Information security culture as a key factor in ensuring an appropriate level of information security

Authors

  • Alenka Rožanec
  • Sebastijan Lahajnar

Keywords:

information security, user behaviour, information culture, organizations

Abstract

Research finds that in recent years most security incidents have been the result of inappropriate user behaviour rather than of intrusions carried out with advanced IT tools. In this paper we therefore explain why the IT tools and procedures used in practice are already no longer sufficiently effective, and how information security management must change in the future. Besides management support for information security and the implementation of security policy and procedures, user behaviour in an organization depends above all on users' security awareness, knowledge, beliefs and motivation, that is, on the organization's information security culture. The paper presents the OECD principles, the standards, models and research in this field, and the principles for managing change in information security culture. With technical solutions alone, without an appropriate information security culture and secure user behaviour, organizations will no longer be able to ensure an appropriate level of information security in the future.

References

AlHogail, A. (2015). Design and validation of information security culture framework. Computers in Human Behavior, 49, pp. 567–575.

AlHogail, A. (2015a). Cultivating and assessing an organizational information security culture. International Journal of Security and Its Applications, 9, No. 7, pp. 163–178.

AlHogail, A. and Mirza, A. (2014). A framework of information security culture change. Journal of Theoretical and Applied Information Technology, 64, No. 2, pp. 540–549.

Alnatheer, M. (2014). A conceptual model to understand Information Security Culture. International Journal of Social Science and Humanity, 4, No. 2, pp. 104–107.

Alnatheer, M. and Nelson, K. (2009). Proposed Framework for Understanding Information Security Culture and Practices in the Saudi Context. Retrieved on 6/29/2017 from the Internet: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1001&context=ism.

Alnatheer, M. et al. (2012). Understanding and measuring Information Security Culture. Retrieved on 8/25/2017 from the Internet: http://aisel.aisnet.org/cgi/viewcontent.cgi?article=119&context=pacis2012.

Armerding, T. (2017). The 15 worst data security breaches of the 21st century. Retrieved on 1/22/2017 from the Internet: http://www.csoonline.com/article/2130877/data-protection/dataprotection-html.

Armstrong, M. (2006). A Handbook of Human Resource Management Practice. 11th ed., London and Philadelphia: Kogan Page.

Cadle, Y. and Yeates, D. (2001). Project management for information systems. London: Pearson Education.

Cameron, E. and Green, M. (2015). Making sense of change management: a complete guide to the models, tools and techniques of organizational change. London: Kogan Page.

CISO (2011). Human behaviour and security culture. Retrieved on 8/30/2017 from the Internet: http://exec.tuck.dartmouth.edu/downloads/623/human_behavior_and_security_culture_ciso_workshop_overview.pdf.

Da Veiga, A. and Eloff, J. H. P. (2010). A framework and assessment instrument for information security culture. Computers & Security, 29, No. 2, pp. 196–207.

Da Veiga, A. and Martins, N. (2014). Information Security Culture: A Comparative Analysis of Four Assessments. Retrieved on 8/15/2017 from the Internet: http://uir.unisa.ac.za/bitstream/handle/10500/18734/Information%20Security%20Culture%20A%20Comparative%20Analysis%20of%20Four%20Assessments%202014.pdf?sequence=1&isAllowed=y.

Da Veiga, A. et al. (2007). Information security culture – validation of an assessment instrument. Southern African Business Review, 11, No. 1, pp. 147–166.

Dhillon, G. (1999). Managing and controlling computer misuse. Information Management & Computer Security, 7, No. 4, pp. 171–175.

Gebrasilase, T. and Lessa, L. F. (2011). Information Security Culture in Public Hospitals: The Case of Hawasa Referral Hospital. The African Journal of Information Systems, 3, No. 3, pp. 72–86.

Hassan, N. H. and Ismail, Z. (2012). A conceptual model for investigating factors influencing information security culture in healthcare environment. Retrieved on 6/27/2017 from the Internet: http://www.sciencedirect.com/science/article/pii/S1877042812052196.

Hassan, N. H. et al. (2015). Information Security Culture: A systematic literature review. Retrieved on 8/24/2017 from the Internet: http://www.icoci.cms.net.my/proceedings/2015/PDF/PID205.pdf.

Ifinedo, P. (2014). The effects of national culture on the assessment of information security threats and controls in financial services industry. International Journal of Electronic Business Management, 12, No. 2, pp. 75–89.

International Organization for Standardization. ISO/IEC 27001:2013, Information technology -- Security techniques -- Information security management systems -- Requirements. Retrieved on 2/3/2017 from the Internet: http://www.iso.org/iso/catalogue_detail?csnumber=54534.

International Organization for Standardization. ISO/IEC 27002:2013, Information technology -- Security techniques -- Code of practice for information security controls. Retrieved on 2/3/2017 from the Internet: http://www.iso.org/iso/catalogue_detail?csnumber=54533.

IT Governance Institute (2007). CobiT 4.1. Rolling Meadows: IT Governance Institute.

Knapp, K. J. et al. (2006a). The top information security issues facing organizations: What can government do to help? Information Security and Risk Management, 15, No. 4, pp. 51–58.

Knapp, K. J. et al. (2006b). Information security: management's effect on culture and policy. Information Management and Computer Security, 14, No. 1, pp. 24–36.

Martins, A. and Eloff, J. (2002). Information security culture. Retrieved on 8/26/2017 from the Internet: https://link.springer.com/content/pdf/10.1007%2F978-0-387-35586-3_16.pdf.

Martins, N. and Da Veiga, A. (2015). An information security culture model validated with structural equation modelling. Retrieved on 8/30/2017 from the Internet: http://uir.unisa.ac.za/bitstream/handle/10500/19061/CSCAN-OA-254%20Inf%20Sec%20Cul%20Model%20with%20SEM%20HAISA%202015.pdf?sequence=1&isAllowed=y.

Martins, N. and Da Veiga, A. (2014). The value of using a validated information security culture assessment instrument. Retrieved on 8/30/2017 from the Internet: http://uir.unisa.ac.za/bitstream/handle/10500/14350/Martins%20Da%20Veiga_The%20Value%20of%20Using%20a%20Validated%20Information%20Security%20Culture%20Instrument.pdf?sequence=2.

OECD (2002). Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. Retrieved on 1/5/2017 from the Internet: http://www.oecd.org/sti/ieconomy/15582260.pdf.

Opcomm (2013). Retrieved on 2/3/2017 from the Internet: http://www.opcomm.eu/sl/medijsko-sredisce/blog/139-zakaj-postaja-internet-stvari-najveja-globalna-panoga.

Prislan, K. and Bernik, I. (2014). Trendi informacijske varnosti v sodobni organizaciji. Uporabna informatika, 22, No. 1, pp. 25–37.

Rančigaj, K. and Lobnikar, B. (2012). Vedenjski vidiki zagotavljanja informacijske varnosti: pomen upravljanja informacijske varnostne kulture. Retrieved on 1/20/2017 from the Internet: http://www.fvv.um.si/konferencaiv/zbornik/Rancigaj_Lobnikar.pdf.

SANS Institute (2017). Retrieved on 1/22/2017 from the Internet: https://www.sans.org/reading-room/whitepapers/analyst/survey-mobility-byod-security-policies-practices-35175.

Schlienger, T. and Teufel, S. (2003). Analyzing information security culture: increased trust by an appropriate information security culture. Retrieved on 8/22/2017 from the Internet: http://ieeexplore.ieee.org/abstract/document/1232055/.

Talib, S. et al. (2010). An analysis of information security awareness within home and work environments. Retrieved on 2/1/2017 from the Internet: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=7348&context=ecuworks.

Van Niekerk, J. F. and Von Solms, R. (2010). Information Security Culture: A management perspective. Computers & Security, 29, No. 4, pp. 476–486.

Van Niekerk, J. F. and Von Solms, R. (2005). A holistic framework for the fostering of an information security sub-culture in organizations. Retrieved on 8/30/2017 from the Internet: https://www.researchgate.net/profile/Johan_Van_Niekerk2/publication/220803201_A_holistic_framework_for_the_fostering_of_an_information_security_sub-culture_in_organizations/links/0deec519093063e1f2000000.pdf.


Published

2022-03-31

How to cite

Rožanec, A., & Lahajnar, S. (2022). Kultura informacijske varnosti kot ključni dejavnik zagotavljanja ustrezne ravni informacijske varnosti. Revija za ekonomske in poslovne vede, 4(2), 92–109. Retrieved from https://www.eb-nm.si/index.php/EB/article/view/51

Section

Articles