Posts Tagged ‘User Centered Security

Approaches to minimizing user-related faults in IS security

Recent research to minimizing user-related faults in information systems (IS) security can be roughly summarized as follows. First, since ancient times, punishment has been used to discourage ’wrongdoing’. It has been debated whether punishment as deterrence is relevant in the context of contemporary IS security or not. Results that support the economic theories of punishment have been published. However, scholars of the behavioural community have presented much evidence of the negative long-run consequences related to the use of punishment, for instance loss of productivity,increased dissatisfaction, and aggression.

Second, the importance of ease of safe use and the related transparency principle have been presented. Similarly, asocial approach, named User Centered Security (UCS), has been put forward. However, some argue that ’ ease of safe use’ has not been properly defined. Moreover, some elements of the mentioned approaches are argued to teach users to take security as granted, which may lead to neglecting or misusing forthcoming security mechanisms. Furthermore,the aforementioned approaches are criticized for not presenting guidelines to modeling let alone resolving conflicting requirements.

Third, the Organizational psychology and incident analysis (OPIA) approach has argued that human errors can only be overcome by understanding human behaviour. However,According to Siponen, the six theses that constitute OPIA do not stand up to closer psychological scrutiny. For instance, the effects of weakness of will and lack of commitment are not taken into account.

Fourth, the importance of awareness has been underlined since it has been perceived instrumental to the effort of reducing ’human error’. The topic has been approached systematically, and program frameworks have been developed. Extending the analysis, Siponen has presented a conceptual foundation for organizational information security awareness that differentiates between the framework (‘hard’, structural) and content (informal, interdisciplinary) aspects.

Tags : , , , , , ,