Presenter Information

Bin Mai, Texas A&M University

Abstract

In this opinion paper, we first review the evolution of information security research, and summarize it as three waves of information security evolution: the first wave is technology-centric, which aimed to create technical artifacts of information security; the second wave is economics-centric, which aimed to design economic mechanisms to incentivize users' optimal information security behaviors; and the emerging third wave, which is human-centric. In this wave, the focal point of interest is human decision making in information security scenarios, and a wide variety of factors that would influence human decision making in reality are incorporated in the study of human-centric information security. Based on this understanding, we propose an Integrated Model of Human-Centric Information Security (iMOHCIS), which systematically incorporates various factors that influence human brain functions, and illustrates how human brain activities result in actual information security behaviors. Furthermore, we extend the iMOHCIS in two dimensions: qualitative and quantitative. In the qualitative extension, we consider the decision makers to be either friendly or adversarial to each other; in the quantitative extension, we consider the decision maker's individual behavior versus group behavior. We are convinced that iMOHCIS and its extension capture the essence of the emerging human-centric information security, provide a comprehensive framework for understanding human-centric information security, and generate a systematic approach to identifying significant research opportunities.


Emergence of Human-Centric Information Security and an Integrated Model
