ABSTRACT

Information security is not just about technology. A high level of information security is obtained through the interplay between technology, organizations, and humans. The technology itself is, of course, the basis for information security, but it has to accommodate human, organizational, and societal needs in order to be successful. It is part of a socio-technical dynamic system governed and controlled by laws and regulations, standards, guidelines, and norms for informal behavior that are acquired through education and experience. A web of actors is involved at all levels, from governmental and private agencies and enterprises down to the individual user at the workplace. Threats and security risks originate in both technical and human factors. For the human factors, we distinguish between accidental events, such as people violating information security through carelessness, ignorance, or misunderstanding, and, on the other hand, deliberate actions motivated by malicious intentions. We need methods for information security risk identification, assessment, and evaluation in order to protect information security performance.