|

The human factor in the information security of an organization: areas of research, countermeasures, prospects for study

Authors: Vanin A.V., Marchenko A.V.
Published in issue: #4(45)/2020
DOI: 10.18698/2541-8009-2020-4-601


Category: Informatics, Computer Engineering and Control | Chapter: Methods and Systems of Information Protection, Information Security

Keywords: human factor, information security, information security culture, socio-organizational and psychological aspects, security policy, security threats, awareness, holistic approach
Published: 08.05.2020

Over the past 20 years, there has been an increasing interest in human issues and the socio-organizational problems of information security. End users (organization employees) are recognized as the weakest link because of their vulnerability to numerous security threats. Against this background, the study of employee behavior in the field of information security is becoming a new, promising and rapidly developing area of scientific research. This publication presents the main directions of research on the socio-organizational and psychological aspects of ensuring information security. The paper considers the main threats to the integrity and confidentiality of the organization’s information on the part of the human factor, presents countermeasures. An analysis of the prospects for further development in the study of this scientific problem is proposed.


References

[1] Furnell S., Clarke N. Power to the people? The evolving recognition of human aspects of security. Comput. Secur., 2012, vol. 31, no. 8, pp. 983–988. DOI: https://doi.org/10.1016/j.cose.2012.08.004

[2] Schneier B. Secrets and lies: digital security in a networked world. Wiley, 2015.

[3] Padayachee K. Taxonomy of compliant information security behavior. Comput. Secur.,, 2012, vol. 31, no. 5, pp. 673–680. DOI: https://doi.org/10.1016/j.cose.2012.04.004

[4] Gudaitis T.M. The missing link in information security: three dimensional profiling. Cyberpsychol. Behav. Soc. Netw., 1998, vol. 1, no. 4, pp. 321–340. DOI: https://doi.org/10.1089/cpb.1998.1.321

[5] Straub D.W., Nance W.D. Discovering and disciplining computer abuse in organizations: a field study. Manag. Inf. Syst. Q., 1990, vol. 14, no. 1, pp. 45–60. DOI: https://doi.org/10.2307/249307

[6] Lee Y., Larsen K.R.T. Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software. Eur. J. Inf. Syst., 2009, vol. 18, no. 2, pp. 177–187. DOI: https://doi.org/10.1057/ejis.2009.11

[7] Crossler R.E. Protection motivation theory: understanding determinants to backing up personal data. 43rd Hawaii Int. Conf. Syst. Sci., 2010. DOI: https://doi.org/10.1109/HICSS.2010.311

[8] Woon I., Tan G.-W., Low R. A protection motivation theory approach to home wireless security. ICIS, 2005. aisel.aisnet.org: website. URL: https://aisel.aisnet.org/cgi/viewcontent.cgi?article=1237&context=icis2005 (дата обращения: 15.01.2020).

[9] Bulgurcu B., Cavusoglu H., Benbasat I. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. Manag. Inf. Syst. Q., 2010, vol. 34, no. 3, pp. 523–548. DOI: https://doi.org/10.2307/25750690

[10] D’Arcy J., Hovav A., Galletta D. User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inf. Syst. Res., 2009, vol. 20, no. 1, pp. 79–98. DOI: https://doi.org/10.1287/isre.1070.0160

[11] Kabay M. Social Psychology holds lessons for security experts. The Risks Digest, 1993, vol. 15, no. 16, p. 33.

[12] Crossler R.E., Johnston A.C., Lowry P.B., et al. Future directions for behavioral information security research. Comput. Secur., 2013, vol. 32, pp. 90–101. DOI: https://doi.org/10.1016/j.cose.2012.09.010

[13] Guo K., Yuan Y., Archer N., et al. Understanding nonmalicious security violations in the workplace: a composite behavior model. J. Inf. Technol. Manag., 2011, vol. 28, no. 2, pp. 203–236. DOI: https://doi.org/10.2753/MIS0742-1222280208

[14] Rhee H.-S., Kim C., Ryu Y.U. Self-efficacy in information security: its influence on end users’ information security practice behavior. Comput. Secur., 2009, vol. 28, no. 8, pp. 816–826. DOI: https://doi.org/10.1016/j.cose.2009.05.008

[15] Huang D.-L., Rau P.-L.P., Salvendy G., et al. Factors affecting perception of information security and their impacts on IT adoption and security practices. Int. J. Hum. Comput. Stud., 2011, vol. 69, no. 12, pp. 870–883. DOI: https://doi.org/10.1016/j.ijhcs.2011.07.007

[16] Schultz E.E. A framework for understanding and predicting insider attacks. Comput. Secur., 2002, vol. 21, no. 6, pp. 526–531. DOI: https://doi.org/10.1016/S0167-4048(02)01009-X

[17] Posey C., Bennett R.J., Roberts T.L. Understanding the mindset of the abusive insider: an examination of insiders’ causal reasoning following internal security changes. Comput. Secur., 2011, vol. 30, no. 6-7, pp. 486–497. DOI: https://doi.org/10.1016/j.cose.2011.05.002

[18] Lineberry S. The human element: the weakest link in information security. JOFA, 2007, vol. 204, no. 5, p. 44.

[19] Straub D.W. Effective IS security: an empirical study. Inf. Syst. Res., 1990, vol. 1, no. 3, pp. 255–276. DOI: https://doi.org/10.1287/isre.1.3.255

[20] Zhang J., Reithel B.J., Li H. Impact of perceived technical protection on security behaviors. Inform. Manag. Comp. Sec., 2009, vol. 17, no. 4, pp. 330–340. DOI: https://doi.org/10.1108/09685220910993980

[21] Warkentin M., Johnston A.C., Shropshire J. The influence of the informal social learning environment on information privacy policy compliance efficacy and intention. Eur. J. Inf. Syst., 2011, vol. 20, no. 3, pp. 267–284. DOI: https://doi.org/10.1057/ejis.2010.72

[22] Dang D. Predicting insider’s malicious security behaviours: a General Strain Theory-based conceptual model. Conf-IRM, 2014, p. 1–11.

[23] Straub D.W., Welke R.J. Coping with systems risk: security planning models for management decision making. Manag. Inf. Syst. Q., 1998, vol. 22, no. 4, pp. 441–469. DOI: https://doi.org/10.2307/249551

[24] Kurland N.B. Ethical intentions and the theories of reasoned action and planned behavior. J. Appl. Soc. Psychol., 1995, vol. 25, no. 4, pp. 297–313. DOI: https://doi.org/10.1111/j.1559-1816.1995.tb02393.x

[25] Debar H., Viinikka J. Security information management as an outsourced service. Inform. Manag. Comp. Sec., 2006, vol. 14, no. 5, pp. 417–435.

[26] Albrechtsen E., Hovden J. Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Comput. Secur., 2010, vol. 29, no. 4, pp. 432–445. DOI: https://doi.org/10.1016/j.cose.2009.12.005

[27] Feledi D., Fenz S., Lechner L. Toward web-based information security knowledge sharing. Inform. Sec. Tech. Rep., 2013, vol. 17, no. 4, pp. 199–209. DOI: https://doi.org/10.1016/j.istr.2013.03.004

[28] Soomro Z.A., Shah M.H., Ahmed J. Information security management needs more holistic approach. Int. J. Inf. Manage., 2016, vol. 36, no. 2, pp. 215–225. DOI: https://doi.org/10.1016/j.ijinfomgt.2015.11.009