Article

Human and organizational factors in computer and information security: Pathways to vulnerabilities

Wisconsin Center for Education Research, University of Wisconsin-Madison, 1025 West Johnson Street, Madison, WI 53706, USA; Center for Quality and Productivity Improvement, Department of Industrial and Systems Engineering, University of Wisconsin-Madison, 3126 Engineering Centers Building, 1515 Engineering Drive, Madison, WI 53706-1609, USA; Information Design Assurance Red Team, Sandia National Laboratories, P.O. Box 5800, MS 0671, Albuquerque, NM 87185-0671, USA
Computers & Security 01/2009; DOI: 10.1016/j.cose.2009.04.006
Source: DBLP

ABSTRACT: The purpose of this study was to identify and describe how human and organizational factors may be related to technical computer and information security (CIS) vulnerabilities. A qualitative study of CIS experts was performed, consisting of two 5-member focus group sessions. The participants in the focus groups each produced a causal network analysis of the pathways from human and organizational factors to types of CIS vulnerabilities. Findings suggested that human and organizational factors play a significant role in the development of CIS vulnerabilities and emphasized the complexity of the relationships among human and organizational factors. The factors were categorized into 9 areas: external influences, human error, management, organization, performance and resource management, policy issues, technology, and training. Security practitioners and management should be aware of the multifarious roles of human and organizational factors in CIS vulnerabilities, and that CIS vulnerabilities are not the sole result of a technological problem or programming mistake. The design and management of CIS systems need an integrative, multi-layered approach to improve CIS performance (suggestions for analysis are provided).

  • ABSTRACT: Purpose – This paper aims to assess the influence of a set of human and organizational factors in information system deployments on the probability that a number of security-related mistakes are in the deployment. Design/methodology/approach – A Bayesian network (BN) is created and analyzed over the relationship between mistakes and causes. The BN is created by eliciting qualitative and quantitative data from experts of industrial control system deployments in the critical infrastructure domain. Findings – The data collected in this study show that domain experts have a shared perception of how strong the influence of human and organizational factors is. According to domain experts, this influence is strong. This study also finds that security flaws are common in industrial control systems operating critical infrastructure. Research limitations/implications – The model presented in this study is created with the help of a number of domain experts. While they agree on qualitative structure and quantitative parameters, future work should assure that their opinion is generally accurate. Practical implications – The influence of a set of important variables related to organizational/human aspects on information security flaws is presented. Social implications – The context of this study is deployments of systems that operate nations' critical infrastructure. The findings suggest that initiatives to secure such infrastructures should not be purely technical. Originality/value – Previous studies have focused on either the causes of security flaws or the actual flaws that can exist in installed information systems. However, little research has been spent on the relationship between them. The model presented in this paper quantifies such relationships.
    Information Management & Computer Security 01/2011; 19.
  • ABSTRACT: The security of information assets has always been a corporate need. These assets can be framed in three main spheres, namely people, organizational processes, and technologies. The internet, the spread of the web, networks, and the ever more prominent presence of technology in the lives of people and organizations have brought about profound transformations in the processes intrinsic to personal and organizational routines. These changes, driven by technological advances, have generated greater competitiveness and decentralization and, in return, a need for management, control, security, and protection of information and knowledge. This article presents the results of an investigation into information security, emphasizing the influence of human aspects on the information and knowledge management practices related to information security. Through qualitative-quantitative research, behavioral profiles and actions of employees of a company in the healthcare sector are identified, along with their interrelation with information security failures. It is concluded that the "people" element is an important, even critical, variable for information security management in organizations.
    05/2013; 18(37):175-202.
  • ABSTRACT: The objective of this paper is to report back on an organizational framework, consisting of human, organization and technology (HOT) dimensions, for holistically addressing aspects associated with phishing. Most of the anti-phishing literature studied focused on either technical controls or education in isolation; however, education is core to all aspects of the above-mentioned framework. It is evident from the literature that little work has been conducted on anti-phishing preventative measures in the context of organizations rather than at the personal user level. In the framework, the emphasis is placed on the human factors in addressing phishing attacks.
    World Conference on Information Security Education (WISE7), Lucerne, Switzerland; 03/2011
