389,515 research outputs found

    Addressing The Human Factor In Information Systems Security

    In this paper the historically persistent mismatch between the information systems development and security paradigms is revisited. By considering the human activity systems as a point of reference rather than a variable in information systems security, we investigate the necessity for a change in the information systems security agenda, accepting that a viable system would be more user-centric by accommodating and balancing human processes rather than entertaining an expectation of a one-sided change of behaviour of the end user. This is done by drawing upon well-established information systems methodologies and research

    A model to address factors that could influence the information security behaviour of computing graduates

    The fact that information is ubiquitous throughout most modern organisations cannot be denied. Information is not merely used as an enabler in modern organisations today, but is also used to gain a competitive advantage over competitors. Thus, information has become one of the most important business assets. It is, therefore, imperative that organisations protect information assets as they would protect other business assets. This is typically achieved through implementing various security measures. Technological and procedural security measures are largely dependent on humans. However, the incorrect behaviour of humans poses a significant threat to the protection of these information assets. Thus, it is vital to understand how human behaviour may impact the protection of information assets. While the focus of much literature is on organisations, the focus of this research is on higher education institutions and the factors of information security, with a specific focus on influencing the information security behaviour of computing graduates. Typically, computing graduates would be employed in organisations in various careers such as software developers, network administrators, database administrators and information systems analysts. Employment in these careers means that they would be closely interacting with information assets and information systems. A real problem, as identified by this research, is that currently, many higher education institutions are not consciously doing enough to positively influence the information security behaviour of their computing graduates. This research presents a model to address various factors that could influence the information security behaviour of computing graduates. The aim of this model is to assist computing educators in influencing computing graduates to adopt more secure behaviour, such as security assurance behaviour. A literature review was conducted to identify the research problem. 
A number of theories such as the Theory of Planned Behaviour, Protection Motivation Theory and Social Cognitive Theory were identified as being relevant for this research as they provided a theoretical foundation for factors that could influence the information security behaviour of computing graduates. Additionally, a survey was conducted to gather the opinions and perceptions of computing educators relating to information security education in higher education institutions. Results indicated that information security is not pervasively integrated within the higher education institutions surveyed. Furthermore, results revealed that most computing students were perceived to not be behaving in a secure manner with regard to information security. This could negatively influence their information security behaviour as computing graduates employed within organisations. Computing educators therefore require assistance in influencing the information security behaviour of these computing students. The proposed model to provide this assistance was developed through argumentation and modelling

    Investigating the Relationship between Learning Styles and Delivery Methods in Information Security Awareness Programs

    Information security threats are continually growing as new technologies emerge. Literature confirms that the human factor is an important issue, as cyber threats and exploitation of vulnerabilities continue to proliferate due to human error. There are significant risks associated with this, such as the organisation's reputational damage and associated costs, to name a few. Information Security Awareness (ISA) programs have proven to be one of the best methods to reduce human-linked security vulnerabilities and misbehaviour, which also reduces risks. The purpose of this research is twofold. First, it is to identify and explain the value of aligning ISA programs with user-preferred learning styles and delivery methods. Second, to indicate how aligning ISA programs with preferred learning styles and delivery methods influences security posture. Using the Knowledge, Attitude, and Behaviour (KAB) model as a theoretical lens, the study depicts how information security posture can be improved through the betterment of security knowledge, attitude, and behaviour. Additionally, the aligned learning styles and delivery methods' construct was added to the KAB model to investigate the research questions. The Human Aspect of Information Systems Questionnaire (HAIS-Q) was used to measure ISA levels of organisational employees in South Africa. The chosen parts of these HAIS-Q focused on password management, email and internet use. The ISA scores are essential for this research as they indicate the current ISA levels. This result can be used to improve information security posture. The Visual, Aural, Read/Write, and Kinaesthetic (VARK) inventory model was used to better understand the provided and preferred learning styles. Additionally, ISA programs focused on text-based, video-based, and game-based delivery methods commonly used and applied in prior academic research. 
Using a survey methodology, the study recruited 322 South African organisational employees to complete an online questionnaire. The questionnaire contained a subset of HAIS-Q, the VARK inventory model, delivery methods, and demographic questions. Bivariate Pearson correlation tests in conjunction with the ISA scores indicated that user-preferred learning styles achieve greater ISA. The results also showed that video-based delivery methods are the most preferred but do not yield the highest ISA scores. The highest ISA scores are achieved from a mixture of delivery methods. The study proposes user-aligned learning styles and preferred delivery methods to positively influence the knowledge, attitude, and behaviour leading to improved cybersecurity resilience. As a result, this leads to self-reported and risk-averse behaviour, as end-users' self-efficacy has improved

    The engineer-criminologist and "the novelty of cybercrime": a situated genealogical study of timesharing systems

    The Novelty of Cybercrime is a research problem in criminology where scholars are asking whether cybercrime is a wholly new form of crime compared with traditional–terrestrial crimes and whether new criminological theories are needed to understand it. Most criminological theories focus on the human rational aspects and downplay the role of non-humans in explaining what may be novel in cybercrime. This paper shows that a sociotechnical perspective can be developed for understanding the Novelty of Cybercrime using some insights from criminology. Working from the agnosticism principle of Actor-Network Theory and a situated genealogical perspective, it is possible to see that a criminological vocabulary can accommodate both the roles and relations of rational human and non-human actors. This is achieved by proposing the concept of the engineer–criminologist, developed by conducting a study of the development of information security for timesharing systems in the 1960s and 1970s. Timesharing security engineers were facing a completely new form of rule-breaking behaviour, that of unauthorised access and at the same time they were constantly using criminological concepts to shape their design of security and explain this behaviour. The concept of engineer–criminologists affords the use of criminological concepts in the sociotechnical study of the Novelty of Cybercrime

    Towards anomaly detection for increased security in multibiometric systems: spoofing-resistant 1-median fusion eliminating outliers

    Multibiometrics aims at improving biometric security in presence of spoofing attempts, but exposes a larger availability of points of attack. Standard fusion rules have been shown to be highly sensitive to spoofing attempts – even in case of a single fake instance only. This paper presents a novel spoofing-resistant fusion scheme proposing the detection and elimination of anomalous fusion input in an ensemble of evidence with liveness information. This approach aims at making multibiometric systems more resistant to presentation attacks by modeling the typical behaviour of human surveillance operators detecting anomalies as employed in many decision support systems. It is shown to improve security, while retaining the high accuracy level of standard fusion approaches on the latest Fingerprint Liveness Detection Competition (LivDet) 2013 dataset