
An adversarial viewpoint of human and organizational factors in computer and information security

Posted on: 2007-12-12
Degree: Ph.D
Type: Thesis
University: The University of Wisconsin - Madison
Candidate: Kraemer, Sara B
Full Text: PDF
GTID: 2448390005977699
Subject: Engineering
Abstract/Summary:
This thesis presents a multi-dimensional examination of the human and organizational factors that affect computer and information security (CIS) and explains how human and organizational factors contribute to CIS vulnerabilities, namely, the various pathways and mechanisms leading to a technical CIS vulnerability. Human factors in CIS, such as password memorability or usability of encryption methods, in addition to organizational factors in CIS, such as implementation and monitoring of security policies or procedures, are analyzed.

Research was conducted using an "adversarial" approach. A red team, a group of security analysts who model hacker behavior in order to breach CIS systems in a sanctioned environment, was used as a source of information. Data collection methods included interviews, focus groups, and review of red team reports.

Fourteen red team members in individual interviews reported 589 total comments on human and organizational factors consistent with the work system categories (Carayon and Smith, 2000; Smith and Carayon-Sainfort, 1989). The work system categories consist of: organization (372 comments), individual (124 comments), task (46 comments), technology (40 comments), and environment (7 comments).

Two focus groups of five red team members each constructed the various mechanisms and pathways of human and organizational factors related to CIS vulnerabilities: design, implementation, configuration (Howard and Longstaff, 1998; Howard and Meunier, 2002) and operational vulnerabilities. Both focus groups emphasized organizational factors, such as management commitment, resources, funding, and CIS policy.

This study created a work systems framework that characterizes the complex and multivarious nature of CIS systems. This framework serves as a novel contribution to the fields of human factors engineering and computer science, as it provides a systems approach to CIS that incorporates human and organizational factors. This contribution furthers the understanding and etiology of CIS system vulnerabilities, which will allow system defenders to build more secure computer and information systems to remediate CIS breaches and attacks.
Keywords/Search Tags:Organizational factors, CIS, Computer and information, Security, Systems, Red team, Vulnerabilities