Use this URL to cite or link to this record in EThOS:
Title: Aiding information security decisions with human factors using quantitative and qualitative techniques
Author: Turland, James Kevin
ISNI:       0000 0004 6057 0080
Awarding Body: Newcastle University
Current Institution: University of Newcastle upon Tyne
Date of Award: 2016
Availability of Full Text:
Access from EThOS:
Access from Institution:
The Information Security Decision Making Process is comprised of an extremely complex and dynamic set of sub-tasks, sub-goals and inter-disciplinary practices. In order to be effective and appropriate, this process must balance both the requirements of the stakeholder as well as the users within the system. Without careful consideration of users’ behaviours and preferences, interventions are often seen as obstacles towards productivity and subsequently circumvented or simply not adhered to. The approach detailed herein requires an intimate knowledge of both Information Security and Human Behaviour. An effective security policy must adequately protect a given set of assets (human and non-human) or systems as well as preserve maximal productivity. Companies rely on their Intellectual Property Rights which are often stored in a digital format. This presents a plethora of issues regarding security, access management and locality (whether on or off the premises). Furthermore, there is the added complexity of employees and how they operate within this environment (a subset of compliance, competence and policy). With the continued increase in consumerisation, more specifically the rise of Bring Your Own Device, there is a significant threat towards data security that persists outside of the typical working environment. This trend enables employees to access and transfer corporate assets remotely but in doing so creates a conflict over identity, ownership and data management. The governance of these activities creates an extremely complex problem space which requires the need to balance these requirements relying on an accurate assessment of risk, identification of security vulnerabilities and knowledge pertaining to the behaviour of employees. The risks to company assets can be estimated by the analysis of the following issues: • Threats to your assets. These are unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets. • Vulnerabilities. How susceptible your assets are to attack. • Impact. The magnitude of the potential loss or the seriousness of the event. The ability to quantify and accurately represent these variables is critical in developing, implementing and supporting a successful security policy. The dissertation is structured as follows. Chapter 1 provides an abstract overview of the problem space and highlights our aims, objectives and publications. Chapter 2 details an in-depth literature review of the cross-disciplinary problem space. This involves both the analysis of industry standards, practices and reports as well as a summary of academic literature pertaining to theoretical frameworks and simulations for discussion. Chapter 3 introduces our problem space and documents the rationale for designing our methodology. Each successive chapter (4, 5, & 6) documents a separate investigative strategy for populating specific data sets with respect to the behaviours and practices highlighted from our pilot study and CISO interaction. This provides the rationale behind each approach as well as a documented implementation and evaluation of our experimental design with reference to publications in the field. Chapter 7 documents our modelling strategy and highlights the extensions we propose to the BPMN 2.0 formalism. Chapter 8 concludes our work with reference to our contributions, limitations and the direction of future study.
Supervisor: Not available Sponsor: Not available
Qualification Name: Thesis (Ph.D.) Qualification Level: Doctoral
EThOS ID:  DOI: Not available