Social Aspects of Information Security

Social Engineering (SE) threats have been a reality for Information Technology (IT) systems for many years, yet even the latest editions of the generally accepted Information Security (IS) standards and best-practice directives do not effectively address the social engineering aspect of IS defences. SE attacks target the human element of IS by exploiting human relations as far as they possibly can. The social relations between the interacting individuals involved in an Information Security Management System (ISMS), combined with the frequently unpredictable ways in which humans act and react to stimuli, create opportunities that social engineers can and do exploit. If the social elements of IS are ignored in the ongoing effort against social engineering attacks, false working assumptions may be made, and these inadvertently result in controls that are insufficient against the identified SE threats. Put simply, Information Security scientists can no longer afford to ignore the nature of the social structures that govern all aspects of human relations, and in particular those that lie within the context of an ISMS. This paper aims to strengthen the research on SE threat identification and control by applying sociological principles to IT and ISMSs, thereby bringing to light their nature as social structures. It forms part of a larger effort by the authors to systematically identify, and subsequently cater for, SE threats to IS, in the context of which the social foundations of IS are examined.
