Human and organizational factors in computer and information security: Pathways to vulnerabilities

Computers and Security

Volumn 28, Issue 7, 2009, Pages 509-520

  Kraemer, Sara ^a   Carayon, Pascale ^b   Clem, John ^c  

^a UNIVERSITY OF WISCONSIN MADISON   (United States)

^b University of Wisconsin Madison   (United States)

^c SANDIA NATIONAL LABORATORIES   (United States)

Author keywords

Causal Network Analysis; Computer security; Design; Human and organizational factors; Pathways; Red teams; Vulnerabilities

Indexed keywords

CAUSAL NETWORK ANALYSIS; COMPUTER SECURITY; HUMAN AND ORGANIZATIONAL FACTORS; PATHWAYS; RED TEAMS; VULNERABILITIES;

COMPUTER NETWORKS; ELECTRIC NETWORK ANALYSIS; NETWORK SECURITY; RESOURCE ALLOCATION; SECURITY SYSTEMS;

HUMAN RESOURCE MANAGEMENT;

EID: 70349448077     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2009.04.006     Document Type: Article

References (47)

1. Adams A., and Sasse M.A. Users are not the enemy. Communications of the ACM 42 12 (1999) 41-46
2. Adams A., Sasse M.A., and Lunt P. Making passwords secure and usable. In: Thimbleby H., O'Conaill B., and Thomas P. (Eds). People & computers XII, proceedings of HCI'97 (1997), Springer, Bristol 1-19
3. Albrechtsen E. A qualitative study of users' view on information security. Computers & Security 26 4 (2007) 276-289
4. Besnard D., and Arief B. Computer security impaired by legitimate users. Computers & Security 23 (2004) 253-264
5. Bishop M. Computer security: art and science (2002), Addison Wesley Professional
6. Computer Science and Telecommunications Board-National Research Council. Cybersecurity today and tomorrow: pay now or pay later (2002), National Academy Press,, Washington, DC
7. Cresswell A, Hassan S. Organizational impacts of cyber security provisions: a sociotechnical framework. In: 40th Hawaii International Conference on Systems Sciences; 2007.
8. Dhillon G., and Backhouse J. Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal 11 (2001) 127-153
9. Fontana A., and Frey J.H. The interview: from structured questions to negotiated text. In: Denzin N.K., and Lincoln N.K. (Eds). Handbook of qualitative research (2000), Sage Publications, Inc., Thousand Oaks 645-672
10. Fulford H., and Doherty N.F. The application of information security policies in large UK-based organizations: an exploratory investigation. Information Management & Computer Security 11 3 (2003) 106-114
11. Furnell S. Making security usable: are things improving?. Computers & Security 26 6 (2007) 434-443
12. Hendrick H.W., and Kleiner B.M. Macroergonomics: an introduction to work system design (2001), Human Factors and Ergonomics Society, Santa Monica
13. Herzberg A. Why Johnny can't surf (safely)? Attacks and defenses for web users. Computers & Security 28 1-2 (2009) 63-71
14. Howard J.D., and Longstaff T.A. A common language for computer security incidents (1998), Sandia National Laboratories
15. Howard J.D., and Meunier P. Using a "common language" for computer security incident information. In: Bosworth S., and Kabay M.E. (Eds). Computer security handbook (2002), John Wiley & Sons, New York 3.1-3.22
16. Karyda M., Kiountouzis E., and Kokolakis S. Information systems security policies: a contextual perspective. Computers & Security 24 (2005) 246-260
17. Knapp K., Marshall T.E., Rainer R.K., and Ford F.N. Information security: management's effect on culture and policy. Information Management & Computer Security 14 1 (2006) 24-36
18. Kraemer S, Carayon P. Computer and information security culture: findings from two studies. In: Human Factors and Ergonomics Society, editor. Proceedings of the human factors and ergonomics society. Orlando, Florida; 2005. p. 1483-87.
19. Kraemer S., and Carayon P. Human errors and violations in computer and information security: the viewpoint of network administrators and security specialists. Applied Ergonomics 38 2 (2007) 143-154
20. Kraemer S, Carayon C, Clem JF. Characterizing violations in computer and information security systems. In: Proceedings of the 16th triennial congress of the international ergonomics association. Maastricht, The Netherlands; 2006.
21. Liginlal D., Sim I., and Khansa L. How significant is human error as a cause of privacy breaches? An empirical stud and framework for error management. Computers & Security 28 (2009) 215-228
22. Miles M.B., and Huberman A.M. Qualitative data analysis: an expanded sourcebook. 2nd ed. (1994), Sage Publications
23. Mitchell J.C. Case and situational analysis. Sociological Review 31 2 (1983) 87-211
24. In: Mizuno S. (Ed). Management for quality improvement: the seven new QC tools (1988), Productivity Press, Cambridge, Massachusetts
25. In: Morgan D.L. (Ed). Focus groups as qualitative research, vol. 16 (1988), Sage Publications, Inc., Newbury Park
26. Pahnila S., Siponen M., and Mahmood A. Employees' behavior towards IS security policy compliance. Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07) (2007), IEEE
27. Pasmore W.A. Designing effective organizations: the sociotechnical systems perspective (1988), John Wiley & Sons
28. Proctor R.W., Lien M.C., Salvendy G., and Schultz E.E. A task analysis of usability in third-party authentication. Information Security Bulletin (2000) 49-56
29. Rasmussen J. Risk management, adaption, and design for safety. In: Brehmer B., and Sahlin N.-E. (Eds). Future risks and risk management (1994), Kluwer Academic Publishers, Dordrecht 1-36
30. Reason J. Managing the risks of organizational accidents (1997), Ashgate, Brookfield
31. Richardson R. CSI/FBI computer crime and security survey (2008), Computer Security Institute
32. Robertson M.M., Kleiner B., and O'Neill M.J. Macroergonomic methods: assessing work system processes. In: Hendrick H.W., and Kleiner B. (Eds). Marcroergonomics: theory, methods, and applications (2002), Lawrence Erlbaum Associates, Mahweh, New Jersey 67-96
33. Ruighaver A.B., Maynard S.B., and Chang S. Organisational security culture: extending the end-user perspective. Computers & Security 26 1 (2007) 56-62
34. Ryan G.W., and Bernard H.R. Data management and analysis methods. In: Denzin N.K., and Lincoln Y.S. (Eds). Handbook of qualitative research (2000), Sage Publications, Inc., Thousand Oaks 769-801
35. Sarriegi JM, Torres JM, Santos J. Explaining security management evolution through the analysis of CIOs' mental models. In: 23rd international conference of the system dynamics society. Boston, Massachusetts; 2005.
36. Sarriegi JM, Santos J, Torres JM, Imizcoz D, Plandolit A. Modeling security management of information systems: analysis of a ongoing practical case. In: The 24th international conference of the system dynamics society. Nijmegen, The Netherlands; 2006.
37. Schudel G, Wood B. Modeling behavior of the cyber-terrorist. In: Conference proceedings: research on mitigating the insider threat to information systems-#2. Rand: Santa Monica, California; 2000.
38. Schultz E. The human factor in security. Computers & Security 24 6 (2005) 425-426
39. Seale C. The quality of qualitative research (1999), Sage Publications, London
40. Siponen M.T. A conceptual foundation for organizational information security awareness. Information Management & Computer Security 8 1 (2000) 31-41
41. Stanton J.M., Stam K.R., Mastrangelo P., and Jeffery J. Analysis of end user security behaviors. Computers & Security 24 (2005) 124-133
42. Stewart DW, Shamdasani PN. Focus groups: theory and practice, vol. 20. London: Sage Publications; 1990.
43. Trochim W.M.K. The research methods knowledge base. 2nd ed. (2001), Atomic Dog Publishing, Cincinnati, OH
44. Werlinger R., Hawkey K., and Beznosov K. An integrated view of human, organizational, and technological challenges of IT security management. Information Management & Computer Security 17 1 (2009) 4-49
45. Whitten A., and Tygar J.D. Usability of security: a case study (1998), Carnegie Mellon University, School of Computer Science, Computer Science Department, Pittsburgh, PA
46. Whitten A, Tygar JD. Why Johnny can't encrypt: a usability evaluation of PGP 5.0. In: Proceedings of the 8th USENIX security symposium. Washington, DC; 1999.
47. Wood BJ. Duggan R. Red teaming of advanced information assurance concepts. In: DISCEX2000 DARPA information survivability conference. Hilton Head, South Carolina; 1999. p. SAND99-2590C.