Balanced Design in

Information Systems Security Planning

Daniel A. Stern

University of Denver

1225 17th

St #3200, Denver, CO 80202

danielasherstern@gmail.com

ABSTRACT

Information security is traditionally understood to

involve technical security measures, such as

intrusion prevention systems, to establish a secure

perimeter around an organization’s sensitive

information. Threats, then, are any potential attack

on that secure perimeter with the intent of either

obtaining unauthorized access or damaging

availability or information. With modern

organizations using tools to allow every employee

to access information, and even allowing employees

to control access restrictions on sensitive

information, information security managers must

expand their information security program to

educate personnel and establish a culture of

security. The expanded information systems

security program must address technical, policy,

standards and norms, education and cultural

initiatives.

KEYWORDS

Information security, security policy, information

security planning, ISSP, human factor, information

security design, security architecture

1 INTRODUCTION

Information is vital to operating a

business. Every organization uses personal

information about its employees for its business

operations and employee collaboration. The

business relies on maintaining the

confidentiality, integrity and availability of that

information to operate privately and effectively

[1]. Shortcomings in any of these categories

can quickly cause significant impact, such as

“infringements of human rights, financial

damage to corporations and the failure of the

entire information system” [2].

While securing a system from

intentional attack is a scientific process with

specific requirements and measurable

performance [1], guaranteeing user compliance

and security-affirming behavior is much more

challenging. “No matter how well designed,

security methods rely on individuals to

implement and use them” [3]. Sensitive

information is handled by most, if not all,

employees in an organization. Every employee

must comply with policies and processes, act

carefully with information and be prepared to

make decisions when facing new risks.

Even respected information security

techniques involving compliance and audit may

fail to address real contemporary information

risk. “Traditional approaches to information

security, such as publishing a thick manual of

policies and standards, no longer work. They

might be fine for enabling you, and your

management, to tick your compliance boxes, to

demonstrate that you’re discharging your

corporate responsibilities. But lengthy edicts

are ineffective as a means of influencing staff”

[4]. While detailed policies and standards may

have been effective when technical users were

all experts with such documentation and they

were the only ones with access to sensitive

information, they are not effective now.

2 GROWTH AND TRENDS IN

INFORMATION

Information systems use continues to

grow worldwide. In 2012, 34% of households

1

The Proceedings of the International Conference in Information Security and Digital Forensics, Thessaloniki, Greece, 2014

ISBN: 978-1-941968-03-1 ©2014 SDIWC 110

worldwide had internet access and six billion

people used a mobile phone or tablet [3].

Gartner [5] predicted that by 2014, two billion

computers would be installed and the

International Telecommunication Union [6]

reported that number has already been

exceeded. In the United States, more than 75%

of households have computers compared to

61.8% in 2003 and just 8.2% in 1984 [7].

Internet access is nearly as widespread with

71.7% of U.S. households having access in

2011 and 48% of adults (15 years old or older)

accessing the internet using smartphones [7].

With growing information technology

use is faster processing capability and growing

electronic information (data) storage. Mark H.

Kryder in 1989 predicted by 2000, personal

computer (PC) RAM would have a capacity of

one gigabyte and PC information storage

capacity would need to reach ten gigabytes.

“Since the introduction of the disk drive in

1956, the density of information it can record

has swelled from a paltry 2,000 bits to 100

billion bits (gigabits), all crowded in the small

space of a square inch. That represents a 50-

million-fold increase” [8]. While at the time

Kryder’s predictions may have appeared lofty,

his vision has become reality and information

storage has grown far beyond levels realized in

2000.

Smaller and more efficient storage

media increases vulnerability to physical attack

and makes security more complex and increases

risk [9]. While at one time sensitive

information may have only been stored on

mainframe computers, “the problem is now

being compounded as organizations must start

paying attention to the small personal

computers spreading throughout their

organization. The problem, rather than

decreasing in complexity, grows more acute as

each terminal is added” [5].

Information storage is not the same now

as it was even just a few years ago during the

shift away from mainframe computers. In

addition to small and portable storage, new

“cloud” technology offers server-side

processing and storage [10], sometimes

distributing user data among multiple

datacenters. Cloud solutions are especially

valuable for long term information storage

when the data may not need frequent access.

Consistent security of cloud information

storage is still somewhat unknown. Few

standards exist for cloud storage [11] and most

providers offer proprietary applications for

access. Although some concepts used in today’s

cloud storage are not new, such as the network

being the computer [11], cloud storage has

exploded and may continue its significant

growth for the foreseeable future. John Toigo

[11] highlighted the economy as a key driver of

cloud solutions. Along with much faster and

more secure networks and reduced hardware

needs due to virtualization, economies of scale

enable storage providers to “use the same pool

of storage capacity to meet the needs of many

customers and pass along the cost savings”

[11].

Cloud file storage and file sharing tools

present a convenient option for consumers and

businesses to share information and replace

slow and limited traditional network drives. It

also offers a strong example of how humans

can pose a risk to information security, often

without their knowledge. Data has also

become increasingly “personalized” in the past

few years [9]. Employees bring their own

mobile devices to work and often transfer

company data to those devices, potentially

allowing untrained personnel to control

proliferation of sensitive information.

Current technology trends, such as

mobility, grid computing, and software-

as-a-service, are moving the focus of

corporate data flows outside of the

corporate perimeter. That demands a

more outward-looking security

perspective. We need to shift our

attention away from merely securing

our own backyards, towards working

together with business colleagues to

build community solutions, for an

2

The Proceedings of the International Conference in Information Security and Digital Forensics, Thessaloniki, Greece, 2014

ISBN: 978-1-941968-03-1 ©2014 SDIWC 111

emerging business environment that is

based on open networks and shared

services” [4]

While these tools do provide helpful

mechanisms for employees to use and share

information, they also reduce the organization’s

direct control of information and yield more

access control decisions to potentially untrained

employees [10]. An alarming number of

security breaches are being reported. A PWC

[9] survey revealed 93% of large organizations

and 76% of small businesses had a security

breach in the prior year, costing tens to

hundreds of thousands of dollars per breach for

major breaches. Breaches are frequent and

their scope and impact continues to grow as

“malicious breaches affected a majority of

respondents across all sectors” [9].

3 INFORMATION SYSTEMS SECURITY

PLANNING

To secure information, organizations

often begin by developing an information

systems security policy or an information

systems security plan. Such a policy or plan is

intended to unabridged and define “who may

access what information in what manner; basis

on which the access decision is made;

maximized sharing versus least privilege;

separation of duties; who controls and who

owns the information; and authority issues” [1].

The organization’s information

technology department supplements its policy

by enacting technical security measures to

protect the organization’s logical and physical

boundaries from unauthorized access or attacks.

The policy or plan along with technical security

then comprises the organization’s information

security program. The policy guides employees

“to appropriate or acceptable use” [12] of “all

electronic media” in the workplace [13].

Policies are subject to continual change by

authorized personnel to stay consistent with

new situations and risks. Benson [14]

recommended an “if-then-else” model of

security planning to aid an organization in

preparing for security challenges.

Although the devices and

infrastructure we use to consume

information have changed, the way we

protect that information and the users

that depend on it hasn’t. We still rely on

perimeter defenses when the reality is

that there are no boundaries. We

continue to believe that we have control

over devices when we don’t. We hope

that users adhere to policies, but we’ve

lost control over policy enforcement. We

defend the enterprise as if it were static,

when in reality it’s dynamic. [15]

4 HUMAN ROLES IN INFORMATION

SECURITY

Security policies often neglect to

address culture and execution. Human factors

were reported by the National Institute of

Standards and Technology to represent 84% of

economic loss attributed to information security

breach, with human error accounting for 65%

of loss and dishonest and disgruntled

employees representing an additional 19% of

loss [16]. Infrastructure loss such as physical

damage due to flooding or fires, combined with

malicious outsiders accounted for only 16% of

loss [16]. McCauley-Bell and Crumpton [16]

refer to users as “the most dynamic system

component.” Sasse, Brostoff and Weirich [17]

further highlighted from Kevin Mitnick’s

testimony to US Senate Committee that “the

human side of computer security is easily

exploited and constantly overlooked.

Companies spend millions of dollars on

firewalls, encryption and secure access devices,

and it’s money wasted, because none of these

measures address the weakest link in the

security chain.”

Although Mitnick’s testimony was more

than ten years ago, it is difficult to identify

changes in the industry to minimize human risk.

3

The Proceedings of the International Conference in Information Security and Digital Forensics, Thessaloniki, Greece, 2014

ISBN: 978-1-941968-03-1 ©2014 SDIWC 112

Information Security standards such as

ISO/IEC270001, ISO/IEC27002,

ISO/IEC27005, ISO/IEC27006, SP800 and the

ISF Standard of Good Practice for Information

Security provide paths for organizations to

optimize their information security program

without addressing the human element [18].

ISO/IEC27001 focuses on Information Security

Management Systems (ISMS) and the

organization’s ability to establish, implement,

operate, monitor, review, maintain and improve

the ISMS. “ISO 27001 defines the

management aspects of Information Security as

‘organizational structure, policies, planning

activities, responsibilities, practices,

procedures, processes and resources’” [18].

ISO/IEC27002 offers best practices for the

company’s security policy, organization of

information security, asset management, human

resources security, physical and environmental

security, communications and operations

management, development and maintenance,

information security incident management,

business continuity management and

compliance [19].

Information systems security

professionals strive to become a Certified

Information Systems Security Professional

(CISSP), a credential requiring years of

experience and an 80% score on the 250-

question CISSP candidate exam. The exam

includes questions from ten domains: access

control, telecommunications and network

security, information security governance and

risk management, software development

security, cryptography, security architecture

and design, operations security, business

continuity and disaster recovery planning, legal,

regulations, investigations and compliance, and

physical (environmental) security [19]. Yet

these experienced professionals earn their

credential without any verification of ability to

craft policies or design security architecture

with regard for human behavior.

Before modern information security

standards and practices, even prior to mass

adoption of confidentiality, integrity and

availability as primary goals in the field,

industry professionals began assessing

information security and the influence of people

on maintaining secure systems. “Managers

concentrate on hardware and software rather

than on personnel as a means of checking

computer abuse. ‘But security is, first and last,

a people problem’, says Parker” [20].

“management must recognize that the ‘nuts and

bolts, bells-alarms-whistles approach to data

security is only a ‘band-aid’ approach. The real

vulnerability lies in the people who are

operating the computers, accessing information,

and handling vital data on a daily basis. Only

when the ‘people problem’ is fully addressed

can a company consider their security program

complete” [20]. People control every piece of

information stored on any type of electronic

storage. While storage technologies evolve

over time, people will always control those

technologies. The “hard boundaries

(geographical, physical and logical) are

breaking down and Information Security has to

be managed across a network of partnerships,

alliances and outsourcing relationships” [18].

5 HUMAN RISKS IN INFORMATION

SYSTEMS SECURITY

The behavior of people is quite different

than that of computer systems. While

computers do as they are instructed and their

strengths and weaknesses are a science of

design and operation, people react to their

surroundings and make decisions based on

variable conditions. Gonzalez and Sawicka

[21] went so far as to refer to human

interactions as “the Achilles heel of information

security.”

As new collaboration tools and storage

mechanisms give information access to a

variety of individuals, organizations must

understand the risks caused by human access

and interaction. The “new information

technologies create not only new common

opportunities, but also common vulnerabilities”

[22]. It is those same enabling technologies

4

The Proceedings of the International Conference in Information Security and Digital Forensics, Thessaloniki, Greece, 2014

ISBN: 978-1-941968-03-1 ©2014 SDIWC 113

which increase risk, as “the potential of

networks is only limited by our imagination.

Unfortunately, in the security field, it’s been the

bad guys who’ve been first to recognize this

potential. Mass mailers hijacked our address

books and contact lists a decade ago, and social

networks are already being exploited to

distribute malware” [4]. Risk is posed by not

just the “bad guys.”

Sasse, Brostoff and Weirich [17] studied

several situational password rule violations

victimizing common workplace interactions.

The first situation, “ambushing,” takes

advantage of a user under pressure to force

them into changing their password to something

easy to guess. Another, “conflicting goals,”

takes advantage of a user keeping their

passwords easily accessible after being

reprimanded for missing a deadline due to a

forgotten password. A third, “requested

disclosure,” features a caller falsely stating that

he works for the company’s IT support and

outright asking the user to share their password

for an application update. Each of these simple

situations gives unauthorized access based on

how a user perceives the security of their

password and how strongly they are motivated

to suspect nonstandard requests. Kraemer and

Carayon [23] further described accidental or

human error breaches as being “violations of a

non-malicious nature, the deliberate actions that

deviate from CIS processes that may or may not

result in decreased CIS performance.” Kraemer

and Carayon also discussed Smith and

Carayon’s concept of work systems as “having

five elements: the individual, task, tools and

technologies, environment and the

organization” [23]. Later, Kraemer, Carayon

and Clem [2] divided vulnerability themes into

“external influences, human error,

management, organization of CIS, performance

management, policy, resource management,

technology, and training.”

6 CASE STUDIES

Chu, Zhu, Han, Liu, Xu and Zhou [10]

studied file-sharing options using DropBox.

One feature is sharing data with a “secret

URL,” where anyone with the special random-

generated URL “can access the data without

further authentication or authorization.”

Content in DropBox can also be set to “public,”

whereby anyone with the URL (a normal path

with filename) can access the material, or

“private,” where the data owner defines which

users are allowed access. The secret URL

option though has no visibility to file versions,

it is truly just a randomly generated redirector

to an existing file or folder location. If the file

or folder is changed or deleted, the URL stays

active and when another file or folder is

uploaded with the same name, the secret URL

will continue to function. A Google search for

part of DropBox’s “secret” URL standard short

path of “site:db.tt” offers tens of thousands of

files which can be accessed without any

authentication. Further, anyone with access to

one folder can see each other person with

access to that folder and if the folder was

shared with a secret URL, they can share that

URL and access with anyone else. The

“uncertain identities” risk [10] allows an

unregistered user to take a sharing invitation

link and register any email address with

DropBox to access the shared content.

Although DropBox offers several options to

users to make their data available only to

intended parties, it is also very easy to

inadvertently share information with others.

Standard discretionary access control requires

each employee to set, manage and remove

permissions for their data.

Several recent major breaches have

been attributed to human decisions or errors. In

2011, email service provider Epsilon was

breached by a “spear-phishing attack” in which

a link to malicious software was sent to

employees and their choice to click the link

installed the software hackers used to access

sensitive [24]. Employees at credit card

processing company CardSystems Solutions

stored unencrypted Mastercard credit card

numbers leading to a 2005 breach of 40 million

5

The Proceedings of the International Conference in Information Security and Digital Forensics, Thessaloniki, Greece, 2014

ISBN: 978-1-941968-03-1 ©2014 SDIWC 114

credit card numbers [25]. HM Revenue and

Customs, the tax authority of the United

Kingdom, lost unencrypted computer discs in

the mail in 2007 containing personal

information about 25 million UK citizens, and

in 2009 a similar mistake by employees at the

United States Department of Veterans Affairs

released personal information for 76 million

American veterans from a shipped unencrypted

disk [25]. The South Carolina Department of

Revenue was attacked with a malware

application which stole employee usernames

and passwords to grant malicious access to

government data and systems [26]. eBay was

also recently victim to a spear phishing attack

[26]. Attackers sent an email to employees

with links to a malware installation that gave

them access to eBay systems. [26]. Both

incidents required employees to click links

which installed malicious software on their

organization’s computers.

7 ADAPTING INFORMATION SYSTEMS

SECURITY PLANNING FOR THE

HUMAN ELEMENT

While we understand that people

account for significant risk in information

security, organizations seem less sure of how to

adapt to mitigate such risk. Murphy,

Schlarman and Boren [27] recommend

leveraging organizational support from “four

pillars that support the information security

framework: senior management commitment,

security vision and strategy, information

security management structure, and training and

awareness.” Fischhoff identified factors that

can be used to build an evaluation matrix for

risks based on an “Items x Hazards matrix”

translated into “technological risk” and

“severity” [27]. While this gives us a matrix,

appropriate remediation requires planning for

the people interacting with such risks.

Training is a key shortcoming in

information systems security planning. PWC’s

“Information Security Breaches Survey

Technical Report” [9] surveyed organizations

for their “main driver for information security

expenditure” and found more than half of

responses to be “protecting customer

information” and “preventing downtime and

outages.” Despite their dedicating funds to

these initiatives, only “26% of respondents with

a security policy believe their staff have a very

good understanding of it; 21% think the level of

staff understanding is poor” [9]. They directly

correlate ongoing security awareness training

for employees with stronger understanding of

security policy as a whole, with “36% of

organisations that have an ongoing [security

awareness] programme feel their staff have a

very good understanding of policy, versus only

13% of those that train on induction only and

9% of those that do nothing” [9]. The impact

of any security awareness training program is

already evident. “Even the best firewall will

not stop the best attack or recognize a new one.

The only thing that helps are people who have

been properly trained” [28]. But the number of

organizations with ongoing staff education

programs still lags behind the number of

organizations suffering security breaches.

Culture is sometimes difficult to define

and can be challenging to control, but is

important in driving people to understand and

behave in accordance with information security

objectives. Johnson and Scholes defined

organizational culture as those patterns of

assumptions, or heuristics, that individuals will

use as guidance when responding to a situation

in the organization that they have not faced

previously [18]. Three dimensions of

organizational culture were defined by

Aschenden [18], observable behavior of

individuals; norms, attitudes and perceptions

that can be inferred from what they say and do;

and core values. Such core values are often

discussed by organizational leadership but

usually in terms of teamwork, integrity,

community involvement and other highly

visible or obvious ethics. Culture then is a

combination of behaviors and attitudes in the

workplace which play into the decision making

of employees. But do executives discuss the

6

The Proceedings of the International Conference in Information Security and Digital Forensics, Thessaloniki, Greece, 2014

ISBN: 978-1-941968-03-1 ©2014 SDIWC 115

importance of diligence in handling sensitive

information and the organization’s information

systems security plan and expected behavior?

To further understand employee

behavior and plan to encourage acting in

accordance with best practices for secure

information, we need to look at modern human

behavioral theories. Functionalism suggests

that culture serves the needs of an individual

and the key role is “played by customs, rituals,

and moral standards, which regulate the

behavior of people” [22]. Astakhova [22]

further defined information security culture as

“a specific mode of the organization and

development of a subject’s information activity,

which is represented in the value-oriented

models of his information interaction as a

sender and receiver of information, under

which he determines and controls the unity of

existence and development of information

objects in their cognitive and communicative

manifestations.” The mention here of value

orientation and subject control hold significant

weight in the role of users in information

security. The organization needs to offer value

or at least perceived value to employees for

following best practices for secure information.

Its processes must encompass best practices for

security without complicating tasks.

Other behavioral theories also help

explain how employees may react in the

workplace. The elaboration likelihood model

(ELM) by Petty and Cacioppo [29] explains

attitudinal change caused by personal

circumstances upon receiving a persuasive

message. ELM defines two processing routes

for persuasive messages, either the central route

by which a message is scrutinized, understood,

and then behavior chosen, or the peripheral

route when the receiver does not understand the

message and is more affected by other indirect

factors such as trust for the sender of the

message [30]. Rogers’ protection motivation

theory [30] suggests threat perception is

constructed by several factors, “perceived

severity,” “probability of occurrence,” and

“cost” [30]. Negative factors influencing

perception would include “response efficacy”

and “self-efficacy [30].

Another key component of human

behavior is perception. “Perception is a major

part of human intelligence and a key

component to understand human behaviour… it

is the mechanism with which a person evaluates

external inputs, which, in turn, determines the

behavioural response” [2]. People need to

understand the technology they use in the

workplace, its risks and all the security controls

designed to use with it. “Whether people are

willing to adopt an IT appliance depends not

only on its ‘real security level’, but also on its

‘perceived security’” [2]. The psychometric

paradigm suggests people perceive risk by

considering familiarity of risk, severity of

consequences, and knowledge about risk [31].

Employees are therefore surrounded by

influencers and the organization and its

leadership controls what information reaches

the employee, helps craft perception and guides

response. An organization’s influence on

perception can then help control behavior.

To build an effective information

security function, we need to take

account of the skills available, the needs

of the business, and the politics of the

day. There is no single structure that

will work best in all circumstances. And

new structures rarely survive for long,

because of frequent business

restructuring. We also need to take

account of the periodic ‘pendulum

swing’ between centralization and

devolution of political power. [4]

8 CONCLUSIONS

With information being key to business

operations and success, and the security of that

information reliant on employees, several

components must work in harmony to form the

organization’s information systems security

plan. Scholars have identified the human

component of information security as a key and

7

The Proceedings of the International Conference in Information Security and Digital Forensics, Thessaloniki, Greece, 2014

ISBN: 978-1-941968-03-1 ©2014 SDIWC 116

sweeping risk, yet few have proposed

actionable solutions. They clearly emphasize

the importance of understanding employee

behavior and molding information systems

security planning to nurture and direct that

behavior. Yoon and Kim [32] found multiple

influencers of employee behavioral intent,

including security policy, organizational norm,

moral obligation, subjective norm (social

pressure), perceived threat severity, perceived

threat vulnerability, response efficacy

(effectiveness), self-efficacy and attitude.

Huang, Rau and Salvendy [2] focused more on

human perception of issues and information

which influence user behavior. Gonzalez and

Sawicka [33] recommended an

“interdisciplinary approach” to improve

information systems security, combining

components from technology, information

science, psychology and management.

Astakhova [22] defined information security

culture as “a specific mode of the organization

and development of a subject’s information

activity, which is represented in the value-

oriented models of his information interaction

as a sender and receiver of information, under

which he determines and controls the unity of

existence and development of information

objects in their cognitive and communicative

manifestations.” Thompson [15] expands on

planning for the human element, encouraging

“abstract and conceptual” education for users

rather than specific “prescriptive and

actionable” advice to encourage users to truly

understand information security threats. Sasse,

Brostoff and Weirich [17] proposed the

Information Security Management Protocol

(ISMP) to provide a framework for information

security management planning including

planning for human interaction. Each study

recognized the importance of a more diverse

information systems security program and the

value of appealing to employees as people,

rather than focusing on tools and technical

security.

We know human behavior favors job

efficiency rather than emphasizing secure

practices. We understand the importance of

managerial support and security culture. The

security policy is the basis for telling

employees how to safely interact with computer

systems. The cliché interviewee comment,

“I’m a people person,” suggests that an

individual enjoys interacting with colleagues at

the workplace and prefers human to human

communication over working with machines.

Why then do we show them on a screen or hand

them in writing the company security policy

and expect their thorough understanding,

precise compliance and safe decision making?

9 RECOMMENDATIONS

Planning for human use and behavior is

vital in information systems security. A

balanced information systems security program

in any organization, then, must involve careful

planning for technology, policy, standards and

norms, education, and culture. As shown in

Figure 1, the core I.T. technology and policy

can be outweighed by the effects of the

organization’s standards and norms, education

and culture. Each component has unique

requirements and demands different actions

from the business, such as technology requiring

the largest financial investment and culture

necessitating political savvy. Each category

must also have an established governance

process, be regularly reviewed by senior

management for effectiveness, and be updated

for continual improvement.

8

The Proceedings of the International Conference in Information Security and Digital Forensics, Thessaloniki, Greece, 2014

ISBN: 978-1-941968-03-1 ©2014 SDIWC 117

Figure 1

Technology: Provide provide sufficient

funding to purchase, configure and test security

hardware and software based on international

standards, and all such purchases should be

reviewed for effectiveness and return on

investment.

Policy: Write policies in a people-

friendly language avoiding jargon and

acronyms. It should be readable,

understandable, and brief.

Standards and Norms: Craft processes

in a simple, security friendly manner. To avoid

employees working around security, processes

requiring additional effort to maintain security

should be changed. Default configurations

should be as secure as possible to allow

workers to complete their jobs securely,

without the need to create their own secure

processes.

Education: Conduct training sessions

focusing on information security concepts,

including best practices, practical skills sessions

such as how to create a secure but memorable

password and updates on new and frequent

threats.

Culture: Senior management must

champion the security culture, bringing security

concepts into normal business meetings and

supporting security initiatives and training.

10 REFERENCES

[1] Abrams, Marshall D., Sushil Jajodia, and Harold

J. Podell, ed. Information Security: An

Integrated Collection of Essays (Los Alamitos,

CA: IEEE Computer Society Press 1994). Pp

160-161. Accessed 4 Jun 2014.

http://www.acsac.org/secshelf/book001/book00

1.html.

[2] Huang, Ding-Long, Pei-Luen Patrick Rau and

Gavriel Salvendy. 2008. “Perception of

Information Security.” Behavior & Information

Technology, 29:3, Pp 221-232. Accessed 14

June 2014.

http://dx.doi.org/10.1080/01449290701679361.

[3] International Telecommunications Union. 2012.

“Measuring the Information Society,” P1.

Accessed 14 June 2014.

http://www.itu.int/dms_pub/itu-d/opb/ind/D-

IND-ICTOI-2012-SUM-PDF-E.pdf

[4] Lacey, David. 2009. Managing the Human

Factor in Information Security: How to win over

staff and influence business managers.

Glichester, England: John Wiley and Sons, Ltd.

Pp 2-17, 348-351. Accessed 15 May 2014.

Google Books.

[5] Gartner. 2008. “Gartner Says More than 1

Billion PCs In Use Worldwide and Headed to 2

Billion Units by 2014.” Accessed 23 June 2014.

http://www.gartner.com/newsroom/id/703807.

[6] International Telecommunications Union. 2014.

“The World in 2014.” Accessed 4 Aug 2014.

http://www.itu.int/en/ITU-

D/Statistics/Documents/facts/ICTFactsFigures2

014-e.pdf

[7] File, Thom. “Computer and Internet Use in the

United States.” United States Department of

Commerce, Pp 1-2. May 2013. Accessed 22

June 2014.

http://www.census.gov/prod/2013pubs/p20-

569.pdf.

[8] Walter, Chip. 2005. “Kryder’s Law.”

Scientific American. Accessed 17 Jul 2014.

9

The Proceedings of the International Conference in Information Security and Digital Forensics, Thessaloniki, Greece, 2014

ISBN: 978-1-941968-03-1 ©2014 SDIWC 118

EBSCOHost.

[9] PWC. 2012. “Information Security Breaches

Survey Technical Report.” Accessed 17 Jul

2014.

https://www.gov.uk/government/uploads/system

/uploads/attachment_data/file/307296/bi

s-14-767-information-security-breaches-survey-

2014-technical-report-revision1.pdf.

[10] Chu, Cheng-Kang, Wen-Tao Zhu, Jin Han,

Joseph K. Liu, Jia Xu, and Jianying Zhou.

2013. “Security Concerns in Popular Cloud

Storage Services.” Pervasive Computing, Pp

50-52. Accessed 7 June 2014. IEEE Xplore.

[11] Toigo, Jon. 2009. “Storage In The Cloud.”

InformationWeek 1230, Pp 33-45. Accessed 19

May 2014. ProQuest.

[12] Stern, Daniel. “Information Systems Security

Planning” (ICT 4605 Information Systems

Security Principles, University of Denver,

2014). Accessed 17 Jul 2014.

[13] Jarmon, David. 2002. “A Preparation Guide to

Information Security Policies.” SANS

InstituteInfoSec Reading Room. Accessed 15

Feb 2014. http://www.sans.org/reading-

room/whitepapers/policyissues/preparation-

guide-information-security-policies-503.

[14] Benson, Christopher. 2014. “Security

Planning.” Microsoft TechNet. Accessed 4 Aug

2014. http://technet.microsoft.com/en-

us/library/cc723503.aspx.

[15] Thompson, Hugh. 2013. “The Human Element

of Information Security.” IEEE Computer

Society. Accessed 22 Jun 2014. Proquest.

[16] McCauley-Bell, Pamela R. and Lesia L

Crumpton. 1998. “The human factors issues in

information security: What are they and do they

matter?” Human Factors and Ergonomics

Society 42nd Annual Meeting. Accessed 14 Jun

2014. ProQuest.

[17] Sasse, M.A., S. Brostoff and D Weirich. 2001.

“Transforming the ‘weakest link’ — a

human/computer interaction approach to usable

and effective security.” Accessed 14 Jun 2014.

http://hornbeam.cs.ucl.ac.uk/hcs/publications/Sa

sse+Brostoff+Weirich_Transforming%20the%2

0weakest%20link_Technology%20Journal2001.

pdf

[18] Ashenden, Debi. 2008. “Information Security

Management: A Human Challenge?”

Information

Security Technical Report, 12, Pp 195-201.

Accessed 7 June 2014. Science Direct.

[19] ISC2. “CISSP - Certified Information Systems

Security Professional.” 2014. Accessed 17 July

2014.

[20] Forcht, Dr. Karen A. 1986. “The ‘People

Problem’ Issue of Data Security.” ACM

SIGSAC Review, 4:3, Pp 12-14. Accessed 22

Jun 2014. ACM Digital Library.

[21] Glyer, Christopher and Marshall Heilman. 2012.

“South Carolina Department of Revenue Public

Incident Response Report.” Mandiant.

http://governor.sc.gov/Documents/MANDIANT

%20Public%20IR%20Report%20-

%20Department%20of%20Revenue%20-

%2011%2020%202012.pdf

[22] Astakhova, L.V. 2013. “The Concept of the

Information-security Culture.” Scientific and

Technical Information Processing, 41:1, Pp 22-

28. Accessed 7 June 2014. SpringerLink.

[23] Kraemer, Sara and Pascale Carayon. 2007.

“Human errors and violations in computer and

information security: The viewpoint of network

administrators and security specialists.” Applied

Ergonomics, 38, Pp 143-154. Accessed 14 Jun

2014. Science Direct.

[24] Schwartz, Matthew J. 2011. “Epsilon Fell To

Spear-Phishing Attack.” InformationWeek

DarkReading.

Accessed 2 Aug 2014.

http://www.darkreading.com/attacks-and-

breaches/epsilon-fell-to-spear-phishing-

attack/d/d-id/1097119

[25] Widman, Jake. 2011. “10 Massive Security

Breaches.” InformationWeek DarkReading.

Accessed 2 Aug 2014.

http://www.darkreading.com/attacks-and-

breaches/10-massive-security-breaches/d/d-

id/10

96539?page_number=2

[26] Leger, Donna Leinwand. 2014. “Experts

Dissect the eBay Privacy Breach.” USA Today.

Accessed 26 Sep 2014.

http://www.usatoday.com/story/tech/2014/05/21

/ebay-security-breach-passwords-spear-

phishing-attack/9399235/

[27] Murphy, Bruce, Steve Schlarman, and Rik

Boren. 2000. “Enterprise Security Architecture.”

10

The Proceedings of the International Conference in Information Security and Digital Forensics, Thessaloniki, Greece, 2014

ISBN: 978-1-941968-03-1 ©2014 SDIWC 119

Information Systems Security, 9:2. Accessed 9

July 2014. Taylor & Francis Online.

[28] Stone, Adam. 2006. “Data security relies on

people more than software.” Federal Times,

October 2006: Pp 14. Accessed 14 Jun 2014.

ProQuest.

[29] Kraemer, Sara, Pascale Carayon and John Clem.

2009. “Human and organizational factors in

computer

and information security: Pathways to

vulnerabilities.” Computers and Security, 28,

Pp 509-520.

Accessed 14 Jun 2014. Science Direct.

[30] Komatsu, Ayako, Daisuke Takagi and

Toshihiko Takemura. “Human aspects of

information security.” Information

Management & Computer Security, 21:1, Pp 5-

15. Accessed 14 Jun 2014. Emerald Insight.

[31] Siegrist, Michael, Carmen Keller and Henk A.

L. Kiers. 2005. “A New Look at the

Psychometric Paradigm of Perception of

Hazards.” Risk Analysis, 25:1. Accessed 3 Aug

2014. Wiley Online Library.

[32] Yoon, Cheolho and Hyungon Kim. 2013.

“Understanding computer security behavioral

intention in the workplace.” Information

Technology & People, 26:4. Accessed 3 Aug

2014. Emerald Insight.

[33] Gonzalez, Jose J. and Agata Sawicka. 2002.

"A framework for human factors in information

security." WSEAS International Conference on

Information Security, Rio de Janeiro. Accessed

22 June 2014. http://www.wseas.us/e-

library/conferences/brazil2002/papers/448-

187.pdf.

https://www.isc2.org/CISSP/Default.aspx.

11

The Proceedings of the International Conference in Information Security and Digital Forensics, Thessaloniki, Greece, 2014

ISBN: 978-1-941968-03-1 ©2014 SDIWC 120