
Evaluating The Human Factor In Information Security Risk Management In Business Organizations

Posted on: 2013-08-08
Degree: Master
Type: Thesis
Country: China
Candidate: Carlos Ankora
GTID: 2268330425484151
Subject: Computer Science and Technology
Abstract/Summary:
Information security has become a critical issue in business organizations. Organizations continue to face all kinds of security risks. Technological solutions are being sought to control risks, experts are consulted to impart their specialized knowledge, and work is outsourced to third-party companies to draw on their skilled and experienced staff to curb the menace. One main factor in controlling security risks in business organizations is the human element. This paper takes a look into the human factors that affect information security risk management in business organizations.

The paper aims to evaluate the human factors that affect the risk control measures that are implemented in business organizations. This research collects information from employees in business organizations about their security behaviors in the working environment. The study is mainly based on an online survey conducted with the employees in three business organizations. Fictitious names were used in this report for confidentiality reasons on the part of the companies. The link to the questions was distributed to the employees by email with the help of the companies' information technology departments. The questions were based on four user properties that cover various aspects of risk management. They were population, security policy, risk communication, and security education, training and awareness. The survey data was analyzed and five proposed hypotheses were evaluated. Some of the hypotheses were confirmed while some were refuted based on the analyzed survey data.

From the results, a number of conclusions were made. Organizations should include information security briefings as part of their orientation programs. This gives the user a prior security awareness mindset. This research has shown that user risk perception cuts across all employee levels, so the same amount of effort should be put in to educate and train all employees on security risk awareness. Users should have some education on organizational policies even if they were involved in the creation process. Policies should be communicated properly to users, and the users should be made to sign to agree to the policies that they have read. Organizations should implement appropriate measures to penalize employees as this could lead to employees covering their errors and mistakes especially when they themselves are in the wrong. Training programs should address user training needs. Users' views could be sought before organizing training programs, and they should be sought again after training programs to evaluate the effectiveness of the training. This helps to improve the quality of training programs.
Keywords/Search Tags: Information Security, Risk Management, Risk Control, Security Policy, Security Awareness, Risk Communication, Human Factors