PhD Thesis

The Information Security Decision Making Process is comprised of an extremely complex
and dynamic set of sub-tasks, sub-goals and inter-disciplinary practices. In order to be
effective and appropriate, this process must balance both the requirements of the stakeholder
as well as the users within the system. Without careful consideration of users’ behaviours and
preferences, interventions are often seen as obstacles towards productivity and subsequently
circumvented or simply not adhered to. The approach detailed herein requires an intimate
knowledge of both Information Security and Human Behaviour.
An effective security policy must adequately protect a given set of assets (human and
non-human) or systems as well as preserve maximal productivity. Companies rely on their
Intellectual Property Rights which are often stored in a digital format. This presents a
plethora of issues regarding security, access management and locality (whether on or off
the premises). Furthermore, there is the added complexity of employees and how they
operate within this environment (a subset of compliance, competence and policy). With
the continued increase in consumerisation, more specifically the rise of Bring Your Own
Device, there is a significant threat towards data security that persists outside of the typical
working environment. This trend enables employees to access and transfer corporate assets
remotely but in doing so creates a conflict over identity, ownership and data management. The
governance of these activities creates an extremely complex problem space in which these
competing requirements must be balanced, relying on an accurate assessment of risk, the identification
of security vulnerabilities and knowledge pertaining to the behaviour of employees.
The risks to company assets can be estimated by the analysis of the following issues:
• Threats to your assets. These are unwanted events that could cause the deliberate or
accidental loss, damage or misuse of the assets.
• Vulnerabilities. How susceptible your assets are to attack.
• Impact. The magnitude of the potential loss or the seriousness of the event.
The ability to quantify and accurately represent these variables is critical in developing,
implementing and supporting a successful security policy.
The dissertation is structured as follows. Chapter 1 provides an abstract overview of
the problem space and highlights our aims, objectives and publications. Chapter 2 details
an in-depth literature review of the cross-disciplinary problem space. This involves both
the analysis of industry standards, practices and reports as well as a summary of academic
literature pertaining to theoretical frameworks and simulations for discussion. Chapter 3
introduces our problem space and documents the rationale for designing our methodology.
Each successive chapter (4, 5, & 6) documents a separate investigative strategy for populating
specific data sets with respect to the behaviours and practices highlighted from our pilot
study and CISO interaction. This provides the rationale behind each approach as well as a
documented implementation and evaluation of our experimental design with reference to
publications in the field. Chapter 7 documents our modelling strategy and highlights the
extensions we propose to the BPMN 2.0 formalism. Chapter 8 concludes our work with
reference to our contributions, limitations and the direction of future study.