{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T17:46:08Z","timestamp":1778175968940,"version":"3.51.4"},"reference-count":31,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2016,6,13]],"date-time":"2016-06-13T00:00:00Z","timestamp":1465776000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2016,6,13]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>The purpose of this paper is to introduce a risk-driven investment process model for analysing human factors that allows information security managers to capture possible risk\u2013investment relationships and to reason about them. The overall success of an information security system depends on analysis of the risks and threats so that appropriate protection mechanism can be in place to protect them. However, lack of appropriate analysis of risks may potentially results in failure of information security systems. Existing literature does not provide adequate guidelines for a systematic process or an appropriate modelling language to support such analysis. This work aims to fill this gap by introducing the process and reason about the risks considering human factors.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>To develop risk-driven investment model along with the activities that support the process. These objectives were achieved through the collection of quantitative and qualitative data utilising requirements engineering and secure tropos methods.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The proposed process and model lead to define a clear relationship between risks, incidents and investment and allows organisations to calculate them based on their own figures.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>One of the major limitations of this model is that it only supports incident-based investment. This creates some sort of difficulties to be presented to the executive board. Secondly, because of the nature of human factors, quantification does not exactly reflect the monetary value of the factors.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>Applying the information security risk-driven investment model in a real case study shows that this can help organisations apply and use it in other incidents, and more importantly, to the incidents which critical human factors are a grave concern of organisations. The importance of providing a financial justification is clearly highlighted and provided for seeking investment in information security.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Social implications<\/jats:title>\n<jats:p>It has a big social impact that technically could lead for cost justifications and decision-making process. This would impact the whole society by helping individuals to keep their data safe.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>The novel contribution of this work is to analyse specific critical human factors which have subjective natures in an objective and dynamic domain of risk, security and investment.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-01-2016-0006","type":"journal-article","created":{"date-parts":[[2016,6,20]],"date-time":"2016-06-20T04:51:07Z","timestamp":1466398267000},"page":"205-227","source":"Crossref","is-referenced-by-count":30,"title":["An information security risk-driven investment model for analysing human factors"],"prefix":"10.1108","volume":"24","author":[{"given":"Reza","family":"Alavi","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shareeful","family":"Islam","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Haralambos","family":"Mouratidis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"issue":"1","key":"key2020121520411530900_ref009","doi-asserted-by":"crossref","first-page":"50","DOI":"10.4018\/jsse.2013010104","article-title":"Analyzing human factors for an effective information security management system","volume":"4","year":"2013","journal-title":"International Journal of Secure Software Engineering (IJSSE)"},{"key":"key2020121520411530900_ref010","first-page":"297","article-title":"A conceptual framework to analyze human factors of information security management system (ISMS) in organizations","volume-title":"HAS 2014 LNCS","year":"2014"},{"key":"key2020121520411530900_ref012","article-title":"A closer look at information security costs","volume-title":"The Economics of Information Security and Privacy","year":"2013"},{"key":"key2020121520411530900_ref014","volume-title":"Information Security Management Metrics","year":"2009"},{"issue":"1","key":"key2020121520411530900_ref025","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1109\/MS.2003.1159029","article-title":"Reducing internet-based intrusions: effective security patch management","volume":"20","year":"2003","journal-title":"IEEE Software"},{"key":"key2020121520411530900_ref011","unstructured":"Corporation, S. (2013), \u201cPonemon and symantec find most data breaches caused by human and system errors\u201d, Symantec Corporation, available: www.symantec.com\/about\/news\/release\/article.jsp?prid=20130605_01 (accessed 20 July 2013)."},{"key":"key2020121520411530900_ref003","unstructured":"Cyberthreat (2006), available at: www.pwc.co.uk\/en_UK\/uk\/assets\/pdf\/olpapp\/uk-information-security-breaches-survey-technical-report.pdf (accessed 10 May 2012)."},{"issue":"5","key":"key2020121520411530900_ref013","doi-asserted-by":"crossref","first-page":"511","DOI":"10.1007\/s11573-007-0039-y","article-title":"Ein Modell zur dynamischen Investitionsrechnung von IT-Sicherheitsma\u00dfnahmen","volume":"77","year":"2007","journal-title":"Zeitschrift f\u00fcr Betriebswirtschaft"},{"key":"key2020121520411530900_ref021","first-page":"236","article-title":"Analysis of unintentional insider threats deriving from social engineering exploits","year":"2014"},{"key":"key2020121520411530900_ref008","article-title":"Document-oriented heterogeneous business process integration through collaborative e-marketplace","year":"2008"},{"key":"key2020121520411530900_ref018","volume-title":"Social Engineering: The Art of Human Hacking","year":"2010"},{"issue":"5","key":"key2020121520411530900_ref016","doi-asserted-by":"crossref","first-page":"409","DOI":"10.1016\/j.cose.2005.02.003","article-title":"Capital market reaction to defective IT products: the case of computer viruses","volume":"24","year":"2005","journal-title":"Computers & Security"},{"key":"key2020121520411530900_ref015","volume-title":"ISO\/IEC 27001 \u2013 Information Security Management","author":"(ISO) I.O.F.S","year":"2013"},{"issue":"10","key":"key2020121520411530900_ref023","doi-asserted-by":"crossref","first-page":"94","DOI":"10.1145\/1290958.1290968","article-title":"Social phishing","volume":"50","year":"2007","journal-title":"Communications of the ACM"},{"key":"key2020121520411530900_ref017","first-page":"847","article-title":"Social engineering-based attacks: model and New Zealand perspective","year":"2010"},{"issue":"2","key":"key2020121520411530900_ref036","doi-asserted-by":"crossref","first-page":"54","DOI":"10.4018\/jsse.2012040103","article-title":"Comparing misuse case and mal-activity diagrams for modelling social engineering attacks","volume":"3","year":"2012","journal-title":"International Journal of Secure Software Engineering (IJSSE)"},{"key":"key2020121520411530900_ref002","unstructured":"Kraemer, S. and Carayon, P. (2006), An Adversarial Viewpoint of Human and Organisational Factors in Computer and Information Security: Final Report, Wisconsin-Madison, University of Wisconsin-Madison & Information Design Assurance Red Team (IDART), Sandia National Laboratories, Madison, WI."},{"key":"key2020121520411530900_ref029","first-page":"6","article-title":"Hybrid VFT\/Delphi Method to Facilitate the Development of Information Security Strategies in Developing Countries","year":"2014"},{"issue":"8","key":"key2020121520411530900_ref028","doi-asserted-by":"crossref","first-page":"647","DOI":"10.1016\/S0378-7206(01)00117-3","article-title":"Specification of a capability-based IT classification framework","volume":"39","year":"2002","journal-title":"Information & Management"},{"issue":"1","key":"key2020121520411530900_ref027","doi-asserted-by":"crossref","first-page":"15","DOI":"10.1016\/j.im.2003.11.002","article-title":"The Delphi method as a research tool: an example, design considerations and applications","volume":"42","year":"2004","journal-title":"Information & Management"},{"issue":"2","key":"key2020121520411530900_ref022","doi-asserted-by":"crossref","first-page":"54","DOI":"10.4018\/jsse.2012040103","article-title":"Comparing misuse case and mal-activity diagrams for modelling social engineering attacks","volume":"3","year":"2012","journal-title":"International Journal of Secure Software Engineering (IJSSE)"},{"issue":"4","key":"key2020121520411530900_ref001","doi-asserted-by":"crossref","first-page":"361","DOI":"10.1504\/EG.2009.027783","article-title":"Management support and information security: an empirical study of Texas state agencies in the USA","volume":"6","year":"2009","journal-title":"Electronic Government, an International Journal"},{"key":"key2020121520411530900_ref024","volume-title":"Introduction to Cyber-warfare: A Multidisciplinary Approach","year":"2013"},{"issue":"2","key":"key2020121520411530900_ref020","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1109\/MC.2010.35","article-title":"Compliance with information security policies: an empirical investigation","volume":"43","year":"2010","journal-title":"Computer"},{"key":"key2020121520411530900_ref019","unstructured":"Solutions, V.E. (2014), Data Breach Investigations Report (DBIR)."},{"key":"key2020121520411530900_ref005","volume-title":"Information Security: Principles and Practice","year":"2011"},{"key":"key2020121520411530900_ref035","unstructured":"Verizon (2014), Data Breach Investigations Report (DBIR), Verizon Enterprise Solutions, available: www.verizonenterprise.com\/DBIR\/2014\/ (accessed 10 December 2015)."},{"issue":"2","key":"key2020121520411530900_ref007","doi-asserted-by":"crossref","first-page":"91","DOI":"10.1007\/s10796-006-7973-z","article-title":"Business architecture: a new paradigm to relate business strategy to ICT","volume":"8","year":"2006","journal-title":"Information Systems Frontiers"},{"key":"key2020121520411530900_ref030","volume-title":"International Guide to Privacy","year":"2004"},{"issue":"5","key":"key2020121520411530900_ref006","doi-asserted-by":"crossref","first-page":"480","DOI":"10.1016\/j.im.2007.05.003","article-title":"Threats and countermeasures for information system security: a cross-industry study","volume":"44","year":"2007","journal-title":"Information & Management"},{"key":"key2020121520411530900_ref004","article-title":"Towards design principles for effective context- and perspective-based web mining","year":"2009"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/ICS-01-2016-0006","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2016-0006\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2016-0006\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:34Z","timestamp":1753406554000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/24\/2\/205-227\/112209"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,6,13]]},"references-count":31,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2016,6,13]]}},"alternative-id":["10.1108\/ICS-01-2016-0006"],"URL":"https:\/\/doi.org\/10.1108\/ics-01-2016-0006","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2016,6,13]]}}}