HUMAN FACTOR AND SECURITY MANAGEMENT. INFORMATION SECURITY AUDIT: METHODOLOGY AND PRACTICAL CASES

Authors

  • Anna Kras, Lesya Ukrainka Volyn National University

Abstract

This paper examines the role of the human factor in information security systems, emphasizing that even where advanced technological controls, policies, and procedures are in place, employee behavior, knowledge, and motivation remain decisive for effective cybersecurity. It details the main human-related threats, including social engineering, accidental errors, insider threats, and sabotage. Special attention is given to continuous employee training, fostering a security-aware culture, implementing the principle of least privilege, using multi-factor authentication, monitoring, and conducting regular audits. The analysis covers international standards and frameworks (ISO/IEC, NIST, COBIT) and practical audit cases, demonstrating the need for a comprehensive approach to managing human-related risk. The paper concludes that effective information security requires a balanced integration of technical measures, management strategies, and an understanding of the social and psychological dynamics within the organization.

Published

2025-06-03