Abstract
This paper seeks to provide an overview of how companies assess and manage security risks in practice. For this purpose we referred to data of security surveys to examine the scope of risk analysis and to identify involved entities in this process. Our analysis shows a continuous focus on data system security rather than on real world organizational context as well as a prevalent involvement of top management and security staff in risk analysis process and in security policy definition and implementation. We therefore suggest that three issues need to be further investigated in the field of information security risk management in order to bridge the gap between design and implementation of secure and usable systems. First, there is a need to broaden the horizon to consider information system as human activity system which is different from a data processing system. Second, the involvement of relevant stakeholders in context for risk analysis leads to better appreciation of security risks. Third, it is necessary to develop ad-hoc tools and techniques to facilitate discussions and dialogue between stakeholders in risk analysis context.
Original language | English |
---|---|
Title of host publication | Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance |
Subtitle of host publication | HAISA 2015 |
Editors | Steven M. Furnell, Nathan L. Clarke |
Publisher | University of Plymouth |
Pages | 151-160 |
Number of pages | 9 |
ISBN (Print) | 978-1-84102-388-5 |
Publication status | Published - 1 Jul 2015 |
Event | 9th International Symposium on Human Aspects of Information Security and Assurance - Lesvos, Lesvos, Greece Duration: 1 Jul 2015 → 3 Jul 2015 Conference number: 128761 https://haisa.org/ |
Conference
Conference | 9th International Symposium on Human Aspects of Information Security and Assurance |
---|---|
Abbreviated title | HAISA 2015 |
Country/Territory | Greece |
City | Lesvos |
Period | 1/07/15 → 3/07/15 |
Internet address |