Human and organizational factors in computer and information security: Pathways to vulnerabilities

Wisconsin Center for Education Research, University of Wisconsin-Madison, 1025 West Johnson Street, Madison, WI 53706, USA; Center for Quality and Productivity Improvement, Department of Industrial and Systems Engineering, University of Wisconsin-Madison, 3126 Engineering Centers Building, 1515 Engineering Drive, Madison, WI 53706-1609, USA; Information Design Assurance Red Team, Sandia National Laboratories, P.O. Box 5800, MS 0671, Albuquerque, NM 87185-0671, USA
Computers & Security 01/2009; DOI: 10.1016/j.cose.2009.04.006
Source: DBLP

ABSTRACT: The purpose of this study was to identify and describe how human and organizational factors may be related to technical computer and information security (CIS) vulnerabilities. A qualitative study of CIS experts was performed, consisting of two 5-member focus group sessions. The participants in the focus groups each produced a causal network analysis of the pathways from human and organizational factors to types of CIS vulnerabilities. The findings suggested that human and organizational factors play a significant role in the development of CIS vulnerabilities and emphasized the complexity of the relationships among human and organizational factors. The factors were categorized into 9 areas: external influences, human error, management, organization, performance and resource management, policy issues, technology, and training. Security practitioners and management should be aware of the multifarious roles that human and organizational factors play in CIS vulnerabilities, and that CIS vulnerabilities are not solely the result of a technological problem or programming mistake. The design and management of CIS systems need an integrative, multi-layered approach to improve CIS performance (suggestions for analysis are provided).

  • ABSTRACT: In recent years critical infrastructures have witnessed rapid developments in the way their services are being implemented and delivered to consumers; this was instigated by the adoption of the latest technologies in IT. An example of such an infrastructure is smart metering in the energy sector. Despite the evident advantages of such transformation, this led to the emergence of new challenges facing these infrastructures, such as preserving the security of the information of these systems. Common security implementation practices involve retrofitting security measures into the system rather than incorporating them in the early stages of the system development life cycle. In this paper we give a brief overview of the consequences resulting from information security breaches, in addition to presenting the main causes behind addressing information security as an afterthought in an ad hoc manner.
    Networking, Sensing and Control (ICNSC), 2010 International Conference on; 05/2010
  • ABSTRACT: The use of computer networks as the key infrastructure of ICT brings new changes and communications to organizations. These changes, in turn, cause new expectations about the network, which results in reviewing and redesigning it. The existence of an active organizational structure that is affected by the use of ICT, in order to move towards the goals of changing organizations, is proving more and more important and drawing designers' and managers' attention. Exact and standard design and implementation of computer networks can increase productivity and prove the real position of ICT in an organization. Since there are various characteristics and parameters in designing the computer networks of each organization, an exact and scientific understanding of them can help us accomplish these goals, which are based on two main elements: Information Technology and Organization. Thus, in this article the influence of a dynamic and changing environment on organizational structure and computer networks has been studied, and its scientific aspect and various features have been taken into consideration.
    01/2010
  • ABSTRACT: The security of information assets has always been a corporate necessity. These assets can be placed in three main spheres, namely people, organizational processes and technologies. The internet, the spread of the web, networks, and the ever more marked presence of technologies in the lives of people and organizations have brought about profound transformations in the processes intrinsic to personal and organizational routines. These changes driven by technological advances have generated greater competitiveness and decentralization and, in return, a need for management, control, security and protection of information and knowledge. This article presents the results of an investigation into information security, emphasizing the interference of human aspects in the information and knowledge management practices related to information security. Through a qualitative-quantitative study, the behavioral profiles and actions of the employees of a healthcare company and their interrelation with information security failures are identified. It is concluded that the "people" element is an important, even critical, variable for the management of information security in organizations.
    05/2013; 18(37):175-202.

Full-text (2 sources), available from May 22, 2014