System End-User Actions as a Threat to Information System Security

Human errors in the information security realm – and how to fix them

Computer Fraud & Security, 2016

Information security breaches and privacy violations are major concerns of many organizations. Human behaviour, whether intentional or negligent, is a major source of risk to information assets. It is acknowledged that technology alone cannot guarantee a secure environment for information assets; human considerations should be taken into account alongside technological and procedural aspects. This article strives to present a useful classification of users' mistakes in the domain of information security. The outputs of this study shed some light for both academics and practitioners.

Information System Security Practices and Implementation Issues and Challenges in Public Universities

European Journal of Information Technologies and Computer Science

The use of information and communication technology has been providing a competitive edge for universities globally, and Kenyan universities are no exception. This has in turn made the universities targets of cyber-attacks and hence exposed them to unprecedented security risks. The universities need to implement information security best practices and standards in their technological environments to remain secure and operational. The research sought to investigate the information security practices adopted by Kenyan public universities to protect themselves. A descriptive survey method was employed, while the study was based on the Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) framework and other industry security best practices. The study targeted the 31 chartered public universities, which were clustered based on their year of establishment. Simple random and purposive sampling methods were utilized to select two target universities per cluster and deter...

A Human-Centric Cybersecurity Framework for Ensuring Cybersecurity Readiness in Universities

2023

The escalating number of cyberattacks on universities worldwide has resulted in universities losing valuable information assets, leading to disruption of operations and loss of reputation. The research sought to explore a framework for human-factor vulnerabilities related to cybersecurity knowledge and skills, which enable cybercriminals to manipulate human elements into inadvertently granting access to critical information assets through social engineering attacks. Descriptive and inferential statistics were used to test the data, and Pearson's correlation statistics were used to measure the statistical relationships and association of variables. The results revealed that students and staff are vulnerable to social engineering attacks and that their ability to protect themselves and other information assets is limited, mainly due to poor cybersecurity knowledge and skills resulting from poor cybersecurity awareness and education.

SECURING USER EXPERIENCE: A SURVEY ON INFORMATION SECURITY CONTROLS IN A HIGHER EDUCATION INSTITUTION

IAEME PUBLICATION, 2024

Information security in education is more important than ever in a digital world. As educational institutions use technology to improve learning, protecting sensitive data is crucial. Over time, information security has become a socio-technical issue, incorporating both technology and human elements. It is also widely believed that insiders with privileged access to the organization's systems and data are the key information security concern. For instance, bring your own device, which offers users access to the internal network and sensitive data, benefits enterprises but also increases security threats. End users are the most vulnerable aspect of information security, but some researchers believe they are the most important asset in protecting enterprises. As "the first line of defense", end users must be vigilant and skilled to secure organizations. Thus, organizations must include human factors in security. Despite various security technology studies, end-user factors have been little studied. Therefore, this research evaluates information security controls used by end users, notably students in an educational setting. A Likert scale-based questionnaire was given to 378 university students as primary data collection. Validated scales and study-objective-related items based on the Center for Internet Security (CIS) Controls, which comprise basic security procedures for hygiene and cyber attack protection, were included in a structured survey questionnaire. Overall, the mean score indicates modest information security control maturity, with several areas having strong procedures but others needing improvement to enhance security. This study, like others, has limitations; for instance, the university's current network infrastructure and security operations organizational setup were not included because of the risk of external and internal attacks. Disclosing this information could compromise the network infrastructure and other critical servers.
Furthermore, the generalizability of this study's findings may be limited to specific organizational contexts, as various qualities, corporate culture, and technology frameworks might have varying impacts on information security controls. Hence, it is imperative for future research to address these constraints by undertaking cross-industry investigations, integrating additional information security measures, employing a longitudinal study framework, and evaluating controls in the face of increasing cybersecurity risks.

Information System Security Threats and Vulnerabilities: Evaluating the Human Factor in Data Protection

International Journal of Computer Applications, 2016

Research in information security has all this while been concerned only with technical problems, and efforts to improve information security have been software-centered or hardware-oriented. There have been limited attempts to address the people who use the computers, though they are the greatest loophole in information systems security. This paper examines and addresses the threats end users pose to systems security. Regardless of the countless technological solutions introduced to address system vulnerabilities, the human factor is still the greater threat to systems security. The study draws its data from a survey conducted on people who frequently use information systems. Professional and technical inputs were also solicited from IT personnel through interviews. Four experiments were conducted to test the accuracy of the survey. A phony phish system was developed to test respondents' information security consciousness. The goal of the phony phish system was to send phishing emails that could be used to measure the accuracy of the survey. The rest of the experiments were SQL injection, cross-site scripting and brute force attack.

A Case Study in the Implementation of a Human-Centric Higher Education Cybersecurity Program

2018

This article contains a description of the implementation of a comprehensive cyber security program at a regional comprehensive university. The program was designed to create an effective cyber security management infrastructure and to train end users and other categories of security management personnel in data protection and cyber security. This work addresses the impetus for the program, the rather extensive planning and development that went into the program, its implementation, and insights gleaned from the experience. The paper concludes with a summary of the strengths and weaknesses of the initiative.

A Comparative Analysis of University Information Systems within the Scope of the Information Security Risks

TEM Journal, 2016

Universities are the leading institutions that produce the educated population who both generate information and develop new products and services by using information effectively, and who are needed in every field. Therefore, universities are expected to be institutions where information and information management are used efficiently. In the present study, topics such as infrastructure, operation, application, information, policy and human-based information security at universities were examined within the scope of the information security standards that are highly required and intended to be available at each university today, and then a comparative analysis was conducted specific to Turkey. Within the present study, the Microsoft Security Assessment Tool developed by Microsoft was used as the risk analysis tool. The analyses aim to enable the universities to compare their information systems with the information systems of other universities within ...

Leveraging human factors in cybersecurity: an integrated methodological approach

Cognition Technology and Work, 2021

Computer and Information Security (CIS) is usually approached from a technology-centric viewpoint, where the human components of sociotechnical systems are generally considered their weakest part, with little consideration for the end users' cognitive characteristics, needs and motivations. This paper presents a holistic/Human Factors (HF) approach, where the individual, organisational and technological factors are investigated in pilot healthcare organisations to show how HF vulnerabilities may impact cybersecurity risks. An overview of current challenges in relation to cybersecurity is first provided, followed by the presentation of an integrated top-down and bottom-up methodology using qualitative and quantitative research methods to assess the level of maturity of the pilot organisations with respect to their capability to face and tackle cyber threats and attacks. This approach adopts a user-centred perspective, involving both the organisations' management and employees. The results show that a better cyber-security culture does not always correspond with more rule-compliant behaviour. In addition, conflicts among cybersecurity rules and procedures may trigger human vulnerabilities. In conclusion, the integration of traditional technical solutions with guidelines to enhance CIS systems by leveraging HF in cybersecurity may lead to the adoption of non-technical countermeasures (such as user awareness) for a comprehensive and holistic way to manage cyber security in organisations.

Human and organizational factors in computer and information security: Pathways to vulnerabilities

Keywords: Human and organizational factors; Design; Pathways; Vulnerabilities; Causal Network Analysis

The purpose of this study was to identify and describe how human and organizational factors may be related to technical computer and information security (CIS) vulnerabilities. A qualitative study of CIS experts was performed, which consisted of two 5-member focus group sessions. The participants in the focus groups each produced a causal network analysis of human and organizational factor pathways to types of CIS vulnerabilities. Findings suggested that human and organizational factors play a significant role in the development of CIS vulnerabilities and emphasized the relationship complexities among human and organizational factors. The factors were categorized into 9 areas: external influences, human error, management, organization, performance and resource management, policy issues, technology, and training. Security practitioners and management should be aware of the multifarious roles of human and organizational factors in CIS vulnerabilities, and that CIS vulnerabilities are not the sole result of a technological problem or programming mistake. The design and management of CIS systems need an integrative, multi-layered approach to improve CIS performance (suggestions for analysis provided).

Enhancing Cybersecurity Resilience: A Comprehensive Analysis of Human Factors and Security Practices Aligned with the NIST Cybersecurity Framework

2023

Although effective technical countermeasures play a pivotal role in safeguarding organizations' digital assets, the persistent challenge of human factors in cybersecurity cannot be underestimated. This study aims to identify the human factors employed within the cybersecurity research community and the relevant human-centric security practices. These human factors and security practices are subsequently mapped to the functions, categories, and sub-categories of the NIST Cybersecurity Framework (NIST-CSF). The methodology for this research comprises a literature review and qualitative mapping techniques. The findings show the identification of 20 distinct human factors and 12 security practices. Additionally, the mapping reveals that 3 of the NIST-CSF functions, 8 categories, and 19 sub-categories are directly related to human aspects of cybersecurity. By aligning human factors and security practices with established NIST-CSF guidelines, organizations can strengthen their overall security posture. Moreover, it helps identify gaps in cybersecurity related to human factors, so that vulnerabilities can be addressed and risks associated with human error mitigated, reducing the likelihood of security incidents and data breaches. Ultimately, this study provides valuable insights, presents conclusions, and suggests directions for future work.