15,238 research outputs found

    Management Perception of Unintentional Information Security Risks

    This paper will examine the difference between management’s perception of the information security risks and actual information security risks that occur within their organization, arguing that management’s perceptions are based mostly on (1) technology solutions to protect organizational information and (2) their beliefs that employees follow established information security policies. Slovic’s perception of risk theory will be used as a theoretical foundation for this study. The paper will focus on the neglected human element of information security management, with the primary focus on employees’ actions that unintentionally expose organizational information to security risks. These employee actions can threaten information contained within the organization’s computer-based systems as well as information in the form of computer-based system output, such as printed reports, customer receipts, and backup tapes. There has been substantial literature exploring the human threat to organizational information; however, past research has focused on intentional behavior, typically referred to as “computer abuse”. Less research has investigated employees’ actions that unintentionally expose an organization to information security risks. Based upon this premise, the purpose of this study is to draw attention to such human threats and in turn shed light on the relationship between unintentional threats caused by employees’ behavior and information security risks. Using a case study conducted in a financial institution, this study investigates these unintentional threats and management’s perception of potential information security risks that these employees’ actions may cause. The research reveals that many of management’s taken-for-granted assumptions about information security within their organization are inaccurate. It is suggested that by increasing management’s awareness of these risks, they will take precautions to eliminate this behavior to ensure that the organization’s information is better secured.

    Reve{a,i}ling the risks: a phenomenology of information security

    In information security research, perceived security usually has a negative meaning, when it is used in contrast to actual security. From a phenomenological perspective, however, perceived security is all we have. In this paper, we develop a phenomenological account of information security, where we distinguish between revealed and reveiled security instead. Linking these notions with the concepts of confidence and trust, we are able to give a phenomenological explanation of the electronic voting controversy in the Netherlands.

    Combatting electoral traces: the Dutch tempest discussion and beyond

    In the Dutch e-voting debate, the crucial issue leading to the abandonment of all electronic voting machines was compromising radiation, or tempest. Other countries, however, do not seem to be bothered by this risk. In this paper, we use actor-network theory to analyse the socio-technical origins of the Dutch tempest issue in e-voting, and its consequences for e-voting beyond the Netherlands. We introduce the term electoral traces to denote any physical, digital or social evidence of a voter's choices in an election. From this perspective, we provide guidelines for risk analysis as well as an overview of countermeasures.