An information security risk-driven investment model for analysing human factors



Alavi, Reza, Islam, Shareeful and Mouratidis, Haralambos (2016). An information security risk-driven investment model for analysing human factors. Information Management and Computer Security, 24 (2), pp. 205-227. ISSN 0968-5227



Purpose – The purpose of this paper is to introduce a risk-driven investment process model for analysing human factors that allows information security managers to capture possible risk–investment relationships and to reason about them. The overall success of an information security system depends on analysis of the risks and threats, so that appropriate protection mechanisms can be put in place. A lack of appropriate risk analysis may result in the failure of information security systems. The existing literature does not provide adequate guidelines for a systematic process, or an appropriate modelling language, to support such analysis. This work aims to fill that gap by introducing the process and reasoning about the risks while taking human factors into account.

Design/methodology/approach – The objective was to develop a risk-driven investment model together with the activities that support the process. This was achieved through the collection of quantitative and qualitative data using requirements engineering and Secure Tropos methods.

Findings – The proposed process and model lead to a clear definition of the relationship between risks, incidents and investment, and allow organisations to calculate these based on their own figures.

Research limitations/implications – One major limitation of this model is that it only supports incident-based investment, which makes the results difficult to present to an executive board. Secondly, because of the nature of human factors, quantification does not exactly reflect the monetary value of those factors.

Practical implications – Applying the information security risk-driven investment model in a real case study shows that it can help organisations apply and use it for other incidents, and more importantly for incidents in which critical human factors are a grave concern to the organisation. The importance of providing a financial justification when seeking investment in information security is clearly highlighted.

Social implications – The work has a significant social impact, as it can support cost justification and the decision-making process. This benefits society as a whole by helping individuals keep their data safe.

Originality/value – The novel contribution of this work is the analysis of specific critical human factors, which are subjective in nature, within the objective and dynamic domain of risk, security and investment.

Item Type: Journal article
Subjects: G000 Computing and Mathematical Sciences > G600 Software Engineering
G000 Computing and Mathematical Sciences > G500 Information Systems > G510 Information modelling
G000 Computing and Mathematical Sciences > G500 Information Systems > G530 Systems analysis & design
DOI (a stable link to the resource): 10.1108/ICS-01-2016-0006
Depositing User: Converis
Date Deposited: 15 Sep 2016 03:01
Last Modified: 15 Sep 2016 10:59
