The information security digital divide between information security managers and users

Albrechtsen, Eirik; Hovden, Jan Fredrik

doi:10.1016/j.cose.2009.01.003

Cited by 104 publications

(75 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Previous research indicated that the slight response rate which uncovered that the main reasons that the related information security is regarded as confidentiality and the policy of information secrecy is implemented extensively in enterprise. These above-mentioned actualities, the sufficient quantity of received survey is more arduous, hence, the amount of received survey in information security research generally are slighter than other research issues (Albrechtsen & Hovden, 2009;Department of Trade & Industry, 2004;Kotulic & Clark, 2004;Vance, Siponen, & Pahnila, 2012). On the other hand, the majority of studies on computer virus propagation published in the IS security literature a technical perspective and lack of management perspectives.…”

Section: Introductionmentioning

confidence: 99%

Using System Dynamics to Investigate the Effect of the Information Medium Contact Policy on the Information Security Management

Sung¹,

Su²

2013

IJBM

View full text Add to dashboard Cite

Computer viruses remain the information security threat for business and result a devastating effect on business continuity and profitability. In order to deploy antivirus countermeasures, it is necessary to understand and explore the computer virus propagation. This research explored further the users who contact with media and discuss information security controls, including management and technical. First, we propose the computer viruses propagation model and analysis from system viewpoint. Second, we explore and evaluate the effectiveness of preventive countermeasures. Finally, we suggest several considerations for manager to practice. The simulation results show that users contact with media for network had a significant effect on infection rate and policy enforcement has powerful influence than firewall on restrain infection rate. Based on these results, we suggest: (1) information security management policy development takes precedence over the physical security; (2) it is very important to identify all assets, define the classification of assets, and identify security roles and responsibilities of employees; (3) it is necessary to audit regularly the configurations and the parameters of security techniques; (4) the operating system and the application software on hosts and servers should be updated and patched regularly; (5) the removable storage and removable/mobile access media should be restricted.

show abstract

Section: Introductionmentioning

confidence: 99%

Using System Dynamics to Investigate the Effect of the Information Medium Contact Policy on the Information Security Management

Sung¹,

Su²

2013

IJBM

View full text Add to dashboard Cite

show abstract

“…Employees who are frustrated with high security overhead and do not feel trusted are likely to develop a negative attitude towards security. This leads to the creation of a value gap between security and production parts of an organization, and reduces employee's willingness to collaborate to keep the organization secure [28]. When that negative attitude becomes prominent, it leads to widespread non-compliance [32], insider attacks [14] and valuable employees that feel untrusted leaving organization (loss of human capital) [29].…”

Section: Enforcement Leads To Distrustmentioning

confidence: 99%

What Usable Security Really Means: Trusting and Engaging Users

Kirlappos

Sasse

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Non-compliance with security mechanisms and processes poses a significant risk to organizational security. Current approaches focus on designing systems that restrict user actions to make them 'secure', or providing user interfaces to make security tools 'easy to use'. We argue that an important but often-neglected aspect of compliance is trusting employees to 'do what's right' for security. Previous studies suggest that most employees are intrinsically motivated to behave securely, and that contextual elements of their relationship with the organization provide further motivation to stay secure. Drawing on research on trust, usable security, and economics of information security, we outline how the organization-employee trust relationship can be leveraged by security designers.Keywords: trust, usable security, information security management. Current State of Security Implementations in OrganizationsFor most people, the term 'information security' evokes technical mechanisms -such as authentication and access control -implemented to protect organizational assets [1]. Over the past two decades, awareness has been growing that many information security breaches were results of human error and social engineering; Bruce Schneier described people as the "weakest link" in the security chain [2]. Whilst some security experts have, unhelpfully, described users as stupid or careless [3], others have tried to increase compliance by providing 'more usable' security in some form. An implicit assumption of this work has been that -if people are able to use a security mechanism correctly, they would be motivated to do so [4][5][6][7][8][9] . Users look for efficiencies in their daily lives, and that means 'the less I have to think about security, the better'. And given that is the case, trust becomes important. The traditional "command-and-control" approach to information security management treats employees as untrustworthy components, whose behavior has to be constrained [4]. But recent research has revealed that even employees who do not comply with some security policies are motivated and act responsible when they recognize a security risk, and the cost to them is reasonable [10], [11],[15].Thus, designers of security mechanisms should consider how trust between an organization and its employees affects security behaviors. The role of trust in technology design has been examined by research aiming to create technology platforms that enable the development of trust relationships in online commerce and gaming [16][17][18][19][20][21]. In this paper we take a different path, building on the trust model by Riegelsberger et al. [16] to explain the benefits of treating employees as trusted entities in organizational security implementations. We (1) use the model explain the creation of a trust relationship between employees and organization, (2) analyze how that affects employee compliance decisions with security policies and mechanisms, and (3) present how the organization-employee trust relationship can be leverag...

show abstract

“…We regard the lack of sufficient consideration of the current practice in the design and implementation of ISSPs as a considerable shortcoming, especially in light of the central role that ISSPs play in managing the users' ISS behaviors. ISSPs are often expressions of management's values and beliefs about how to manage ISS in the organization [8] while employees' behaviors are often anchored in deeply held values and beliefs often related to their profession and work practices [9,10]. Previous research shows that tensions and value conflicts are a natural part of ISS management [9][10][11].…”

Section: Introductionmentioning

confidence: 99%

“…ISSPs are often expressions of management's values and beliefs about how to manage ISS in the organization [8] while employees' behaviors are often anchored in deeply held values and beliefs often related to their profession and work practices [9,10]. Previous research shows that tensions and value conflicts are a natural part of ISS management [9][10][11]. We claim that the current limited focus on changing users' values do not consider the complexity of ISS management and practice where different groups and collaborating actors adhere to different and sometimes even conflicting values.…”

Section: Introductionmentioning

confidence: 99%

Analyzing Value Conflicts for a Work-Friendly ISS Policy Implementation

Kolkowska

Decker

2012

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Abstract. Existing research shows that the Information Systems Security policies' (ISSPs) inability to reflect current practice is a perennial problem resulting in users' non-compliant behaviors. While the existing compliance approaches are beneficial in many ways, they do not consider the complexity of Information Systems Security (ISS) management and practice where different actors adhere to different and sometimes conflicting values. The unsolved value conflicts often lead to unworkable ISS processes and users' resistance. To address this shortcoming, this paper suggests a value conflicts analysis as a starting point for implementing work-friendly ISSPs. We show that the design and implementation of a work-friendly ISSP should involve the negotiation for different values held by the different actors within an organization.

show abstract

The information security digital divide between information security managers and users

Cited by 104 publications

References 24 publications

Using System Dynamics to Investigate the Effect of the Information Medium Contact Policy on the Information Security Management

Using System Dynamics to Investigate the Effect of the Information Medium Contact Policy on the Information Security Management

What Usable Security Really Means: Trusting and Engaging Users

Analyzing Value Conflicts for a Work-Friendly ISS Policy Implementation

Contact Info

Product

Resources

About