43 research outputs found

    A Human Centered Framework for Information Security Management: A Healthcare Perspective

    Research on the human element of information security is fragmented at best. This paper presents a management framework for organizations in the health care industry that wish to improve their information security procedures in an effort to comply with HIPAA and other regulations. The emphasis is on securing an organization from internal threats by adequately educating employees and building an organizational culture where security initiatives are valued and respected. The premise of the paper is that a cultural approach is the only way to gain the versatile security environment needed to comply with regulations as vast and complex as HIPAA. We argue that this framework demands that empirical data be collected through careful industry research with health care providers so as to prove the real-world value of its application.

    Refining the PoinTER "human firewall" pentesting framework

    Purpose: Penetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations "pentest" their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.
    Methodology: We conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirements to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature which we used to filter out techniques deemed unethical.
    Findings: Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice, and subjecting each technique to ethical inspection using a comprehensive list of ethical principles, we propose the refined GDPR-compliant and privacy-respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.
    Originality: Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.

    Development of Users' Information Security Awareness Questionnaire (UISAQ) - Ongoing Work

    The user is still the weakest link regarding information security matters, but studies on this subject are rare. The aim of this work is to develop a general Users' Information Security Awareness Questionnaire (UISAQ). Development consists of selecting suitable items that are assumed to measure the level of security awareness and testing the impact of each item in measurement. The questionnaire consisted of 4 parts with a total of 37 items. Results showed that the first part of the questionnaire, which examines common user risk behavior, should consist of 17 items (3 items had low factor loadings) split into 3 subscales. The second part of the questionnaire, which consisted of 6 items that measured the level of user information security, had high internal consistency (k=6, α=0.89) and satisfactory factor loadings. The third part of the questionnaire, which consisted of 5 items that measured the level of users' beliefs about information security, should consist of 3 items (2 items significantly disrupted internal consistency) with high factor loadings and good internal consistency (α=0.76). Descriptive statistics showed that all the questions (n=6) in the fourth part of the questionnaire, which examined password quality and security, had a full range of answers and that the normal distribution wasn't significantly violated. Although the developed questionnaire requires more work and validation, initial results showed that UISAQ has the potential to become a good and reliable measure of users' security awareness in the future.

    Awareness About Information Security And Privacy Among Healthcare Employees

    Aim: The aim of this study was to analyze healthcare employees' knowledge of information security and potentially risky behavior on the Internet, considering demographic parameters and in comparison with the standardized behavioral norms among Internet users in Croatia. Methods: The study was conducted as a cross-sectional study. Healthcare employees from three hospitals in different geographical areas (Osijek, Pula and Zagreb) were included in this study. The validated UISAQ (Users' Information Security Awareness Questionnaire) was used for data collection. The questionnaire contains 33 questions, grouped in two scales and six subscales, and participants self-evaluated using a Likert scale. The time period of data collection was the summer of 2017. Results: Surveyed healthcare employees show significantly less risky behavior and overall better knowledge than the average Internet user in Croatia. Female participants display online behavior that is less risky than that of the male participants; participants with a university degree are better at PC maintenance, while participants with a high school diploma are more skeptical in regard to loss of personal or professional data. Older people are significantly more careful and lend their access data to other colleagues at work less often. Conclusion: Healthcare employees included in this study display partially better results than the average Internet users in Croatia when it comes to their knowledge and potentially risky online behavior. However, their average estimations are only partially better than the referent estimations and their scores are not very high, especially when it comes to their awareness measured in the "Security in Communications" and "Secured Data" subscales. As there is a high risk of losing data because of the nature of business protocols, healthcare employees need more education and training in order for their awareness regarding the importance of information security and privacy to increase.

    Management Perception of Unintentional Information Security Risks

    This paper will examine the difference between management's perception of the information security risks and the actual information security risks that occur within their organization, arguing that management's perceptions are based mostly on (1) technology solutions to protect organizational information and (2) their beliefs that employees follow established information security policies. Slovic's perception of risk theory will be used as the theoretical foundation for this study. The paper will focus on the neglected human element of information security management, with the primary focus on employees' actions that unintentionally expose organizational information to security risks. These employee actions can threaten information contained within the organization's computer-based systems as well as information in the form of computer-based system output, such as printed reports, customer receipts, and backup tapes. There has been substantial literature exploring the human threat to organizational information; however, past research has focused on intentional behavior, typically referred to as "computer abuse". Less research has investigated employees' actions that unintentionally expose an organization to information security risks. Based upon this premise, the purpose of this study is to draw attention to such human threats and in turn shed light on the relationship between unintentional threats caused by employees' behavior and information security risks. Using a case study conducted in a financial institution, this study investigates these unintentional threats and management's perception of the potential information security risks that these employees' actions may cause. The research reveals that many of management's taken-for-granted assumptions about information security within their organization are inaccurate. It is suggested that by increasing management's awareness of these risks, they will take precautions to eliminate this behavior and ensure that the organization's information is better secured.

    Monitoring IT and Internet Usage of Employees for Sustainable Economic Development in Nigeria: Legal and Ethical Issues.

    Globally, organizational system resources (hardware, software, data, and communication lines and networks) are now handled with better interconnected and interdependent facilities, because Internet connectivity is widely integrated into ambient or ubiquitous environments through intuitive interfaces or "smart" interactions. Organizational enterprises are increasingly becoming competitive, with widespread cyberloafing and lawsuits. Through IT and Internet usage, employees may compromise an organization's confidential information, deliberately or inadvertently. Such concerns prompt companies to introduce employee monitoring to preserve the integrity, availability, and confidentiality of system resources, track employee performance, avoid legal liability, protect trade secrets, and address security concerns. Despite these laudable benefits, employees feel that monitoring is an invasion of their privacy rights. For this study, organizational ethics and the major ethical principles of respect for persons, beneficence, and justice, representing the key ethical concerns for human subject protection in research, were fully adopted as identified in The Belmont Report of 1979. In this study, the authors undertook a narrative review, analysis, and synthesis of prior research that focused on monitoring of employee IT and Internet usage. The authors also extracted peer-reviewed articles from the last five years from electronic databases, using search keys such as "employee monitoring", "legal and ethical issues", "impact of employee monitoring on economic sustainability", etc. The result of this study revealed that developing an acceptable monitoring policy will keep both employer and employee on the same page as to what is acceptable in the workplace along with what isn't. This result may further explain the need for employee monitoring, address the legal and ethical issues involved when monitoring employees in a work environment, and provide strategies and practices for an acceptable monitoring policy for improved organizational performance and sustainable economic development. Keywords: Employee Monitoring, Legal and Ethical Issues, IT and Internet Usage, Economic Sustainability. DOI: 10.7176/JIEA/9-5-03 Publication date: August 31st 201

    Evidential Reasoning Approach to Behavioural Analysis of ICT Users' Security Awareness

    The role of the ICT system's user should be taken into consideration when developing different information security solutions, because the user, as its constitutive element, can significantly affect overall system security through his/her potentially risky behaviour, depending on the level of the user's security awareness. In this paper the authors propose a risk assessment approach for ICT users' behaviour based on the evidential reasoning technique. Performance was tested using a combination of cluster analysis and discriminant analysis, while the empirical analysis was conducted on a total of 627 e-mail users grouped by gender, age, technical background knowledge and level of experience. The assessment methodology used in this paper has proven to be well suited for evaluating users' awareness and identifying their potentially risky behaviour. Results of the empirical analysis showed that all groups of users received an overall utility grade higher than the simulated "minimally enough aware" user, but lower than the "average awareness" grade. As users of all groups are highly critical towards their collocutor, this may mean that users are quite aware of the importance of information security fundamentals, but also of their lack of knowledge regarding different security issues. Another possible reason may be users' negligence toward security guidelines and protocols.

    Towards an Assessment of Pause Periods on User Habituation in Mitigation of Phishing Attacks

    Social engineering is the technique in which the attacker sends messages to build a relationship with the victim and convinces the victim to take actions that lead to significant damages and losses. Industry and law enforcement reports indicate that social engineering incidents cost organizations billions of dollars. Phishing is the most pervasive social engineering attack. While email filtering and warning messages have been implemented for over three decades, organizations are constantly falling for phishing attacks. Prior research indicated that attackers use phishing emails to create an urgency and fear response in their victims, causing them to use quick heuristics, which leads to human errors. Humans use two types of decision-making processes: a heuristic decision, which is a quick, instinctual decision-making process known as 'System One', and a second, known as 'System Two', that is a slow, logical process requiring attention. 'System Two' is often triggered by a pause in the decision-making process. Additionally, timers were found in other research fields (medicine, transportation, etc.) to affect users' judgement and reduce human errors. Therefore, the main goal of this work-in-progress research study is to determine, through an experimental field study, whether requiring email users to pause by displaying a phishing email warning with a timer has any effect on users falling for simulated phishing attacks. This paper will outline the rationale and the process proposed for the validation of the field experiments with Subject Matter Experts (SMEs). Limitations of the proposed study and recommendations for further research are provided.

    Development and Validation of Users' Information Security Awareness Questionnaire (UISAQ)

    Previous research has shown that the human is the weakest link in the security system and that there is no reliable way to measure the riskiness of human behaviour in terms of compromising the security of an information system. The aim of the research was to develop a valid and reliable instrument that measures the user's influence on the security of an information system. For this purpose, the Information System Users' Knowledge and Risky Behaviour Questionnaire (UZPK; Velki and Šolić, 2014; according to Velki, Šolić and Očević, 2014) was created. The research was conducted in three waves of data collection. The first sample consisted of 135 second-year undergraduate students, on which the construct validity, reliability and sensitivity of the individual subscales were checked and suitable items were selected. The second sample consisted of 211 students and employees, on which the metric characteristics of the improved instrument were checked and the final version of the UZPK (k=33) was obtained. It is divided into two scales: the Computer Users' Risky Behaviour Scale (k=17) [consisting of three subscales: the Subscale of Usual Risky Behaviours of Computer Users (k=6), the Subscale of Personal Computer System Maintenance (k=6) and the Subscale of Lending Access Data (k=5)] and the Information Security Knowledge Scale (k=16) (also consisting of three subscales: the Subscale of the Degree of Security of Computer Communication (k=5), the Subscale of Beliefs about Computer Data Security (k=5) and the Subscale of the Importance of Proper Storage of Computer Data (k=6)). The third sample consisted of 152 employees, on which the UZPK was validated. Good construct validity was obtained, all scales and subscales have satisfactory metric characteristics (reliability and sensitivity), and good criterion validity was also obtained. It can be concluded that the Questionnaire is a valid and reliable measuring instrument with satisfactory psychometric characteristics.