Understanding Security Practices Deficiencies: A Contextual Analysis
(2015) Ninth International Symposium on Human Aspects of Information Security & Assurance, HAISA 2015 p.151-160- Abstract
- This paper seeks to provide an overview of how companies assess and manage security risks in practice. For this purpose we referred to data of security surveys to examine the scope of risk analysis and to identify involved entities in this process. Our analysis shows a continuous focus on data system security rather than on real world organizational context as well as a prevalent involvement of top management and security staff in risk analysis process and in
security policy definition and implementation. We therefore suggest that three issues need to be further investigated in the field of information security risk management in order to bridge the gap between design and implementation of secure and usable systems. First, there... (More) - This paper seeks to provide an overview of how companies assess and manage security risks in practice. For this purpose we referred to data of security surveys to examine the scope of risk analysis and to identify involved entities in this process. Our analysis shows a continuous focus on data system security rather than on real world organizational context as well as a prevalent involvement of top management and security staff in risk analysis process and in
security policy definition and implementation. We therefore suggest that three issues need to be further investigated in the field of information security risk management in order to bridge the gap between design and implementation of secure and usable systems. First, there is a need to broaden the horizon to consider information system as human activity system which is different from a data processing system. Second, the involvement of relevant stakeholders in context for risk analysis leads to better appreciation of security risks. Third, it is necessary to develop ad-hoc tools and techniques to facilitate discussions and dialogue between stakeholders in risk analysis context. (Less)
Please use this url to cite or link to this publication:
https://lup.lub.lu.se/record/7518012
- author
- Sadok, Moufida and Bednar, Peter LU
- organization
- publishing date
- 2015
- type
- Chapter in Book/Report/Conference proceeding
- publication status
- published
- subject
- keywords
- Security surveys, Contextual analysis, Security practices, Risk analysis, Information security
- host publication
- Human Aspects of Information Security and Assurance Conference Proceedings
- editor
- Furnell, Steven and Clarke, Nathan
- pages
- 10 pages
- publisher
- Centre for Security, Communications and Network Research, Plymouth University, UK
- conference name
- Ninth International Symposium on Human Aspects of Information Security & Assurance, HAISA 2015
- conference location
- Mytilene, Greece
- conference dates
- 2015-07-01 - 2015-07-03
- external identifiers
-
- scopus:85021997523
- ISBN
- 978-1-84102-388-5
- language
- English
- LU publication?
- yes
- id
- 976a2484-8e0d-471a-b80a-41199817f1df (old id 7518012)
- alternative location
- http://www.cscan.org/openaccess/?id=266
- date added to LUP
- 2016-04-04 12:06:23
- date last changed
- 2022-01-29 22:57:58
@inproceedings{976a2484-8e0d-471a-b80a-41199817f1df, abstract = {{This paper seeks to provide an overview of how companies assess and manage security risks in practice. For this purpose we referred to data of security surveys to examine the scope of risk analysis and to identify involved entities in this process. Our analysis shows a continuous focus on data system security rather than on real world organizational context as well as a prevalent involvement of top management and security staff in risk analysis process and in<br/><br> security policy definition and implementation. We therefore suggest that three issues need to be further investigated in the field of information security risk management in order to bridge the gap between design and implementation of secure and usable systems. First, there is a need to broaden the horizon to consider information system as human activity system which is different from a data processing system. Second, the involvement of relevant stakeholders in context for risk analysis leads to better appreciation of security risks. Third, it is necessary to develop ad-hoc tools and techniques to facilitate discussions and dialogue between stakeholders in risk analysis context.}}, author = {{Sadok, Moufida and Bednar, Peter}}, booktitle = {{Human Aspects of Information Security and Assurance Conference Proceedings}}, editor = {{Furnell, Steven and Clarke, Nathan}}, isbn = {{978-1-84102-388-5}}, keywords = {{Security surveys; Contextual analysis; Security practices; Risk analysis; Information security}}, language = {{eng}}, pages = {{151--160}}, publisher = {{Centre for Security, Communications and Network Research, Plymouth University, UK}}, title = {{Understanding Security Practices Deficiencies: A Contextual Analysis}}, url = {{https://lup.lub.lu.se/search/files/5928691/7518074.pdf}}, year = {{2015}}, }