In the current digital era, it is difficult to preserve the confidentiality, integrity, and availability of an organization’s information and technology assets against cyber attacks. Organizations cannot rely solely ...In the current digital era, it is difficult to preserve the confidentiality, integrity, and availability of an organization’s information and technology assets against cyber attacks. Organizations cannot rely solely on technical solutions for defense, since many cyber attacks attempt to exploit non-technical vulnerabilities such as how well employees comply with the organization’s cybersecurity policies. This study surveyed 245 randomly selected employees of government organizations in the Kingdom of Saudi Arabia with an electronically distributed questionnaire about factors that influence employees’ compliance with cybersecurity policies. The study found that ethical factors had the most influence on employee compliance with cybersecurity policies, followed in decreasing order of influence by legislative factors, technical factors, and administrative factors.展开更多
The configuration of information system security policy is directly related to the information asset risk, and the configuration required by the classified security protection is able to ensure the optimal and minimum...The configuration of information system security policy is directly related to the information asset risk, and the configuration required by the classified security protection is able to ensure the optimal and minimum policy in the corresponding security level. Through the random survey on the information assets of multiple departments, this paper proposes the relative deviation distance of security policy configuration as risk measure parameter based on the distance of information-state transition(DIT) theory. By quantitatively analyzing the information asset weight, deviation degree and DIT, we establish the evaluation model for information system. With example analysis, the results prove that this method conducts effective risk evaluation on the information system intuitively and reliably, avoids the threat caused by subjective measurement, and shows performance benefits compared with existing solutions. It is not only theoretically but also practically feasible to realize the scientific analysis of security risk for the information system.展开更多
文摘In the current digital era, it is difficult to preserve the confidentiality, integrity, and availability of an organization’s information and technology assets against cyber attacks. Organizations cannot rely solely on technical solutions for defense, since many cyber attacks attempt to exploit non-technical vulnerabilities such as how well employees comply with the organization’s cybersecurity policies. This study surveyed 245 randomly selected employees of government organizations in the Kingdom of Saudi Arabia with an electronically distributed questionnaire about factors that influence employees’ compliance with cybersecurity policies. The study found that ethical factors had the most influence on employee compliance with cybersecurity policies, followed in decreasing order of influence by legislative factors, technical factors, and administrative factors.
基金Supported by the National Natural Science Foundation of China(61662009)the Education Reform Project in Guizhou Province(SJJG201404)the Natural Science Foundation of Guizhou Province Education Department(KY(2015)367)
文摘The configuration of information system security policy is directly related to the information asset risk, and the configuration required by the classified security protection is able to ensure the optimal and minimum policy in the corresponding security level. Through the random survey on the information assets of multiple departments, this paper proposes the relative deviation distance of security policy configuration as risk measure parameter based on the distance of information-state transition(DIT) theory. By quantitatively analyzing the information asset weight, deviation degree and DIT, we establish the evaluation model for information system. With example analysis, the results prove that this method conducts effective risk evaluation on the information system intuitively and reliably, avoids the threat caused by subjective measurement, and shows performance benefits compared with existing solutions. It is not only theoretically but also practically feasible to realize the scientific analysis of security risk for the information system.
