An information security risk-driven investment model for analysing human factors

Reza Alavi (University of East London, London, UK)
Shareeful Islam (University of East London, London, UK)
Haralambos Mouratidis (University of Brighton, Brighton, UK)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 13 June 2016

Abstract

Purpose

The purpose of this paper is to introduce a risk-driven investment process model for analysing human factors that allows information security managers to capture possible risk–investment relationships and to reason about them. The overall success of an information security system depends on analysis of the risks and threats, so that appropriate protection mechanisms can be put in place against them. However, a lack of appropriate risk analysis may result in the failure of information security systems. Existing literature does not provide adequate guidelines for a systematic process or an appropriate modelling language to support such analysis. This work aims to fill this gap by introducing the process and reasoning about the risks while considering human factors.

Design/methodology/approach

The aim was to develop a risk-driven investment model along with the activities that support the process. These objectives were achieved through the collection of quantitative and qualitative data, utilising requirements engineering and Secure Tropos methods.

Findings

The proposed process and model lead to a clear definition of the relationship between risks, incidents and investment, and allow organisations to calculate them based on their own figures.

Research limitations/implications

One of the major limitations of this model is that it only supports incident-based investment. This creates some difficulty in presenting it to the executive board. Secondly, because of the nature of human factors, quantification does not exactly reflect the monetary value of the factors.

Practical implications

Applying the information security risk-driven investment model in a real case study shows that organisations can apply and use it for other incidents and, more importantly, for incidents in which critical human factors are a grave concern to organisations. The importance of providing a financial justification when seeking investment in information security is clearly highlighted.

Social implications

It has a significant social impact, as it can support cost justification and the decision-making process. This would affect society as a whole by helping individuals keep their data safe.

Originality/value

The novel contribution of this work is to analyse specific critical human factors, which are subjective in nature, within the objective and dynamic domain of risk, security and investment.

Citation

Alavi, R., Islam, S. and Mouratidis, H. (2016), "An information security risk-driven investment model for analysing human factors", Information and Computer Security, Vol. 24 No. 2, pp. 205-227. https://doi.org/10.1108/ICS-01-2016-0006

Publisher: Emerald Group Publishing Limited

Copyright © 2016, Emerald Group Publishing Limited