Behavioural threshold analysis in the context of information security

Abstract

The human aspect in information security provides a unique challenge for its assessment and management. Many studies seek to address this challenge by employing psychological models to understand the behaviour of individuals when confronted with information security issues. Such models typically only address the behaviour of individuals and do not provide for the intricacies of the behaviour of people in groups. Few models exist to quantify group behaviour and as far as the researcher is aware, none have been applied in information security group behaviour before. Based on threshold models of collective behaviour, behavioural threshold analysis is used to quantify the individual inclinations of the members of a group and, based on the aggregation of these quantifications, predict possible outcomes of the collective behaviour of that group. Therefore, this study aims to address the following research question: How can behavioural threshold analysis be employed as an aid for managing the human factor in information security group behaviour? In this thesis as a series of papers, research articles are presented that describe the full range of activities that relate to the establishment of behavioural threshold analysis as a novel method for the evaluation of information security group behaviour. The approach is developed from the ground up and the activities that are described include, the initial exploratory investigation of the model in the new context of information security, the investigation of alternative strategies for finetuning the approach, the establishment of a formal methodology, real-world applications of the formal method in practice, and the development of practical and theoretical artefacts that can be used by future researchers and practitioners. This study makes contributions in three categories: literature, theory and practice. By publishing the findings and contributions in journals, conference proceedings, and book series, new knowledge is contributed to the existing body of literature. Theoretical contributions include a formalised methodology and application framework. The contribution to the practice of information security is in the form of a decision support system. Therefore, by adopting an approach from the field of sociology, which was previously not applied in the field of information security, and adapting it to the unique and specialised requirements for evaluating information security group behaviour, the research question was answered.