5 research outputs found

    Guidelines for designing IT security management tools

    An important factor that impacts the effectiveness of security systems within an organization is the usability of security management tools. In this paper, we present a survey of design guidelines for such tools. We gathered guidelines and recommendations related to IT security management tools from the literature as well as from our own prior studies of IT security management. We categorized and combined these into a set of high level guidelines and identified the relationships between the guidelines and challenges in IT security management. We also illustrated the need for the guidelines, where possible, with quotes from additional interviews with five security practitioners. Our framework of guidelines can be used by those developing IT security tools, as well as by practitioners and managers evaluating tools.

    A stealth approach to usable security: Helping IT security managers to identify workable security solutions

    Recent advances in the research of usable security have produced many new security mechanisms that improve usability. However, these mechanisms have not been widely adopted in practice. In most organisations, IT security managers decide on security policies and mechanisms, seemingly without considering usability. IT security managers consider risk reduction and the business impact of information security controls, but not the impact that controls have on users. Rather than trying to remind security managers of usability, we present a new paradigm -- a stealth approach which incorporates the impact of security controls on users' productivity and willingness to comply into business impact and risk reduction. During two 2-hour sessions, 3 IT security managers discussed with us mock-up tool prototypes that embody these principles, alongside a range of potential usage scenarios (e.g. cloud-based password-cracking attacks and "hot-desking" initiatives). Our tool design process elicits findings to help develop mechanisms to visualise these tradeoffs.

    A framework towards effective control in information security governance

    The importance of information in business today has made the need to properly secure this asset evident. Information security has become a responsibility for all managers of an organization. To better support more efficient management of information security, timely information security management information should be made available to all managers. Smaller organizations face special challenges with regard to information security management and reporting due to limited resources (Ross, 2008). This dissertation discusses a Framework for Information Security Management Information (FISMI) that aims to improve the visibility and contribute to better management of information security throughout an organization by enabling the provision of summarized, comprehensive information security management information to all managers in an affordable manner.

    A framework for the development of a personal information security agent

    Nowadays information is everywhere. Organisations process, store and create information in unprecedented quantities to support their business processes. Similarly, people use, share and synthesise information to accomplish their daily tasks. Indeed, information and information technology are the core of business activities, and a part of daily life. Information has become a crucial resource in today's information age and any corruption, destruction or leakage of information can have a serious negative impact on an organisation. Thus, information should be kept safe. This requires the successful implementation of information security, which ensures that information assets are only used, modified and accessed by authorised people. Information security faces many challenges; and organisations still have not successfully addressed them. One of the main challenges is the human element. Information security depends to a large extent on people and their ability to follow and apply sound security practices. Unfortunately, people are often not very security-conscious in their behaviour; and this is the cause of many security breaches. There are a variety of reasons for this such as a lack of knowledge and a negative attitude to security. Many organisations are aware of this; and they attempt to remedy the situation by means of information security awareness programs. These programs aim to educate, train and increase the security awareness of individuals. However, information security awareness programs are not always successful. They are not a once-off remedy that can quickly cure information security. The programs need to be implemented effectively, and they require an ongoing effort. Unfortunately, this is where many organisations fail. Furthermore, changing individuals' security behaviour is difficult due to the complexity of factors that influence everyday behaviour.
    In view of the above, this research project proposes an alternative approach in the form of a personal information security agent. The goal of this agent is to influence individuals to adopt more secure behaviour. There are a variety of factors that need to be considered, in order to achieve this goal, and to positively influence security behaviour. Consequently, this research establishes criteria and principles for such an agent, based on the theory and practice. From a theoretical point of view, a variety of factors that influence human behaviour such as self-efficacy and normative beliefs were investigated. Furthermore, the field of persuasive technology has provided for strategies that can be used by technology to influence individuals. On the practical side, a prototype of a personal information security agent was created and evaluated through a technical software review process. The evaluation of the prototype showed that the theoretical criteria have merit but their effectiveness is largely dependent on how they are implemented. The criteria were thus revised, based on the practical findings. The findings also suggest that a personal information security agent, based on the criteria, may be able to positively influence individuals to be more secure in their behaviour. The insights gained by the research are presented in the form of a framework that makes both theoretical and practical recommendations for developing a personal information security agent. One may, consequently, conclude that the purpose of this research is to provide a foundation for the development of a personal information security agent to positively influence computer users to be more security-conscious in their behaviour.