Article

Human and organizational factors in computer and information security: Pathways to vulnerabilities

Center for Quality and Productivity Improvement, Department of Industrial and Systems Engineering, University of Wisconsin-Madison, 3126 Engineering Centers Building, 1515 Engineering Drive, Madison, WI 53706-1609, USA
Computers & Security (Impact Factor: 1.17). 10/2009; DOI: 10.1016/j.cose.2009.04.006
Source: DBLP

ABSTRACT The purpose of this study was to identify and describe how human and organizational factors may be related to technical computer and information security (CIS) vulnerabilities. A qualitative study of CIS experts was performed, consisting of two 5-member focus group sessions. The participants in each focus group produced a causal network analysis of the pathways from human and organizational factors to types of CIS vulnerabilities. Findings suggested that human and organizational factors play a significant role in the development of CIS vulnerabilities and emphasized the complexity of the relationships among those factors. The factors were categorized into 9 areas: external influences, human error, management, organization, performance and resource management, policy issues, technology, and training. Security practitioners and management should be aware of the multifarious roles that human and organizational factors play in CIS vulnerabilities, and that CIS vulnerabilities are not solely the result of a technological problem or programming mistake. The design and management of CIS systems need an integrative, multi-layered approach to improve CIS performance (suggestions for analysis are provided).

    ABSTRACT: Network security guarantees the protection of valuable and available network assets from viruses, key loggers, hackers and unauthorized access. Intrusion Detection Systems (IDS) are considered one of the important network tools for managing network security. It has been found that network practitioners find current IDS difficult to use. An important factor affecting the effectiveness of an IDS is the interface through which users evaluate the software's usability. Even when security software such as an IDS works efficiently, users find it difficult to use and understand; as a result, users have difficulty both using the system and judging the quality of its output. Usability evaluation is therefore important in helping users interact efficiently with an IDS and in enhancing its usage. In most situations, usability evaluation is done by usability engineers. In small and large companies alike, software developers are forced to learn a different paradigm of usability, which is no easier than training usability engineers in how to develop software. As a remedy, the Cognitive Analysis of Software Interface (CASI) system has been designed for software engineers; it helps a software engineer evaluate an IDS on the basis of user perceptions and evaluation views. New heuristics for evaluating IDS are proposed in this paper, and a broad literature on software interfaces and evaluation methodologies is discussed. Challenges associated with interfaces and new methods for evaluating software usability are also reviewed.
    ABSTRACT: It is widely acknowledged that the employees of an organization are often a weak link in the protection of its information assets. Information security has not been given enough attention in the literature in terms of the effect of the human factor, and researchers have called for more examination of this area. Human factors play a significant role in computer security. In this paper, we focus on the relationship of the human factor to information security, presenting the human weaknesses that may lead to unintentional harm to the organization, and discuss how information security awareness can be a major tool in overcoming these weaknesses. A framework for field research is also presented in order to identify the human factors and the major attacks that threaten computer security.
    Procedia - Social and Behavioral Sciences 08/2014; 147. DOI:10.1016/j.sbspro.2014.07.133
    ABSTRACT: Usability evaluation methods have gained substantial attention in networking, particularly for Intrusion Detection Systems (IDS), since these methods are intended to achieve usability and to identify usability defects in a large number of practical software products. Despite a good number of available surveys and methods on usability evaluation, we feel that there is a gap in the existing literature in terms of usability evaluation methods, IDS interfaces, and adherence to usability guidelines in IDS development. This paper reviews the state of the art in improving the usability of network tools and illustrates the issues and challenges in the context of design. Further, we propose a taxonomy of key issues in evaluation methods and usability problems. We also define design heuristics for IDS users and interfaces that improve the detection of usability defects and interface usability compared with conventional evaluation heuristics. The similarities and differences of usability evaluation methods and usability problems are summarized on the basis of usability factors, current evaluation methods and interface loopholes.

    1. INTRODUCTION

    Network security guarantees the protection of valuable and available network assets from viruses, key loggers, hackers and unauthorized access. Network practitioners use special tools such as firewalls, antivirus, NMAP and Intrusion Detection Systems (IDS) in order to manage network security. Among all these tools, the IDS is considered the most important network tool for managing network security. The security practitioner interacts with the IDS through an interface, which may be used to perform administrative functions or to support event monitoring and analysis. This interaction between the security practitioner and the IDS interface is an important aspect of human-computer interaction (HCI), indicating that security should inevitably lead to the security practitioners' trust in the system (Heeren & Furnell, 2011).

    One of the most important parts of an IDS is its display interface, which exhibits many usability issues as well as design deficiencies that need to be addressed (Patil, Bhutkar, & Tarapore, 2012). Usability ensures better understanding and efficiency in IDS, making them more user-friendly and humanized; this helps the largest possible set of users, including novice users, to understand and use IDS (Patil et al., 2012). It has been observed that users fail to understand the display of an IDS because it presents unrelated information and contains too many technical details that the user does not require (Patil et al., 2012). Over the past few years the internet has evolved, and the challenge of network security has grown with it. Research has shown that human and organizational factors have an impact on network security (Kraemer, Carayon, & Clem, 2009): a person's knowledge, experience and background can affect network security, while an organization that is not familiar with network security tools and data protection will affect its own network and data security. This is a particularly prominent issue for the many organizations that want to protect their valuable and confidential data from threats inside or outside the organization. Other research has highlighted various challenges in using IDS, such as deployment considerations, configuration of security settings, availability of information about log storage in the IDS, and the need for additional software for better operation (Nielsen & Molich, 1990; Nurmuliani, Zowghi, & Williams, 2004). These challenges have led us to some vital usability heuristics in our study. Similarly, some research has discussed issues in the testing of IDS (Cannady & Harrell, 2000), and these issues have guided us in designing heuristics for IDS.