Analyzing Human Factors for an Effective Information Security Management System

Managing security is essential for organizations doing business in a globally networked environment while at the same time seeking to achieve their missions and goals. However, numerous technical advancements do not always produce a more secure environment. All kinds of human factors can deeply affect the management of security in an organizational context. Security is therefore not solely a technical problem; rather, human factors must be understood and given adequate attention to achieve an effective information security management system practice. This paper identifies direct and indirect human factors that have an impact on information security. These factors were analyzed through the study of two security incidents at UK financial organizations using the SWOT (Strengths, Weaknesses, Opportunities, and Threats) technique. The study's results show that human factors are the main causes of these security incidents. Factors such as training, awareness, and security culture influence organizational strengths and opportunities relating to information security. People's irrational behavior and errors are the main weaknesses highlighted in the security incidents, and they pose threats such as poor reputation and high costs.

Reza Alavi, University of East London, UK; Shareeful Islam, University of East London, UK; Hamid Jahankhani, University of East London, UK; Ameer Al-Nemrat, University of East London, UK
