Human Aspects of Information Assurance: A Questionnaire-based Quantitative Approach to Assessment

In work previously done by the authors, various human aspects of Information Assurance were identified. These comprise Social and Psychological aspects, the effects of Psycho-social risk at the workplace, the application of Influence techniques, user response to Social Engineering Methods and choices based on Economic considerations. Even though these aspects have been shown to gravely affect Information Assurance, the current level of their incorporation in the Plan-Do-Check-Act virtuous cycle of Information Security Management Systems, leaves a lot to be desired. In order to combine the findings of previous research and effectively provide quantified input that is usable in the context of an Information Security Management System (ISMS), an appropriate methodology must be introduced. This paper sets the framework and constraints for the methodology and by examining the merits and shortcomings of existing work in the field, proposes a questionnaire-based quantitative methodology that meets the set requirements. This will ultimately provide a tool for rapid, consistent and repeatable assessment of the Information Assurance level, as this is affected by the identified human aspects of Information Assurance.