Identifying Strategies to Address Human Cybersecurity Behavior: A Review Study

  • Hakami, Mazen (University of Jeddah, College of Computer Science and Engineering)
  • Alshaikh, Moneer (University of Jeddah, College of Computer Science and Engineering)
  • Received: 2022.04.05
  • Published: 2022.04.30

Abstract

The human factor is a very challenging issue for organizations. It is responsible for many cybersecurity incidents through noncompliance with the organization's security policies. In this paper, we conduct a comprehensive review of the literature to identify strategies to address the human factor. A security awareness, training and education program is the main strategy to address the human factor. Scholars have consistently argued for the importance of security awareness in preventing incidents arising from human behavior.
