Human aspects of information security in organisations
Nader Sohrabi Safa, Rossouw von Solms and Lynn Futcher, Nelson Mandela Metropolitan University, South Africa
Computer Fraud & Security, February 2016

Information is core to the well-being of any modern-day organisation. To protect this important asset satisfactorily, human, organisational and technological aspects all play a core, integrative role in information security. Both technological and organisational controls are critically important, but both are closely related to people. A person can play a variety of roles: the user of information systems, the owner of information, or the hacker or attacker of information systems. In addition, several studies have implicated people as a weak link in the information security chain.1,2 Sharing usernames and passwords with colleagues, writing them on sticky notes stuck to the desk or monitor, opening unknown emails and their attachments, downloading software from the Internet, and leaving systems logged in while unattended are all examples of human mistakes in the domain of information security. Indeed, users, intentionally or unintentionally, are a great potential threat to information assets. Apathy, ignorance, negligence, lack of awareness, mischievousness and resistance to organisational information security policies are the roots of information security incidents in many cases. Figure 1 shows the core aspects in the process of securing information as an organisational asset.

On the other hand, users or employees in organisations can aggregate their efforts, abilities and knowledge against information security breaches. In this regard, information security knowledge sharing (ISKS), information security collaboration (ISC), information security conscious care behaviour (ISCCB) and complying with information security organisational policies and procedures (CISOP) have been mentioned and researched as effective and efficient people-related approaches that mitigate the risk of information security incidents in organisations.
Security knowledge sharing

Knowledge sharing plays an important role in the domain of information security because of its positive effect on employees’ information security awareness.3 Security awareness is acknowledged as the most important factor in mitigating the risk of information security breaches in organisations. Hackers use new and ingenious methods to compromise others’ computers or systems for their own benefit. Recently, online attackers set up a bogus website and invited visitors to download their free anti-virus software. Many people downloaded the fake anti-virus package, their computers became infected and consequently most of their private information was compromised. Falling victim to social engineering methods and phishing are other examples of users’ mistakes in the domain of information security behaviour.4 In this dynamic environment, effective information security knowledge sharing among employees not only raises the level of awareness but also reduces the cost of information security in organisations. Information security experts face similar problems in this domain and could also gain a great deal by sharing knowledge. Sharing knowledge prevents the development of multiple solutions to similar problems and thus avoids wasted time and extra cost.5 That time and funding could be better spent improving the quality of solutions instead of reinventing the security wheel. However, a previous study showed that motivating employees to share knowledge is the main challenge in this realm. Sharing previous relevant experience in the domain of information security is a valuable resource for information security awareness.
“Effective information security knowledge sharing (ISKS) is an important aspect in the human approach towards securing information assets”

Figure 1: Core aspects in information security.

KwangWook and Ravichandran investigated the effect of information security knowledge sharing in a virtual community and its effect on reducing risks.6 They also identified members’ low willingness to share knowledge with each other as an important barrier in the information security knowledge sharing realm. Confidence in one’s own ownership of knowledge, fear of losing one’s job, the perceived cost, unfamiliarity with the subject, individual attitude and distrust have already been cited as obstacles to knowledge sharing. Motivation explains the reasons for individuals’ manners, actions, needs and desires. A motive is what prompts a person to behave in a particular way or direction. Earning a reputation and gaining promotion, as extrinsic motivational factors, and satisfying one’s curiosity, as an intrinsic motivation, have significant effects on employees’ attitude toward ISKS intention. Because of these advantages, companies should establish an appropriate environment in which to develop this culture. Therefore, effective information security knowledge sharing (ISKS) is an important aspect in the human approach towards securing information assets.
Security collaboration

Collaboration refers to working together to achieve a shared goal. That goal can be the safeguarding of information assets in an organisation. Information security collaboration means the aggregation of employees’ contributions against information security incidents within an organisation.7 Information security collaboration has been acknowledged not only as effective and efficient, but also as a necessary approach to mitigate the risk of information security breaches in organisations.8 Personal interests, shared goals, benefits and organisational support are factors that positively influence ISC in organisations. Collaboration is the main subject of many studies relating to learning, health, project control, organisation, business and so forth. Collaboration increases benefits through sharing expertise and improves decision making and innovation through sharing ideas. Furthermore, it increases the chance of solving problems, improves the ability to pursue goals and reduces costs. Improved productivity and performance, learning and knowledge sharing are other advantages of inter-organisational collaboration. Lack of commitment, communication, trust, coordination, a culture of collaboration and supervision, as well as a concentration on technical skills rather than collaboration, are barriers to collaboration. To perform security tasks, employees should cooperate, coordinate and collaborate with others. These interactions are distinguished by the level of commitment and the intensity of the relationship. Responsibility means sharing our knowledge and experience with each other and knowing that we are working together to create a secure environment. Capturing, integrating, submitting, commenting on, reviewing and sharing our information security knowledge are examples of collaboration. Collaborative value refers to the greater knowledge that comes from interactions between collaborators, at less cost and with more efficiency. Responding to security incidents, developing policies, reporting security breaches and knowledge sharing in the domain of information security are examples of information security collaboration. In this approach, the protection of information assets is the shared goal, and organisational information security policies and procedures are the shared rules. However, there is a paucity of research on the formation of information security collaboration in organisations. Thus, information security collaboration (ISC) between human information security role players is critically important. Obviously, this ISC has a close interactive relationship with ISKS.
Conscious care behaviour

Conscious care behaviour has been acknowledged as an effective and efficient approach against phishing, social engineering, fake anti-virus and bogus software, and thus as a way to mitigate information security breaches.9 Technology and the threat environment are dynamic by nature and change frequently. For instance, the Internet of Things (IoT) encompasses a vast number of new Internet applications that connect devices, systems, services and even smart objects, and covers a variety of protocols, domains and applications. These changes make it difficult to anticipate and quantify information security risk.10 Conscious care behaviour is an effective approach to countering creative attacks. Conscious care behaviour means that users think about the consequences of their actions in terms of information security when they work with a system, particularly on the Internet. Information security awareness, knowledge and experience play vital roles in this domain. Rhee, Kim and Ryu asserted that information security risk management encompasses two aspects:11

1. Security software and features, such as pop-up blocking, anti-spyware and anti-virus software.
2. Security conscious care behaviour related to computer and Internet usage.

The importance of human factors in the domain of information security cannot be overstated. Information security management should consider users and their perceptions as important factors in providing a secure environment. In other words, users are at the centre of the security concept.

“Information security conscious care behaviour is an effective and efficient approach to mitigating the risk of information security incidents”

Mitigating and preventing cyber security risks needs to be implemented in several stages, and behavioural science plays an important role in the design, development and maintenance stages of web systems.12 Users consider security an obstacle when there is no appropriate response to their cyber incidents. They may face difficulties in security implementation and misinterpret, mistrust or override the security controls.13 Users’ attitudes and their resistance behaviour change when they face a mandatory password change. Researchers have found that such changes are intentionally delayed and regarded as an unnecessary interruption. Users know that a password breach can have severe consequences, but do not change their attitude toward the implementation of security policy. Users, intentionally or through negligence, are an important threat to information security. Careless information security behaviour is the main problem. In this case, information security conscious care behaviour is an effective and efficient approach to mitigating the risk of information security incidents. However, there is also a paucity of research about the formation of information security conscious care behaviour in this domain. From the above, it is clear that the information security conscious care behaviour (ISCCB) of an employee is a state to strive for. Further, it is also clear that both ISC and ISKS exert a core influence on achieving ISCCB.
Complying with policies

The web is a huge and dynamic environment within which hackers use new and varied methods to achieve security breaches.14 Misleading applications, such as bogus disk defragmentation tools or fake anti-virus scanners, are examples of new methods designed to mislead users into thinking their computer has a problem or a virus. These misleading applications usually report non-existent problems or threats and suggest downloading free software that may in fact be spyware or other malicious software. Employees should not download any software from the Internet; they should report such incidents to the experts in this domain before taking any action, in line with organisational information security policies and procedures. Organisational information security policies and procedures forbid the downloading of software from unauthorised websites. In these cases, employees should think about the consequences of their behaviour. Here awareness plays a vital role, and it can come from knowledge sharing in organisations. Information security breaches not only lead to extra cost for organisations, but also significantly damage their reputation.15 Proper information security behaviour, alongside the technological and organisational aspects of information security, mitigates the risk of information security breaches in organisations. Previous studies have indicated that organisations that neglect to focus on individuals fail to achieve success in their efforts.16 Insider threats and abuse by employees continue to plague organisations; therefore, complying with information security policies and procedures is an effective approach in this domain. Although sound information security policies (ISPs) are core to the organisational aspect of securing information, the subsequent compliance with information security organisational policies (CISOP) is critically important. It is common knowledge that non-compliance with such policies renders them useless. From this argument it is also clear that ISCCB will indeed contribute towards effective CISOP. This is the eventual goal in rendering organisational information security policies effective. This relationship is depicted in Figure 2, which indicates that effective interaction between ISKS and ISC will lead to effective ISCCB and result in the CISOP that will render these ISPs highly effective. It is important that ISKS, ISC, ISCCB and CISOP collectively contribute towards addressing the human aspect in securing valuable company information assets.

Figure 2: Human and organisational aspects of information security.
Conclusion

In this article, we have argued that the human aspects of information security should be taken into consideration alongside the technological and organisational aspects to mitigate the risk of information security incidents in organisations. Online attackers target people because of their mistakes in this domain. We presented some illustrative examples of users’ mistakes and their root causes, which can serve as clues for future research. The significant contribution of this article derives from the inclusion of approaches that emphasise the human aspects of information security in organisations, namely:

• Information security knowledge sharing.
• Information security collaboration.
• Information security conscious care behaviour.
• Complying with organisational information security policies and procedures.

These approaches have many advantages for organisations and shed some light for academics and practitioners in this domain.
About the authors

Nader Sohrabi Safa is a postdoctoral fellow at the Centre for Research in Information and Cyber Security at Nelson Mandela Metropolitan University (NMMU), Port Elizabeth, South Africa. He received his PhD in information systems in 2014 from the Faculty of Computer Science and Information Technology, University of Malaya. His research interest is in the domain of human aspects of information security. He has presented several modules on the human aspects of information security in organisations.

Rossouw von Solms is a professor at, and director of, the Centre for Research in Information and Cyber Security at Nelson Mandela Metropolitan University. He supervises many students at PhD and postdoctoral level in the fields of information security and IT governance. He has published and presented in excess of 150 academic papers in journals and at conferences, both internationally and nationally. Most of these papers were published and presented in the field of information security.

Lynn Futcher is currently an academic within the School of ICT at the Nelson Mandela Metropolitan University. She holds a PhD in information technology from the NMMU. Her main areas of research include information security education, secure software development and usable security. She has been an active IFIP member for over 10 years and is currently the chair of IFIP WG 11.8, which focuses on information security education. She is also involved in research on the integration of information and cyber security into computing-related curricula.
References

1. Safa, NS et al. ‘Information security conscious care behaviour formation in organisations’. Computers & Security, 2015. 53(0): p.65-78.
2. Safa, NS; Von Solms, R; Furnell, S. ‘Information security policy compliance model in organisations’. Computers & Security, 2016. 56: p.70-82.
3. Kampanakis, P. ‘Security Automation and Threat Information-Sharing Options’. Security & Privacy, IEEE, 2014. 12(5): p.42-51.
4. Islam, R; Abawajy, J. ‘A multi-tier phishing detection and filtering approach’. Journal of Network and Computer Applications, 2013. 36(1): p.324-335.
5. Feledi, D; Fenz, S; Lechner, L. ‘Toward web-based information security knowledge sharing’. Information Security Technical Report, 2013. 17(4): p.199-209.
6. KwangWook, G; Ravichandran, T. ‘Accessing External Knowledge: Intention of Knowledge Exchange in Virtual Community of Practice’. In: System Sciences (HICSS), 2011 44th Hawaii International Conference, 2011.
7. Woodland, RH; Hutton, MS. ‘Evaluating Organisational Collaborations: Suggested Entry Points and Strategies’. American Journal of Evaluation, 2012. 33(3): p.366-383.
8. Tøndel, IA; Line, MB; Jaatun, MG. ‘Information security incident management: Current practice as reported in the literature’. Computers & Security, 2014. 45(0): p.42-57.
9. Kim, DW; Yan, P; Zhang, J. ‘Detecting fake anti-virus software distribution web pages’. Computers & Security, 2015. 49(0): p.95-106.
10. Pfleeger, SL; Caputo, DD. ‘Leveraging behavioral science to mitigate cybersecurity risk’. Computers & Security, 2012. 31(4): p.597-611.
11. Rhee, H-S; Kim, C; Ryu, YU. ‘Self-efficacy in information security: Its influence on end users’ information security practice behavior’. Computers & Security, 2009. 28(8): p.816-826.
12. Padayachee, K. ‘Taxonomy of compliant information security behavior’. Computers & Security, 2012. 31(5): p.673-680.
13. Cox, J. ‘Information systems user security: A structured model of the knowing-doing gap’. Computers in Human Behavior, 2012. 28(5): p.1849-1858.
14. Safa, NS; Ghani, NA; Ismail, MA. ‘An Artificial Neural Network Classification Approach For Improving Accuracy Of Customer Identification In E-Commerce’. Malaysian Journal of Computer Science, 2014. 27(3): p.171-185.
15. Safa, NS; Ismail, MA. ‘A customer loyalty formation model in electronic commerce’. Economic Modelling, 2013. 35(0): p.559-564.
16. Furnell, S; Clarke, N. ‘Power to the people? The evolving recognition of human aspects of security’. Computers & Security, 2012. 31(8): p.983-988.