Guest editorial

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 16 October 2007

Citation

Furnell, S. and Clarke, N. (2007), "Guest editorial", Information Management & Computer Security, Vol. 15 No. 5. https://doi.org/10.1108/imcs.2007.04615eaa.001

Publisher: Emerald Group Publishing Limited

Copyright © 2007, Emerald Group Publishing Limited


The first two papers in this issue give a global perspective on information management issues. Lazarides examines the gaps in legislators' and practitioners' approaches to information system design and implementation in Greece. Meanwhile, the paper from Kini considers Chile as an ICT outsourcing destination, analyzing the strategy adopted by Chilean companies to evaluate the need for ICT outsourcing.

The remaining papers are security-focused, and have been selected for inclusion from the International Symposium on Human Aspects of Information Security & Assurance (HAISA 2007), which took place in Plymouth, UK, on 10 July 2007. The theme of the event reflected that a significant aspect of protection comes down to the attitudes, awareness, behaviour and capabilities of the people involved. Indeed, people at all levels need to understand security concepts, how the issues may apply to them, and how to use the available technology to protect their systems. In addition, the technology itself can make a contribution by reducing the demands upon users, simplifying protection measures, and automating a variety of safeguards. With these points in mind, the symposium included papers concerning methods to inform and guide users' understanding of security, as well as technologies that can benefit and support them in achieving protection.

Six papers have been selected from those presented at the symposium, based upon the strength of the original review comments and associated recommendations from the reviewers. In preparing the versions for the journal, the authors were given the opportunity to revise their papers to reflect discussions at the conference, as well as any further developments in their work since the original submissions.

The paper from Pattinson and Anderson examines how an individual's perception of the risks can influence the likelihood and extent of their engaging in risk-taking behaviour when using a computer, and considers how the use of graphics and symbols can help to convey risk messages more effectively. Nohlberg and Bäckström apply user-centered security development to produce a prototype graphical interface to present security-related information to upper-level management users, leading to the development of three resultant design heuristics. Atkinson et al. examine the online privacy risks for vulnerable groups, and present a prototype tool that aims to inform related users about areas of potential harm in their online behaviour. Herzog and Shahmehri identify the problems that can face lay users when they are required to set up security policies, and present guidelines for enhancing the usability and security of software in which policy decisions are delegated to such users. Sveen et al. examine the viability of incident reporting systems, recognizing that incident volumes and difficulties in differentiating priority can affect people's ability to report effectively. The discussion is supported by consideration of four different incident reporting policies, which are examined via simulation scenarios. The final paper, from Beznosov and Beznosova, argues that while the vast majority of security research has focused upon technical advances, attackers are increasingly exploiting human and social factors. This imbalance highlights the need for a broadening of the computer security research agenda.

Further details of the HAISA symposium, including information about the 2008 event, can be found at: www.haisa.org

Steven Furnell and Nathan Clarke
Guest Editors and HAISA Co-chairs