User-centered security applied to the development of a management information system
University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
Department of Computer and Information Science, University of Linköping, Linköping, Sweden.
2007 (English). In: Information Management & Computer Security, ISSN 0968-5227, Vol. 15, no. 5, pp. 372-381. Article in journal (Refereed). Published.
Abstract [en]

Purpose – This paper aims to apply user-centred security development to a prototype graphical interface for a management information system dealing with information security, with upper-level management as the intended users.

Design/methodology/approach – The intended users were studied in order to understand their needs. An iterative design process was used in which the designs were first made on paper, then as a prototype interface and later as a final interface design. All designs were tested by subjects within the target user group.

Findings – The interface was perceived as successful by the test subjects and the sponsoring organization, Siguru. The major conclusion of the study is that managers use knowledge of information security mainly for financial and strategic matters, which focus more on risk issues than on security issues. To address the needs of managers, the study presents three heuristics for the design of management information security system interfaces.

Research limitations/implications – This interface was tested on a limited set of users and further tests could be done, especially of users with other cultural/professional backgrounds.

Practical implications – This paper presents a useful set of heuristics that can be used in development of management information systems as well as other practical tips for similar projects.

Originality/value – This paper gives an example of a successful user-centred security development process. The lessons learned could be beneficial in software development in general and security products in particular.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2007. Vol. 15, no 5, 372-381 p.
Keyword [en]
Data security, Information, Information systems, User interfaces
National Category
Engineering and Technology
Research subject
Technology
Identifiers
URN: urn:nbn:se:his:diva-1451
DOI: 10.1108/09685220710831116
Scopus ID: 2-s2.0-34948879255
OAI: oai:DiVA.org:his-1451
DiVA: diva2:25377
Available from: 2008-09-26. Created: 2008-09-26. Last updated: 2013-02-14. Bibliographically approved.
In thesis
1. Securing Information Assets: Understanding, Measuring and Protecting against Social Engineering Attacks
2008 (English). Doctoral thesis, comprehensive summary (Other academic).
Abstract [en]

Social engineering denotes, within the realm of security, a type of attack against the human element in which the assailant induces the victim to release information or perform actions they should not. Our research on social engineering is divided into three areas: understanding, measuring and protecting. Understanding deals with finding out more about what social engineering is and how it works. This is achieved through the study of previous work in information security as well as other relevant research areas. The measuring area is about trying to find methods and approaches that put numbers on an organization’s vulnerability to social engineering attacks. Protecting covers the ways an organization can try to prevent attacks. A common approach is to educate the users on typical attacks, assailants, and their manipulative techniques. In many cases there are no preventive techniques in place that deal with the human element of security.

The results show that social engineering is a technique with a high probability of success. Furthermore, defense strategies against it are complicated, and susceptibility to it is difficult to measure. Important contributions are a model describing social engineering attacks and defenses, referred to as the Cycle of Deception, together with a thorough discussion on why and how social engineering works. We also propose new ways of conducting social engineering penetration testing and outline a set of recommendations for protection. It is crucial to involve managers more, but also to train the users with practical exercises instead of theoretical education, for example, by combining measuring exercises and penetration testing with training. We also discuss the future threat of Automated Social Engineering, in which software with a simple form of artificial intelligence can be used to act as humans using social engineering techniques online, making it quite hard for Internet users to trust anyone they communicate with online.

Place, publisher, year, edition, pages
Stockholm University, 2008. 97 p.
Series
Report Series/Department of Computer & Systems Sciences, ISSN 1101-8526 ; 09-001
National Category
Information Science
Research subject
Technology
Identifiers
URN: urn:nbn:se:his:diva-2916
ISBN: 978-91-7155-786-5
Public defence
(English)
Note

Compilation thesis: 7 articles

Available from: 2009-06-26. Created: 2009-03-27. Last updated: 2013-02-14. Bibliographically approved.

By author/editor
Nohlberg, Marcus
By organisation
School of Humanities and Informatics; The Informatics Research Centre