Human and organizational factors in computer and information security: Pathways to vulnerabilities
Abstract
The purpose of this study was to identify and describe how human and organizational factors may be related to technical computer and information security (CIS) vulnerabilities. A qualitative study of CIS experts was performed, consisting of two focus group sessions with five members each. The participants in the focus groups each produced a causal network analysis of the pathways by which human and organizational factors lead to types of CIS vulnerabilities. The findings suggest that human and organizational factors play a significant role in the development of CIS vulnerabilities and emphasize the complexity of the relationships among those factors. The factors were categorized into 9 areas: external influences, human error, management, organization, performance and resource management, policy issues, technology, and training. Security practitioners and management should be aware of the many ways in which human and organizational factors contribute to CIS vulnerabilities, and that CIS vulnerabilities are not solely the result of a technological problem or programming mistake. The design and management of CIS systems need an integrative, multi-layered approach to improve CIS performance; suggestions for such analysis are provided.
- Wisconsin Center for Education Research, University of Wisconsin-Madison, 1025 West Johnson Street, Madison, WI 53706, USA
- Center for Quality and Productivity Improvement, Department of Industrial and Systems Engineering, University of Wisconsin-Madison, 3126 Engineering Centers Building, 1515 Engineering Drive, Madison, WI 53706-1609, USA
- Information Design Assurance Red Team, Sandia National Laboratories, P.O. Box 5800, MS 0671, Albuquerque, NM 87185-0671, USA