As an example of human factors research, Yan et al. (2000) worked on improving authentication by conducting an experiment with four hundred university students comparing the “crackability” of passwords that users chose using different mnemonics. By building upon basic research on learning and memory to devise their experimental conditions, this article shows an imaginative strategy for using behavioral science as the basis of improving information security. Other researchers such as Proctor et al. (2002) and Wood (1996) have also taken a human factors approach in attempts to improve password authentication.
In a different approach, Gonzalez and Sawicka (2002) used their expertise in safety analysis to create a system dynamics model of behavioral compliance with information security measures. This research represents a notable example of bringing a systems perspective to bear on behavioral aspects of information security. Human factors engineers have also made indirect contributions to information security by providing basic research on visualizing network structures, examining failures in human-machine systems, and providing an understanding of the limits of vigilance and attention in danger situations (e.g., Parasuraman and Bowers, 1987).
Traditionally, human factors research focuses on what happens in complex systems at the junction between individual users and system interfaces. This perspective necessarily and rightly pays less attention to the larger business context in which behaviors occur. In contrast to the human factors perspective, management researchers examine information security in the context of risks to business processes, alternative methods of mitigating those risks, and cost-benefit analyses for choosing among those alternatives. In the following section, we briefly review the area of information security management.
Information Security Management
Management scholars sometimes view information security in terms of the risks that security problems present to the effective functioning of the business. In this light, one important job role of managers comprises managing information security risks. Tudor (2000) summarized information security management as working “to establish controls and measures to minimize the risk of loss of information and system resources” (p. 1). The control most frequently mentioned in this literature is organizational policy: analyzing the business environment and its risks to ascertain an optimal set of policies; communicating and implementing those policies; and promoting and assessing compliance with policies (Perry, 1985). Dhillon's (2001) edited topic on information security management provides a cross-section of the research topics in this area.
Considerable research has occurred at the intersection of information security and organizational policy development (e.g., Anderson, 1996; Dhillon, 2001; Lichtenstein and Swatman, 1997; Lindup, 1995; Warman, 1992; Wood, 1995). One stream in this research defines the front end of the policy development process by focusing first on the analysis of business risk associated with information security. For example, Straub and Welke (1998) outlined general models for analyzing the risk inherent in information systems. Their efforts described how to link risk analysis with later managerial decision making. Ettredge and Richardson (2001) conducted a similar analysis targeted specifically at the risks of e-commerce.
David (2002) contrasted security policies that can be enforced through purely mechanical means and those that require human detection and judgment: “Enforcement of the first of these can be aided with automatic log off after some period of no keyboard activity, but the second requires supervisory action after policy violations are reported” (p. 507). This quote demonstrates a shared attitude among many who work on information security policy that detection of policy violations and enforcement of rules through administrative action provides a good connection