Human and organizational factors in computer and information security: Pathways to vulnerabilities

Center for Quality and Productivity Improvement, Department of Industrial and Systems Engineering, University of Wisconsin-Madison, 3126 Engineering Centers Building, 1515 Engineering Drive, Madison, WI 53706-1609, USA
Computers & Security (Impact Factor: 1.03). 10/2009; 28(7):509-520. DOI: 10.1016/j.cose.2009.04.006
Source: DBLP


The purpose of this study was to identify and describe how human and organizational factors may be related to technical computer and information security (CIS) vulnerabilities. A qualitative study of CIS experts was performed, consisting of two 5-member focus group sessions. The participants in the focus groups each produced a causal network analysis of human and organizational factor pathways to types of CIS vulnerabilities. The findings suggested that human and organizational factors play a significant role in the development of CIS vulnerabilities and emphasized the complexity of the relationships among human and organizational factors. The factors were categorized into 9 areas: external influences, human error, management, organization, performance and resource management, policy issues, technology, and training. Security practitioners and management should be aware of the multifarious roles that human and organizational factors play in CIS vulnerabilities, and that CIS vulnerabilities are not solely the result of a technological problem or programming mistake. The design and management of CIS systems need an integrative, multi-layered approach to improve CIS performance (suggestions for analysis are provided).



Available from: Pascale Carayon
  • "This is a big issue for many organizations who want to protect their useful and confidential data from threats inside or outside the organization. Research shows that human and organizational factors also impact network security [1]. Network practitioners face challenges in managing security, and they utilize special tools like firewalls, antivirus, nmap and IDS."
    ABSTRACT: Intrusion Detection Systems (IDS) are considered one of the important network tools in managing network security. It is found that network practitioners find it difficult to use current IDS. Even when security software like IDS works efficiently, users find it difficult to use and understand. As a result, users have difficulty using and judging the quality of the output. Therefore, usability evaluation is important to help users interact efficiently and to enhance the usage of IDS. In most situations the usability evaluation is done by usability engineers. In small or large companies, software developers are forced to learn a different paradigm of usability. This is not easier than training usability engineers in how to develop software. As a remedy, the Cognitive Analysis of Software Interface (CASI) system has been designed for software engineers. Moreover, this system helps software engineers evaluate the IDS based on user perception and evaluation views. New heuristics to evaluate IDS are proposed in this paper, and a broad literature on software interfaces and evaluation methodologies is discussed. Further, challenges associated with interfaces and new methods to evaluate the usability of software are reviewed.
    Full-text · Article · Nov 2015
  • "From an information security point of view, humans are the main actors that passively or actively influence the security of a system. Generally, humans have two types of "negative" influences on security: they either introduce vulnerabilities in terms of flaws or mistakes in the design, implementation, configuration, and operation of the system ([23]), or pose threats as attackers who exploit the vulnerabilities and compromise the security of the system ([26] [31]). Obviously, different roles typically connected to a business process are able to introduce vulnerabilities and launch attacks."
    ABSTRACT: Information security in Process-aware Information Systems (PAIS) relies on many factors, including the security of the business process and of the underlying system and technologies. Moreover, humans can be the weakest link that creates a pathway to vulnerabilities, or the worst enemy that compromises a well-defended system. Since a system is only as secure as its weakest link, information security can only be achieved in PAIS if all factors are secure. In this paper, we address two research questions: how to conduct a cross-layer security analysis that couples security concerns at the business process layer as well as at the technical layer; and how to include the human factor in the security analysis for the identification of human-oriented vulnerabilities and threats. We propose a methodology that supports the tracking of security interdependencies between functional, technical, and human aspects, which contributes to establishing a holistic approach to information security in PAIS. We demonstrate the applicability with a scenario from the payment card industry.
    Full-text · Article · Jul 2015
  • "Various researchers have investigated information security culture and the mechanisms that could potentially influence the culture and behaviour of employees (Schlienger and Teufel 2005; Thomson et al. 2006; Kraemer, Carayon, & Clem, 2009; Ruighaver et al. 2007; Van Niekerk and Von Solms 2010; Furnell and Thompson 2009; Van Niekerk and Von Solms, 2010; Furnell & Rajendran, 2012). Management, policies, awareness and compliance are some of the prominent mechanisms that could potentially influence information security culture – see table 1."
    ABSTRACT: Information security culture must be considered as part of the information security programme to direct employee behaviour. Such a culture can contribute to the protection of information and minimise the risk that employee behaviour poses. This paper proposes a theoretical model, i.e. an information security culture model (ISCM), with four mechanisms (i.e. management, policies, awareness and compliance) that potentially influence information security culture positively. ISCM is based on the information security culture assessment (ISCA) questionnaire dimensions, which are correlated with the theoretical mechanisms (dimensions). The theoretical model is validated through structural equation modelling (SEM) using empirical data derived from an ISCA assessment. This research produces a sound theoretical information security culture model, which is supported by the empirical study and further confirms the research hypothesis that management, policies, awareness and compliance contribute to an information security-positive culture, as represented by the validated model.
    Full-text · Conference Paper · Jul 2015