Human Factor and Information Security

Security Awareness

“Technical advances are not enough to produce secure environments (Metalidou, Marinagi, Trivellas, Eberhagen, Giannnakopulos, and Skourias, 2014)”. Consequences spread as technical advances occur. More problems arise when you put humans and technology together because humans are allowed to use their mind and sometimes depending on their mood things can be seen differently, based on good or evil. Problems can be spotted but it is again up to a human to try and resolve it or get help resolving it. Technology is no longer a thing of its own, security has to be implemented in every aspect of it now-a-days. Humans are more susceptible to social engineering because most humans do not think someone would use their information against them and that is exactly why employees are the weakest link when it comes to keeping assets secure. Technology was not created to solve security problems.

Employees for the most part, show irresponsible behavior by not using secure passwords, using simple passwords, not using two-factor authentication on devices or applications, all in which are very careless things that should be prevented by the organization. Many network and security leaders within organizations assume that using intrusion detection devices, firewalls, bio-metrics and other devices to help protect the network and the information within it is preventing things from occurring 100% of the time, but they are wrong because their employees can still give out that confidential information.

Since, employees have been educated about their organization and systems they can be the first point of contact to an attack. Employees are also more likely to click on links without proper education on how to inspect the links prior to opening them such as hovering over the link, viewing who sent the information, checking for misspelling in the message and seeing if the recipient is actually listed on the message verses a generic salutation.

Companies need to see that if they raise awareness within their organization it could be one of the most cost effective security measures they could implement. Many humans believe that their organization is protecting them and they have nothing to worry about, but they are absolutely wrong. It takes everyone and I mean everyone who uses a device of any sort to help protect the organization and its network. So the key to help protecting it all, is security awareness training and the need for it to be performed on a continuous basis due to employees possibility needing to be re-education every now and then and getting new employee’s who have not been training yet.

In general, to control the organization as much as possible leaders need to focus on the people, processes and technology.

Serious implications found of end-user behavior include:

  • lack of motivation to follow security procedures
  • lack of general knowledge about attacks
  • user’s risky behavior
  • user’s risky belief
  • inadequate use of technology

Main factors of all risks include:

  • excess privilege
  • error and omission
  • denial of service
  • unauthorized access
  • phishing
  • identity theft
  • malware
  • unauthorized copy

Many companies do not set aside enough to invest in security awareness understanding that improve the knowledge level for users and managers. Most security programs should include: discussion forms, risk events, awareness activities, newsletters, article sharing and a management center to help get the employee to understand why it is important for everyone to understand security.

Security awareness training can be performed in various ways such as computer-based learning via CD, web-based learning via internet or intranet and distance learning via mail or catalog. Within security awareness there are various topics that can be discusses using one of the methods above. Topics include discussing information security policies, system access control, system development and maintenance, personnel security, physical and environment security, security organization, asset classification and control, communication and operations management as well as business continuity management compliance. Each topic will give the employee a breakdown on how to remain aware of security issues related to the organization and how to respond to each situation if it occurs.

Overall, every organization should help their employees understand how to behave responsibly and how to report issues should they arise. With open and clear communication of these matters, it could help decrease the chances of the organization getting attacked. More companies need to implement so sort of security awareness program to help prevent humans from exposing information related to the organizations network and systems. Since there are various ways to promote awareness such as via computer, web and mail/catalog, there should be no reason not to implement some sort of security program within an organization with available technology. Security awareness is one of the most cost effective ways to protect employees from attackers and without that proper employee education attackers will continue to take advantage of them via phishing, malware, identity theft and other ways, making it costlier in the long run for the organization itself.

PI Awareness

Reference:

Chen, C., Shaw, K. and Yang, S. (2006). Mitigation Information Security Risk by Increasing User Security Awareness: A Case Study of an Information Security Awareness System. Information Technology Learning and Performance Journal. Vol 24 (1). pp. 1-14. Retrieved from http://resolver.ebscohost.com.ezproxy.bellevue.edu/openurl?sid=EBSCO%3aedsemr&genre=article&issn=13287265&ISBN=&volume=16&issue=3&date=20140805&spage=210&pages=210-221&title=Journal+of+Systems+and+Information+Technology&atitle=Human+factor+and+information+security+in+higher+education&aulast=Georgios+Giannakopoulos+and+Professor+Damianos+Sakas+Professor&id=DOI%3a10.1108%2fJSIT-01-2014-0007&site=ftf-live

Metalidou, E., Marinagi, C., Trivellas, P, Eberhagen, N., Giannakopoulos, G. and Skourlas, C. (2014). Human Factor and Information Security in Higher Education. Journal of Systems and Information Technology. Vol. 16(3). pp. 210-221. Retrieved from http://resolver.ebscohost.com.ezproxy.bellevue.edu/openurl?sid=EBSCO%3aedsemr&genre=article&issn=13287265&ISBN=&volume=16&issue=3&date=20140805&spage=210&pages=210-221&title=Journal+of+Systems+and+Information+Technology&atitle=Human+factor+and+information+security+in+higher+education&aulast=Georgios+Giannakopoulos+and+Professor+Damianos+Sakas+Professor&id=DOI%3a10.1108%2fJSIT-01-2014-0007&site=ftf-live

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s