Managing Social Engineering Attacks- Considering Human Factors and Security Investment

Soliciting and managing the protection of information assets has become a objective of paramount importance in an organizational context. Information Security Management System (ISMS) has the unique role of ensuring that adequate and appropriate security tools are in place in order to protect information assets. Security is always seen in three dimensions of technology, organization, and people. Undoubtedly, the socio-technical challenges have proven to be the most difficult ones to tackle. Social Engineering Attacks (SEAs) are a sociotechnical challenge and considerably increase security risks by seeking access to information assets by exploiting the vulnerabilities in organizations as they target human frailties. Dealing effectively and adequately with SEAs requires practical security benchmarking together with control mechanism tools, which in turn requires investment to support security and ultimately organizational goals. This paper contributes in this area. In particular, the paper proposes a language for managing SEAs using several concepts such as actor, risks, goals, security investment and vulnerabilities. The language supports in-depth investigation of human factors as one of the main causes of SEAs. It also assists in the selection of appropriate mechanisms considering security investment to mitigate risks. Finally, the paper uses a real incident in a financial institution to demonstrate the applicability of the approach

Agile Changes of Security Landscape: A Human Factors and Security Investment View

The information security experts are finding it challenging to timely response the emerging threats. The rapid changing of security landscape and dependency on the agile software and system development projects make it challenging to address these threats in a real time. This could create potential risks to the overall business continuity. Furthermore, critical human factors, cost and investment in the information security field will add more anxiety in dealing with risks in an agile environment. There is a need for a unified approach to address the principles of information security, human factors and security investment in an agile environment. This paper provides a solution for constructing an effective information security system by taking into consideration an adequate risk assessment and controls, considering critical human factors and security investment within agile changes of security landscape. A list of concepts is considered for the purpose of an effective information security system. The paper also includes a short review of existing knowledge on the topics of agile development and information security

An information security risk-driven investment model for analysing human factors

Purpose The purpose of this paper is to introduce a risk-driven investment process model for analysing human factors that allows information security managers to capture possible risk–investment relationships and to reason about them. The overall success of an information security system depends on analysis of the risks and threats so that appropriate protection mechanism can be in place to protect them. However, lack of appropriate analysis of risks may potentially results in failure of information security systems. Existing literature does not provide adequate guidelines for a systematic process or an appropriate modelling language to support such analysis. This work aims to fill this gap by introducing the process and reason about the risks considering human factors. Design/methodology/approach To develop risk-driven investment model along with the activities that support the process. These objectives were achieved through the collection of quantitative and qualitative data utilising requirements engineering and secure tropos methods. Findings The proposed process and model lead to define a clear relationship between risks, incidents and investment and allows organisations to calculate them based on their own figures. Research limitations/implications One of the major limitations of this model is that it only supports incident-based investment. This creates some sort of difficulties to be presented to the executive board. Secondly, because of the nature of human factors, quantification does not exactly reflect the monetary value of the factors. Practical implications Applying the information security risk-driven investment model in a real case study shows that this can help organisations apply and use it in other incidents, and more importantly, to the incidents which critical human factors are a grave concern of organisations. The importance of providing a financial justification is clearly highlighted and provided for seeking investment in information security. Social implications It has a big social impact that technically could lead for cost justifications and decision-making process. This would impact the whole society by helping individuals to keep their data safe. Originality/value The novel contribution of this work is to analyse specific critical human factors which have subjective natures in an objective and dynamic domain of risk, security and investment. </jats:sec

Ausgewählte Chancen und Herausforderungen der digitalen Transformation für die Produktentwicklung und Unternehmensorganisation im Finanzdienstleistungssektor

Vor dem Hintergrund der digitalen Transformation sind Finanzdienstleistungsunternehmen auf unterschiedlichen Ebenen zahlreichen Chancen sowie Herausforderungen ausgesetzt. Während der Einsatz neuer Technologien die Optimierung bestehender Geschäftsprozesse sowie das Angebot digitalisierter Finanzdienstleistungen ermöglicht, geht dies zugleich mit veränderten Arbeitsbedingungen innerhalb der Unternehmensorganisation einher. Darüber hinaus sind Finanzdienstleister dazu angehalten die sich ändernden Kundenerwartungen bei den bisherigen Geschäftsaktivitäten sowie bei der Produktentwicklung zu berücksichtigen. Das Ziel der vorliegenden kumulativen Dissertation ist es, bestehende Forschungsdesiderate hinsichtlich der Auswirkungen der digitalen Transformation auf den Finanzdienstleistungssektor, differenziert nach der Kunden- und Produktperspektive sowie der internen Unternehmensperspektive, vertiefend zu analysieren. Das Technology-Organization-Environment (TOE)-Framework von DePietro et al. (1990) wird dabei als theoretischer Rahmen zur Einordnung und Strukturierung der Forschungsmodule verwendet. Die Ergebnisse der acht Module zeigen, dass die Kundenbedürfnisse und –erwartungen im Finanzdienstleistungssektor verstärkt von der digitalen Transformation beeinflusst werden. Dies zeigt sich in der Beratungstätigkeit bspw. durch das Angebot neuer Kundenkanäle sowie der aus dem steigenden Wettbewerbsdruck resultierenden erhöhten Preistransparenz. Im Rahmen der Produktentwicklung sind zudem u. a. ESG-Risiken und Silent Cyber-Risiken zu beachten. Aus der Analyse der Auswirkungen der digitalen Transformation auf die Unternehmensorganisation geht hervor, dass über den Einsatz digitaler Innovationen innerhalb des Backoffice die Realisation von Effizienzgewinnen sowie das Entgegenwirken eines Personalmangels möglich ist. Darüber hinaus wird in den Modulen der Einfluss des Faktors Mensch auf die Cyber-Sicherheit hervorgehoben. Während dieser einerseits als „schwächstes Glied“ und potenzielles Angriffsziel im Sicherheitskonstrukt der Unternehmen dargestellt wird, ist andererseits das Potenzial der Beschäftigten zur Frühwarnung zu berücksichtigen

Organisational vulnerability to intentional insider threat

In recent times there has been a spate of reporting on the counterproductive behaviour of individuals in both private and public organisations. As such, research into insider threat as a form of such behaviour is considered a timely contribution. The Australian Government now mandates that public sector organisations protect against insider threat through best practice recommendations and adopting a risk management approach. Whilst non-government organisations and private businesses are less accountable, these organisations can also benefit from the efficiencies, performance, resilience, and corporate value associated with an insider threat risk management approach. Mitigating against Intentional Insider Threat (IIT) is an organisational priority which requires new ways of thinking about the problem, especially in terms of a multidisciplinary approach that holistically addresses the technical, individual, and organisational aspects of the problem. To date, there has been limited academic and practical contribution and a dearth of literature providing recommendations or practical tools as a means to mitigate IIT. The purpose of this study is to develop a set of diagnostic inventories to assess for Organisational Vulnerability to Intentional Insider Threat (the OVIT). In order to achieve this overall purpose, the study sought to answer three research questions: Research Question 1: What are the main organisational influences on Intentional Insider Threat (IIT) based on available literature? Research Question 2: What are the main organisational influences on IIT based on expert opinion? Research Question 3: How is organisational vulnerability to IIT operationalised by the study? The methodology adopted by the study assumes a pragmatist paradigm and mixed methods design. There were three phases to this research: - Phase One - a thorough review of the extant literature to determine the status of research and applied knowledge and identify factors and variables of IIT. - Phase Two - conduct of a Delphi study to gather expert opinion on IIT and combine this professional knowledge with the literature review outcomes to enhance the factors and variables associated with IIT. - Phase Three - operationalise IIT diagnostic instruments utilising multivariate statistical techniques to determine the validity of the inventories and develop a framework of organisational vulnerability to IIT. Qualitative and quantitative analysis procedures were used throughout the research. The final survey data of phase three was analysed using multivariate statistics. The results from Exploratory Factor Analysis (EFA) demonstrate the underlying factors of each of the three dimensions (individual, technical, and organisational) which operationalise the construct of organisational vulnerability to IIT. The exploratory results indicate that diagnostic inventories of organisational vulnerability to IIT can validly and reliably measure each of the three dimensions. These were triangulated with the Delphi panel results and indicated alignment while further developing the IIT construct. A reflection on additional contributions is an important aspect of pragmatic research. The literature available on insider threat highlights the emerging focus on the topic. Gaps in the literature indicate a number of limitations which were addressed in the current research beginning with the development of a conceptual framework illustrating the relationships of the construct, dimensions, and factors of organisational vulnerability to IIT. Whilst this work-based study had three very specific research questions to operationalise IIT, additional contributions from the research emerged as follows: The research enhanced knowledge through: (1) study of IIT from an Australian perspective, utilising Australian expert opinion and Australian samples; (2) demonstration of the utility of the Delphi method in the study and further development of the insider threat construct; (3) an Australian definition of IIT; (4) integration of risk management standards with the available literature on insider threat; and, (5) contribution to the foresight and futures study of IIT. While this research study has proved beneficial in addressing gaps in current literature, it is not without limitations. The generalisability of findings is hampered by the size and nature of an Australian sample and the study’s exploratory approach. The ability to generalise findings and assert causality is restricted in this research, and this can be overcome by undertaking future longitudinal research or other future studies based on the findings of this study

A Risk-Driven Investment Model for Analysing Human Factors in Information Security

Information systems are of high importance in organisations because of the revolutionary industrial transformation undergone by digital and electronic platforms. A wide range of factors and issues forming the current business environments have created an unprecedented level of uncertainty and exposure to risks in all areas of strategic and operational activities in organisations including IT management and information security. Subsequently, securing these systems, which keep assets safe, serves organisational objectives. The Information Security System (ISS) is a process that organisations can adopt to achieve information security goals. It has gained the attention of academics, businesses, governments, security and IT professionals in recent years. Like any other system, the ISS is highly dependent on human factors as people are the primary concern of such systems and their roles should be taken into consideration. However, identifying reasoning and analysing human factors is a complex task. This is due to the fact that human factors are hugely subjective in nature and depend greatly on the specific organisational context. Every ISS development has unique demands both in terms of human factor specifications and organisational expectations. Developing an ISS often involves a notable proportion of risk due to the nature of technology and business demands; therefore, responding to these demands and technological challenges is critical. Furthermore, every business decision has inherent risk, and it is crucial to understand and make decisions based on the cost and potential value of that risk. Most research is solely concentrated upon the role of human factors in information security without addressing interrelated issues such as risk, cost and return of investment in security. The central focus and novelty of this research is to develop a risk-driven investment model within the security system framework. This model will support the analysis and reasoning of human factors in the information system development process. It contemplates risk, cost and the return of investment on security controls. The model will consider concepts from Requirements Engineering (RE), Security Tropos and organisational context. This model draws from the following theories and techniques: Socio-technical theory, Requirements Engineering (RE), SWOT analysis, Delphi Expert Panel technique and Force Field Analysis (FFA). The findings underline that the roles of human factors in ISSs are not being fully recognised or embedded in organisations and there is a lack of formalisation of main human factors in information security risk management processes. The study results should confirm that a diverse level of understanding of human factors impacts security systems. Security policies and guidelines do not reflect this reality. Moreover, information security has been perceived as being solely the domain of IT departments and not a collective responsibility, with the importance of the support of senior management ignored. A further key finding is the validation of all components of the Security Risk-Driven Model (RIDIM). Model components were found to be iterative and interdependent. The RIDIM model provides a significant opportunity to identify, assess and address these elements. Some elements of ISSs offered in this research can be used to evaluate the role of human factors in enterprise information security; therefore, the research presents some aspects of computer science and information system features to introduce a solution for a business-oriented problem. The question of how to address the psychological dimensions of human factors related to information security would, however, be a rich topic of research on its own. The risk-driven investment model provides tangible methods and values of relevant variables that define the human factors, risk and return on investment that contribute to organisations’ information security systems. Such values and measures need to be interpreted in the context of organisational culture and the risk management model. Further research into the implementation of these measurements and evaluations for improving organisational risk management is required