Advanced

Understanding Security Practices Deficiencies: A Contextual Analysis

Sadok, Moufida and Bednar, Peter LU (2015) Ninth International Symposium on Human Aspects of Information Security & Assurance, HAISA 2015 In Human Aspects of Information Security and Assurance Conference Proceedings p.151-160
Abstract
This paper seeks to provide an overview of how companies assess and manage security risks in practice. For this purpose we referred to data of security surveys to examine the scope of risk analysis and to identify involved entities in this process. Our analysis shows a continuous focus on data system security rather than on real world organizational context as well as a prevalent involvement of top management and security staff in risk analysis process and in

security policy definition and implementation. We therefore suggest that three issues need to be further investigated in the field of information security risk management in order to bridge the gap between design and implementation of secure and usable systems. First, there... (More)
This paper seeks to provide an overview of how companies assess and manage security risks in practice. For this purpose we referred to data of security surveys to examine the scope of risk analysis and to identify involved entities in this process. Our analysis shows a continuous focus on data system security rather than on real world organizational context as well as a prevalent involvement of top management and security staff in risk analysis process and in

security policy definition and implementation. We therefore suggest that three issues need to be further investigated in the field of information security risk management in order to bridge the gap between design and implementation of secure and usable systems. First, there is a need to broaden the horizon to consider information system as human activity system which is different from a data processing system. Second, the involvement of relevant stakeholders in context for risk analysis leads to better appreciation of security risks. Third, it is necessary to develop ad-hoc tools and techniques to facilitate discussions and dialogue between stakeholders in risk analysis context. (Less)
Please use this url to cite or link to this publication:
author
organization
publishing date
type
Chapter in Book/Report/Conference proceeding
publication status
published
subject
keywords
Security surveys, Contextual analysis, Security practices, Risk analysis, Information security
in
Human Aspects of Information Security and Assurance Conference Proceedings
editor
Furnell, Steven and Clarke, Nathan
pages
10 pages
publisher
Centre for Security, Communications and Network Research, Plymouth University, UK
conference name
Ninth International Symposium on Human Aspects of Information Security & Assurance, HAISA 2015
ISBN
978-1-84102-388-5
language
English
LU publication?
yes
id
976a2484-8e0d-471a-b80a-41199817f1df (old id 7518012)
alternative location
http://www.cscan.org/openaccess/?id=266
date added to LUP
2015-08-03 10:28:31
date last changed
2016-04-16 10:07:46
@inproceedings{976a2484-8e0d-471a-b80a-41199817f1df,
  abstract     = {This paper seeks to provide an overview of how companies assess and manage security risks in practice. For this purpose we referred to data of security surveys to examine the scope of risk analysis and to identify involved entities in this process. Our analysis shows a continuous focus on data system security rather than on real world organizational context as well as a prevalent involvement of top management and security staff in risk analysis process and in<br/><br>
security policy definition and implementation. We therefore suggest that three issues need to be further investigated in the field of information security risk management in order to bridge the gap between design and implementation of secure and usable systems. First, there is a need to broaden the horizon to consider information system as human activity system which is different from a data processing system. Second, the involvement of relevant stakeholders in context for risk analysis leads to better appreciation of security risks. Third, it is necessary to develop ad-hoc tools and techniques to facilitate discussions and dialogue between stakeholders in risk analysis context.},
  author       = {Sadok, Moufida and Bednar, Peter},
  booktitle    = {Human Aspects of Information Security and Assurance Conference Proceedings},
  editor       = {Furnell, Steven and Clarke, Nathan},
  isbn         = {978-1-84102-388-5},
  keyword      = {Security surveys,Contextual analysis,Security practices,Risk analysis,Information security},
  language     = {eng},
  pages        = {151--160},
  publisher    = {Centre for Security, Communications and Network Research, Plymouth University, UK},
  title        = {Understanding Security Practices Deficiencies: A Contextual Analysis},
  year         = {2015},
}