A policy driven, human oriented information security model: a case study in UAE banking sector

As companies continue to invest in information security, human weaknesses remain a root cause of data breaches in organisations. Several security models have been proposed in the literature, but they largely remain ineffective at addressing this human vulnerability. In this paper, a policy-driven, human-oriented information security model is proposed. By adopting an information security policy, organisations set strong foundations on which sound security practices can be disseminated and enforced within the organisation. Instead of viewing humans as the source of the problem, the model treats humans as the primary source of effectiveness in implementing security policy. In this model, the staff of an organisation collectively secure it from attacks. From the existing literature and interviews conducted with selected banks in the UAE, three primary factors, namely information security policy awareness, security training, and computer and security technology proficiency, have been identified and incorporated into the new security model.
