It is hard to accept that, nowadays, organizations could get along without an astute and decisive information system. Providing a reliable and coherent information system requires a solid security framework that ensures the confidentiality, integrity, availability, and authenticity of critical organizational assets.
An Information Security Management System (ISMS) defines how to set up a solid security framework and regulates, in a systematic way, how information technology resources may be used. But technical advances in ISMS do not by themselves guarantee that the overall organizational environment is secure. Human factors play a significant role in information security.
In particular, human characteristics and behaviour affect information security and, ultimately, its associated risks. This article provides an overview of our research into analysing human factors and their influence on an effective information security management system.
The research uses force field analysis to understand the driving and restraining forces behind human issues and treats these forces as the goals and obstacles of information security. It then models the human factors while attempting to understand an organization's current ISMS situation and how it can be improved toward an ideal situation. It will provide measures for investment in the factors that fulfil the goals of the ISMS.
Increasingly, information security incidents result from interactions among the people who work across organizations in dealing with the ISMS. This has major implications for the role of human factors and challenges their place in the information security process.
Technology is an essential part of securing information assets, but people are responsible for the design, implementation and operation of these technological tools (Lacey 2009; Islam 2008). Technology has evolved enormously, yet IS incidents still happen, and this can be read as a failure of the ISMS.
As a result, ISMS guidelines and standards face a serious credibility threat. Recent studies have identified various technical, non-technical, and regulatory issues behind the failure of ISMS (D'Arcy et al. 2009; Herzog 2010; Lim et al. 2010). It has been noted that 92% of large organizations admitted they had information security incidents, a figure that increased 72% in 2010 compared to 2008 (Deloitte, 2011).
According to this report, and as far as this study is concerned, UK financial organizations face a real threat from information security risks. Information security studies have primarily focused on the effects of security on computer abuse and misuse without providing any quantification that could help Chief Information Security Officers (CISOs) make decisions on allocating resources to deal with security threats (Lee et al. 2004; D'Arcy et al. 2009; Kankanhalli et al. 2003).
IS risks have adverse consequences for organizational operations and assets. Security systems do not depend solely on preventing technical problems; they also depend on the humans who use the systems and behave in "a certain way" in the system environment (Alavi et al., 2013). The real challenges come from non-technical forces, i.e., human and organizational issues. Therefore it is necessary to understand and address the issues relating to human factors.
This research proposes a model for analyzing human factors using force field analysis. For this purpose, human factors are taken from the author's previous work and mapped onto force field analysis and the goal-driven risk management model. The model places human factors into two categories, driving forces and restraining forces: driving forces promote goals, i.e. the objectives and expectations of information security, while restraining forces are deemed obstacles that arise as a consequence of an ineffective ISMS.
The approach then identifies the current and ideal ISMS situations in organizations. Finally, the study provides a quantification of human factors covering the control actions that counter risks, the effectiveness of those actions, and the possible emergence of new risks. This quantification can be demonstrated in Excel, using responses received from interviews in the previous study.
In the next installment of Human Factors in ISMS we will explore some of the background knowledge, including Force Field Analysis (FFA) and the Goal-Driven Risk Management Model… Stay tuned!
About the Author: Reza Alavi (@SecurityVPeople) is currently conducting his research in the School of Architecture, Computing and Engineering (ACE) at the University of East London. His research topic is: "Modeling a Human-Centric Approach For An Effective Information Security Management System (ISMS) – British Financial Institutions Perspective". His research interests are the role of people and organizations in Information Security Management Systems (ISMS), with a special interest in Information Assurance (IA). Reza has been working in various IT and business management positions, such as networking, IT audit, and sales and marketing management, for the last 23 years.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
- D'Arcy, J., Hovav, A. & Galletta, D.F. (2009). User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach. Information Systems Research 20(1): 79–98.
- Deloitte (2006). Deloitte Global Financial Report. www.deloitte.com
- Kankanhalli, A., Teo, H.H., Tan, B.C.Y. & Wei, K.K. (2003). An Integrative Study of Information Systems Security Effectiveness. International Journal of Information Management 23(2): 139–154.
- Herzog, P. (2010). Security, Trust, and How We Are Broken. ISECOM.
- Islam, S. & Dong, W. (2008). Human Factors in Software Security Risk Management. Proceedings of the First International Workshop on Leadership and Management in Software Architecture (LMSA 2008), Leipzig, Germany. ACM.
- Lacey, D. (2009). Managing the Human Factor in Information Security: How to Win Over Staff and Influence Business Managers. Chichester: John Wiley & Sons Ltd.
- Lee, S.M., Lee, S. & Yoo, S. (2004). An Integrative Model of Computer Abuse Based on Social Control and General Deterrence Theories. Information & Management 41(6): 707–718.
- Lim, J.S., Ahmad, A., Chang, S. & Maynard, S. (2010). Embedding Information Security Culture: Emerging Concerns and Challenges. PACIS 2010.