Human and organizational factors in computer and information security: Pathways to vulnerabilities
Related papers
Human Factors in Information Security
2017
Some organizations view "technical solutions" as the immediate answer to their information security problems. This attitude is promoted by several suppliers of, you guessed it, those very same "technical solutions". Don't get me wrong: technology-based information security products such as firewalls, antivirus software, VPNs and SIEMs are valuable weapons in the security manager's armory, but there are severe drawbacks to a pure-play technological approach:
• Firstly, technology is fallible. Despite the best efforts of the software quality engineering movement, hackers, testers and users continue to find unchecked buffers, unexpected exceptions, backdoors and other gross vulnerabilities in commercial and in-house developed software. If anything, they are being discovered and exploited at an increasing rate, despite the enormous investment in secure coding practices and system security testing. This problem is compounded by the complexity of IT systems. Organizations that empl...
International Journal of Computer Applications, 2016
Research in information security has all this while been concerned only with technical problems, and efforts to improve information security have been software-centered or hardware-oriented. There have been limited attempts at addressing the people who use the computers, though they are the greatest loophole in information systems security. This paper examines and addresses the threats end-users pose to systems security. Regardless of the countless technological solutions introduced to address system vulnerabilities, the human factor is still the greater threat to systems security. The study draws its data from a survey conducted on people who frequently use information systems. Professional and technical inputs were also solicited from IT personnel through interviews. Four experiments were conducted to test the accuracy of the survey. A phony phish system was developed to test respondents' information security consciousness. The goal of the phony phish system was to send phishing emails that can be used to measure the accuracy of the survey. The rest of the experiments were SQL injection, cross-site scripting and brute-force attacks.
Review of Information Security Vulnerability: Human Perspective
Information security is about the confidentiality, integrity and availability of data, and due to the complexity of human resources, information security has always been exposed to internal threats from users. This study is an attempt to address the human factors of information security vulnerability which may present as an inter-organizational threat and contribute to information security breaches. Based on the study, lack of training, lack of team-working skill, having no control over emotions, having different risk perceptions, improper attitudes, improper security culture, improper risk communication, hiring inexperienced staff and having demotivated staff are found to be the significant factors of information security vulnerability from the human's perspective.
The Human Factor of Information Security: Unintentional Damage Perspective
Procedia - Social and Behavioral Sciences, 2014
It is widely acknowledged that employees of an organization are often a weak link in the protection of its information assets. Information security has not been given enough attention in the literature in terms of the human factor effect; researchers have called for more examination in this area. Human factors play a significant role in computer security. In this paper, we focus on the relationship of the human factor to information security, presenting the human weaknesses that may lead to unintentional harm to the organization, and discuss how information security awareness can be a major tool in overcoming these weaknesses. A framework for field research is also presented in order to identify the human factors and the major attacks that threaten computer security.
Deriving Cyber Security Risks from Human and Organizational Factors – A Socio-technical Approach
Complex Systems Informatics and Modeling Quarterly, 2019
Cyber security risks are socio-technical in nature. They result not just from technical vulnerabilities but also, more fundamentally, from the degradation of working practices over time, which moves an organization across the boundary of secure practice to a place where attacks will not only succeed, but also have a significantly greater impact on the organization. Yet current risk analysis and management methodologies are not designed to detect these kinds of systemic risks. We present an approach, devised in the field, to deriving these risks using a qualitative research methodology, akin to grounded theory, but based on preset coding descriptors. This allows organizational and individual behavior identified during interviews, observations or document research to be thematically analyzed, collated and mapped to potential risks, linked to poor working practices. The resulting risk factors can be linked together forming "risk narratives", showing how the degradation of working practices in one part of the organization can contribute to undermining its ability to respond to cyber security threats in another part of the organization.
Human errors in the information security realm – and how to fix them
Computer Fraud & Security, 2016
Information security breaches and privacy violations are major concerns of many organizations. Human behaviour, whether intentional or negligent, is a great potential source of risk to information assets. It is acknowledged that technology alone cannot guarantee a secure environment for information assets; human considerations should be taken into account as well as technological and procedural aspects. This article strives to present a useful classification of users' mistakes in the domain of information security. The outputs of this study shed some light on the subject for both academics and practitioners.
Analyzing Human Factors for an Effective Information Security Management System
International Journal of Secure Software Engineering, 2013
Managing security is essential for organizations doing business in a globally networked environment and for organizations that are at the same time seeking to achieve their missions and goals. However, numerous technical advancements do not always produce a more secure environment. All kinds of human factors can deeply affect the management of security in an organizational context. Therefore, security is not solely a technical problem; rather, the authors need to understand human factors, which need adequate attention to achieve an effective information security management system practice. This paper identifies direct and indirect human factors that have impact on information security. These factors were analyzed through the study of two security incidents of the UK’s financial organizations using the SWOT (Strength, Weaknesses, Opportunities, and Threats) technique. The study’s results show that human factors are the main causes for these security incidents. Factors such as trainin...
Human Factors Influence in Information Systems Security: Towards a Conceptual Framework
Proceedings of the 2nd African International Conference on Industrial Engineering and Operations Management, 2020
The importance of protecting information in banks and mitigating security breaches is becoming greater than ever. Human factors represent essential issues in information systems security in organizations, since human factors determine the behavior of employees toward information systems security. Extant literature reveals that the human factor aspect is one of the emerging research areas in information security. Thus, this research tries to explore the information systems security countermeasures that are used to reduce internal threats and how employees perceive them, and to create a human factors model to address human factor gaps in information systems security in commercial banks in Ethiopia. Accordingly, a conceptual human factor model is developed from the literature. A qualitative case study research design is employed to validate the proposed conceptual framework in selected banks in Ethiopia. Purposive sampling is employed to select the sampled banks. The samples are selected based on the eligibility criterion that the respondents should have experience and expertise in information systems security and banking activities. The research contributes to the current knowledge of information security by demonstrating the importance and critical role of human factors in the development of an information systems security model. The main contribution would be the advancement of the theoretical and practical basis for information systems security in proposing a model framework for developing, assessing and modeling a human factor model. Furthermore, it improves the understanding of risks in the security incident stages in relation to human factors.
Threat Analysis and Response Solutions, 2009
The goal of our study is to contribute to a better understanding of role conflict, skill expectations, and the value of information technology (IT) security professionals in organizations. Previous literature has focused primarily on the role of information professionals in general but has not evaluated the specific role expectations and skills required by IT security professionals in today's organizations. In this chapter, we take into consideration the internal and external factors that affect the security infrastructure of an organization and therefore influence the role expectations and skills required by those who are in charge of the security of network infrastructures in organizations. First, we describe the factors discussed in the literature and support them with quotes gathered from interviews conducted with information security professionals in small organizations in Central New York. Then, we present a set of common themes that expand the understanding of this role and finally we provide practical recommendations that would facilitate the management of these professionals within organizations.