A Management Decision Support System for Evaluating Information Security Behaviour
Information security management is a difficult task in organisations. Owing to skills shortages and the like, relatively few managerial staff possess the expertise required to make security decisions confidently. The purpose of this paper is to present a decision support system that can analyse, and provide insight into, information security behaviour in an organisation, while supporting management decision-making for organisational factors. The system employs behavioural threshold analysis to predict eventual information security behaviour for different groupings in an organisation. The decision support system presented here, which is the first of its kind, can be helpful in understanding the current state of organisational information security behaviour and what can be done to improve upon it. After intervention measures have been applied, the system may be used to test whether these measures had the intended positive effect. The system is discussed in terms of the different information areas that are used to allow insight into the security behaviours. A critical reflection provides an analysis of the contributions and limitations of the system.
Keywords: Information security; Decision support system; Behavioural threshold analysis
The authors would like to thank and acknowledge the contributions of Erik Jonker and Arno Strydom for their undertaking in programming the system based on the requirements as set out by the authors.