Towards Comprehensive Approach to Information Security Management: Empowering the Human Factor for Enhanced Security

© 2023 by IJCTT Journal
Volume-71 Issue-8
Year of Publication: 2023
Authors: Abbas H. Imam
DOI: 10.14445/22312803/IJCTT-V71I8P101

How to Cite?

Abbas H. Imam, "Towards Comprehensive Approach to Information Security Management: Empowering the Human Factor for Enhanced Security," International Journal of Computer Trends and Technology, vol. 71, no. 8, pp. 1-11, 2023. Crossref, https://doi.org/10.14445/22312803/IJCTT-V71I8P101

Abstract
Effective information security management requires a holistic approach that recognizes the crucial role of the human factor. Technical controls and policies are essential, but the behaviors, decisions, and actions of individuals within an organization largely determine whether those measures succeed. This paper explores the integration of Behavior Change Theory, specifically the Motivation, Opportunity, and Capability (MOC) model, into information security management. Using the Dunning-Kruger effect as a theoretical framework, it examines how cognitive biases shape human behavior and security decision-making. It also reviews the literature on self-perception, emotions, personal values, and organizational culture in the context of information security. Practical insights follow, recommending training programs, simulations, awareness campaigns, cross-functional collaboration, leadership support, metrics, and feedback mechanisms to empower employees and foster a security-conscious culture. By prioritizing the human factor and adopting these strategies, organizations can strengthen their information security management practices, mitigate risk, and safeguard valuable assets in an ever-evolving threat landscape.

Keywords
Behavior Change Theory, Dunning-Kruger effect, Cognitive biases, Human factor, Information security.

Reference

[1] Kwesi Hughes-Lartey et al., “Human Factor, A Critical Weak Point in the Information Security of an Organization's Internet of Things,” Heliyon, vol. 7, no. 3, 2021.
[2] Abbas H. Imam, Examining the Impact of Nontechnical Security Management Factors on Information Security Management in Health Informatics, Doctoral dissertation, Northcentral University, ProQuest, United States, California, p. 205, 2013.
[3] Neeshe Khan, Robert J. Houghton, and Sarah Sharples, “Understanding Factors that Influence Unintentional Insider Threat: A Framework to Counteract Unintentional Risks,” Cognition, Technology and Work, vol. 24, no. 3, pp. 393-421, 2021.
[4] Abbas H. Imam, and M. S. Hammoud, “The Impact of Nontechnical Security Management Factors on Information Security Management in Health Informatics,” International Journal of Information Technology and Business Management, vol. 26, no. 1, pp. 13-28, 2014.
[5] Anat Hovav, and John D'Arcy, “The Impact of Denial-of-Service Attack Announcements on the Market Value of Firms,” Risk Management and Insurance Review, vol. 6, no. 2, pp. 97-121, 2003.
[6] Justin Kruger, and David Dunning, “Unskilled and Unaware of It: How Difficulties in Recognizing One's Own Incompetence Lead to Inflated Self-Assessments,” Journal of Personality and Social Psychology, vol. 77, no. 6, pp. 1121-1134, 1999.
[7] Anat Hovav, John D'Arcy, and Dennis Galletta, “The Impact of Individualism and Collectivism on the Perception of Software Quality and Security,” Journal of Management Information Systems, vol. 21, no. 4, pp. 197-234, 2004.
[8] Ana Kovačević, and Sonja D. Radenković, “SAWIT - Security Awareness Improvement Tool in the Workplace,” Applied Sciences, vol. 10, no. 9, p. 3065, 2020.
[9] John D'Arcy, Anat Hovav, and Dennis Galletta, “User Awareness of Security Countermeasures and its Impact on Information Systems Misuse: A Deterrence Approach,” Information Systems Research, vol. 20, no. 1, pp. 79-98, 2009.
[10] D. H. Kim, and O. Solomon, “The Effects of Personal Values on Information Security Awareness: A Cross-Cultural Study,” Computers & Security, vol. 31, no. 4, pp. 470-478, 2012.
[11] William Triplett, “Addressing Human Factors in Cybersecurity Leadership,” Journal of Cybersecurity and Privacy, vol. 2, no. 3, pp. 573-586, 2022.
[12] Jessica Dawson, and Robert Thomson, “The Future Cybersecurity Workforce: Going Beyond Technical Skills for Successful Cyber Performance,” Frontiers in Psychology, vol. 9, article 744, pp. 1-12, 2018.
[13] A. Pollini et al., “Leveraging Human Factors in Cybersecurity: An Integrated Methodological Approach,” Cognition, Technology and Work, vol. 24, pp. 371-390, 2022.
[14] M. Smith, “The Role of Technical Controls in Security Management: A Review,” Journal of Security Engineering, vol. 8, no. 1, pp. 47-62, 2016.
[15] L. Johnson, and K. Brown, “Assessing and Mitigating Information Security Risks: A Traditional Approach,” Information Systems Management, vol. 35, no. 3, pp. 214-231, 2018.
[16] Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, 3rd ed., John Wiley & Sons, p. 1232, 2020.
[17] Charles P. Pfleeger, and Shari L. Pfleeger, Security in Computing, 5th ed., Prentice Hall, 2018.
[18] Michael E. Whitman, and Herbert J. Mattord, Management of Information Security, 5th ed., Cengage Learning, p. 592, 2016.
[19] Gary Stoneburner, Alice Goguen, and Alexis Feringa, Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, National Institute of Standards and Technology, pp. 1-54, 2002.
[20] ISO/IEC 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, International Organization for Standardization, 2013.
[21] Burrell et al., “The Critical Need for Formal Leadership Development Programs for Cybersecurity and Information Technology Professionals,” Proceedings of the International Conference on Cyber Warfare and Security, pp. 82-91, 2018.
[22] Basie von Solms, “Information Security - The Third Wave?,” Computers & Security, vol. 19, no. 7, pp. 615-620, 2000.
[23] Calvin Nobles et al., “Straight from the Human Factors Professionals' Mouth: The Need to Teach Human Factors in Cybersecurity,” Proceedings of the 23rd Annual Conference on Information Technology Education, pp. 157-158, 2022.
[24] Mikko T. Siponen, “A Conceptual Foundation of Organizational Information Security Awareness,” Information Management & Computer Security, vol. 8, no. 1, pp. 31-34, 2000.
[25] A. B. Ruighaver, S. B. Maynard, and V. Chang, “An Information Security Awareness Creation Ontology,” Computers & Security, vol. 29, no. 3, pp. 307-319, 2010.
[26] Tejaswini Herath, and H. Raghav Rao, “Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organizations,” European Journal of Information Systems, vol. 18, no. 2, pp. 106-125, 2009.
[27] Sara Kraemer, and Pascale Carayon, “Human Errors and Violations in Computer and Information Security: The Viewpoint of Network Administrators and Security Specialists,” Applied Ergonomics, vol. 38, no. 2, pp. 143-154, 2007.
[28] Verena Zimmermann, and Karen Renaud, “Moving from a ‘Human-as-Problem’ to a ‘Human-as-Solution’ Cybersecurity Mindset,” International Journal of Human-Computer Studies, vol. 131, pp. 169-187, 2019.
[29] S. Koletsi, and W. Pieters, “Taking a Closer Look at the Human Factor: A Systematic Review and Taxonomy of Technology-Related Trust Studies,” ACM Computing Surveys, vol. 51, no. 6, pp. 1-35, 2018.
[30] J. F. van Niekerk, R. von Solms, and R. Snyman, “The Role of Organizational Culture in Information Security Awareness,” Computers & Security, vol. 32, pp. 376-387, 2013.
[31] Identity Theft Resource Center (ITRC), 2020 Data Breach Category Summary Report, 2021. [Online]. Available: https://www.idtheftcenter.org/wp-content/uploads/2021/02/2020-ID-Theft-Breach-Categories-2.pdf
[32] Ponemon Institute, 2020 Cost of a Data Breach Report, 2020. [Online]. Available: https://www.ibm.com/security/digital-assets/cost-databreach-report/#/
[33] C. Herley, “The Economics of Cybercrime,” Journal of Economic Perspectives, vol. 32, no. 4, pp. 171-192, 2018.
[34] Verizon, 2021 Data Breach Investigations Report, 2021. [Online]. Available: https://enterprise.verizon.com/resources/reports/dbir/2021/data-breaches-have-multiple-causes-and-outcomes/
[35] B. Krebs, “Breach at Equifax May Impact 143M Americans,” Krebs on Security, 2017. [Online]. Available: https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/
[36] Gartner, “Gartner Identifies the Top Cybersecurity Trends for 2023,” 2023. [Online]. Available: https://www.gartner.com/en/newsroom/press-releases/04-12-2023-gartner-identifies-the-top-cybersecurity-trends-for-2023
[37] A. Vance, P. B. Lowry, and D. L. Eggett, “The Effects of System Complexity, Task Structure, and Information Sufficiency on Systems Analysts' Risk Propensity,” Journal of Information Systems, vol. 27, no. 2, pp. 229-252, 2013.