{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:01:13Z","timestamp":1754157673423,"version":"3.41.2"},"reference-count":35,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2011,6,7]],"date-time":"2011-06-07T00:00:00Z","timestamp":1307404800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2011,6,7]]},"abstract":"Purpose<\/jats:title>This paper aims to assess the influence of a set of human and organizational factors in information system deployments on the probability that a number of security\u2010related mistakes are in the deployment.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>A Bayesian network (BN) is created and analyzed over the relationship between mistakes and causes. The BN is created by eliciting qualitative and quantitative data from experts of industrial control system deployments in the critical infrastructure domain.<\/jats:p><\/jats:sec>Findings<\/jats:title>The data collected in this study show that domain experts have a shared perception of how strong the influence of human and organizational factors are. According to domain experts, this influence is strong. This study also finds that security flaws are common in industrial control systems operating critical infrastructure.<\/jats:p><\/jats:sec>Research limitations\/implications<\/jats:title>The model presented in this study is created with the help of a number of domain experts. While they agree on qualitative structure and quantitative parameters, future work should assure that their opinion is generally accurate.<\/jats:p><\/jats:sec>Practical implications<\/jats:title>The influence of a set of important variables related to organizational\/human aspects on information security flaws is presented.<\/jats:p><\/jats:sec>Social implications<\/jats:title>The context of this study is deployments of systems that operate nations' critical infrastructure. The findings suggest that initiatives to secure such infrastructures should not be purely technical.<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>Previous studies have focused on either the causes of security flaws or the actual flaws that can exist in installed information systems. However, little research has been spent on the relationship between them. The model presented in this paper quantifies such relationships.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685221111143033","type":"journal-article","created":{"date-parts":[[2011,7,25]],"date-time":"2011-07-25T10:48:07Z","timestamp":1311590887000},"page":"80-94","source":"Crossref","is-referenced-by-count":6,"title":["Security mistakes in information system deployment projects"],"prefix":"10.1108","volume":"19","author":[{"given":"Teodor","family":"Sommestad","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mathias","family":"Ekstedt","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hannes","family":"Holm","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Muhammad","family":"Afzal","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022020420421296100_b1","doi-asserted-by":"crossref","unstructured":"Adams, A., Sasse, M. and Lunt, P. (1997), \u201cMaking passwords secure and usable\u201d, in Thimbleby, H., OConnaill, B. and Thomas, P. (Eds), Proceedings of HCI on People and Computers XII, Springer\u2010Verlag, London.","DOI":"10.1007\/978-1-4471-3601-9_1"},{"key":"key2022020420421296100_b2","doi-asserted-by":"crossref","unstructured":"Alves\u2010Foss, J. and Barbosa, S. (1995), \u201cAssessing computer security vulnerability\u201d, ACM SIGOPS Operating Systems Review, Vol. 29 No. 3, pp. 3\u201013.","DOI":"10.1145\/206826.206829"},{"key":"key2022020420421296100_b3","unstructured":"Anderson, R. (2008), Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley, New York, NY."},{"key":"key2022020420421296100_b4","unstructured":"Aslam, T., Krsul, I. and Spafford, E. (1996), \u201cUse of a taxonomy of security faults\u201d, Proceedings of the 19th National Information Systems Security Conference, Baltimore, MD, pp. 551\u201060."},{"key":"key2022020420421296100_b5","doi-asserted-by":"crossref","unstructured":"Besnard, D. and Arief, B. (2004), \u201cComputer security impaired by legitimate users\u201d, Computers and Security, Vol. 23 No. 3, pp. 253\u201064.","DOI":"10.1016\/j.cose.2003.09.002"},{"key":"key2022020420421296100_b6","doi-asserted-by":"crossref","unstructured":"Beznosov, K. and Beznosova, O. (2007), \u201cOn the imbalance of the security problem space and its expected consequences\u201d, Information Management & Computer Security, Vol. 15 No. 5, pp. 420\u201031.","DOI":"10.1108\/09685220710831152"},{"key":"key2022020420421296100_b7","doi-asserted-by":"crossref","unstructured":"Bishop, M. and Bailey, D. (1996), \u201cA critical analysis of vulnerability taxonomies\u201d, Technical Report CSE\u201096\u201011, Department of Computer Science, University of California, Davis, CA, September.","DOI":"10.21236\/ADA453251"},{"key":"key2022020420421296100_b8","doi-asserted-by":"crossref","unstructured":"Brostoff, S. and Sasse, M. (2001), \u201cSafe and sound: a safety\u2010critical approach to security\u201d, Proceedings of the 2001 Workshop on New Security Paradigms, ACM, Cloudcroft, New Mexico, pp. 41\u201050.","DOI":"10.1145\/508171.508178"},{"key":"key2022020420421296100_b9","doi-asserted-by":"crossref","unstructured":"Carstens, D., McCauley\u2010Bell, P.R., Malone, L.C. and DeMara, R.F. (2004), \u201cEvaluation of the human impact of password authentication practices on information security\u201d, Informing Science: International Journal of an Emerging Transdiscipline, Vol. 7, pp. 67\u201085.","DOI":"10.28945\/503"},{"key":"key2022020420421296100_b10","doi-asserted-by":"crossref","unstructured":"Clemen, R.T. and Winkler, R.L. (1999), \u201cCombining probability distributions from experts in risk analysis\u201d, Risk Analysis, Vol. 19 No. 187, pp. 187\u2010204.","DOI":"10.1111\/j.1539-6924.1999.tb00399.x"},{"key":"key2022020420421296100_b11","doi-asserted-by":"crossref","unstructured":"Cooke, R.M. (1991) in Shrader\u2010Frechette, K. (Ed.), Experts in Uncertainty \u2013 Opinion and Subjective Probability in Science, Oxford University Press, New York, NY.","DOI":"10.1093\/oso\/9780195064650.001.0001"},{"key":"key2022020420421296100_b12","unstructured":"Dourish, P., de la Flor, J.D. and Joseph, M. (2003), \u201cSecurity as a practical problem: some preliminary observations of everyday mental models\u201d, Proceedings of CHI 2003 Workshop on HCI and Security Systems, Fort Lauderdale, FL."},{"key":"key2022020420421296100_b15","unstructured":"Druzdzel, M.J. (1999), \u201cGeNIe: a development environment for graphical decision\u2010analytic models\u201d, Proceedings of the 1999 Annual Symposium of the American Medical Informatics Association (\u2009AMIA\u20101999), Washington, DC, p. 1206."},{"key":"key2022020420421296100_b13","unstructured":"Druzdzel, M. and van der Gaag, L. (1995), \u201cElicitation of probabilities for belief networks: combining qualitative and quantitative information\u201d, Proceedings of the Eleventh Conference on Uncertainty in Artificial Intelligence, Morgan Kaufmann, San Francisco, CA, pp. 41\u2010148."},{"key":"key2022020420421296100_b14","doi-asserted-by":"crossref","unstructured":"Druzdzel, M. and van der Gaag, L. (2000), \u201cBuilding probabilistic networks: where do the numbers come from?\u201d, IEEE Transactions on Knowledge and Data Engineering, Vol. 12 No. 4, pp. 481\u20106.","DOI":"10.1109\/TKDE.2000.868901"},{"key":"key2022020420421296100_b16","doi-asserted-by":"crossref","unstructured":"Einhorn, H. (1974), \u201cExpert judgment: some necessary conditions and an example\u201d, Journal of Applied Psychology, October, pp. 562\u201071.","DOI":"10.1037\/h0037164"},{"key":"key2022020420421296100_b17","unstructured":"Fink, R., Spencer, D. and Wells, R. (2006), \u201cLessons learned from cyber security assessments of SCADA and energy management systems\u201d, Technical Report: INL\/CON\u201006\u201011665, US Department of Energy, Idaho falls, ID, September."},{"key":"key2022020420421296100_b18","unstructured":"Friedman, N. and Koller, D. (2000), \u201cBeing Bayesian about network structure, a Bayesian approach to structure discovery in Bayesian networks\u201d, Machine Learning, Vol. 50 Nos 1\/2, pp. 1\u201030."},{"key":"key2022020420421296100_b19","doi-asserted-by":"crossref","unstructured":"Hansman, S. and Hunt, R. (2004), \u201cA taxonomy of network and computer attacks\u201d, Computers and Security, Vol. 24 No. 1, pp. 31\u201043.","DOI":"10.1016\/j.cose.2004.06.011"},{"key":"key2022020420421296100_b20","doi-asserted-by":"crossref","unstructured":"Knapp, K., Marshall, T. and Rainer, R. (2006), \u201cInformation security: management's effect on culture and policy\u201d, Information Management & Computer Security, Vol. 14 No. 1, pp. 24\u201036.","DOI":"10.1108\/09685220610648355"},{"key":"key2022020420421296100_b21","doi-asserted-by":"crossref","unstructured":"Kraemer, S. and Carayon, P. (2005), \u201cComputer and information security culture: findings from two studies\u201d, Human Factors and Ergonomics Society Annual Meeting Proceedings, Macroergonomics, Vol. 49, pp. 1483\u20107.","DOI":"10.1177\/154193120504901605"},{"key":"key2022020420421296100_b22","doi-asserted-by":"crossref","unstructured":"Kraemer, S., Carayon, P. and Clem, J. (2009), \u201cHuman and organizational factors in computer and information security: pathways to vulnerabilities\u201d, Computers and Security, Vol. 28 No. 7, pp. 509\u201020.","DOI":"10.1016\/j.cose.2009.04.006"},{"key":"key2022020420421296100_b23","unstructured":"NIST (2010), \u201cNational vulnerability database home page\u201d, available at: http:\/\/nvd.nist.gov\/."},{"key":"key2022020420421296100_b24","doi-asserted-by":"crossref","unstructured":"Pattinson, M. and Anderson, G. (2007), \u201cHow well are information risks being communicated to your computer end\u2010users?\u201d, Information Management & Computer Security, Vol. 15 No. 5, pp. 362\u201071.","DOI":"10.1108\/09685220710831107"},{"key":"key2022020420421296100_b25","unstructured":"Reason, J. (1990), Human Error, Cambridge University Press, Cambridge."},{"key":"key2022020420421296100_b26","doi-asserted-by":"crossref","unstructured":"Renooij, S. (2002), \u201cProbability elicitation for belief networks: issues to consider\u201d, The Knowledge Engineering Review, Vol. 16 No. 3, pp. 255\u201069.","DOI":"10.1017\/S0269888901000145"},{"key":"key2022020420421296100_b27","unstructured":"Sasse, M., Brostoff, S. and Weirich, D. (2001), \u201cTransforming the \u2018weakest link\u2019 a human\/computer interaction approach to usable and effective security\u201d, BT Technology Journal, Vol. 19 No. 3, pp. 122\u201031."},{"key":"key2022020420421296100_b28","doi-asserted-by":"crossref","unstructured":"Stanton, J.M., Stam, K.R., Mastrangelo, P. and Jolton, J. (2005), \u201cAnalysis of end user security behaviors\u201d, Computers and Security, Vol. 24 No. 2, pp. 124\u201033.","DOI":"10.1016\/j.cose.2004.07.001"},{"key":"key2022020420421296100_b29","doi-asserted-by":"crossref","unstructured":"Tsohou, A., Karyda, M. and Kokolakis, S. (2006), \u201cFormulating information systems risk management strategies through cultural theory\u201d, Information Management & Computer Security, Vol. 14 No. 3, pp. 198\u2010217.","DOI":"10.1108\/09685220610670378"},{"key":"key2022020420421296100_b30","doi-asserted-by":"crossref","unstructured":"Veiga, A.D. and Eloff, J. (2009), \u201cA framework and assessment instrument for information security culture\u201d, Computers and Security, Vol. 29 No. 2, pp. 196\u2010207.","DOI":"10.1016\/j.cose.2009.09.002"},{"key":"key2022020420421296100_b35","unstructured":"von Winterfeldt, D. and Edwards, W. (1986), Decision Analysis and Behavioral Research, Cambridge University Press, Cambridge."},{"key":"key2022020420421296100_b31","doi-asserted-by":"crossref","unstructured":"Weiss, D.J. and Shanteau, J. (2003), \u201cEmpirical assessment of expertise\u201d, Human Factors: The Journal of the Human Factors and Ergonomics Society, Vol. 45 No. 1, pp. 104\u201016.","DOI":"10.1518\/hfes.45.1.104.27233"},{"key":"key2022020420421296100_b32","doi-asserted-by":"crossref","unstructured":"Werlinger, R., Hawkey, K. and Beznosov, K. (2009), \u201cAn integrated view of human, organizational, and technological challenges of IT security management\u201d, Information Management & Computer Security, Vol. 17 No. 1, pp. 4\u201019.","DOI":"10.1108\/09685220910944722"},{"key":"key2022020420421296100_b33","unstructured":"Ye, N., Newman, C. and Farley, T. (2006), \u201cA system\u2010fault\u2010risk framework for cyber attack classification\u201d, Information, Knowledge, Systems, Vol. 5, pp. 135\u201051."},{"key":"key2022020420421296100_b34","doi-asserted-by":"crossref","unstructured":"Yoshioka, N., Washizaki, H. and Maruyama, K. (2008), \u201cA survey on security patterns\u201d, Progress in Informatics, Vol. 5 No. 5, pp. 35\u201047.","DOI":"10.2201\/NiiPi.2008.5.5"}],"container-title":["Information Management & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685221111143033","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221111143033\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221111143033\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:21Z","timestamp":1753402161000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/19\/2\/80-94\/178439"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2011,6,7]]},"references-count":35,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2011,6,7]]}},"alternative-id":["10.1108\/09685221111143033"],"URL":"https:\/\/doi.org\/10.1108\/09685221111143033","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2011,6,7]]}}}