Education

Research Interests

Teaching Activities

Journals


Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.


I. Topa, M. Karyda, From Theory to Practice: Guidelines for Enhancing Information Security Management, Journal of Information and Computer Security, Vol. 27, No. 3, pp. 326-342, 2019, Emerald Publishing
 

Abstract
This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current security management practices, including those following the widely adopted information security standards ISO 27001, 27002, 27003 and 27005. Based on an exhaustive analysis of related literature, the authors identify critical factors influencing employee security behaviour and ISP compliance. The authors use these factors to perform a gap analysis of widely adopted information security standards ISO 27001, 27002, 27003 and 27005 and identify issues not covered or only partially addressed. Drawing on the implications of security behaviour determinants and the identified gaps, the authors provide guidelines which can enhance security management practices. The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context, encouraging employees to comply out of habit and considering the cost of compliance. Furthermore, the authors provide guidelines to security managers on enhancing their security management practices when implementing the above ISO Standards. This study offers guidelines on how to create and design security management practices whilst implementing ISO standards (ISO 27001, ISO 27002, ISO 27003, ISO 27005) so as to enhance ISP compliance. This study analyses the role and implications of security behaviour determinants, discusses discrepancies and conflicting findings in related literature, provides a gap analysis of commonly used information security standards (ISO 27001, 27002, 27003 and 27005) and proposes guidelines on enhancing security management practices towards improving ISP compliance.

Conferences




I. Topa, M. Karyda, Usability Characteristics of Security and Privacy Tools: The User’s Perspective, 33rd IFIP TC 11 International Conference, SEC 2018 Held at the 24th IFIP World Computer Congress, WCC 2018, Lech Jan Janczewski, Mirosław Kutyłowski, (eds), pp. 231–244, Sep, 2018, Poznan, Poland, Springer Nature Switzerland AG 2018
 

Abstract
Use of security and privacy tools is still limited for various reasons, including usability issues. This paper analyses usability characteristics of security and privacy tools by drawing on relevant literature and employing scenario-based questionnaires and interviews with 150 users to capture their views. Based on users’ feedback, we analyse the role of usability characteristics and identify critical issues such as transparency, control of personal data, design and accessibility, and consistency. This paper provides insights into the multifaceted issue of usability of security tools from the users’ perspective and a comprehensive picture of users’ needs and expectations. Some of the findings of this study show that users regard it as important that security and privacy tools incorporate usability characteristics relevant to installation, design and accessibility, control and automation, visible feedback, and locatable security settings. Furthermore, users encounter problems with understanding technical terms and report that the uneven availability of tools across smartphones and operating systems is a usability issue.

I. Topa, M. Karyda, Analyzing Security Behaviour Determinants for Enhancing ISP Compliance and Security Management, 13th European, Mediterranean and Middle Eastern Conference on Information Systems (EMCIS) 2016, Dec, 2016, Krakow, Poland
 

Abstract
Extant literature has identified a wide range of factors that influence employees’ compliance with organisational ISPs and shape security behaviour. Security management, however, has not embodied this knowledge, as many studies employ different terms to refer to similar concepts or focus only on a specific aspect (e.g. cognitive or environmental issues), depending on the theoretical approach used. Literature provides limited direction to security managers on the effect of security behaviour determinants on security management. This paper provides a comprehensive analysis of the factors that have been identified, through an extensive literature review. It also provides an analysis and discussion of how these factors can enhance information security policy compliance. This work provides a conceptual framework that can help security managers understand employee security behaviour and assist them in improving current security management. The paper also identifies controversial findings in relevant literature and suggests issues that need further investigation.

I. Topa, M. Karyda, Identifying Factors that Influence Employees’ Security Behavior for Enhancing ISP Compliance, 12th Trust, Privacy and Security in Digital Business International Conference, pp. 169-179, Dec, 2015, Valencia, Spain, Springer International Publishing
 

Abstract
Organizations apply information security policies to foster secure use of information systems but very often employees fail to comply with them. Employees’ security behavior has been the unit of analysis of research from different theoretical approaches, in an effort to identify the factors that influence security policy compliance. Through a systematic analysis of extant literature this paper identifies and categorizes critical factors that shape employee security behavior and proposes security management practices that can enhance security compliance. Research findings inform theory by identifying research gaps and support security management.

T. Spyridopoulos, I. Topa, T. Tryfonas, M. Karyda, A holistic approach for Cyber Assurance of Critical Infrastructure with the Viable System Model, 29th IFIP TC 11 International Conference, SEC 2014, pp. 438-445, Jun, 2014, Marrakech, Morocco, Springer Berlin Heidelberg, http://link.springer.com/chapter/10.1007...
 

Abstract
Industrial Control Systems (ICSs) are among the most important components of National Critical Infrastructure. They provide control capabilities in complex systems of critical importance such as energy production and distribution, transportation, telecoms, etc. Protection of such systems is the cornerstone of resilient and timely provision of essential services. Effective risk management methods form the basis for the protection of an Industrial Control System. However, the nature of ICSs renders traditional risk management methods insufficient. The proprietary character and the complex interrelationships of the various systems that form an ICS, the potential impacts outside its boundaries, along with emerging trends such as exposure to the Internet, necessitate revisiting traditional risk management methods in a way that treats an ICS as a system-of-systems rather than a single, one-off entity. Towards this direction, in this paper we present enhancements to traditional risk management methods at the risk assessment phase, by utilising the cybernetic construct of the Viable System Model (VSM) as a means towards a holistic view of the risks against Critical Infrastructure. For the purposes of our research, utilising VSM’s recursive nature, we model the Supervisory Control and Data Acquisition (SCADA) system, the most commonly used type of ICS, as a VSM and identify the various assets, interactions with the internal and external environment, threats and vulnerabilities.

Books




Chapters in Books




Conferences Proceedings Editor

