A Corporate Employee as a Subject of Corporate Information Security Management



L. V. Astakhova*
Information Security Department, South Ural State University (National Research University), Chelyabinsk, 454080 Russia
*e-mail: [email protected]
Received December 17, 2019

Abstract—A contradiction is revealed between the growing number of information security incidents in companies caused by employees and the persistent ineffectiveness of the measures employers take to reduce them. It is concluded that researchers have paid too little attention to current trends in corporate management (quality, personnel, knowledge, and risk management), which consist in more active participation of employees in managerial processes. The need to strengthen the role of the corporate information system user as a subject involved in managing its information security is substantiated using the example of detecting social engineering attacks. The organizational, hardware, and software tools for engaging the user in this process are described.

Keywords: information security, management, organization, employee, engagement, social engineering attack, risks, human as a sensor

DOI: 10.3103/S0147688220020069

Knowledge and intelligence are becoming means of production, and the human user has greatly strengthened his position in society's information realm. Nevertheless, people remain the weakest link in any information security system [1]. Although this issue has been studied for many years, it is becoming more and more topical. According to analytical reports, in 2017 the amount of data compromised worldwide through the fault of internal users was ten times higher than in 2016, and the share of data breaches resulting from intentional or unintentional actions of insiders was 58% of all observed data leaks [2]; in Russia their share in 2018 was even higher, at 77.9% [3]. For the first time since 2004, internal breaches were larger than external ones: a single internal breach compromised a much larger amount of data than a single external breach [4].

Companies and organizations try to prevent human-induced threats. The stereotypical view of information security (IS) as a purely technical domain is gradually being overcome. It has become clear that even the latest and most powerful protective hardware and software cannot guarantee full information security to a company or an organization. The ISO/IEC 27000 family of international information security management system (ISMS) standards, and their national adoptions, pay special attention to security issues related to personnel [5]. To prevent any kind of destructive action on the part of employees, these documents prescribe controls for the phases of hiring, employment, and dismissal, including the requirement to improve employee awareness of information security. It should be acknowledged, however, that not many companies build their information protection systems according to these standards because they are on