An integrated view of human, organizational, and technological challenges of IT security management

Purpose – The purpose of this study is to determine the main challenges that IT security practitioners face in their organizations, including the interplay among human, organizational, and technological factors.

Design/methodology/approach – The data set consisted of 36 semi‐structured interviews with IT security practitioners from 17 organizations (academic, government, and private). The interviews were analyzed using qualitative description with constant comparison and inductive analysis of the data to identify the challenges that security practitioners face.

Findings – A total of 18 challenges that can affect IT security management within organizations are identified and described. This analysis is grounded in related work to build an integrated framework of security challenges. The framework illustrates the interplay among human, organizational, and technological factors.

Practical implications – The framework can help organizations identify potential challenges when implementing security standards, and...
