Article Details

Copyright Statement: This is an open access article licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, even commercially as long as the original work is properly cited.

The Design and Evaluation of a User-Centric Information Security Risk Assessment and Response Framework

Author 1: Manal Alohali
Author 2: Nathan Clarke
Author 3: Steven Furnell

Download PDF

Digital Object Identifier (DOI) : 10.14569/IJACSA.2018.091018

Article Published in International Journal of Advanced Computer Science and Applications(IJACSA), Volume 9 Issue 10, 2018.

Abstract: The risk of sensitive information disclosure and modification through the use of online services has increased considerably and may result in significant damage. As the management and assessment of such risks is a well-known discipline for organizations, it is a challenge for users from the general public. Users have difficulties in using, understanding and reacting to security-related threats. Moreover, users only try to protect themselves from risks salient to them. Motivated by the lack of risk assessment solutions and limited impact of awareness programs tailored for users of the general public, this paper aims to develop a structured approach to help in protecting users from threats and vulnerabilities and, thus, reducing the overall information security risks. By focusing on the user and that different users react differently to the same stimuli, the authors developed a user-centric risk assessment and response framework that assesses and communicates risk on both user and system level in an individualized, timely and continuous way. Three risk assessment models were proposed that depend on user-centric and behavior-related factors when calculating risk. This framework was evaluated using a scenario-based simulation of a number of users and results analyzed. The analysis demonstrated the effectiveness and feasibility of the proposed approach. Encouragingly, this analysis provided an indication that risk can be assessed differently for the same behavior based upon a number of user-centric and behavioral-related factors resulting in an individualized granular risk score/level. This granular risk assessment, provided a more insightful evaluation of both risk and response. The analysis of results was also useful in demonstrating how risk is not the same for all users and how the proposed model is effective in adapting to differences between users offering a novel approach to assessing information security risks.

Keywords: Risk; analysis; security behavior; BFI; correlation

Manal Alohali, Nathan Clarke and Steven Furnell, “The Design and Evaluation of a User-Centric Information Security Risk Assessment and Response Framework” International Journal of Advanced Computer Science and Applications(IJACSA), 9(10), 2018. http://dx.doi.org/10.14569/IJACSA.2018.091018

@article{Alohali2018,
title = {The Design and Evaluation of a User-Centric Information Security Risk Assessment and Response Framework},
journal = {International Journal of Advanced Computer Science and Applications},
doi = {10.14569/IJACSA.2018.091018},
url = {http://dx.doi.org/10.14569/IJACSA.2018.091018},
year = {2018},
publisher = {The Science and Information Organization},
volume = {9},
number = {10},
author = {Manal Alohali and Nathan Clarke and Steven Furnell}
}

IJACSA

Upcoming Conferences

IntelliSys 2021

2-3 September 2021

Future Technologies Conference (FTC) 2021

28-29 October 2021

Future of Information and Communication Conference (FICC) 2022

3-4 March 2022

Computing Conference 2022

14-15 July 2022