Search published articles
Showing 4 results for Information Security
Hojat Abadtalab, Safiyeh Tahmasebi Limooni, Mitra Ghiasi,
Volume 9, Issue 2 (9-2022)
Volume 9, Issue 2 (9-2022)
Abstract
Background and Objective: Information security is of vital importance in most organizations. This is especially central in academic libraries due to the specific type of visitors, exchange and transfer of information to the users. Thus, the purpose is to investigate the relationship of the development of library software and information security management in the libraries of Islamic Azad Universities.
Research Methodology: This is a correlational study. Sample includes 240 employees of central libraries of the Islamic Azad Universities Iran, who participated in the investigation by census. Data was collected thru Ashourizadeh Information Security Management Questionnaire (2012) and a researcher-made questionnaire on system dynamics. Validity of the tools were confirmed and the reliability for information security management and system dynamics was calculated using Cronbach's alpha coefficient of 0.85 and 0.83, respectively. Data was analyzed by descriptive and inferential statistics via SPSS and Lisrel software.
Results: Findings showed that system dynamics has five main factors: Information storage and retrieval; usability; security; standards and accessibility. From the employees' standpoint, the status of system dynamics, information security management and each of their components in the libraries of Islamic Azad Universities is favorable. Also, there is a positive and significant relationship between the development of library software and information security management
Conclusion: Findings will be useful in identifying the effects of developing the dynamics of library software system in information security management of libraries of Islamic Azad Universities in the country.
Abdulamir Mabhoot, Mohammad Reza Farhadpoor, Ebrahim Hoseini,
Volume 11, Issue 1 (6-2024)
Volume 11, Issue 1 (6-2024)
Abstract
One of the most important current debates in organizational information security is information leakage. Information leakage, which refers to the unauthorized sharing of information by one organization with another, is one of the serious problems faced by organizations. Information leakage can cause losses to the company and affect its ability to gain a competitive advantage. Information leakage includes two types of leakage or intentional or unintentional disclosure of data or exclusive content to unauthorized persons. Intentional information leakage includes the intentional disclosure of information by employees to unauthorized persons. Deliberate information leakage is often caused by employee dissatisfaction with the company or a motive for personal gain. The main cause of intentional information leakage is revenge or unethical behavior of employees who are willing to betray their company or disclose sensitive information to competitors. In other words, if employees are not aware of how much information to disclose to outsiders, then unwanted/inadvertent information leakage may occur. These cases damage the reputation of the organization, its income and business. As a result, the pervasiveness of this uncertainty about information security in the work environment puts the organization's information assets at risk. In order to minimize or prevent information leakage, it is important to investigate and identify the factors that lead to this happening.
Regardless of the type of information leakage and the related motives, the impact of these actions in itself can lead to financial losses, disruption of the organization, loss of reputation and long-term impact on the organizational culture. Although the phenomenon of information leakage may happen in any organization; But considering the opportunities and values that every organization loses as a result, its importance can be understood. For this reason, the consequences of information leakage will be different from one organization to another, and accordingly, its degree of importance will also be different. The study and identification of factors affecting the phenomenon of information leakage is interesting from several aspects. First, the airport environment with the presence of various airlines is an example of a highly competitive market where the actions and operations of the airport are exposed to the customers. The second point is that the customers of the airport system are heterogeneous and may be people of different nationalities. Third point, the issue of security in airport systems is a complex and interesting phenomenon that is provided by the participation of different organizations. The fourth point is that the flow of information in the airport system is intense, intra-organizational and trans-organizational/cross-border. The fifth point is that the occurrence of an error in the flow of information in airport systems can have unfortunate human, financial, and other consequences. Considering these points, the present study was conducted at Ahvaz International Airport. Preventing information leakage is one of the most important security issues at Ahvaz International Airport. Because with the loss of data, the reputation of the airport is damaged and it loses its customers, it has to pay a high cost to fix the damages, and this will sometimes lead to the destruction of the organization. According to the mentioned contents, this research seeks to answer the question, what are the factors affecting organizational information leakage in Ahvaz International Airport? How are they ranked? Hence, the purpose of this study was to identify and rank the factors affecting organizational information leakage in Ahvaz International Airport using the Hierarchical Analysis Process.
Methods
Since the ultimate goal of the current research was to improve the understanding of the problem of information leakage as an important concern for the organization and to find a practical solution to reduce it, it is practical research in terms of the goal. Also, from the point of view of nature, the current research is descriptive-exploratory; Because what follows the data follower approach to "describe" and "interpret" the factors affecting organizational information leakage as it is. The research community was all information security experts in different parts of Ahvaz Airport; that by the snowball method (because it was difficult to identify the experts and the possibility of contacting and accessing them) 15 experts in the information security field of Ahvaz Airport (having relevant work experience of more than 15 years, a master's degree or higher and familiar with security issue and information leakage). In this study, the library method was used to compile the theoretical foundations of the research, the background of the research and the design of the decision tree. Then, the field method was used to distribute the five-point paired comparison questionnaire to collect data. The first questionnaire was taken from the research literature and was distributed among 15 experts using the Delphi technique. Opinions were sought from the expert group of the Delphi study, in the form of sending a structured questionnaire with a 5-point Likert scale, consisting of 22 questions, in two rounds with the participation of 15 people, in such a way that first, the first questionnaire consisting of 22 questions was sent to the members of the Delphi group. After distributing and collecting completed questionnaires and evaluating the results of this Delphi round, 5 main factors and 21 important sub-factors were identified (laws and regulations sub-factor with an average of 2.87±83 and a t value of 0.61 was not recognized as significant and was excluded from the questionnaire for the second round) and after twenty days, from the initial opinion poll, the important factors were re-evaluated in order to conduct the next round of Delphi in the form of a questionnaire with 21 questions related to the important sub-factors, the collected data It showed the confirmation of all subfactors. Finally, the data was analyzed using the hierarchical analysis method and using Expert Choice software.
Resultss and Discussion
Based on the results, 5 main factors and 21 sub-factors affecting organizational information leakage were identified. The weighting and prioritization of indicators showed that intentional individual factors (0.277) ranked first, unintentional individual factors (0.235) ranked second, organizational factors (0.188) ranked third, infrastructural factors (0.167) ranked fourth and environmental factors (0.133) ranked fifth.
Conclusion
The results showed that information leakage is a complex phenomenon that various individual, organizational, infrastructural and environmental factors are involved in its occurrence. However, the first and second rank of the intentional and unintentional dimensions of information leakage by individuals, on the one hand, indicate the complexity of the information leakage phenomenon, and on the other hand, require a review in the strategies related to human resources management in Ahvaz International Airport.
Based on the results, intentional individual factors with a weight of 0.277 were the first effective factors on information leakage in Ahvaz International Airport. Also, among intentional individual sub-factors, personal greed with a weight of 0.232 was the most important sub-factor and the experience of invasion of privacy with a weight of 0.078 was the least important sub-factor. The findings confirmed that intentional information leakage due to human factors should still be of concern to managers. Since it is not possible to abandon human factors in the organizational life cycle of information, managers should accept this challenge and look for appropriate mechanisms. In other words, despite human factors, organizations face the challenge of intentional or unintentional information leakage. Intentional leakage of information in the organization may have happened due to personal greed against organizational interests, where employees are willing to sell the organization's information to competitors for material reasons and prefer their interests over the interests of the organization. Jealousy of a company employee to colleagues or employees of competing companies, being dissatisfied with the company or feeling a grudge for any reason also causes the intentional leakage of information. Disgruntled employees may also intentionally disclose important information to unauthorized parties. Unintentional individual factors with a weight of 0.235 were the second most effective factors on information leakage in Ahvaz International Airport. Also, among unintentional individual sub-factors, negligence with a weight of 0.283 was the most important sub-factor and the use of contract and temporary employees with a weight of 0.133 was the least important sub-factor. An inadvertent leak occurs when an insider inadvertently discloses business-critical information that is not intended to be shared with third parties. Unintentional individual threat is the potential behavior of an individual who has access to the network, system or data of an organization through an accidental act or action, without malicious intent, and causes damage or significantly increases the likelihood of serious damage in the future to confidentiality, integrity Or the value of the organization's information.
Organizational factors with a weight of 0.188 were the third most effective factors on information leakage in Ahvaz International Airport. Also, among the organizational sub-factors, lack of understanding the value of information with a weight of 0.392 was the most important sub-factor and lack of proper intra-organizational communication with a weight of 0.262 was the least important sub-factor. The first is a lack of understanding of the value of information. Employees evaluate information differently depending on the hierarchical level, the type of information and the type of organizational structure. Employees' perception of the value of information is described by various researchers as an important aspect. This lack of awareness leads to the fact that the value of information is not clear, so the negative consequences of information leakage are not taken seriously by them. The second case is inappropriate organizational structure. Large companies are sensitive to data protection in the long term. Smaller companies do not have such extensive awareness. In general, organizational structure in terms of formality and existing control mechanisms may affect information leakage. The third case is the lack of proper communication within the organization. To achieve shared understanding, communication is required to convey a set of necessary values and norms that define the rules or context of interaction. Infrastructural factors with a weight of 0.167 were the fourth most effective factor on information leakage in Ahvaz International Airport. Similarly, among the infrastructure sub-factors, the weakness of information systems with a weight of 0.418 was the most important sub-factor and the presence of security holes in the network infrastructure with a weight of 0.258 was the least important sub-factor. The first is the weakness of information systems. Buying an incomplete information system and weak design of information systems may cause serious problems for organizations. Mechanisms that insiders use to perform business tasks based on their usual information systems can also be used to steal information assets. To prevent leakage and theft of information, mechanisms and protective measures against these methods should be used. The second case is improper use of physical means of data storage (hard drives, USB, CD, etc.). These days, most of the information inside the organization is stored electronically, the media of this information are hard drives, C drives. D. and U. S. etc.) are physical tools that are likely to be physically stolen. Preventing leakage with these devices requires implementing physical security measures. The third thing is the presence of security holes in the network infrastructure. The organization's networks are one of the essential parts of the organization's information technology infrastructure. There are several types of communication in the network. Internal-to-external communication includes any communication that is initiated within the boundaries of the organization and whose destination is outside the organization.
Finally, environmental factors with a weight of 0.133 were the fifth most effective factors on information leakage in Ahvaz International Airport. Also, among the environmental sub-factors, the stakeholders' request for information about security incidents with a weight of 0.416 was the most important sub-factor and the requirements of business partners with a weight of 0.259 was the least important sub-factor. One of the input sources that shape the behavior of people in an organization is the organizational environment. Employee decisions are influenced by environmental structure, the availability of environmental information, and the relevant meaning that employees assign to environmental information. The first case is the request of stakeholders to inform about security incidents. In the recent era, the demand for the type of information leakage events for companies is more intense, external and internal stakeholders are constantly concerned about maintaining a good public image of the organization. Overall, public interest in data breach incidents appears to exert pressure on organizations, while organizational responses are dynamic and appear to change over time. If stakeholder expectations are ignored and social influence is allowed to run its course, political and legal pressure will build, often leading to negative corporate outcomes. Stakeholder dissatisfaction arises when corporate actions do not meet societal expectations, and the gap between corporate actions and stakeholder expectations widens as public trust declines. Therefore, the greater the employees' understanding of information protection as a social expectation, the greater the perception of public leakage events as a threat to the company's image.
In general, the results show that information leakage is a major concern for organizations. In this context, the more the organization depends on information assets, the more relevant the concern of information leakage becomes. In such a situation, the taste of the competitors is stimulated more and more to think of the necessary mechanism to deal with it by getting the information of the organization, while being aware of the related organization's plans. Therefore, the identification of factors affecting information leakage in the form of 21 sub-factors in 5 groups provided the necessary insight to the managers of Ahvaz airport to strengthen the vulnerable points by adopting the necessary measures such as building trust, strengthening the sense of cooperation, observing professional ethics. , using motivational measures, raising awareness of the value of information, proper training of employees regarding information security, redesigning information systems, and designing targeted programs regarding information storage, sharing, and transfer.
Regardless of the type of information leakage and the related motives, the impact of these actions in itself can lead to financial losses, disruption of the organization, loss of reputation and long-term impact on the organizational culture. Although the phenomenon of information leakage may happen in any organization; But considering the opportunities and values that every organization loses as a result, its importance can be understood. For this reason, the consequences of information leakage will be different from one organization to another, and accordingly, its degree of importance will also be different. The study and identification of factors affecting the phenomenon of information leakage is interesting from several aspects. First, the airport environment with the presence of various airlines is an example of a highly competitive market where the actions and operations of the airport are exposed to the customers. The second point is that the customers of the airport system are heterogeneous and may be people of different nationalities. Third point, the issue of security in airport systems is a complex and interesting phenomenon that is provided by the participation of different organizations. The fourth point is that the flow of information in the airport system is intense, intra-organizational and trans-organizational/cross-border. The fifth point is that the occurrence of an error in the flow of information in airport systems can have unfortunate human, financial, and other consequences. Considering these points, the present study was conducted at Ahvaz International Airport. Preventing information leakage is one of the most important security issues at Ahvaz International Airport. Because with the loss of data, the reputation of the airport is damaged and it loses its customers, it has to pay a high cost to fix the damages, and this will sometimes lead to the destruction of the organization. According to the mentioned contents, this research seeks to answer the question, what are the factors affecting organizational information leakage in Ahvaz International Airport? How are they ranked? Hence, the purpose of this study was to identify and rank the factors affecting organizational information leakage in Ahvaz International Airport using the Hierarchical Analysis Process.
Methods
Since the ultimate goal of the current research was to improve the understanding of the problem of information leakage as an important concern for the organization and to find a practical solution to reduce it, it is practical research in terms of the goal. Also, from the point of view of nature, the current research is descriptive-exploratory; Because what follows the data follower approach to "describe" and "interpret" the factors affecting organizational information leakage as it is. The research community was all information security experts in different parts of Ahvaz Airport; that by the snowball method (because it was difficult to identify the experts and the possibility of contacting and accessing them) 15 experts in the information security field of Ahvaz Airport (having relevant work experience of more than 15 years, a master's degree or higher and familiar with security issue and information leakage). In this study, the library method was used to compile the theoretical foundations of the research, the background of the research and the design of the decision tree. Then, the field method was used to distribute the five-point paired comparison questionnaire to collect data. The first questionnaire was taken from the research literature and was distributed among 15 experts using the Delphi technique. Opinions were sought from the expert group of the Delphi study, in the form of sending a structured questionnaire with a 5-point Likert scale, consisting of 22 questions, in two rounds with the participation of 15 people, in such a way that first, the first questionnaire consisting of 22 questions was sent to the members of the Delphi group. After distributing and collecting completed questionnaires and evaluating the results of this Delphi round, 5 main factors and 21 important sub-factors were identified (laws and regulations sub-factor with an average of 2.87±83 and a t value of 0.61 was not recognized as significant and was excluded from the questionnaire for the second round) and after twenty days, from the initial opinion poll, the important factors were re-evaluated in order to conduct the next round of Delphi in the form of a questionnaire with 21 questions related to the important sub-factors, the collected data It showed the confirmation of all subfactors. Finally, the data was analyzed using the hierarchical analysis method and using Expert Choice software.
Resultss and Discussion
Based on the results, 5 main factors and 21 sub-factors affecting organizational information leakage were identified. The weighting and prioritization of indicators showed that intentional individual factors (0.277) ranked first, unintentional individual factors (0.235) ranked second, organizational factors (0.188) ranked third, infrastructural factors (0.167) ranked fourth and environmental factors (0.133) ranked fifth.
Conclusion
The results showed that information leakage is a complex phenomenon that various individual, organizational, infrastructural and environmental factors are involved in its occurrence. However, the first and second rank of the intentional and unintentional dimensions of information leakage by individuals, on the one hand, indicate the complexity of the information leakage phenomenon, and on the other hand, require a review in the strategies related to human resources management in Ahvaz International Airport.
Based on the results, intentional individual factors with a weight of 0.277 were the first effective factors on information leakage in Ahvaz International Airport. Also, among intentional individual sub-factors, personal greed with a weight of 0.232 was the most important sub-factor and the experience of invasion of privacy with a weight of 0.078 was the least important sub-factor. The findings confirmed that intentional information leakage due to human factors should still be of concern to managers. Since it is not possible to abandon human factors in the organizational life cycle of information, managers should accept this challenge and look for appropriate mechanisms. In other words, despite human factors, organizations face the challenge of intentional or unintentional information leakage. Intentional leakage of information in the organization may have happened due to personal greed against organizational interests, where employees are willing to sell the organization's information to competitors for material reasons and prefer their interests over the interests of the organization. Jealousy of a company employee to colleagues or employees of competing companies, being dissatisfied with the company or feeling a grudge for any reason also causes the intentional leakage of information. Disgruntled employees may also intentionally disclose important information to unauthorized parties. Unintentional individual factors with a weight of 0.235 were the second most effective factors on information leakage in Ahvaz International Airport. Also, among unintentional individual sub-factors, negligence with a weight of 0.283 was the most important sub-factor and the use of contract and temporary employees with a weight of 0.133 was the least important sub-factor. An inadvertent leak occurs when an insider inadvertently discloses business-critical information that is not intended to be shared with third parties. Unintentional individual threat is the potential behavior of an individual who has access to the network, system or data of an organization through an accidental act or action, without malicious intent, and causes damage or significantly increases the likelihood of serious damage in the future to confidentiality, integrity Or the value of the organization's information.
Organizational factors with a weight of 0.188 were the third most effective factors on information leakage in Ahvaz International Airport. Also, among the organizational sub-factors, lack of understanding the value of information with a weight of 0.392 was the most important sub-factor and lack of proper intra-organizational communication with a weight of 0.262 was the least important sub-factor. The first is a lack of understanding of the value of information. Employees evaluate information differently depending on the hierarchical level, the type of information and the type of organizational structure. Employees' perception of the value of information is described by various researchers as an important aspect. This lack of awareness leads to the fact that the value of information is not clear, so the negative consequences of information leakage are not taken seriously by them. The second case is inappropriate organizational structure. Large companies are sensitive to data protection in the long term. Smaller companies do not have such extensive awareness. In general, organizational structure in terms of formality and existing control mechanisms may affect information leakage. The third case is the lack of proper communication within the organization. To achieve shared understanding, communication is required to convey a set of necessary values and norms that define the rules or context of interaction. Infrastructural factors with a weight of 0.167 were the fourth most effective factor on information leakage in Ahvaz International Airport. Similarly, among the infrastructure sub-factors, the weakness of information systems with a weight of 0.418 was the most important sub-factor and the presence of security holes in the network infrastructure with a weight of 0.258 was the least important sub-factor. The first is the weakness of information systems. Buying an incomplete information system and weak design of information systems may cause serious problems for organizations. Mechanisms that insiders use to perform business tasks based on their usual information systems can also be used to steal information assets. To prevent leakage and theft of information, mechanisms and protective measures against these methods should be used. The second case is improper use of physical means of data storage (hard drives, USB, CD, etc.). These days, most of the information inside the organization is stored electronically, the media of this information are hard drives, C drives. D. and U. S. etc.) are physical tools that are likely to be physically stolen. Preventing leakage with these devices requires implementing physical security measures. The third thing is the presence of security holes in the network infrastructure. The organization's networks are one of the essential parts of the organization's information technology infrastructure. There are several types of communication in the network. Internal-to-external communication includes any communication that is initiated within the boundaries of the organization and whose destination is outside the organization.
Finally, environmental factors with a weight of 0.133 were the fifth most effective factors on information leakage in Ahvaz International Airport. Also, among the environmental sub-factors, the stakeholders' request for information about security incidents with a weight of 0.416 was the most important sub-factor and the requirements of business partners with a weight of 0.259 was the least important sub-factor. One of the input sources that shape the behavior of people in an organization is the organizational environment. Employee decisions are influenced by environmental structure, the availability of environmental information, and the relevant meaning that employees assign to environmental information. The first case is the request of stakeholders to inform about security incidents. In the recent era, the demand for the type of information leakage events for companies is more intense, external and internal stakeholders are constantly concerned about maintaining a good public image of the organization. Overall, public interest in data breach incidents appears to exert pressure on organizations, while organizational responses are dynamic and appear to change over time. If stakeholder expectations are ignored and social influence is allowed to run its course, political and legal pressure will build, often leading to negative corporate outcomes. Stakeholder dissatisfaction arises when corporate actions do not meet societal expectations, and the gap between corporate actions and stakeholder expectations widens as public trust declines. Therefore, the greater the employees' understanding of information protection as a social expectation, the greater the perception of public leakage events as a threat to the company's image.
In general, the results show that information leakage is a major concern for organizations. In this context, the more the organization depends on information assets, the more relevant the concern of information leakage becomes. In such a situation, the taste of the competitors is stimulated more and more to think of the necessary mechanism to deal with it by getting the information of the organization, while being aware of the related organization's plans. Therefore, the identification of factors affecting information leakage in the form of 21 sub-factors in 5 groups provided the necessary insight to the managers of Ahvaz airport to strengthen the vulnerable points by adopting the necessary measures such as building trust, strengthening the sense of cooperation, observing professional ethics. , using motivational measures, raising awareness of the value of information, proper training of employees regarding information security, redesigning information systems, and designing targeted programs regarding information storage, sharing, and transfer.
Mohammad Hossein Marzban, Rahman Sharifzadeh, ,
Volume 12, Issue 2 (9-2025)
Volume 12, Issue 2 (9-2025)
Abstract
Introduction
This study tries to find out the human and non-human things that affect how information security culture is formed. It uses the Actor-Network Theory (ANT) to look at this. Today, information is very important for businesses, and there are more cyber threats than ever. Because of this, organizations are spending a lot on security tools. But more than 90% of big security problems come from human errors. This shows that having a strong information security culture is very important, and it works well with technical tools.
Most of the traditional ways of looking at information security culture, like the ones from Schein and Hofstede, focus mainly on people and don't consider non-human factors like technology, rules, or systems. This is a gap in the theory, so using a more complete framework like ANT helps understand how all these factors work together.
ANT looks at how humans and non-humans, such as technology, policies, and infrastructure, are treated equally in networks. It also looks at how ideas and actions change as they move through these networks. This helps understand how information security culture develops over time. The main questions this study looks at are:
What are the important human factors that help create information security culture?
What are the important non-human factors?
What role do hybrid actors—those that mix humans and technology—play in building security culture?
This research is new in theory, method, and practice. It gives a more full picture of how information security culture works by bringing together different kinds of factors.
Methods and Materoal
This study used a qualitative method based on the interpretivist viewpoint. In this approach, there isn’t one true reality—instead, reality is shaped by people’s experiences and how they see things, and it changes depending on the situation. The researcher isn’t just watching from the side; they help build understanding together with the people involved.
The research focused on the Central Bank of the Islamic Republic of Iran because it was seen as the best place to study information security culture. This is because this organisation plays a key role in setting cybersecurity rules for the banking system, faces many complex security threats, and handles highly sensitive financial information. Within this organization, the ongoing balance between strong security policies and the need for new technology created a good setting to look at how people and technology work together.
Data for this study was gathered using semi-structured interviews with 25 managers, experts, and important users. These people were chosen through purposive and snowball sampling until no new ideas were coming up. They were picked because they had at least five years of work experience and were directly involved with security matters in big projects within the organization. The interview questions were based on five main topics, looking through the idea of actor-network theory. These topics covered roles, how people interact with technology, things that influence the culture, current problems, and how policies and technology affect how employees behave.
To make the data more complete and credible, we also observed employees' actual behavior on the job and studied documents like security policies, internal reports, and guidelines. Using multiple sources of data in this way helped compare information and cut down on possible biases. The data was analyzed in six steps using the Brown and Clarke content analysis method and the MAXQDA version 2024 software. To make sure the results were accurate and reliable, we also used the participant review technique. The study followed ethical guidelines, including getting informed consent and keeping participants' information private.
Results and Discussion
This study shows that information security culture comes from the ongoing interaction between people and other factors. Among the people involved, three main groups were found: senior managers, who make important decisions, set standards, and allocate resources; regular employees, who carry out daily tasks and are the first line of defense in security, and whose responsibility and quick reporting affect how well security policies work; and technical teams, who help turn policies into action, handle security problems, and provide ongoing training to users.
Among the human challenges, there were several key issues like the mismatch between security rules and how work is done, high work pressure, people not wanting to change their habits, and the balance between user comfort and system security. Also, psychological factors such as the need for trust, being open and honest, and having a personal drive to do the right thing were important in building a security culture. These learning and culture-building efforts were supported by ongoing training, encouraging people to report problems without fear of being punished, and sharing responsibility as a team.
In the section about non-human actors, five main groups were found: policies and standards like ISO 27001 that set rules and guidelines; security tools such as SIEM, DLP, and multi-factor authentication that help watch over systems and influence how people behave; technical systems like networks and hardware; written guides and rules that explain how humans and technology work together; and organizational steps like reporting and feedback processes.
A major part of this study found that there are hybrid actors that exist between humans and non-human elements. These actors include things like multi-factor authentication systems that slowly become part of how people work; policies that use technology to control actions, like automatic limits on copying data; and processes within organizations that help learn about security, such as using attack simulation tools. These hybrid actors show that the line between people and technology in information security culture is not fixed. To improve security culture, it's important to focus on both human and technological aspects at the same time.
When we compare these findings to traditional models, we see that traditional models are mostly focused on humans and see technology as just a tool. However, the actor-network approach treats both humans and non-humans as equal parts of a network. This gives a more connected and changing view of information security culture. In this view, culture isn't something fixed—it comes from the ongoing interactions and discussions between all the different actors involved.
Conclusion
This study finds that information security culture is formed by the dynamic interaction of human and non-human actors.
Key Human Actors:
This study tries to find out the human and non-human things that affect how information security culture is formed. It uses the Actor-Network Theory (ANT) to look at this. Today, information is very important for businesses, and there are more cyber threats than ever. Because of this, organizations are spending a lot on security tools. But more than 90% of big security problems come from human errors. This shows that having a strong information security culture is very important, and it works well with technical tools.
Most of the traditional ways of looking at information security culture, like the ones from Schein and Hofstede, focus mainly on people and don't consider non-human factors like technology, rules, or systems. This is a gap in the theory, so using a more complete framework like ANT helps understand how all these factors work together.
ANT looks at how humans and non-humans, such as technology, policies, and infrastructure, are treated equally in networks. It also looks at how ideas and actions change as they move through these networks. This helps understand how information security culture develops over time. The main questions this study looks at are:
What are the important human factors that help create information security culture?
What are the important non-human factors?
What role do hybrid actors—those that mix humans and technology—play in building security culture?
This research is new in theory, method, and practice. It gives a more full picture of how information security culture works by bringing together different kinds of factors.
Methods and Materoal
This study used a qualitative method based on the interpretivist viewpoint. In this approach, there isn’t one true reality—instead, reality is shaped by people’s experiences and how they see things, and it changes depending on the situation. The researcher isn’t just watching from the side; they help build understanding together with the people involved.
The research focused on the Central Bank of the Islamic Republic of Iran because it was seen as the best place to study information security culture. This is because this organisation plays a key role in setting cybersecurity rules for the banking system, faces many complex security threats, and handles highly sensitive financial information. Within this organization, the ongoing balance between strong security policies and the need for new technology created a good setting to look at how people and technology work together.
Data for this study was gathered using semi-structured interviews with 25 managers, experts, and important users. These people were chosen through purposive and snowball sampling until no new ideas were coming up. They were picked because they had at least five years of work experience and were directly involved with security matters in big projects within the organization. The interview questions were based on five main topics, looking through the idea of actor-network theory. These topics covered roles, how people interact with technology, things that influence the culture, current problems, and how policies and technology affect how employees behave.
To make the data more complete and credible, we also observed employees' actual behavior on the job and studied documents like security policies, internal reports, and guidelines. Using multiple sources of data in this way helped compare information and cut down on possible biases. The data was analyzed in six steps using the Brown and Clarke content analysis method and the MAXQDA version 2024 software. To make sure the results were accurate and reliable, we also used the participant review technique. The study followed ethical guidelines, including getting informed consent and keeping participants' information private.
Results and Discussion
This study shows that information security culture comes from the ongoing interaction between people and other factors. Among the people involved, three main groups were found: senior managers, who make important decisions, set standards, and allocate resources; regular employees, who carry out daily tasks and are the first line of defense in security, and whose responsibility and quick reporting affect how well security policies work; and technical teams, who help turn policies into action, handle security problems, and provide ongoing training to users.
Among the human challenges, there were several key issues like the mismatch between security rules and how work is done, high work pressure, people not wanting to change their habits, and the balance between user comfort and system security. Also, psychological factors such as the need for trust, being open and honest, and having a personal drive to do the right thing were important in building a security culture. These learning and culture-building efforts were supported by ongoing training, encouraging people to report problems without fear of being punished, and sharing responsibility as a team.
In the section about non-human actors, five main groups were found: policies and standards like ISO 27001 that set rules and guidelines; security tools such as SIEM, DLP, and multi-factor authentication that help watch over systems and influence how people behave; technical systems like networks and hardware; written guides and rules that explain how humans and technology work together; and organizational steps like reporting and feedback processes.
A major part of this study found that there are hybrid actors that exist between humans and non-human elements. These actors include things like multi-factor authentication systems that slowly become part of how people work; policies that use technology to control actions, like automatic limits on copying data; and processes within organizations that help learn about security, such as using attack simulation tools. These hybrid actors show that the line between people and technology in information security culture is not fixed. To improve security culture, it's important to focus on both human and technological aspects at the same time.
When we compare these findings to traditional models, we see that traditional models are mostly focused on humans and see technology as just a tool. However, the actor-network approach treats both humans and non-humans as equal parts of a network. This gives a more connected and changing view of information security culture. In this view, culture isn't something fixed—it comes from the ongoing interactions and discussions between all the different actors involved.
Conclusion
This study finds that information security culture is formed by the dynamic interaction of human and non-human actors.
Key Human Actors:
- Senior Managers: Make decisions and allocate resources.
- Employees: The first line of defense; their responsibility and reporting are crucial.
- Technical Teams: Implement policies and provide training.
Key Non-Human Actors:
- Policies and standards (e.g., ISO 27001).
- Security tools (e.g., SIEM, DLP, multi-factor authentication).
- Technical infrastructure and written guides.
Crucial Finding: Hybrid Actors
The study highlights "hybrid actors" that blur the line between people and technology, such as:
The study highlights "hybrid actors" that blur the line between people and technology, such as:
- Multi-factor authentication becoming a routine part of work.
- Automated policies that enforce rules.
- Attack simulation tools used for training.
So, unlike traditional human-focused models, this study uses an actor-network approach, treating humans and non-humans as equal partners. In this view, security culture is not fixed but is constantly created through the interactions between all these actors. Therefore, improving it requires addressing both human and technological aspects simultaneously.
Dr Mostafa Mohseni Sani, Athena Akbari Birjandi,
Volume 12, Issue 3 (12-2025)
Volume 12, Issue 3 (12-2025)
Abstract
Background and Objective: The present study was conducted with the aim of investigating the role of new technologies in improving data governance and enhancing information security in the country's Land and Property Registration Organization. The increasing importance of data in institutional decision-making and the need to harmonize with international standards double the need to address this issue.
Research Method: This study was qualitative and conducted with a grounded theory approach. The statistical population included managers and experts of the Land and Property Registration Organization, and data were collected through semi-structured interviews with 12 people. The coding process was carried out in three stages: open, axial, and selective, and participant review and comparison with international research were used to validate the data.
Findings: Data analysis showed that the main challenges include weak technological infrastructure, fragmentation of systems, legal gaps, security concerns, and cultural resistance of employees. In contrast, opportunities such as increasing transparency, reducing document forgery, promoting public trust, and improving service efficiency were identified. The findings were consistent with international studies, including the OECD’s emphasis on the link between technology and organizational culture, and the experiences of Sweden and Georgia in using blockchain in the registration system.
Conclusion: The Iranian Document Registration Organization has taken steps such as digitization and piloting blockchain, but it still faces legal, security, and institutional shortcomings. Achieving data-driven governance and increasing security requires a combination of institutional reforms, technological investment, and promoting a data-driven culture.
| Page 1 from 1 |
Related Websites
Site Keywords
نشریه, Academic Journal, Scientific Article, کلمه شماره یک, کلمه شماره یک, کلمه شماره یک, کلمه شماره یک, کلمه شماره دو, کلمه شماره یک, کلمه دوVote
© 2025 CC BY-NC 4.0 | Human Information Interaction
Designed & Developed by : Yektaweb