Page 1

Comments on "The insider threat to information systems and the effectiveness of ISO17799"

Marianthi Theoharidou, Spyros Kokolakis, Maria Karyda and Evangelos Kiountouzis. "The insider threat to information systems and the effectiveness of ISO17799." Computers & Security 24, no.6 (2005): 472-484.

Ben Skudder

Page 2

Summary

This paper explores the deficiencies of ISO17799 in addressing insider threats to information systems with reference to modern criminology models.

Page 3

Appreciation

• What is the significance of this to computer security specialists?

• Given its popularity, a computer security specialist is likely to be working under a standard like this.

• It's an area which has a large impact on computer security.

Page 4

Criticism

• How can aspects of these models be realised, and how do they relate to the models? With regard to Social Bond Theory:

  • “the need for management to act as a role model” and its relationship to attachment

  • commitment and the company “honoring its part of the contract”

• Informal controls and their relationship to Social Bond Theory, Social Learning Theory and the Theory of Planned Behaviour.

• If these enhancements are supposed to be incorporated into a standard, there need to be criteria by which we can evaluate a given policy.

Page 5

Question

As computer security specialists, to what extent do we need to be aware of security as a social/behavioural problem, either with regard to the insider threat in particular or to computer security in general?