Reza Alavi - Academia.edu
Papers by Reza Alavi
Soliciting and managing the protection of information assets has become an objective of paramount importance in an organizational context. An Information Security Management System (ISMS) has the unique role of ensuring that adequate and appropriate security tools are in place to protect information assets. Security is always seen in three dimensions: technology, organization, and people. Undoubtedly, the socio-technical challenges have proven to be the most difficult ones to tackle. Social Engineering Attacks (SEAs) are a socio-technical challenge and considerably increase security risks: they seek access to information assets by exploiting vulnerabilities in organizations, targeting human frailties. Dealing effectively and adequately with SEAs requires practical security benchmarking together with control mechanism tools, which in turn requires investment to support security and ultimately organizational goals. This paper contributes in this area. In particular, the paper proposes a language for managing SEAs using several concepts such as actor, risks, goals, security investment and vulnerabilities. The language supports in-depth investigation of human factors as one of the main causes of SEAs. It also assists in the selection of appropriate mitigation mechanisms while taking security investment into account. Finally, the paper uses a real incident in a financial institution to demonstrate the applicability of the approach.
Information and Computer Security, 2016
Purpose: The purpose of this paper is to introduce a risk-driven investment process model for analysing human factors that allows information security managers to capture possible risk–investment relationships and to reason about them. The overall success of an information security system depends on analysis of the risks and threats so that appropriate protection mechanisms can be put in place. However, lack of appropriate analysis of risks may potentially result in failure of information security systems. Existing literature does not provide adequate guidelines for a systematic process or an appropriate modelling language to support such analysis. This work aims to fill this gap by introducing the process and reasoning about the risks while considering human factors.
Design/methodology/approach: To develop a risk-driven investment model along with the activities that support the process. These objectives were achieved through the collection of quantitative and qualitative data utili...
Communications in Computer and Information Science, 2015
Conventional patterns of the ways information systems run are rapidly evolving. Cloud computing has undisputedly had a profound influence in this direction by providing many benefits, such as accessibility and availability of resources to organisations. But the economic advantage and the cost impact are far more attractive to organisations than anything else when it comes to cloud computing. This convenience and attractiveness come with new phases of security and risk challenges for both cloud providers and clients, which require investment to manage and mitigate them. The challenges get more complicated as the service itself crosses geographical and national boundaries, which creates a completely new paradigm for security, risk, privacy and, more importantly, cost implications. Social Engineering Attacks (SEAs) are an example of those risks and are a very attractive way for attackers to access classified data. There are certain constraints on employees when they use a LAN. These limitations are greatly reduced by the introduction of cloud and off-site services, which allows attackers to use any compromised password from any web-connected device. This paper discusses the main issues for organisations migrating to a cloud environment regarding the human factors of SEA threats and related risk concepts. The approach provides a set of recommendations for appropriate control actions to mitigate the related risks.
Lecture Notes in Computer Science, 2014
Safeguarding and securing information assets is critical and challenging for organizations using information systems to support their key business processes. An Information Security Management System (ISMS) sets up a solid security framework and regulates, in a systematic way, how an information system can securely use its resources. However, technical advancements in information security do not always guarantee overall security. All kinds of human factors can deeply affect the management of security in an organizational context despite all security measures. But analyzing, modeling, quantifying and controlling human factors is difficult due to their subjective and context-specific nature, because individuals tend to have distinct degrees of personal and social status. This paper attempts to propose a conceptual framework for analyzing and reasoning about three main human factors in an organizational context, supported by a goal-modeling language based on the concepts of human factors, the driving and resisting forces of the Force-Field Analysis (FFA) tool, goals, risks, vulnerability, controls, and threats. This framework is beneficial for a better understanding of human factors in the ISMS process, which eventually leads to reasoning about a rational change in the organizational context while providing reasonable metrics for security. One such metric would be return on investment (ROI), which is a concern of every organization.
International Journal of Secure Software Engineering, 2013
Managing security is essential for organizations doing business in a globally networked environment and for organizations that are at the same time seeking to achieve their missions and goals. However, numerous technical advancements do not always produce a more secure environment. All kinds of human factors can deeply affect the management of security in an organizational context. Therefore, security is not solely a technical problem; rather, the authors need to understand human factors, which need adequate attention to achieve effective information security management system practice. This paper identifies direct and indirect human factors that have an impact on information security. These factors were analyzed through the study of two security incidents at UK financial organizations using the SWOT (Strengths, Weaknesses, Opportunities, and Threats) technique. The study's results show that human factors are the main causes of these security incidents. Factors such as trainin...
Information security experts are finding it challenging to respond in a timely manner to emerging threats. The rapidly changing security landscape and dependency on agile software and system development projects make it challenging to address these threats in real time. This could create potential risks to overall business continuity. Furthermore, critical human factors, cost and investment in the information security field add more anxiety in dealing with risks in an agile environment. There is a need for a unified approach to address the principles of information security, human factors and security investment in an agile environment. This paper provides a solution for constructing an effective information security system by taking into consideration adequate risk assessment and controls, critical human factors and security investment within agile changes of the security landscape. A list of concepts is considered for the purpose of an effective information se...
Public …, 2003
In this article, the relationship between self-esteem and job satisfaction (satisfaction with the kind and nature of the work, satisfaction with the manager or supervisor, satisfaction with co-workers, satisfaction with promotion, satisfaction with salary and wages) is considered and examined. A random sample of 310 personnel in the Kerman province of Iran was selected. Two valid and reliable questionnaires, the Kruskal-Wallis test and the median test were used in data analysis. The results indicated that there is a meaningful (significant) relationship between self-esteem and the following factors: the degree of job satisfaction; the degree of satisfaction with the kind and nature of the work; the degree of satisfaction with the manager or supervisor; the degree of satisfaction with co-workers; the degree of satisfaction with promotion; and the degree of satisfaction with salary and wages. There is no significant difference in the degree of job satisfaction and its five dimensions across the different levels of each of the moderating variables: sex, age, salary, marital status, number of family members and length of service.