A Longitudinal Study of Information System Threat Categories: The Enduring Problem of Human Error

Data Base for Advances in Information Systems

Volumn 36, Issue 4, 2005, Pages 68-79

  Im Paul, Ghi ^a   Baskerville, Richard L ^a  

^a GEORGIA STATE UNIVERSITY   (United States)

Author keywords

Computer Security; Human Error; Information Infrastructure Protection; Information Security; Information System Threat; Information System Threat Taxonomy; Software Defects; Software Quality and Reliability

Indexed keywords

EID: 33751161222     PISSN: 00950033     EISSN: None     Source Type: Journal    
DOI: 10.1145/1104004.1104010     Document Type: Article

References (46)

1. Amoroso, E. G. (1994). Fundamentals of Computer Security Technology, Upper Saddle River, NJ: Prentice-Hall PTR.
2. Argyris, C. (1986). “Skilled Incompetence,” Harvard Business Review, Vol. 64, No. 5, pp. 74–79.
3. Argyris, C. and Schon, D. A. (1978). Organizational Learning: A Theory of Action Perspective, Reading, MA: Addison-Wesley.
4. AusCERT (2003). Australian Computer Crime and Security Survey: Australian Federal Police.
5. Baskerville, R. (1996). “A Taxonomy for Analyzing Hazards to Information Systems,” in Katsikas, S. and Gritzalis, D. (Eds.), Information Systems Security: Facing the Information Society, London: Chapman & Hall, pp. 167–176.
6. Berkowitz, B. (2003). The New Face of War: How War Will Be Fought in the 21st Century, New York: The Free Press.
7. Brown, A. B. and Patterson, D. A. (2001). “To Err is Human,” First Workshop on Evaluating and Architecting System Dependability (EASY ‘01), Goteborg, Sweden.
8. Cohen, F. (1997). “Information System Attacks: A Preliminary Classification Scheme,” Computers & Security, Vol. 16, No. 1, pp. 29–46.
9. Couger, J. D. (1995). Creative Problem Solving and Opportunity Finding, Danvers, MA: Boyd and Fraser.
10. Courtney, R. (1977). Security risk assessment in electronic data processing. AFIPS Conference NCC, Arlington, VA, pp. 97–104.
11. Dhillon, G. (1999). “Managing and controlling computer misuse,” Information Management & Computer Security, Vol. 7, No. 4, pp. 171–175.
12. Dhillon, G. (2001a). “Challenges in Managing Information Security in the New Millennium,” in Dhillon, G. (Ed.), Information Security Management: Global Challenges in the New Millennium, Hershey, PA: Idea Group Publishing, pp. 1–8.
13. Dhillon, G. (2001b). “Principles for Managing Information Security in the New Millennium,” in Dhillon, G. (Ed.), Information Security Management: Global Challenges in the New Millennium, Hershey, PA: Idea Group Publishing, pp. 173–177.
14. Dhillon, G. and Backhouse, J. (2000). “Information system security management in the new millennium,” Communications of the ACM, Vol. 43, No. 7, pp. 125–128.
15. Dhillon, G. and Backhouse, J. (2001). “Current directions in IS security research: Towards socio organizational perspectives.,” Information Systems Journal, Vol. 11, No. 2, pp. 127–153.
16. Forcht, K. A. (1994). Computer Security Management, Danvers, MA: Boyd & Fraser.
17. Gates, W. (2002). Microsoft email on January 15, www.wired.com (accessed in May 2003)
18. Gray, J. (1999). “What Next? A dozen remaining IT problems,” Turing Award Lecture.
19. Hennessy, J. (1999). “The Future of Systems Research,” Computer, Vol. 32, No. 8, pp. 27–33.
20. Howard, J. D. (1997). An Analysis of Security Incidents on The Internet 1989–1995 unpublished doctoral dissertation, Carnegie Mellon University, Pittsburgh, PA.
21. Internet Systems Consortium, Inc. (2004). ISC Internet Domain Survey, http://www.isc.org/ds/(accessed August 2004)
22. Levine, H. G. and Rossmoore, D. (1993). “Diagnosing the human threats to information technology implementation: A missing factor in systems analysis illustrated in a case study,” Journal of Management Information Systems, Vol. 10, No. 2, p. 55.
23. Loch, K. D., Carr, H. H., and Warkentin, M. E. (1992). “Threats to Information Systems: Today's Reality, Yesterday's Understanding,” MIS Quarterly, Vol. 16, No. 2, p. 173.
24. Mckelvey, B. (1982). Organizational Systematics: Taxonomy, Evolution, Classification, Berkeley, CA.: University of California Press.
25. Neumann, P. (1992~1993). “Risks to the Public,” Software Engineering Notes, Vol. 17, No. 1, No. 4.
26. Neumann, P. (2001~2003). “Risks to the Public,” Software Engineering Notes, Vol. 28, No. 2.
27. Neumann, P. G. (1995). Computer-related Risks, New York: ACM Press.
28. Nielsen, J. (1994). Usability Engineering, San Diego, CA: Academic Press.
29. Norman, D. (1983). “Design rules based on analysis of human error,” Communications of The ACM, Vol. 26, No. 4, pp. 254–258.
30. Norman, D. (1988). The Psychology of Everyday Things, New York: Basic Books.
31. Parker, D. (1981). Computer Security Management, Reston, VA: Reston Publishing.
32. Parnas, D. L. (1985). “Software Aspects of Strategic Defense Systems,” Communications of the ACM, Vol. 28, No. 12, pp. 1326–1335.
33. Patterson, D. A., Brown, A. B., Broadwell, P., Candea, G., Chen, M., Cutler, J., Enriquez, P., Fox, A., Kiciman, E., Merzbacher, M., Oppenheimer, D., Sastry, N., Tetzlaff, W., Traupman, J., and Treuhaft, N. (2002). Recovery- Oriented Computing (ROC): Motivation, Definition, Techniques, and Case Studies: UC Berkeley Technical Report UCB/CSD-02-1175.
34. Pethia, R. D. (2003). “Viruses and Worms: What Can We Do About Them?”, Congressional testimony Before the House Committee on Government Reform: CERT Coordination Center.
35. Rasmussen, J. (1986). Information Processing and Human-Machine Interaction, Amsterdam: North- Holland.
36. Reason, J. (1990). Human Error, Cambridge: Cambridge University Press.
37. Richardson, R. (2003). CSI/FBI Computer crime and security survey: Computer Security Institution, http://www.gocsi.com (accessed August 2004)
38. Salter, J. H. and Schroeder, M. D. (1975). “The protection of information in computer systems,” Proceedings of the IEEE, Vol. 63, No. 9, pp. 1278 1308.
39. Schenk, K. D., Vitalari, N. P., and Davis, K. S. (1998). “Differences between novice and expert systems analysts: What do we know and what do we do?,” Journal of Management Information Systems, Vol. 15, No. 1, pp. 9–50.
40. Shimeall, T. and Williams, P. (2002). “Models of Information Security Trend Analysis,” SPIE Aerosense Conference, Orlando, FL.
41. Straub, D. W. and Welke, R. J. (1998). “Coping with systems risk: Security planning models for management decision making,” Mis Quarterly, Vol. 22, No. 4, pp. 441–469.
42. Walker, S. T. (1985). “Network Security Overview,” IEEE Symposium on Security and Privacy, Oakland, CA.
43. Warren, M. and Hutchinson, W. (2001). “Cyber Terrorism and the Contemporary Corporation,” in Dhillon, G. (Ed.), Information Security Management: Global Challenges in the New Millennium, Hershey, PA: Idea Group Publishing, pp. 53–64.
44. Whitman, M. E. (2004). “In defense of the realm: Understanding the threats to information security,” International Journal of Information Management, Vol. 24, No. 1, pp. 43–57.
45. Woodward, D. (2000). “Smart Security,” The British Journal of Administrative Management, Vol. 18, pp. 22–23.
46. Zurko, M. E. and Simon, R. T. (1996). “User-centered security,” ACM New Security Paradigms Workshop, Lake Arrowhead, CA.