Balancing software and training requirements for information security

Bibliographic Details
Published in: Computers & security 2023-11, Vol.134, p.103467, Article 103467
Main Authors: Fujs, Damjan; Vrhovec, Simon; Vavpotič, Damjan
Format: Article
Language: English
Description
Summary:
• A novel approach concurrently considers information security software requirements (iSSR) and information security training requirements (iSTR).
• The proposed approach helps to balance between iSSR and iSTR according to the information security performance of end users.
• The experiment was conducted among 128 information system professionals.
• Participants who used the proposed approach better balanced and selected iSTR and iSSR than those who did not.

Information security is one of the key areas of consideration to assure reliable and dependable information systems (IS). Achieving an appropriate level of IS security requires concurrent consideration of the technical aspects of IS and the human aspects related to the end users of IS. These aspects can be described in the form of information security requirements. We propose an approach that helps select and balance information security software requirements (iSSR) and information security training requirements (iSTR) according to the information security performance of end users. The approach was tested in an experiment involving 128 IS professionals. The results showed that using the proposed approach helps IS professionals with limited experience in information security make significantly better decisions regarding iSSR and iSTR.
ISSN: 0167-4048, 1872-6208
DOI: 10.1016/j.cose.2023.103467