Information security management systems – a behavioral analysis

Authors

  • Rafael Almeida de Paula, Universidade de Brasília
  • Jorge Mendes de Oliveira-Castro, Universidade de Brasília

DOI:

https://doi.org/10.32870/ac.v31i1.85001

Keywords:

manage, information, security, behavior, user

Abstract

The treatment of risks related to employee behavior represents a major challenge in the implementation of information security management systems. The main measure adopted by organizations is the definition of information security policies. However, most studies in the literature are restricted to the formal aspects of policy elaboration or approach awareness programs as instruments for policy implementation. In this work, a new model is proposed to deal with these risks, based on the theoretical framework established by behavior analysis, especially the theory presented by the Behavior Analysis of Law, which proposes an interpretation of the legal system that combines the theory of operant behavior with the theory of functionally specialized social systems.
This research was divided into two phases: the first was the behavioral analysis of an information security policy, which includes the description and analysis of the contingencies planned in the normative document; the second was the behavioral analysis of an information security norm as a set of interlocked behavioral patterns aimed at coercive control of unwanted behaviors. Applied in a Brazilian government agency, the model produced results that point to a new path, based on the behavioral analysis of information security management systems, for risk mitigation in organizations: identifying flaws and inconsistencies and proposing new measures, based on principles of behavior analysis and subject to empirical verification, aimed at improving these management systems.

Published

2023-03-03

How to Cite

Almeida de Paula, R., & Mendes de Oliveira-Castro, J. (2023). Information security management systems – a behavioral analysis. Acta Comportamentalia, 31(1). https://doi.org/10.32870/ac.v31i1.85001

Issue

Section

Articles