An empirical evaluation of information security awareness levels in designing secure business processes

Abstract

Information Systems Security (ISS) is critical to ensuring the integrity and credibility of information exchanged digitally in business processes. An information systems development methodology that considers security requirements in the early phases of systems development is essential for ISS. In the context of ISS, information security awareness (SA) can play a vital role in minimizing end-user-related security faults and maximizing the efficiency of security techniques. This awareness should be present in the requirements-gathering phase of the software development process, so that analysts become more aware of security constraints and possible violations, resulting in secure business processes. In this paper, we extend the work of D'Aubeterre et al. (2008b) to evaluate the utility of Secure Activity Resource Coordination (SARC) artifacts in generating three levels of security awareness: perception, comprehension and prediction. The experimental evaluation shows that, using SARC artifacts, analysts are better able to explain the current security state of a business process. Should violations occur, analysts are able to explain the nature of the security violation in terms of segregation of duties, non-repudiation, and authorization.
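
The three awareness levels (perception, comprehension, prediction) and the three violation types the abstract names can be made concrete with a small checker over a business-process model. The following is an added example written for this page, not code from the paper or its authors; the Activity/Process representation, the function names, and the constructed purchase-order process are assumptions for illustration and are not the SARC artifact notation.

```python
"""Added example written for this page, not code from the paper: a minimal checker
for the three violation types named in the abstract (authorization, segregation of
duties, non-repudiation). The Activity/Process representation and the constructed
purchase-order process are assumptions for illustration, not the SARC notation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    name: str
    performer: str          # role that carries out the activity
    evidence: bool = False  # True if a signed/logged record of the performer is kept


@dataclass
class Process:
    activities: list        # ordered Activity objects
    authorizations: dict    # role -> set of activity names the role may perform
    sod_pairs: set          # (activity, activity) pairs that must not share a performer
    non_repudiable: set     # activity names whose completion must be provable


def perceive(proc):
    """Perception level: the current state, i.e. which role performs what."""
    return {a.name: a.performer for a in proc.activities}


def check_authorization(proc):
    return [f"authorization: role '{a.performer}' is not authorized for '{a.name}'"
            for a in proc.activities
            if a.name not in proc.authorizations.get(a.performer, set())]


def check_segregation_of_duties(proc):
    who = perceive(proc)
    return [f"segregation of duties: '{x}' and '{y}' are both performed by '{who[x]}'"
            for x, y in sorted(proc.sod_pairs)
            if x in who and y in who and who[x] == who[y]]


def check_non_repudiation(proc):
    by_name = {a.name: a for a in proc.activities}
    return [f"non-repudiation: no evidence of who performed '{n}'"
            for n in sorted(proc.non_repudiable)
            if n in by_name and not by_name[n].evidence]


def comprehend(proc):
    """Comprehension level: explain every violation in the current state."""
    return (check_authorization(proc)
            + check_segregation_of_duties(proc)
            + check_non_repudiation(proc))


def predict(proc, activity_name, new_performer):
    """Prediction level: violations that would remain after reassigning an activity."""
    changed = [Activity(a.name, new_performer, a.evidence) if a.name == activity_name else a
               for a in proc.activities]
    return comprehend(Process(changed, proc.authorizations, proc.sod_pairs, proc.non_repudiable))


def sample_process():
    """Constructed purchase-order process with deliberate violations (not from the paper)."""
    return Process(
        activities=[
            Activity("create_po", "buyer", evidence=True),
            Activity("approve_po", "buyer", evidence=True),    # same role creates and approves
            Activity("pay_invoice", "buyer", evidence=False),  # buyer may not pay; no evidence kept
            Activity("receive_goods", "warehouse", evidence=True),
        ],
        authorizations={
            "buyer": {"create_po"},
            "manager": {"approve_po"},
            "finance": {"pay_invoice"},
            "warehouse": {"receive_goods"},
        },
        sod_pairs={("create_po", "approve_po"), ("approve_po", "pay_invoice")},
        non_repudiable={"approve_po", "pay_invoice"},
    )


if __name__ == "__main__":
    proc = sample_process()
    print("perception:", perceive(proc))
    for finding in comprehend(proc):
        print("comprehension:", finding)
    for finding in predict(proc, "approve_po", "manager"):
        print("prediction after reassignment:", finding)
```

On the constructed process, comprehension reports two authorization findings, two segregation-of-duties findings and one non-repudiation finding; predicting the effect of moving approval to the manager role removes both segregation-of-duties findings and one authorization finding, while the unsigned payment step still fails non-repudiation and authorization until it is both reassigned to finance and recorded with evidence.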

DOI: 10.1145/1555619.1555641

4 Figures and Tables

Cite this paper

@inproceedings{DAubeterre2009AnEE,
  title={An empirical evaluation of information security awareness levels in designing secure business processes},
  author={Fergle D'Aubeterre and Lakshmi S. Iyer and Rahul Singh},
  booktitle={DESRIST},
  year={2009}
}