Article

Human and organizational factors in computer and information security: Pathways to vulnerabilities

Wisconsin Center for Education Research, University of Wisconsin-Madison, 1025 West Johnson Street, Madison, WI 53706, USA; Center for Quality and Productivity Improvement, Department of Industrial and Systems Engineering, University of Wisconsin-Madison, 3126 Engineering Centers Building, 1515 Engineering Drive, Madison, WI 53706-1609, USA; Information Design Assurance Red Team, Sandia National Laboratories, P.O. Box 5800, MS 0671, Albuquerque, NM 87185-0671, USA
Computers & Security 01/2009; DOI: 10.1016/j.cose.2009.04.006
Source: DBLP

ABSTRACT: The purpose of this study was to identify and describe how human and organizational factors may be related to technical computer and information security (CIS) vulnerabilities. A qualitative study of CIS experts was performed, consisting of 2 focus group sessions with 5 members each. The participants in the focus groups each produced a causal network analysis of the pathways from human and organizational factors to types of CIS vulnerabilities. The findings suggest that human and organizational factors play a significant role in the development of CIS vulnerabilities and emphasize the complexity of the relationships among those factors. The factors were categorized into 9 areas: external influences, human error, management, organization, performance and resource management, policy issues, technology, and training. Security practitioners and management should be aware of the many roles that human and organizational factors play in CIS vulnerabilities, and that CIS vulnerabilities are not solely the result of a technological problem or programming mistake. The design and management of CIS systems need an integrative, multi-layered approach to improve CIS performance (suggestions for analysis are provided).

  • ABSTRACT: The use of computer networks as the key infrastructure of ICT brings new changes and new forms of communication to organizations. These changes, in turn, create new expectations of the network, which lead to review and redesign. The existence of an active organizational structure, one shaped by the use of ICT, as a means of moving toward the goals of changing organizations is increasingly evident and is drawing the attention of designers and managers. Exact and standard design and implementation of computer networks can increase productivity and demonstrate the real position of ICT in the organization. Since the computer network of each organization has its own characteristics and design parameters, an exact and scientific understanding of them can help accomplish these goals, which rest on two main elements, Information Technology and Organization. This article therefore studies the influence of a dynamic and changing environment on organizational structure and computer networks, taking its scientific aspect and various features into consideration.
    01/2010;
  • ABSTRACT: The objective of this paper is to report back on an organizational framework consisting of human, organization and technology (HOT) dimensions that holistically addresses aspects associated with phishing. Most of the anti-phishing literature studied focused either on technical controls or on education in isolation; however, education is core to all aspects of the above-mentioned framework. It is evident from the literature that little work has been conducted on anti-phishing preventative measures in the context of organizations, as opposed to the personal user level. In the framework, the emphasis is placed on the human factors in addressing phishing attacks.
    World Conference on Information Security Education (WISE7), Lucerne, Switzerland; 03/2011
  • ABSTRACT: The security of information assets has always been a corporate necessity. These assets can be placed in three main spheres, namely people, organizational processes and technologies. The internet, the spread of the web, networks, and the ever more prominent presence of technologies in the lives of people and organizations have brought about profound transformations in the processes intrinsic to personal and organizational routines. These changes, driven by technological advances, have generated greater competitiveness and decentralization and, in return, a need for management, control, security and the protection of information and knowledge. This article presents the results of an investigation into information security, emphasizing the interference of human aspects in information and knowledge management practices related to information security. Through qualitative-quantitative research, the behavioral profiles and actions of the employees of a healthcare company and their interrelation with information security failures are identified. It is concluded that the "people" element is an important, even critical, variable for information security management in organizations.
    05/2013; 18(37):175-202.
