Human and organizational factors in computer and information security: Pathways to vulnerabilities

Center for Quality and Productivity Improvement, Department of Industrial and Systems Engineering, University of Wisconsin-Madison, 3126 Engineering Centers Building, 1515 Engineering Drive, Madison, WI 53706-1609, USA
Computers & Security (Impact Factor: 1.03). 10/2009; 28(7):509-520. DOI: 10.1016/j.cose.2009.04.006
Source: DBLP

ABSTRACT: The purpose of this study was to identify and describe how human and organizational factors may be related to technical computer and information security (CIS) vulnerabilities. A qualitative study of CIS experts was performed, consisting of two 5-member focus group sessions. The participants in each focus group produced a causal network analysis of the pathways from human and organizational factors to types of CIS vulnerabilities. Findings suggested that human and organizational factors play a significant role in the development of CIS vulnerabilities and emphasized the complexity of the relationships among those factors. The factors were categorized into nine areas: external influences, human error, management, organization, performance and resource management, policy issues, technology, and training. Security practitioners and management should be aware of the multifarious roles that human and organizational factors play in CIS vulnerabilities, and that CIS vulnerabilities are not the sole result of a technological problem or programming mistake. The design and management of CIS systems need an integrative, multi-layered approach to improve CIS performance (suggestions for analysis are provided).

Available from: Pascale Carayon, Sep 26, 2015

Cited in:
  • "From an information security point of view, humans are the main actor that passively or actively influences the security of a system. Generally, humans have two types of 'negative' influences on security: they either introduce vulnerabilities in terms of flaws or mistakes in the design, implementation, configuration, and operation of the system ([23]), or pose threats as attackers to exploit the vulnerabilities and compromise the security of the system ([26] [31]). Obviously, different roles typically connected to a business process are able to introduce vulnerabilities and launch attacks."
    ABSTRACT: Information security in a Process-aware Information System (PAIS) relies on many factors, including the security of the business process and of the underlying system and technologies. Moreover, humans can be the weakest link that creates a pathway to vulnerabilities, or the worst enemy that compromises a well-defended system. Since a system is only as secure as its weakest link, information security can only be achieved in a PAIS if all factors are secure. In this paper, we address two research questions: how to conduct a cross-layer security analysis that couples security concerns at the business process layer with those at the technical layer; and how to include the human factor in the security analysis for the identification of human-oriented vulnerabilities and threats. We propose a methodology that supports the tracking of security interdependencies between functional, technical, and human aspects, which contributes to establishing a holistic approach to information security in PAIS. We demonstrate the applicability with a scenario from the payment card industry.
  • "Various researchers have investigated an information security culture and the mechanisms that could potentially influence the culture and behaviour of employees (Schlienger and Teufel 2005; Thomson et al. 2006; Kraemer, Carayon, & Clem, 2009; Ruighaver et al. 2007; Van Niekerk and Von Solms 2010; Furnell and Thompson 2009; Van Niekerk and Von Solms, 2010; Furnell & Rajendran, 2012). Management, policies, awareness and compliance are some of the prominent mechanisms that could potentially influence information security culture – see table 1."
    ABSTRACT: Information security culture must be considered as part of the information security programme to direct employee behaviour. Such a culture can contribute to the protection of information and minimise the risk that employee behaviour poses. This paper proposes a theoretical model, i.e. an information security culture model (ISCM) with four mechanisms (i.e. management, policies, awareness and compliance) that potentially influence information security culture positively. ISCM is based on the information security culture assessment (ISCA) questionnaire dimensions that are correlated with the theoretical mechanisms (dimensions). The theoretical model is validated through structural equation modelling (SEM) using empirical data derived from an ISCA assessment. This research produces a sound theoretical information security culture model, which is supported by the empirical study and further confirms the research hypothesis that management, policies, awareness and compliance contribute to an information security-positive culture as represented by the validated model.
    Human Aspects of Information Security & Assurance (HAISA 2015), Lesvos, Greece; 07/2015
  • "Information security training and awareness are two of the most effective offsets to mitigate the human risk posed to information security (Parsons et al., 2014). Current and former employees in organisations are still regarded as a risk to the protection of information and are often the cause of information security incidents (Schlienger and Teufel, 2005, Ashenden, 2008, Thomson et al., 2006, Herath and Rao, 2009, Kraemer et al., 2009, Herold, 2011, Furnell and Clarke, 2012, Furnell and Rajendran, 2012, Padayachee, 2012, Crossler et al., 2013, Flores et al., 2014, PwC, 2014)."
    ABSTRACT: This paper proposes a unique information security training and awareness approach (ISTAAP) that can be used to instil an information security-positive culture which will assist in addressing the risk that human behaviour poses to the protection of information. An information security culture assessment tool is used as the critical diagnostic instrument to assess the information security culture within the context of ISTAAP. A case study is discussed where the ISTAAP was deployed. This provided empirical data to illustrate the value of ISTAAP to direct employee behaviour through focused training and awareness based on the outcome of the information security culture assessment data.
    Human Aspects of Information Security & Assurance (HAISA 2015), Lesvos, Greece; 07/2015