Amir Zakaria Consulting Group | organisational processes in Information security

Organisational Processes in Information security

There are a number of organisational processes and approaches in the practice of security management that are used to engage with the organisation and to understand different perspectives on information security within an organisation. For example, engagement, communication and interaction are central to many frameworks for developing information security aware organisational cultures (Bauer et al., 2017; Da Veiga and Eloff, 2010).

Published works present a general understanding that humans are the weakest information security link (Parsons et al., 2017; Furnell et al., 2018; Metalidou et al., 2014; Mahfuth et al., 2017; Halevi et al., 2017), the main threat (Mahfuth et al., 2017), and that human characteristics commonly lead to most information security breaches (Parsons et al., 2017; Mahfuth et al., 2017; Lee et al., 2016). Basin, Radomirovic and Schmid (Basin et al., 2016) emphasise that many business practices rely upon humans and that humans are computationally weaker than machines, as they can be naïve, careless or gullible. Human-error-related information security incidents can occur where a person is completing an intended activity but performs an unintentional action caused by human characteristics such as negligence and carelessness (Furnell et al., 2018; Mahfuth et al., 2018). However, such incidents can also occur as a result of targeted attacks exploiting specific human weaknesses (Halevi et al., 2017). Mahfuth et al. (2018) point out that, on one hand, humans are, and create, threats to an organisation, but on the other hand they are key in protecting against or preventing incidents and breaches. Research has identified that an effective information security culture can lead to employees acting as a ‘human firewall’ safeguarding information, and that despite the application of technical security approaches this is not enough, as information security is both a technical and a people issue (AlHogail, 2015; Cacciabue and Vella, 2010; Yusof et al., 2008). For the information security community and organisations to focus their attention on technical measures to protect information without consideration of the human factor is inadequate (Mahfuth et al., 2017). Information security is primarily a human factors problem that remains unaddressed, and on many occasions organisations overlook the human factor (Metalidou et al., 2014).

References

  • AlHogail, A. (2015). “Design and validation of information security culture framework”. Comput. Human Behav. 49, 567–575. https://doi.org/10.1016/j.chb.2015.03.054
  • Basin, D., Radomirovic, S., Schmid, L. (2016). “Modeling human errors in security protocols”. 2016 IEEE 29th Comput. Secur. Found. Symp., 325–340. https://doi.org/10.1109/CSF.2016.30
  • Bauer, S., Bernroider, E.W.N., Chudzikowski, K. (2017). “Prevention is better than cure! Designing information security awareness programs to overcome users’ noncompliance with information security policies in banks”. Comput. Secur. 68 (C), 145–159. https://doi.org/10.1016/j.cose.2017.04.009
  • Burdon, M., Coles-Kemp, L. (2019). “The significance of securing as a critical component of information security: An Australian narrative”. Comput. Secur. 87, 101601.
  • Cacciabue, P.C., Vella, G. (2010). “Human factors engineering in healthcare systems: the problem of human error and accident management”. Int. J. Med. Inform. 79, e1–e17. https://doi.org/10.1016/J.IJMEDINF.2008.10.005
  • Da Veiga, A., Eloff, J.H.P. (2010). “A framework and assessment instrument for information security culture”. Comput. Secur. 29 (2), 196–207. https://doi.org/10.1016/j.cose.2009.09.002
  • Furnell, S., Khern-am-nuai, W., Esmael, R., Yang, W., Li, N. (2018). “Enhancing security behaviour by supporting the user”. Comput. Secur. 75, 1–9. https://doi.org/10.1016/j.cose.2018.01.016
  • Halevi, T., Memon, N., Lewis, J., Kumaraguru, P., Arora, S., Dagar, N., Aloul, F., Chen, J. (2017). “Cultural and psychological factors in cyber-security”. Proc. 18th Int. Conf. Inf. Integr. Web-Based Appl. Serv. 13, 43–56.
  • Lee, C., Lee, C.C., Kim, S. (2016). “Understanding information security stress: focusing on the type of information security compliance activity”. Comput. Secur. 59, 60–70. https://doi.org/10.1016/j.cose.2016.02.004
  • Mahfuth, A., Yussof, S., Baker, A.A., Ali, N. (2017). “A systematic literature review: information security culture”. Int. Conf. Res. Innov. Inf. Syst., 1–6. https://doi.org/10.1109/ICRIIS.2017.8002442
  • Metalidou, E., Marinagi, C., Trivellas, P., Eberhagen, N., Skourlas, C. (2014). “The human factor of information security: unintentional damage perspective”. Procedia – Soc. Behav. Sci. 147, 424–428. https://doi.org/10.1016/J.SBSPRO.2014.07.133
  • Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., Zwaans, T. (2017). “The human aspects of information security questionnaire (HAIS-Q): two further validation studies”. Comput. Secur. 66, 40–51. https://doi.org/10.1016/j.cose.2017.01.004
  • Yusof, M.M., Kuljis, J., Papazafeiropoulou, A., Stergioulas, L.K. (2008). “An evaluation framework for health information systems: human, organization and technology-fit factors (HOT-fit)”. Int. J. Med. Inform. 77, 386–398. https://doi.org/10.1016/J.IJMEDINF.2007.08.011
