Human and organizational factors in computer and information security: Pathways to vulnerabilities

Article (PDF Available) in Computers & Security 28(7):509-520 · October 2009 with 1,012 Reads
DOI: 10.1016/j.cose.2009.04.006 · Source: DBLP
The purpose of this study was to identify and describe how human and organizational factors may be related to technical computer and information security (CIS) vulnerabilities. A qualitative study of CIS experts was performed, consisting of two 5-member focus group sessions. The participants in the focus groups each produced a causal network analysis of human and organizational factor pathways to types of CIS vulnerabilities. Findings suggested that human and organizational factors play a significant role in the development of CIS vulnerabilities and highlighted the complex relationships among human and organizational factors. The factors were categorized into 9 areas: external influences, human error, management, organization, performance and resource management, policy issues, technology, and training. Security practitioners and management should be aware of the multifarious roles of human and organizational factors in CIS vulnerabilities, and that CIS vulnerabilities are not the sole result of a technological problem or programming mistake. The design and management of CIS systems need an integrative, multi-layered approach to improve CIS performance (suggestions for analysis are provided).

Available from: Pascale Carayon
    • "To prevent bias, the backgrounds of the participants differ as well as their current roles."
    Abstract: In the current business environment, many organizations use popular standards such as the ISO 27000x series, COBIT, and related frameworks to protect themselves against security incidents. However, these standards and frameworks are overly complicated for small to medium-sized enterprises, leaving these organizations with no easy-to-understand toolkit to address their security needs. This research builds upon the recent Information Security Focus Area Maturity (ISFAM) model for SME information security as a cornerstone in the development of an assessment tool for tailor-made, fast, and easy-to-use information security advice for SMEs. By performing an extensive literature review and evaluating the results with security experts, we propose the Characterizing Organizations' Information Security for SMEs (CHOISS) model to relate measurable organizational characteristics in four categories through 47 parameters to help SMEs distinguish and prioritize which risks to mitigate.
    Full-text · Article · Apr 2016
    • "Often insiders are defined and characterized on the basis of case studies (Wall 2013; Shaw & Fisher, 2005). These case studies point to the importance of technical (Johnson & Dynes, 2007), psychological (Federal Bureau of Investigation 2014; Herbig 2008; Shaw, Ruby and Post, 1999), and organizational features (Kraemer, Carayon, and Clem 2009; Royds, 2009). Much of the work considers the psychological or behavioral factors such as the ability to lie (Hogan and Hogan, 1994), or the level of personal emotional or financial stress. "
    Abstract: A significant volume of information leaks in organizations is inadvertent, a form of information spillage. Because the leakage of information is driven by the complex interaction of technology, social, and behavioral factors, we use a hybrid agent-based and dynamic network model, Construct, to simulate the flow of sensitive information in knowledge-driven organizations. Because interaction patterns often change when an organization is under stress, we simulate stress to the organization with effect-based (reliability and integrity) crisis scenarios. Using a virtual experiment, we vary the crisis scenarios, the organization's structure, IT connections, and pressure to separate personnel based on security ratings. Our experiment suggests that the organization's structure, IT connections, separation pressure, and typical performance all influence how much an organization suffers from inadvertent leakage. In evaluating how organizations respond to crisis, organizations with stove-piped IT tend to clamp down on leakage in response to the crisis, while organizations with Mesh IT tend to have more leakage. Integrity crises tend to decrease leakage, while reliability crises tend to increase leakage in organizations, especially those with Mesh-based IT.
    Article · Mar 2016
    • "In keeping an organization safe from cyber-attacks, most attention is placed on technology. A great deal of an organization's focus is upon the technical aspects of cybersecurity including enhancing firewall protection or selecting the best anti-virus software [7]. However, a purely technical approach to cybersecurity can present substantial limitations. "
    Full-text · Chapter · Jan 2016 · Computational and Mathematical Organization Theory