A Conceptual Framework to Analyze Human Factors of Information Security Management System (ISMS) in Organizations

  • Reza Alavi
  • Shareeful Islam
  • Haralambos Mouratidis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8533)


Safeguarding and securing information assets is critical and challenging for organizations that use information systems to support their key business processes. An Information Security Management System (ISMS) establishes a solid security framework and regulates, in a systematic way, how an information system may securely use its resources. However, technical advances in information security do not by themselves guarantee overall security. Human factors of every kind can deeply affect the management of security in an organizational context, regardless of the security measures in place. Analyzing, modeling, quantifying and controlling human factors is difficult because of their subjective and context-specific nature: individuals differ in their personal and social status. This paper proposes a conceptual framework for analyzing and reasoning about three main human factors in an organizational context. The framework is supported by a goal-modeling language built on the concepts of human factors, the driving and resisting forces of the Force-Field Analysis (FFA) tool, goals, risks, vulnerabilities, controls and threats. It supports a better understanding of human factors in the ISMS process, which in turn allows a rationale for change in the organizational context to be reasoned about while providing reasonable security metrics. One such metric is return on investment (ROI), which is a concern for every organization.


Keywords: Information Security Management System (ISMS); Human Factors; Goal-modeling; Force-Field Analysis (FFA)





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Reza Alavi, The University of East London, UK
  • Shareeful Islam, The University of East London, UK
  • Haralambos Mouratidis, University of Brighton, UK
