NWU Institutional Repository

Social network analysis in the context of information security risk management

dc.contributor.advisor: Kruger, H.A.
dc.contributor.author: Serfontein, Rudi
dc.contributor.researchID: 12066621 - Kruger, Hendrik Abraham (Supervisor)
dc.date.accessioned: 2020-07-20T07:10:21Z
dc.date.available: 2020-07-20T07:10:21Z
dc.date.issued: 2020
dc.description: PhD (Computer Science), North-West University, Potchefstroom Campus
dc.description.abstract: One of the primary factors that determines the efficacy of information security is addressing the risks associated with the human actors involved. This is usually accomplished through the use of security policies that aim to manage user behaviour, and security awareness programmes that aim to improve both the knowledge users have of information security threats, and their behaviour. Unfortunately, while these methods do often reduce information security risk, they have certain shortcomings that may have an impact on how effectively they can help mitigate these risks. Awareness programmes, for example, may not necessarily address new risks, whereas overreaching policies could lead to information security fatigue. An additional approach is to implement Social Network Analysis (SNA) in order to identify and manage information security risks by addressing structural risks in the social networks of organisations. These social networks describe the interactions between people, tasks, and resources, and by investigating them hidden information security risks can potentially be identified. In this study a framework is proposed that aims to use SNA in order to identify the information security risks present in social networks. The proposed framework also presents a structured approach to developing risk mitigation strategies that can be used to reduce these risks, as well as the implementation of these strategies. In order to develop a complete framework, the study also presents a number of methods that were adapted for use with SNA. These novel applications include, among others, an implementation of Self-Organising Maps that can be used to evaluate information security risks in a social network graphically, and an adapted network optimisation technique. A real-world network, built using data from a Corporate Risk Report, is used in conjunction with multiple smaller networks to demonstrate the validity and utility of the framework.
dc.description.thesistype: Doctoral
dc.identifier.uri: https://orcid.org/0000-0002-0428-6494
dc.identifier.uri: http://hdl.handle.net/10394/35189
dc.language.iso: en
dc.publisher: North-West University (South Africa)
dc.subject: Risk Management
dc.subject: Information security
dc.subject: Social network analysis
dc.subject: Self-organising maps
dc.subject: Network optimisation
dc.subject: Risk mitigation strategies
dc.subject: Security awareness programmes
dc.title: Social network analysis in the context of information security risk management
dc.type: Thesis

Files

Original bundle

Name: Serfontein R 21165750.pdf
Size: 13.74 MB
Format: Adobe Portable Document Format

License bundle

Name: license.txt
Size: 1.61 KB
Format: Item-specific license agreed upon to submission