Auditing the Human Factor as a Part of Setting up an Information Security Management System
Independent thesis, Advanced level (professional degree), 20 credits / 30 HE credits. Student thesis.
The human factor is the weakest link in the security of all information systems, yet users are not aware of the risks or of the importance of following policies and routines to prevent a security breach. The most common attack vector starts by exploiting this human weakness to plant malware inside the organization. There is a need to find a good way to audit the human factor to address this issue. Different penetration tests are evaluated in this study: two phishing attacks and one in the form of a survey under a false pretext. The respondents are tricked into thinking that they are answering questions about customer service efficiency, while the questions are actually about information security and social engineering.
This thesis argues that it is very complicated to measure people's predisposition to fall for social engineering, but that the survey under a false pretext is an interesting method to use when auditing how vulnerable an organization is to social engineering. It is also good at increasing security awareness and can be used as a soft start for the information security management process. The author also argues that all humans can be deceived and that trust is crucial for society to work. It is therefore perhaps more meaningful to audit the users' compliance with security policies rather than human behaviour.
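The argument above, that predisposition is hard to measure while policy compliance is a more tractable audit target, can be made concrete with the kind of scoring a practitioner runs over phishing-simulation results. The following is an added example and not code from the thesis; the campaign records, the department names and the assumption that the relevant policy is "report suspicious mail" are all constructed here for illustration. It reports per-department click rates with Wilson confidence intervals, so the width of the interval at small sample sizes shows why a click rate alone says little about individual susceptibility, and alongside it reports the compliance measure (who reported the mail) that the thesis suggests auditing instead.

```python
import math
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class PhishResult(NamedTuple):
    """One user's outcome in a simulated phishing campaign."""
    user: str
    dept: str
    opened: bool      # opened the mail
    clicked: bool     # followed the link
    submitted: bool   # entered credentials on the landing page
    reported: bool    # reported the mail through the official channel


# Constructed sample campaign (not real data, not from the thesis).
RESULTS: List[PhishResult] = [
    PhishResult("alice", "finance", True, True, True, False),
    PhishResult("bob", "finance", True, False, False, True),
    PhishResult("carol", "finance", True, True, False, True),
    PhishResult("dave", "finance", False, False, False, False),
    PhishResult("erin", "it", True, False, False, True),
    PhishResult("frank", "it", True, False, False, True),
    PhishResult("grace", "it", True, True, False, False),
    PhishResult("heidi", "it", False, False, False, True),
]


def wilson_interval(k: int, n: int, z: float = 1.96) -> Tuple[float, float]:
    """95% Wilson score interval for k successes out of n trials.

    Unlike the naive p +/- z*sqrt(p(1-p)/n), this stays inside [0, 1] and
    does not collapse to zero width when k is 0 or n, which is exactly the
    small-sample situation a single phishing round produces.
    """
    if n == 0:
        return (0.0, 0.0)
    p = k / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def summarize(results: List[PhishResult]) -> Dict[str, dict]:
    """Per-department behaviour metric (clicks) and compliance metric (reports).

    Assumption for this example: the organisation's policy requires users to
    report suspicious mail, so `reported` is the policy-compliance signal.
    A user who clicked but still reported is counted as compliant, because
    the audit target is adherence to the routine, not the momentary lapse.
    """
    by_dept: Dict[str, List[PhishResult]] = defaultdict(list)
    for r in results:
        by_dept[r.dept].append(r)

    summary: Dict[str, dict] = {}
    for dept, rows in sorted(by_dept.items()):
        n = len(rows)
        clicked = sum(r.clicked for r in rows)
        submitted = sum(r.submitted for r in rows)
        reported = sum(r.reported for r in rows)
        lo, hi = wilson_interval(clicked, n)
        summary[dept] = {
            "n": n,
            "clicked": clicked,
            "submitted": submitted,
            "reported": reported,
            "click_rate": clicked / n,
            "click_ci95": (lo, hi),
            "report_rate": reported / n,
        }
    return summary


if __name__ == "__main__":
    for dept, s in summarize(RESULTS).items():
        lo, hi = s["click_ci95"]
        print(f"{dept:8s} n={s['n']} click={s['click_rate']:.2f} "
              f"(95% CI {lo:.2f}-{hi:.2f}) report={s['report_rate']:.2f}")
```

With four users per department the click-rate interval spans most of the unit range, which is the measurement problem the thesis describes: one round of phishing cannot distinguish a 20% from an 80% susceptible population at that scale. The report rate is a direct observation of whether the routine was followed, which is why it is the more auditable quantity.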
Place, publisher, year, edition, pages
2013, 30 p.
EES Examensarbete / Master Thesis, XR-EE_ICS 2013:001
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:kth:diva-119528
OAI: oai:DiVA.org:kth-119528
DiVA: diva2:611457
Master of Science in Engineering - Electrical Engineering
Ekstedt Lövehagen, Mathias, Senior Lecturer (universitetslektor)