An Information Security Ontology Incorporating Human-Behavioral Implications

  1. Lookup NU author(s)
  2. Dr Simon Parkin
  3. Professor Aad van Moorsel
Author(s)Parkin S E, van Moorsel A
Publication type Report
Series TitleSchool of Computing Science Technical Report Series
Source Publication DateFebruary 2009
Report Number1139
Full text is available for this publication:
In this paper we explore the need to understand the human-behavioral factors within an organization's information security management processes. We frame this investigation around development of an information security ontology. This ontology is intended for use within organizations that aim not only to maintain compliance with external standards, but also to consider and adjust the attitude towards security as exhibited by those within the organization. We provide an ontology that combines information security standards (in this case ISO27002) and representation of the human-behavioral implications of information security management decisions. Our ontology explicitly represents the human-behavioral concerns attached to specific security processes and policy decisions. As such it encourages consideration of the security behavior of individuals towards technical security controls. We demonstrate use of our ontology with an applied example concerning management of an organization's password policy. This example illustrates how password configuration may be perceived by individuals within the organization, and how this perception alters their behavior and consequently the attitude to information security in the workplace.
InstitutionSchool of Computing Science, University of Newcastle upon Tyne
Place PublishedNewcastle upon Tyne
ActionsLink to this publication