
Threats to Information Security: Human Behaviour is a Constant Risk

CHAPTER 2: LITERATURE REVIEW

2. Introduction

2.5 Threats to Information Security: Human Behaviour is a Constant Risk

decision regarding ISP compliance by balancing the costs and benefits.

costs and benefits of doing so.


passwords and logins, keys or session tokens, or accepting another enrolled individual's character.

Restricting access to sensitive data: processes as well as tools need to be implemented to control login and access to data. This implies that generic user accounts, such as shared admin accounts, need to be removed. Regular access reviews should determine which data each role actually needs in order to fulfil its job requirements (Teh et al., 2015). A review of access logs is required to refine the access rules. In some information systems there is a way around generic admin accounts, which defeats the goal of knowing who can access the data. The key requirement of an information management system is that an administrator can audit the use of generic admin accounts.

Management wants to know who can access the sensitive data. Another way of restricting access to sensitive data is to assign an owner to the data and to use two forms of authentication agreed with the data owner. This ensures that only authorised people access these data.
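The access-log review described above, as an added example that is not part of the thesis: a small Python script that parses constructed log lines in an assumed `user=... src=... action=... resource=...` format, flags logins by generic accounts (and in particular generic accounts used from more than one source address, which is the case where the organisation can no longer tell who accessed the data), and lists which accounts touched resources under assumed sensitive paths so that an access review can compare that list against job requirements.

```python
"""Access-log review for generic accounts and sensitive-data access.

Added example, not from the thesis. The log format, the account names in
GENERIC_ACCOUNTS and the SENSITIVE_PREFIXES are assumptions for illustration.
"""
from collections import defaultdict
import re

# Constructed sample lines in an assumed format:
# <timestamp> user=<name> src=<ip> action=<login|read|write> resource=<path>
SAMPLE_LOG = """\
2024-01-10T08:01:12Z user=alice src=10.0.0.5 action=login resource=-
2024-01-10T08:02:40Z user=alice src=10.0.0.5 action=read resource=/finance/invoices.xlsx
2024-01-10T08:10:03Z user=admin src=10.0.0.9 action=login resource=-
2024-01-10T08:11:30Z user=admin src=10.0.0.9 action=read resource=/clients/accounts.db
2024-01-10T09:15:00Z user=admin src=10.0.0.17 action=read resource=/clients/accounts.db
2024-01-10T09:20:45Z user=bob src=10.0.0.12 action=read resource=/public/handbook.pdf
2024-01-10T10:05:22Z user=root src=10.0.0.3 action=write resource=/finance/payroll.csv
"""

# Assumed list of generic/shared account names that should not be used directly.
GENERIC_ACCOUNTS = {"admin", "root", "administrator", "service", "shared"}
# Assumed path prefixes that hold sensitive client and financial data.
SENSITIVE_PREFIXES = ("/finance/", "/clients/")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def generic_account_usage(events):
    """Map each generic account that appears to the sorted list of source IPs it was used from."""
    usage = defaultdict(set)
    for e in events:
        if e["user"] in GENERIC_ACCOUNTS:
            usage[e["user"]].add(e["src"])
    return {user: sorted(ips) for user, ips in usage.items()}


def shared_generic_accounts(events):
    """Generic accounts used from more than one source IP: attribution to a person is lost."""
    return sorted(u for u, ips in generic_account_usage(events).items() if len(ips) > 1)


def sensitive_access_by_account(events):
    """Map each account to the sorted list of sensitive resources it accessed."""
    access = defaultdict(set)
    for e in events:
        if e["resource"].startswith(SENSITIVE_PREFIXES):
            access[e["user"]].add(e["resource"])
    return {user: sorted(res) for user, res in access.items()}


def review_report(text):
    """Build the inputs an access review needs from raw log text."""
    events = parse_log(text)
    return {
        "generic_accounts": generic_account_usage(events),
        "shared_generic_accounts": shared_generic_accounts(events),
        "sensitive_access": sensitive_access_by_account(events),
    }


if __name__ == "__main__":
    report = review_report(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed log, `admin` is used from two addresses, so it is reported as a shared generic account; the per-account list of sensitive resources is what the reviewer compares against each role's job requirements to tighten the access rules.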

Review ways of circulating sensitive client and financial data: the ways in which sensitive client data and financial data are circulated need to be reviewed. When someone asks a question about a client account, an email is often sent with the details of the account, which should never be sent via email (Kampas et al., 2016). It is helpful to spend time with the client services team and the accounts receivable team to observe how the exchange of information actually occurs. Implementing a secure approach to the exchange of information is also an issue. Password protection of shared data is a common method that should be implemented to protect the client's shared data.


2.5.2 Human Behaviour as an Aspect of Information Security

Information system knowledge

Antecedents of information security on an individual level include several factors that originate from the users of information systems. Siponen et al. (2014) and Tam and Jones (2018) discussed that information security knowledge, such as IT knowledge, self-efficacy in using computers and familiarity with advanced technology, plays a significant role in information security research. Mishra et al. (2014) found that personal innovativeness together with computer self-efficacy has positive correlations with the level of respondents' knowledge, which is in line with protection motivation theory. Safa et al. (2015) argued that employees' understanding of security threats helps them to take proper countermeasures against security issues. Computer self-efficacy is defined as an individual's judgement of their ability to use a computer system in various situations. Personal innovativeness, on the other hand, is defined as an individual's willingness to try innovative information technology. Almost 97% of IT security practitioners agreed that human behaviour is considered by organisations to be the largest security threat (Malekian et al., 2017). Therefore, humans need to have the knowledge required to understand information security threats and incidents.

Due to increases in internal as well as external cyber threats, human behaviour and technological uncertainty remain prominent barriers to public organisations' confidence. The greatest vulnerability in information security is human behaviour. The percentage increased to 88% in 2013 and 93% in 2014 (Safa et al., 2016). The entire programme is designed to take account of human behaviour, and the organisation then provides training to show individuals how to act with regard to the policies in place to guide them (Kim et al., 2014). Unless staff are trained to identify scams and avoid risks, information security issues cannot be eliminated. Education and awareness are not just for internal staff; they apply to third parties as well (Malekian et al., 2017). In order to reduce vulnerabilities, 24% of companies responding to a survey stated that they used fear, 41% included best practices and 83% encouraged their employees, through policies, awareness and training, to become part of cybersecurity solutions (Soomro et al., 2016).

Negative experience with information security threats

Hajli and Lin (2016) mentioned that if individuals have a negative experience related to information security incidents, they gain awareness of the risks concerning information security. Soomro et al. (2016) argued that people's awareness of information security can stem from their life experiences, such as a virus attack on their computer system.

Individual education

Vance et al. (2014) found that students from technical universities tend to be aware of the issues related to information security. Therefore, other students should be required to focus more on understanding information security incidents. This indicates that students in some subjects require specific IS-related education.

User's perception of security

In their research study on users' security awareness regarding information security threats, Hsu et al. (2015) argued that the perception of information security countermeasures significantly influences awareness of the risks and the issues.

According to Abbasi, Sarker and Chiang (2016), security perception covers the user’s sense of isolation about the computer system. The users have high expectations of the service provider as well as IT expertise to keep their system protected. Security awareness helps to keep confidential data in a protected place on the computer devices.

2.6 How Human Behaviour can be influenced by Standards, Guidelines and