Computer Fraud & Security


Human aspects of information security in organisations

Nader Sohrabi Safa, Rossouw von Solms and Lynn Futcher, Nelson Mandela Metropolitan University, South Africa

February 2016

Information is core to the well-being of any modern-day organisation. In order to protect this important asset satisfactorily, human, organisational and technological aspects all play a core, integrative role in information security. Both technological and organisational controls are critically important, but both are closely related to people. A person can play a variety of roles, such as user of information systems, owner of information, or hacker or attacker of information systems. In addition, several studies have implicated people as the weak link in the information security chain.1,2 Sharing usernames and passwords with colleagues, writing them on sticky notes attached to the desk or monitor, opening unknown emails and their attachments, downloading software from the Internet, and leaving systems logged in while unattended are all examples of human mistakes in the domain of information security. Indeed, users, whether intentionally or unintentionally, are a great potential threat to information assets. Apathy, ignorance, negligence, lack of awareness, mischievousness and resistance to organisational information security policies are the roots of information security incidents in many cases. Figure 1 shows the core aspects of the process of securing information as an organisational asset.

On the other hand, users or employees in organisations can pool their efforts, abilities and knowledge against information security breaches. In this regard, information security knowledge sharing (ISKS), information security collaboration (ISC), information security conscious care behaviour (ISCCB) and compliance with organisational information security policies and procedures (CISOP) have been identified and researched as effective and efficient people-related approaches that mitigate the risk of information security incidents in organisations.

Security knowledge sharing

Knowledge sharing plays an important role in the domain of information security because of its positive effect on employees’ information security awareness.3 It is acknowledged that security awareness is the most important factor mitigating the risk of information security breaches in organisations. Hackers use new and ingenious methods to compromise other people’s computers or systems for their own benefit. Recently, online attackers set up a bogus website and invited visitors to download their free anti-virus software. Many people downloaded the fake anti-virus package, their computers became infected and
