). In
the following condition is realised: the process of implementation of ISMS, various standards are ap-
plied, such as ISO/IEC 27001, BS 7799, ITIL and COBIT (see e.g.
β (t ) ≥ βo, to < t ≤ to + T (10)
Susanto et al., 2011). In the article, the theoretical basis of imple-
System security analysis often includes using simplified procedures mentation of ISMS is driven from the ISO/IEC 27001 norm, which
which result in calculating probability: is the recommended solution in Poland.
According to the ISO/IEC 27001 standard, an Information Secu-
P = p(Ps < Po ) (11)
rity Management System is a „part of a holistic management sys-
that is, the probability of occurrence of an event in which the gen- tem, based on the approach resulting from a business risk, which
eral resistance (defensive potential) Ps is higher than the general refers to establishing, implementing, utilization, monitoring, sus-
threat Po (Sienkiewicz, 2015). taining and improving information security. ISMS includes orga-
Considering the above, the issue of information security man- nizational structure, policies, planning actions, liabilities, practices,
agement can be driven to optimisation of the distribution of se- procedures, processes and resources” (Liderman, 2006).
curity measures in relation to system penetration paths, in order The goal of an operating ISMS is to eliminate or minimize the
to provide protection for the system. In other words, a Ps level, risk of occurring information threats utilizing a set of planning, or-
which maximizes the security level β , can be defined. This gener- ganizational, technical and control activities. ISMS is an element
ates a necessity to choose such security strategy out of the set of of organisation management system, which is characterised by or-
acceptable variants, for which the anticipated value of effects of a ganisational structure, security policy, realised processes and re-
threat takes the minimal value, and the costs of implementation sources. Within the process of development of ISMS, the following
of a strategy will not exceed the accepted value. Therefore, imple- stages, presented on Fig. 1. can be distinguished.
mentation of protection must be preceded with defining limit val- The essence of ISMS includes organizational and technical
ues for results of threats and estimation of accepted value of finan- mechanisms in the aspect of providing information security, which
cial assets which can be spent on security measures. This implies should be adequate to the data interference risk. Analysis and risk
a necessity to adopt a specific methodology of information threat assessment in information security constitutes the basis of im-
risk management, and choice of method for calculating costs. plementation of ISMS in an organisation. The obligation to man-
In the practice of analysis of information threats, various risk age the risk for purpose of personal data protection and to pro-
assessment methods are used, e.g. OCTAVE - Operationally Criti- vide cybersecurity is stated also within European Union documents
cal Threat, Asset and Vulnerability Evaluation (see e.g. Alberts and - GDPR Regulation (O.J. EU L 119/1, 4.5.2016) and NIS Directive
Dorofee, 2003), CRAMM - CCTA Risk Analysis and Management (O.J. EU L 191/1, 19.7.2016). Implementation of ISMS according to
Method (see e.g. Yazar, 2002), MEHARI - Method of Risk Analysis ISO/IEC 27001 and based on solutions indicated by the European
(see e.g. Mihailescu, 2012), FMEA - Failure Mode and Effect Anal- Union and nationally, may be a complementary solution which in-
ysis (see e.g. Schmittner et al., 2014), ISRAM – Information Secu- cludes a wide spectrum of legally protected information.
rity Risk Analysis Method (see e.g. Karaback and Sogukpinar, 2005). Risk management in information security requires stocktaking
Moreover, risk management methods within norms, standards and and assessment of resources which may be at risk. The resources
good practice, e.g. ISO/IEC 27001 norm and the related norms are of specific value to an institution; therefore, the occurrence of
(see e.g. ISO/IEC 27001; ISO 27005), COBIT methodology (see e.g. a security incident generates specific consequences for an organi-
ISACA, 2013), NIST 800–37 (see e.g. NIST, 2018), have been devel- sation. Fundamental for risk analysis is the identification of threats
oped. which are defined as „any phenomenon (process, event), unwanted
As mentioned before, information security management re- from the point of view of an undisturbed operating of a system”
quires an increase in specific costs, which in case of complex so- (Sienkiewicz, 2013). The occurrence of a threat is facilitated by a
lutions may constitute a significant part of the budget of a given so-called vulnerability, which is a weakness or a gap in the security
6 E.K. Szczepaniuk, H. Szczepaniuk and T. Rokicki et al. / Computers & Security 90 (2020) 101709

Fig. 1. The ISMS Framework.

Source: Based on ENISA, 2006

Fig. 2. Diagram of interrelationships in risk management.

Source: Based on Tupa and Steiner, 2006.

system of a given object. The relation between a threat and vulner- grouped list of protection measures is included amongst others: in-
ability, expressed with the probability of occurrence of a threat and formation security policy, organisation of information security, hu-
the amount of loses generated by this threat, is referred to as the man resources security, assets management, access control, cryp-
risk. Risk analysis indicates requirements in the aspect of security, tography, physical and environmental security, operational security,
which are implemented in the form of protection measures which communication security, obtaining, development and maintenance
minimize the risk. The characterised interrelationships in risk man- of a system, managing incidents of information security incidents,
agement are presented in Fig. 2. managing continuity of management and compliance (Brewer and
The key element in the process of implementation of ISMS in Nash, 2010). These groups are detailed with recommended types
a public institution is implementing proper protection measures. of security measures and recommendations regarding implemen-
In the attachment A to the ISO/IEC 27001 norm, the following tation.
 E.K. Szczepaniuk, H. Szczepaniuk and T. Rokicki et al. / Computers & Security 90 (2020) 101709 7

Security environment and internal conditions of an organisation Table 2

Number of elements of ISMS in the researched institutions (years: 2016 – 2019).
are time variant; therefore, it is necessary to monitor and improve
elements of ISMS. Within ISO/IEC norms regarding ISMS, within Researched elements 2016 2017 2018 2019
the whole structure of the processes, the Deming cycle (PDCA Organizational structure, procedures, internal documents
model), developed in the 1950s, was applied. This model illustrates ISMS structural organization 9 14 31 42
a process of continuous upgrading of an institution and it is com- Certified ISMS 0 0 7 11
prised of the following stages: plan, execute, verify, act. Regarding Stocktaking of hardware and software 50 50 50 50
Information security policy 18 21 43 50
ISMS in public administration institutions, the PDCA model is a cy-
Risk management 5 5 23 38
cle of consecutive actions aiming to fulfil the main goal, which is Managing information security incidents 1 3 28 33
achieving information security within an institution. Managing vulnerabilities 0 2 11 29
Managing continuity of operations 0 1 13 29
Overviewing information security 5 8 18 37
3.5. Research results Information security audit 3 7 18 37
External controls 0 1 3 9
Theoretical analysis conducted in the article suggests the con- Physical and technical security measures
clusion that efficient information security management should in- Physical access control 17 27 39 45
IT systems access control 3 9 29 42
clude complex management of the security of information re- Monitoring use of IT systems 0 2 11 27
sources, infrastructure dedicated for its processing, knowledge, and Backup copies 1 5 18 32
competence of workers, and security measures within the whole Anti-virus protection 6 11 29 41
institution of public administration. Cryptographic security measures 0 2 9 23
For the purpose of performing empirical research and present- Human factor
ing research results, it is assumed that the management process in Improving skills within information security 0 1 3 3
Information security trainings 2 2 12 17
the institution of public administration depends on the following
Personal data protection trainings 25 25 42 50
factors: Defining range and responsibilities 7 12 31 42
Security of human resources 2 7 27 38
- legal – defined by the regulations of common law, which en-
Source: own work.
able the creation of conditions and rules of functioning of a
public administration unit;
- procedural and organisational – covering a range of respon- security policy, limited use of risk management, lack of vulnerabil-
sibility and internal regulations of a public administration ities and information security incidents management. In the years
unit; 2018 – 2019, after implementing into Polish legal framework the
- Physical and technical – covering physical and technical pro- European Regulation GDPR and the NIS directive, a significant in-
tection measures implemented in the institution of public crease in the number of entities with applied organizational struc-
administration; ture and ISMS documentation has occurred. In the year 2018, 31
- social (human factor) – related to the competence of em- (62%) of the researched entities have implemented ISMS organiza-
ployees of a unit; tional structure, which indicates an increase in 34% regarding the
- other resources of an organisation (e.g. capital), which influ- previous year. In the year 2019, 84% of entities have established or-
ence the efficiency of the information security management ganizational structure. Research results indicate that also the num-
system. ber of entities with certified ISMS has increased – 7 in the year
2018, and 11 in the year 2019. In the years 2018 – 2019, a signifi-
The adopted in the article research process model is charac- cant increase in the aspect of developing ISMS documentation and
terised by the rejection of the postulate on the dominance of any procedural solutions. The percentage of entities which in the year
of the organisational factors in the systemic concept of an or- 2019 have developed ISMS documentation and procedures shaped
ganisation. Upgrading organisation is equivalent to the demanded as follows: information security policy (100%), risk management
shaping of the all analysed factors (see e.g. Sienkiewicz, 1989). Due (76%), overviewing information security (74%), information security
to this fact, the empirical research has included legal, procedural, audit (74%), managing information security incidents (66%), vulner-
organisational, physical, technical, social and other elements and abilities management (58%), continuity of operations management
resources of an organization. (58%) and external controls (18%). In the years 2016 – 2019 all of
Empirical research was conducted using surveying with survey the researched entities were realizing stocktaking of hardware and
questionnaires. 50 public administration units took part in the re- software.
search. In order to determine the influence of the European Union Another field indicated in Table 2. includes chosen physical and
solutions (i.e. GDPR Regulation and NIS Directive) on information technical security measures. In the years 2016 – 2019, the physical
security management in the public administration in Poland, the access control mechanisms were the most often applied type of
research was performed in the years 2016 – 2019. Table 2 presents security measure in the researched entities. amongst used security
data regarding the number of chosen elements of a Security Man- measures, amongst others, the following were applied: monitoring,
agement System in the researched entities in the years 2016 – PIN code, and magnetic cards. In the years 2016 – 2017, most of the
2019. entities had not applied the mechanism of control of access to IT
Results of the research in the field of organizational structure, systems. Due to this, no measures which could prevent unautho-
procedures and internal documents in the years 2016 – 2017 have rised access to information were applied, e.g. no requirement for
shown a little involvement of public administration units in the password authentication, improper securing of access to a wireless
implementation of elements of ISMS. In the year 2016 – 18% of re- network. In the following years, a significant increase in applying
searched entities have applied organisational structure and in the for protection against unauthorised access to IT systems has oc-
year 2017 – 28%. None of the entities had implemented a certified curred. In the year 2016, none of the researched entities have mon-
ISMS compliant with ISO/IEC 27001. In the years 2016–2017, most itored the use of IT systems. In the following year, this mechanism
entities have not developed documentation or procedures, or they was applied only in two entities. In the following years, a signif-
were incomplete or outdated. amongst the identified irregularities, icant increase in using IT systems monitoring has occurred – 11
amongst others, the following were included: lack of information entities in 2018 and 27 entities in 2019. Another researched field
8 E.K. Szczepaniuk, H. Szczepaniuk and T. Rokicki et al. / Computers & Security 90 (2020) 101709

Table 3
Research on influence of European Union solutions on ISMS in public administration.

Variable A Chi-2 test C Pearson contingency coefficient

Empirical value Critical value Hypothesis verification Empirical value Relation strength
Variable B: years 2016 - 2019

Organizational structure, procedures, 504,9 7,81 positive 0,69 strong

internal documents
Physical and technical security 368,3 positive 0,74 strong
measures
Human factor 235,68 positive 0,7 strong

Source: own work.

was the backup copies which in the years 2016–2017 in most of resources were nullified significantly in most of the researched en-
the researched entities were not developed or were developed and tities.
stored improperly. Research results, amongst others, indicated: lack Analysis of the results enables to suspect, that there is a rela-
of a sufficient number of applications realising backup copies and tion between information security management in public adminis-
little knowledge about the necessity to create them. In the years tration and implementation of European Union solutions – GDPR
2018–2019, the number of entities in which backup copies were Regulation and NIS Directive, in the year 2018 into Polish legal or-
regularly created has increased. Cryptographic mechanisms were der. This hypothesis has been verified using a Chi-2 relation test
the most rarely used solution in the aspect of the researched field and the C Pearson contingency coefficient (Table 3).
of security. Percentage of entities applying cryptographic protection Statistical analysis of relations between elements: variable A
shaped as follows: 0% (year 2016), 4% (year 2017), 18% (year 2018), (organisational structure, procedures, internal documents, physi-
46% (year 2019). cal and technical security measures, human factor) and variable B
Research results in the field of society have revealed that in the (year of research), provides confirmation of the formulated hypoth-
years 2016 – 2019, in most of the researched entities, employees esis. There is a relation between the implementation of elements
were not increasing their skills, e.g. through external courses, train- of ISMS in public administration and the years of research. Since
ing or post-graduate studies. According to directors of these enti- the year 2018, public administration entities in Poland are obliged
ties, insufficient funds were the reason for this situation. In the to comply with the regulations contained in GDPR Regulation and
years 2016 – 2019, only in two entities, training in information NIS Directive, which implicates positive changes in the process of
security, including threats, results and consequences and protec- information security management in public administration.
tion providing measures, were organized. In the following years, In the year 2019, employees of public administration were also
an increase in the number of realized pieces of training occurred: researched in the aspect of knowledge on threats, effects of secu-
12 in 2018 and 17 in 2019. Significantly more often, personal data rity incidents, security measures, regulations of common law and
protection trainings were provided, which in the years 2016–2017 ISMS documentation. The survey’s questionnaire was completed by
were conducted in half of the researched entities. After applying 10 persons from each researched entity (500 respondents over-
the GDPR Regulation in Poland, which regulates personal data pro- all). For the purpose of analysis of research results, a hypothe-
tection, trainings were performed in most entities, i.e. 84% (the sis on the existence of relations between knowledge and aware-
year 2018) and 100% (the year 2019). In the years 2016–2017, defin- ness of respondents and education (IT, not IT) and realised train-
ing range and responsibility for the purpose of ISMS occurred in a ing, was adopted. amongst the respondents, 74 persons had a uni-
limited manner. In the following years, most entities have estab- versity degree in IT, while 170 persons were assigned for training.
lished range and competence in the aspect of information security Table 4 shows knowledge of the respondents within fields defined
management. In the years 2016–2017, in most entities, no security by the variable A, divided according to obtained education and per-
of human resources was delivered. These irregularities were re- formed training (variable B). Relations between variables was re-
lated to excessive granting of permissions in IT systems, i.e. author- searched using Chi-2 test and the C Pearson contingency coefficient
ities beyond the range of duties. Moreover, a problem of not deny- (Table 5).
ing or too late denying of authority in IT systems was identified. Statistical analysis of relations between the researched variables
amongst the reasons of the occurred irregularities, too small num- has shown that there is a strong relation between obtained edu-
ber of employed IT specialists or work overload, were indicated. cation and knowledge on threats and security measures. Research
In the years 2018–2019, irregularities related to security of human results indicated that there is a relation between education and

Table 4
Knowledge of the respondents in the researched entities.

Variable A Variable B: education Variable B: training

IT other realized Not realized

Has knowledge Has no Has knowledge Has no Has knowledge Has no Has knowledge Has no
knowledge knowledge knowledge knowledge

Threats 74 0 62 364 129 41 7 323

Effects 70 4 76 350 132 38 14 316
Security 73 1 51 375 117 53 7 323
measures
Legal regulations 32 42 210 216 145 25 97 233
ISMS 61 13 211 215 160 10 112 218
documentation
Source: own work.
 E.K. Szczepaniuk, H. Szczepaniuk and T. Rokicki et al. / Computers & Security 90 (2020) 101709 9

Table 5
Research on influence of education and training on knowledge of the respondents.

Variable Chi-2 test C Pearson contingency coefficient

A
Empirical value Critical value Hypothesis verification Empirical value Relation strength
Variable B: education

Threats 288,1 3,84 positive 0,61 strong

Effects 235,1 positive 0,57 moderate
Security measures 316,5 positive 0,62 strong
Legal regulations 1,4 negative – –
ISMS documentation 31,2 positive 0,24 weak
Variable A Variable B: training
Threats 348,1 3,84 positive 0,64 strong
Effects 328,4 positive 0,62 strong
Security measures 326,7 positive 0,63 strong
Legal regulations 140,8 positive 0,47 moderate
ISMS documentation 166,4 positive 0,5 moderate

Source: own work.

knowledge, i.e. moderate in the aspect of effects and weak in the - ISMS includes planning, procedural, organisational, physi-
field of ISMS documentation. No relation between IT higher educa- cal, technical and social solutions, which include information
tion and knowledge of regulations of common law was indicated. threat risk management and responsibilities defined in reg-
In summary, research results have shown irregularities in im- ulations of law.
plementation of ISMS in public administration in Poland, in the - ISMS includes planning, procedural, organisational, physical,
years 2016–2017. Implementation of European Union solutions in technical and social solutions which should be adequate to
Poland, in the aspect of personal data protection and cybersecu- the risk of interference in data and responsibilities defined
rity, have implicated positive changes in the aspect of organising in regulations of law. Implementation of ISMS requires es-
ISMS in public administration entities. A need to broaden knowl- tablishing, implementing, utilising, monitoring and improv-
edge and to raise the awareness of employees of public offices, in ing all elements of the system.
the aspect of information security management, was indicated. - Empirical research in the aspect of the implementation of
ISMS has shown, that in the practice of operating of ad-
4. Conclusions and recommendations ministrative entities, approaches to the protection of infor-
mation are various. In the years 2016–2017, in most enti-
Growth tendencies of information threats and changes in the le- ties, no basic elements of ISMS were implemented, or provi-
gal system impose on public administration entities an obligation sional attempts to implement a security system were under-
to introduce, implement and improve Information Security Man- taken, e.g. actions of individual departments which were not
agement System. With regard to the object and the aim of the re- coordinated within the whole institution. Problematic fields
search, the following conclusions were formulated: and irregularities were identified, which include amongst
- Providing information security requires a systemic approach others: lack of organising an ISMS, incomplete or outdated
and it should be one of the elements of operations of pub- ISMS documentation, lack of regular risk assessment, lack
lic administration entities. Information security in public ad- of overviews, audits or controls, limited use of physical and
ministration should be perceived in the context of realising technical security measures, no training or professional de-
missions of the institutions and delivering sufficient quality velopment. European Union solutions, i.e. GDPR Regulation
of provided services, simultaneously providing attributes of and NIS Directive, have influenced an increase in the level of
information security. information security in public administration in Poland and
- A public administration institution is an organisational significantly reduced the occurrence of identified irregulari-
structure separated from public administration system, ties.
which realises public tasks. Occurrence of an information - Empirical research in the aspect of knowledge and aware-
security incident may decrease the level of delivered ser- ness of employees of public offices have indicated a lack of
vices, or it may cause lack of availability of services. Situa- common knowledge on information security management.
tions of threats regarding information security in public ad- Moreover, a relation between the level of knowledge of the
ministration institutions may consider its various elements respondents and IT education and realised training, was in-
and resources. Individual units have their characteristic fea- dicated. It is proposed to increase the number of employed
tures, e.g. utilised IT hardware, dedicated IT systems, organi- IT specialists and information security specialists and con-
sation of an IT system, which are characterised with specific ducting obligatory training covering all employees in public
vulnerability regarding information threats. Defence level of administration. Training should provide delivery of knowl-
public administration institutions should be increased utilis- edge, control of knowledge and identification of employees
ing information security management. requiring additional training.
- The efficiency of information security management in pub-
lic administration is determined by its resistance toward the The results of theoretical and empirical research may be use-
occurrence of dangerous situations (information security in- ful in implementation of ISMS in public administration institu-
cidents). The issue of information security management can tions and in continuation of the research regarding information se-
be broken down to optimisation of the distribution of se- curity. The authors recommend the theoretical deliberations con-
curity measures in relation to probable threats, in order to tained in the article to be taken into account while designing and
provide security for an entity. This determination should be implementing ISMS. Effectiveness of mechanisms for protection
realised considering the accepted limit values for the effects against information security in public units depends a systemic ap-
of threats and the accepted costs dedicated to security. proach which includes managing all elements of a public adminis-
10 E.K. Szczepaniuk, H. Szczepaniuk and T. Rokicki et al. / Computers & Security 90 (2020) 101709

tration institution. Realisation of the above provisions should be problems; therefore, the authors recommend conducting research
performed considering specific nature and missions of individual supported by cooperation of Polish and foreign scientific facilities,
public institutions. Identification of information threats and risk higher education facilities and companies. Due to the above, in
management constitute significant elements of ISMS. These pro- further research, it is recommended to discuss the need of con-
cesses facilitate system improvement and they generate a possi- stant international collaboration within scope of information secu-
bility to eliminate vulnerabilities and selection of proper security rity management in public administration institutions.
measures. This enables to reach proper defensive potential of a
system, adequate regarding destructive potential of a threat, which Declaration of Competing Interests
are characterised in (4)–(11). However, it must be underlined, that
public administration units operate within a volatile security envi- The authors declare that they have no known competing finan-
ronment, thus security level is not considered a permanent state cial interests or personal relationships that could have appeared to
and it requires constant monitoring and improvement. influence the work reported in this paper.
Empirical research results presented in Tables 2–5 have shown, References
that there is a statistical relation between information security
management in a public institutions and implementation into Pol- Alberts, Ch., Dorofee, A., 2003. Managing Information Security Risks. The OCTAVE
ish legal order, in 2018, European Union solutions, i.e. the GDPR Approach.. Addison-Wesley. USA, Boston.
Alhassan, M.M., Adjei-Quaye, A., 2017. Information security in an organization. Int. J.
regulation and the NIS Directive. The Authors recommend the indi- Comput. Volume 24 (No. 1), 100–116. https://www.researchgate.net/publication/
cated results of empirical research to be utilised in work of system 314086143_Information_Security_in_an_Organization. Accessed 11 April 2019.
analysts and planners in the process of designing and implementa- Barczak, A., Sydoruk, T., 2003. Bezpieczeństwo systemów informatycznych
zarzadzania.
˛ Warsaw: Bellona. Poland.
tion of ISMS in public administration institutions. It is advised, that Brewer, D., Nash, M. (2010). Insights into the iso/iec 27001 annex a, http://www.
the elements of ISMS presented in Table 2 were regarded oblig- gammassl.co.uk/research/27001annexAinsights.pdf. Accessed 27 March 2019.
atory elements of an organisation structure and procedural solu- Brooks, D.J., 2009. What is security: definition through knowledge categorization.
Secur. J. 23 (3), 225–239. doi:10.1057/sj.2008.18.
tions of public administration institutions. These elements consti-
Chikere, C.C., Nwoka, J., 2015. The systems theory of management in modern day
tute an attempt to standardise solutions used in public administra- organizations - A Study of aldgate congress resort limited port harcourt. Int.
tion institutions and they represent possibilities brought about by J. Scientif. Res. Publ. Vol. 5 (Iss. 9), 1–7. https://pdfs.semanticscholar.org/d1e4/
03a4a017d00b081122c2a0abd1d7317f14fe.pdf. Accessed 20 October 2019.
systemic management of information security. Empirical data in-
Degaut, M., 2015. What is security? Revista Brasileira de Inteligência 9–28. https:
dicate practical aspects of designing and maintaining ISMS, which //www.researchgate.net/publication/310495076_What_is_Security. Accessed 09
should be further developed in form of analysis of detailed proce- April 2019.
dures and models regarding, amongst others: Dz.U. [Journal of Laws] of 2012, item 526. (2012) Rozporzadzenie ˛ rady ministrów
z dnia 12 kwietnia 2012 r. w sprawie krajowych ram interoperacyjności, min-
- methods of assessing threat vulnerability of institutions, imalnych wymagań dla rejestrów publicznych i wymiany informacji w postaci
elektronicznej oraz minimalnych wymagań dla systemów teleinformatycznych.
- methods of performing risk management of information Poland.
threats, Dz.U. [Journal of Laws] of 2018, item 10 0 0. (2018) Ustawa z dnia 10 maja 2018 r. o
- methods of training employees of public administration in- ochronie danych osobowych. Poland.
Dz.U. [Journal of Laws] of 2018, item 1560. (2018) Ustawa z dnia 5 lipca 2018 r. o
stitutions, krajowym systemie cyberbezpieczeństwa. Poland.
- methods of selecting security measures, e-Government Survey (2018). Department of economic and social affairs. United
- ISMS auditing methods, Nations. New York 2018. https://publicadministration.un.org/egovkb/Portals/
egovkb/Documents/un/2018- Survey/E- Government%20Survey%202018_FINAL%
- methods of integrating a public services quality manage- 20for%20web.pdf. Accessed 15 October 2019.
ment system with an information security management sys- ENISA, (2006). Risk Management: Implementation principles and Inventories for
tem, Risk Management/Risk Assessment methods and tools: Survey of existing
Risk Management and Risk Assessments Methods. Technical Department of
- programs including practical hints for public administration
ENISA Section Risk Management. https://www.enisa.europa.eu/publications/
units for purposes of ISMS implementation risk- management- principles- and- inventories- for- risk- management- risk-
- directions of cooperation, exchange of experience and good assessment- methods- and- tools. Accessed 16 November 2019.
ENISA. (2017). Priorities for eu research analysis of the ecso strategic re-
practices between institutions.
search and innovation agenda (SRIA). https://www.enisa.europa.eu/publications/
priorities- for- eu- research. Accessed 14 March 2019.
In order to realise the above provisions, it is reasonable to in-
Hoffman, L.J., 1982. Poufność w Systemach Informacyjnych. WNT. Poland, Warsaw.
crease financial outlays for implementation of ISMS in public ad- Howard, J.D. & Longstaff, T.A. (1998). A common language for computer security
ministration units. Moreover, there is a deficit of information se- incidents. https://www.osti.gov/servlets/purl/751004. Accessed 20 October 2019.
curity specialist on the market. The basic task of higher educa- ISACA. (2013). COBIT 5 for risk. https://m.isaca.org/COBIT/Documents/COBIT- 5- for-
Risk-Preview_res_eng_0913.pdf. Accessed 14 April 2019.
tion facilities is development of programs and specialisations ori- ISO/IEC 27001: 2013, Information technology – Security techniques – Information
entated toward educating future information security experts. The security management systems - Requirements.
authors recommend the elements contained in Table 2 to be re- ISO/IEC 27005: 2018, Information technology – Security techniques – Information
security risk management.
flected in learning plans within programs educating future employ- Janczewski, L.J., Cealli, W. (Eds.) (2015). Cyber conflicts and small states, New
ees of public administration. Zealand 2015.
The issue of information security management in public admin- Karaback, B., Sogukpinar, I., 2005. ISRAM: information security risk analysis method.
Comput. Secur. 24 (2), 147–159. https://www.sciencedirect.com/science/article/
istration institutions requires further research. This need is justi- pii/S0167404804001890. Accessed 14 April 2019.
fied by the fact, that security is not considered a permanent state. Leszczyna, R., 2017. Metoda szacowania kosztu zarzadzania˛ bezpieczeństwem infor-
Moreover, both in Poland as well as over the world, there are prob- macji i jej przykład zastosowania w zakładzie opieki zdrowotnej Nr 46 (2017),
pp. 319-330. Warsaw. Poland.
lematic fields in designing and implementation of ISMS. Analysis of
Liderman, K., 2006. Zarzadzanie
˛ ryzykiem jako element zapewnienia odpowied-
global security environment of public administration institutions niego poziomu bezpieczeństwa teleinformatycznego Nr 23/2006, pp. 44, War-
enables to assume, that threats will evolve and more advanced saw. Poland.
Liderman, K., 2012. Bezpieczeństwo Informacyjne. PWN. Poland, Warsaw.
methods of conducting cyberattacks will develop. Public adminis-
Loch, K.D., Carr, H.H., Warkentin, M., 1992. Threats to information systems: to-
tration will be also a participant of further development of digital- day’s reality, yesterday’s understanding. MIS Q. Vol. 16 (No. 2), 173–186.
isation, which will probably render another transformation of local https://www.researchgate.net/publication/220259924_Threats_to_Information_
governments. It can be assumed, that this will lead to changes on Systems_Today’s_Reality_Yesterday’s_Understanding. Accessed 20 October 2019.
Mihailescu, V.L., 2012. Risk analysis and risk management using mehari. J. Appl.
multiple levels, amongst others: legal, organisational, technological. Bus. Inf. Syst. 3 (4), 143–161. 2012 https://pdfs.semanticscholar.org/0d21/
These issues cover a wide spectrum of inter-disciplinary in nature f50d42a2699b4ab5174edf4968b128b7d6b3.pdf. Accessed 11 April 2019.
 E.K. Szczepaniuk, H. Szczepaniuk and T. Rokicki et al. / Computers & Security 90 (2020) 101709 11

Możdżeń-Marcinkowski, M., 2012. Introduction to Polish Administrative Law. C.H. Vogt, W.P., Johnson, R.B., 2015. The SAGE Dictionary of Statistics & Methodology. A
Beck. Poland, Warsaw. Nontechnical Guide for the Social Sciences. SAGE Publications, USA.
NIK, 2016. Zapewnienie Bezpieczeństwa Działania Systemów Informatycznych Yazar, Z., 2002. A qualitative risk analysis and management tool – CRAMM.
Wykorzystywanych Do Realizacji Zadań publicznych. Informacja o wynikach SANS Institute. https://pdfs.semanticscholar.org/3743/6a533bcbcd1bb420 0 038
Kontroli. NIK. Poland, Warsaw https://www.nik.gov.pl/kontrole/P/15/042/KPB/. 3eae445840e5cefc.pdf. Accessed 11 April 2019.
NIST. (2018). Risk management framework for information systems and organiza- The Global Information Technology Report. (2016). Growth and jobs in a hyper-
tions. Accessed 14 April 2019. doi:10.6028/NIST.SP.800-37r2. connected world. word economic forum and INSEAD. Geneva. http://www.cdi.
O.J.EU L 119/1, 4.5.2016. (2016) Regulation (UE) 2016/679 of the European Parlia- org.pe/InformeGlobaldeInformacion/doc/WEF_GITR_Full_Report.pdf. Accessed 20
ment and of the council of 27 april 2016 on the protection of natural persons October 2019.
with regard to the processing of the personal data and on the free movement WEF (2019). The global risks report 2019. 14th edition. world economic fo-
of such data, and repealing directive 95/46/EC (General data protection regula- rum. Geneva. http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.
tion). pdf. Accessed 13 March 2019.
O.J. EU L 191/1, 19.7.2016. (2016) Directive (EU) 2016/1148 of the European Parlia- Zibran, M.F. (2007). CHI-Squared test of independence. https://pdfs.semanticscholar.
ment and of the council of 6. july 2016 concerning measures for a high common org/0822/f125a21cfbd05e5e980c8017499fb966568f.pdf. Accessed 05 April 2019.
level of security of network and information systems across the union.
Schatz, D., Bashroush, R., 2017. Economic valuation for information security invest- Dr inż. Edyta Karolina Szczepaniuk: Doctor of Social Science in the field of se-
ment: a systematic literature review. Inf. Syst. Front. Vol. 19 (Iss. 5), 1205– curity sciences. Graduate with majors in the fields: administration, national secu-
1228. https://link.springer.com/article/10.1007%2Fs10796- 016- 9648- 8. Accessed rity and computer science. She is an academic at the Polish Air Force University
17 April 2019. (Poland). Within the scope of her scientific interests, amongst others, there are:
Schmittner, Ch., Gruber, T., Puschner, P.P. & Schoitsch, E. (2014). Security application information security, cybersecurity, e-administration, Management Information Sys-
of failure mode and effect analysis (FMEA) in computer safety, reliability, tems, databases and systems programming. Author of numerous publications within
and security: 33rd international conference. pp. 310–325. Florence. Italy. this scope.
https://www.researchgate.net/publication/290751391_Security_Application_of_
Failure_Mode_and_Effect_Analysis_FMEA. Accessed 11 April 2019.
Sienkiewicz, P., 1989. Systemy Kierowania. Wiedza Powszechna. Poland, Warsaw. Dr Hubert Szczepaniuk: Graduate of doctoral studies in the field of computer sci-
Sienkiewicz, P., 1995. Analiza Systemowa. Bellona. Poland, Warsaw. ence in technical science at the Faculty of Cybernetics of the Military University of
Sienkiewicz, P., 2010. Systems analysis of security management. Scientif. J. Maritime Technology in Warsaw. In the year 2015 he has defended a Ph.D.dissertation. He
Univ. Szczecin 24 (96), 93–99 2010. is an academic employee at the Warsaw University of Life Sciences WULS-SGGW
Sienkiewicz, P., 2013. 25 Wykładów. AON. Poland, Warsaw. in Warsaw. Research interests apply to computer science, management and qual-
Sienkiewicz, P., 2015. Podstawy inżynierii systemów bezpieczeństwa. In: ity sciences, cybersecurity. Author of numerous publications within this scope. His
Sienkiewicz, P. (Ed.), Inżynieria Systemów Bezpieczeństwa. PWE. Poland, activity also includes programming in Python, Java and C#.
Warsaw, pp. 4–18.
Sklavos, N., Souras, P., 2006. Economic models and approaches in information Professor dr hab. Bogdan Klepacki: Head of the Department of Logistics at the
security for computer networks. Int. J. Netw. Secur. Vol. 2 (No. 1), 14–20. https: Warsaw University of Life Sciences, former Vice-Rector of Warsaw University of Life
//pdfs.semanticscholar.org/16ef/df667e5aee3270d5c2d7987c05dcd15876c2.pdf. Sciences. Doctor honoris causa of the University of Agriculture in Krakow. Author
Accessed 18 April 2019. of 570 articles and books on economics, management and logistics, adaptation of
Stańczyk, J., 1996. Współczesne Pojmowanie Bezpieczeństwa. PAN. Poland, Warsaw. enterprises to changing economic conditions. Promoter in 27 doctoral courses. He
Stokłosa, J., Bilski, T., Pankowski, T., 2010. Bezpieczeństwo Danych w Systemach In- cooperated with universities from several countries, an active participant of several
formatycznych. PWN. Poland, Poznan. dozen foreign, as well as Visiting professor. He managed 2 international and 9 na-
Susanto, H., Almunawar, M.N., Tuan, Y., 2011. Information security management tional research topics. Member of the Committee of Economic Sciences of the Polish
system standards: a comparative study of the big five. Int. J. Electr. Com- Academy of Sciences.
put. Sci. IJECS-IJENS Vol: 11. No: 05, 2011 https://www.researchgate.net/
publication/228444915_Information_Security_Management_System_Standards_ Dr hab. inż. Tomasz Rokicki: In 2006 he obtained academic degree of Ph.D. of
A_Comparative_Study_of_the_Big_Five. Accessed 20 April 2019. economic sciences in terms of economy awarded by a resolution of the Agricultural
Szczepaniuk, E.K., 2016. Bezpieczeństwo Struktur Administracyjnych w Warunkach Economics Department Board in the Warsaw University of Life Sciences (WULS –
Zagrożeń Cyberprzestrzeni Państwa. AON. Poland, Warsaw. SGGW). Since 2007 have been working as an Assistant Professor at the Faculty of
Tsiakis, T., Stephanides, G., 2005. The economic approach of information security. Economic Sciences in the WULS. On February 27, 2018, he obtained a post-doctoral
Comput. Secur. 24 (2), 105–108. 2005 https://www.sciencedirect.com/science/ degree – habilitation. His-academic achievements contains 10 monographs, over 120
article/pii/S01674048050 0 0209?via%3Dihub. Accessed 19 April 2019. articles in scientific journals and collective monographs. Research interests apply
Tupa, J., Steiner, F., 2006. Implementation of information security management sys- to economy, (micro and macro economy), economic geography, logistics (above all
tem in the small healthcare organization. J. Telecommun. Inf. Technol. 52–58. transport problems), management of information.
https://www.il-pib.pl/czasopisma/JTIT/2006/2/52.pdf. Accessed 21 April 2019.