{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T16:44:26Z","timestamp":1781109866235,"version":"3.54.1"},"reference-count":87,"publisher":"IGI Global Scientific Publishing","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013,1]]},"abstract":"<jats:p>Managing security is essential for organizations doing business in a globally networked environment and for organizations that are at the same time seeking to achieve their missions and goals. However, numerous technical advancements do not always produce a more secure environment. All kinds of human factors can deeply affect the management of security in an organizational context. Therefore, security is not solely a technical problem; rather, the authors need to understand human factors, which need adequate attention to achieve an effective information security management system practice. This paper identifies direct and indirect human factors that have impact on information security. These factors were analyzed through the study of two security incidents of the UK\u2019s financial organizations using the SWOT (Strength, Weaknesses, Opportunities, and Threats) technique. The study\u2019s results show that human factors are the main causes for these security incidents. Factors such as training, awareness, and security culture influence organizational strength and opportunity relating to information security. People\u2019s irrational behavior and errors are the main weaknesses highlighted in security incidents, which pose threats such as poor reputation and high costs.<\/jats:p>","DOI":"10.4018\/jsse.2013010104","type":"journal-article","created":{"date-parts":[[2013,4,9]],"date-time":"2013-04-09T15:28:15Z","timestamp":1365521295000},"page":"50-74","source":"Crossref","is-referenced-by-count":15,"title":["Analyzing Human Factors for an Effective Information Security Management System"],"prefix":"10.4018","volume":"4","author":[{"given":"Reza","family":"Alavi","sequence":"first","affiliation":[{"name":"School of Architecture, Computing and Engineering, University of East London, London, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Shareeful","family":"Islam","sequence":"additional","affiliation":[{"name":"School of Architecture, Computing and Engineering, University of East London, London, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Hamid","family":"Jahankhani","sequence":"additional","affiliation":[{"name":"School of Architecture, Computing and Engineering, University of East London, London, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ameer","family":"Al-Nemrat","sequence":"additional","affiliation":[{"name":"School of Architecture, Computing and Engineering, University of East London, London, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"2432","reference":[{"key":"jsse.2013010104-0","doi-asserted-by":"publisher","DOI":"10.1145\/322796.322806"},{"key":"jsse.2013010104-1","unstructured":"Al-Awadi, M., & Renaud, K. (2007, July 3-6). Success factors in information security implementation in organizations. In Kommers, P., Isaias, P., & Chen, N. S. (Eds.), In Proceedings of the IADIS International Conference e-Society, Lisbon, Portugal."},{"key":"jsse.2013010104-2","doi-asserted-by":"publisher","DOI":"10.4018\/978-1-59140-999-1"},{"key":"jsse.2013010104-3","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2004.2"},{"key":"jsse.2013010104-4","unstructured":"Aytes, K., & Connolly, T. (2003, August 4-6). A research model for investigating human behavior related to computer security. In Proceedings of the Ninth Americas Conference on Information Systems, Tampa, FL."},{"key":"jsse.2013010104-5","author":"K.Barbara","year":"2007","journal-title":"Guideline for performing systematic literature reviews in software engineering (Version 2.3.)"},{"key":"jsse.2013010104-6","author":"K. M.Bartol","year":"1994","journal-title":"Management"},{"key":"jsse.2013010104-7","author":"I.Bazavan","year":"2007","journal-title":"Information security cost management"},{"key":"jsse.2013010104-8","doi-asserted-by":"publisher","DOI":"10.1016\/S0167-4048(98)80097-7"},{"key":"jsse.2013010104-9","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2003.09.002"},{"key":"jsse.2013010104-10","author":"R.Briggs","year":"2006","journal-title":"The business of resilience: Corporate security for the 21st century"},{"key":"jsse.2013010104-11","author":"A.Bryman","year":"2008","journal-title":"Social research methods"},{"key":"jsse.2013010104-12","doi-asserted-by":"crossref","first-page":"431","DOI":"10.3233\/JCS-2003-11308","article-title":"The economic cost of publicly announced information security breaches: Empirical evidence from the stock market.","volume":"11","author":"K.Campbell","year":"2003","journal-title":"Journal of Computer Security"},{"key":"jsse.2013010104-13","doi-asserted-by":"publisher","DOI":"10.1046\/j.1365-2648.1994.20040716.x"},{"key":"jsse.2013010104-14","first-page":"67","article-title":"Evaluation of the human impact of password authentication practices on information security.","volume":"7","author":"D. S.Carstens","year":"2004","journal-title":"Information Science Journal"},{"key":"jsse.2013010104-15","doi-asserted-by":"crossref","DOI":"10.1093\/oso\/9780199247288.003.0007","article-title":"The representational character of experience","author":"D.Chalmers","year":"2004","journal-title":"The future for philosophy"},{"key":"jsse.2013010104-16","article-title":"Penetrating computer systems","author":"C.Cobb","year":"2002","journal-title":"Computer security handbook"},{"key":"jsse.2013010104-17","unstructured":"Cyberthreat. (2006). Information security breaches survey (Tech. rep.). Retrieved from http:\/\/www.pwc.co.uk\/en_UK\/uk\/assets\/pdf\/olpapp\/uk-information-security-breaches-survey-technical-report.pdf"},{"key":"jsse.2013010104-18","unstructured":"DeloitteReport. (2006). Deloitte global financial report. Retrieved from www.deloitte.com"},{"key":"jsse.2013010104-19","doi-asserted-by":"crossref","DOI":"10.1007\/978-1-349-14454-9","author":"G.Dhillon","year":"1997","journal-title":"Managing information system security"},{"key":"jsse.2013010104-20","doi-asserted-by":"publisher","DOI":"10.1145\/341852.341877"},{"key":"jsse.2013010104-21","doi-asserted-by":"publisher","DOI":"10.1016\/j.enpol.2009.02.004"},{"key":"jsse.2013010104-22","doi-asserted-by":"publisher","DOI":"10.1109\/TPWRD.2010.2046654"},{"key":"jsse.2013010104-23","year":"2008","journal-title":"10th annual global information security survey achieving a balance of risk and performance"},{"key":"jsse.2013010104-24","unstructured":"Fishbein, M., & Ajzen, I. (1975). Belief, attitude, intention and behaviour: An introduction to theory and research. Boston, MA: Addison-Wesley. Retrieved from http:\/\/www.people.umass.edu\/aizen\/f&a1975.html"},{"key":"jsse.2013010104-25","author":"U.Flick","year":"2004","journal-title":"A companion to qualitative research"},{"key":"jsse.2013010104-26","author":"P.Fung","year":"2002","journal-title":"Implementation of information security: A knowledge-based approach"},{"key":"jsse.2013010104-27","doi-asserted-by":"publisher","DOI":"10.1023\/B:JOBU.0000028451.22685.a4"},{"key":"jsse.2013010104-28","doi-asserted-by":"publisher","DOI":"10.1201\/1086\/43298.9.6.20010102\/30985.4"},{"key":"jsse.2013010104-29","doi-asserted-by":"publisher","DOI":"10.1016\/j.jsis.2011.06.001"},{"key":"jsse.2013010104-30","doi-asserted-by":"publisher","DOI":"10.1057\/ejis.2009.6"},{"key":"jsse.2013010104-31","author":"P.Herzog","year":"2010","journal-title":"Security, trust, and how we are broken"},{"key":"jsse.2013010104-32","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-009-0093-9"},{"key":"jsse.2013010104-33","doi-asserted-by":"publisher","DOI":"10.1016\/S0306-4379(96)00028-2"},{"key":"jsse.2013010104-34","doi-asserted-by":"crossref","unstructured":"Islam, S., & Dong, W. (2008). Human factors in software security risk management. In Proceedings of the 1st International Workshop on Leadership and Management in Software Architecture (LMSA.08), Leipzig, Germany. ACM Press.","DOI":"10.1145\/1373307.1373312"},{"key":"jsse.2013010104-35","doi-asserted-by":"crossref","unstructured":"Islam, S., & Houmb, S. H. (2010, May 19-21). Integrating risk management activities into requirements engineering. In Proceeding of the 4th IEEE International Conference on Research Challenges in Information Science (RCIS2010), Nice, France.","DOI":"10.1109\/RCIS.2010.5507389"},{"key":"jsse.2013010104-36","doi-asserted-by":"publisher","DOI":"10.1007\/s10270-010-0154-z"},{"key":"jsse.2013010104-37","doi-asserted-by":"crossref","unstructured":"Islam, S., Mouratidis, H., & Wagner, S. (2010). Towards a framework to elicit and manage security and privacy requirements from laws and regulations. In Proceedings of the 16th International Working Conference on Requirements Engineering: Foundation for Software Quality (REFSQ '10), Essen, Germany.","DOI":"10.1007\/978-3-642-14192-8_23"},{"key":"jsse.2013010104-38","doi-asserted-by":"publisher","DOI":"10.1108\/09685220810879645"},{"key":"jsse.2013010104-39","doi-asserted-by":"publisher","DOI":"10.4018\/978-1-60566-210-7.ch003"},{"key":"jsse.2013010104-40","unstructured":"Jones, A., & Colwill, C. (2006, December 1-3). Dealing with the malicious insider. In Proceedings of the 6th Australian Information Security Management Conference, Perth, Western Australia."},{"key":"jsse.2013010104-41","first-page":"1","article-title":"Using social psychology to implement security policies","author":"M. E.Kabay","year":"2002","journal-title":"Computer security handbook"},{"key":"jsse.2013010104-42","doi-asserted-by":"publisher","DOI":"10.1016\/S0268-4012(02)00105-6"},{"key":"jsse.2013010104-43","doi-asserted-by":"publisher","DOI":"10.1080\/10295390208718740"},{"key":"jsse.2013010104-44","doi-asserted-by":"crossref","unstructured":"Kraemer, S., & Carayon, P. (2005). Computer and information security culture: Findings from two studies. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting (Vol. 49, pp. 1483-7).","DOI":"10.1177\/154193120504901605"},{"key":"jsse.2013010104-45","unstructured":"Kraemer, S., & Carayon, P. (2006). An adversarial viewpoint of human and organizational factors in computer and information security: Final report. Madison, WI: University of Wisconsin-Madison & Information Design Assurance Red Team (IDART), Sandia National Laboratories."},{"key":"jsse.2013010104-46","doi-asserted-by":"publisher","DOI":"10.1016\/j.apergo.2006.03.010"},{"key":"jsse.2013010104-47","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2009.04.006"},{"key":"jsse.2013010104-48","author":"D.Lacy","year":"2009","journal-title":"Managing the human factor in information security: How to win over staff and influence business managers"},{"key":"jsse.2013010104-49","author":"T. P.Layton","year":"2005","journal-title":"Information security awareness \u2013 The psychology behind the technology"},{"key":"jsse.2013010104-50","author":"E. P.Learned","year":"1969","journal-title":"Business policy: Tax and cases"},{"key":"jsse.2013010104-51","doi-asserted-by":"publisher","DOI":"10.1108\/09685220210424104"},{"key":"jsse.2013010104-52","doi-asserted-by":"publisher","DOI":"10.1016\/S0019-8501(02)00226-2"},{"key":"jsse.2013010104-53","unstructured":"Lim, J. S., Ahmad, A., Chang, S., & Maynard, S. (2010, July 9-12). Embedding information security culture emerging concerns and challenges. In Proceedings of the Pacific Asia Conference on Information Systems 2010, Taipei, Taiwan."},{"key":"jsse.2013010104-54","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijmedinf.2006.09.014"},{"issue":"12","key":"jsse.2013010104-55","first-page":"14","article-title":"Experiences in eliciting security requirements, crosstalk.","volume":"19","author":"N. R.Mead","year":"2006","journal-title":"The Journal of Defense Software Engineering"},{"key":"jsse.2013010104-56","unstructured":"Mead, N. R., Ellison, R. J., Linger, R. C., Longstaff, T. A., & McHugh, J. (2000). Survivable network analysis method (CMU\/SEI-2000-TR-013). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. Retrieved May 12, 2012 from http:\/\/www.sei.cmu.edu\/library\/abstracts\/reports\/00tr013.cfm"},{"key":"jsse.2013010104-57","doi-asserted-by":"publisher","DOI":"10.1108\/09685220010371394"},{"key":"jsse.2013010104-58","first-page":"15","article-title":"Security motivation, the mother of all controls, must precede awareness.","volume":"15","author":"D.Parker","year":"1999","journal-title":"Computer Security Journal"},{"key":"jsse.2013010104-59","doi-asserted-by":"publisher","DOI":"10.1016\/S1048-9843(98)90043-1"},{"key":"jsse.2013010104-60","doi-asserted-by":"publisher","DOI":"10.1108\/01443579410062068"},{"key":"jsse.2013010104-61","doi-asserted-by":"publisher","DOI":"10.1108\/09685220710831107"},{"key":"jsse.2013010104-62","first-page":"23","article-title":"How to build a comprehensive security awareness program.","volume":"16","author":"T.Peltier","year":"2002","journal-title":"Computer Security Journal"},{"key":"jsse.2013010104-63","author":"C.Potter","year":"2012","journal-title":"Information security breaches survey (Tech. rep.)"},{"key":"jsse.2013010104-64","author":"P.Puhakainen","year":"2006","journal-title":"Design theory for information security awareness"},{"key":"jsse.2013010104-65","first-page":"171","article-title":"Human factors in risk analysis.","volume":"12","author":"F.Redmill","year":"2002","journal-title":"Engineering Management Journal"},{"key":"jsse.2013010104-66","doi-asserted-by":"publisher","DOI":"10.1016\/j.istr.2010.11.002"},{"key":"jsse.2013010104-67","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2006.10.008"},{"key":"jsse.2013010104-68","unstructured":"Schein, E. H. (1992). Organisational leadership and culture. Retrieved May 15, 2012 from www.tnellen.com\/ted\/tc\/schein.html"},{"key":"jsse.2013010104-69","author":"E. H.Schein","year":"1999","journal-title":"The corporate culture survival guide"},{"key":"jsse.2013010104-70","unstructured":"Shoemaker, D., & Conklin, W. A. (2011). Cybersecurity: The essential body of knowledge. Clifton Park, NY: Delmare Cengage Learning. Perkin, S. E., Moorsel, A. V., & Coles, R. (2009). An information security ontology incorporating human-behavioural implications. In Proceedings of the 2nd International Conference on Security of Information and Networks, Famagusta, North Cyprus."},{"key":"jsse.2013010104-71","doi-asserted-by":"publisher","DOI":"10.1108\/09685220010371394"},{"key":"jsse.2013010104-72","first-page":"37","article-title":"Information security management programs: Assessment analysis \u2014 lessons learned and best practices revealed.","volume":"12","author":"J.Somaini","year":"2008","journal-title":"Privacy & Data Security Law"},{"key":"jsse.2013010104-73","doi-asserted-by":"publisher","DOI":"10.1108\/00251741111094491"},{"key":"jsse.2013010104-74","doi-asserted-by":"publisher","DOI":"10.1108\/09685221211219191"},{"key":"jsse.2013010104-75","author":"F.Tipton","year":"2008","journal-title":"Information security management handbook"},{"key":"jsse.2013010104-76","author":"J. K.Tudor","year":"2001","journal-title":"Integrated security architecture: An integrated approach to security in the organization"},{"key":"jsse.2013010104-77","author":"A.Vance","year":"2010","journal-title":"Why do employees violate IS security policies?"},{"key":"jsse.2013010104-78","first-page":"371","article-title":"The 10 deadly sins of information security management. Computers &amp","volume":"23","author":"B.Von Solms","year":"2004","journal-title":"Security"},{"key":"jsse.2013010104-79","doi-asserted-by":"publisher","DOI":"10.1108\/09685229910255223"},{"key":"jsse.2013010104-80","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2004.01.012"},{"key":"jsse.2013010104-81","doi-asserted-by":"publisher","DOI":"10.1108\/09685220910944722"},{"key":"jsse.2013010104-82","doi-asserted-by":"publisher","DOI":"10.1016\/j.infoandorg.2006.08.001"},{"key":"jsse.2013010104-83","unstructured":"Wilson, M., & Hash, J. (2003). Building an information technology security awareness and training program. In Commerce, U. S. D. O. (Ed.), Washington, DC: National Institute of Standards and Technology (NIST)."},{"key":"jsse.2013010104-84","author":"J.Wylder","year":"2007","journal-title":"Strategic information security"},{"key":"jsse.2013010104-85","doi-asserted-by":"crossref","unstructured":"Yanyan, Z., & Renzuo, X. (2008, December 12-14). The basic research of human factor analysis based on knowledge in software engineering. In Proceedings of the 2008 International Conference on Computer Science and Software Engineering.","DOI":"10.1109\/CSSE.2008.219"},{"key":"jsse.2013010104-86","unstructured":"Zhang, Y., Vaishnavi, V. K., Vandenberg, A., & Duraisamy, S. (2009). Towards design principles for effective context- and perspective-based web mining. In Proceedings of the 4th International Conference on Design Science Research in Information Systems and Technology (DESRIST '09). New York, NY: ACM."}],"container-title":["International Journal of Secure Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=76355","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,5,8]],"date-time":"2024-05-08T12:08:46Z","timestamp":1715170126000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jsse.2013010104"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2013,1]]},"references-count":87,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.4018\/jsse.2013010104","relation":{},"ISSN":["1947-3036","1947-3044"],"issn-type":[{"value":"1947-3036","type":"print"},{"value":"1947-3044","type":"electronic"}],"subject":[],"published":{"date-parts":[[2013,1]]}}}