Filip Božić (2016) Human factor in information security. MSc thesis.
Abstract
Increasing significance of information security is dictated primarily by technological advancement. Technical or IT solutions help greatly to increase key parameters of information security — confidentiality, integrity and availability. But this same technological advancement can often result in another factor being neglected — the human factor. Even if we secure information using IT solutions, it is installed, configured and maintained by — people. Numerous standards such as established ISO/IEC 27000 series for Information Security Management and ISO 22301 for Business Continuity Management focus increasingly on education and control of employees. This thesis will demonstrate the importance and effect of employees’ awareness in terms of establishing and maintaining information security at the workplace as well as in private environments. A social engineering experiment will serve to show the current state of information security awareness in several Slovenian organizations. Interviews will further demonstrate if any policies are in place and are being followed within these organizations. Furthermore, we will try to measure the effect an awareness workshop can have on increasing information security of key processes and other projects within an organization. And finally, a theoretical risk analysis will serve to demonstrate the weight of human factor regarding threats and vulnerabilities present in an organizational environment. We have found out that human factor is the key to ensuring an acceptable level of information security, but that employees in several Slovenian organizations are not sufficiently trained in information security. Therefore, it would be recommended to educate them properly and improve their awareness of the subject.
Actions (login required)