A Conceptual Framework to Analyze Human Factors of Information Security Management System (ISMS) in Organizations
Safeguarding and securing information assets is critical and challenging for organizations that use information systems to support their key business processes. An Information Security Management System (ISMS) establishes a solid security framework and regulates, in a systematic way, how an information system can securely use its resources. However, technical advances in information security do not always guarantee overall security. All kinds of human factors can deeply affect the management of security in an organizational context despite all technical security measures. Yet analyzing, modeling, quantifying and controlling human factors is difficult because of their subjective and context-specific nature, since individuals tend to differ in personal and social status. This paper proposes a conceptual framework for analyzing and reasoning about three main human factors in an organizational context, supported by a goal-modeling language built on the concepts of human factors, the driving and resisting forces of the Force-Field Analysis (FFA) tool, goals, risks, vulnerabilities, controls and threats. The framework supports a better understanding of human factors in the ISMS process, which in turn allows reasoning about a rational change in the organizational context while providing reasonable metrics for security; one such metric would be return on investment (ROI), which is a concern of every organization.
Keywords: Information Security Management System (ISMS); Human Factors; Goal-modeling; Force-Field Analysis (FFA)