Abstract
Over the past years, there has been a significant increase in the use of and reliance on information systems to communicate and accomplish daily tasks. Although this increasing reliance has benefits, it also brings various challenges. Most of those information systems, typically operated by organizations in different environments, are sociotechnical systems: users leverage technology to communicate and thereby form social systems. Additionally, many of those systems are interconnected. One of the challenges of the increasing reliance on those systems is securing them. For various reasons, e.g. emerging technologies and first-mover advantage, security-related incidents, shifts in the organization's culture, and unclear boundaries due to the interconnection, it can be challenging to secure such systems. Given the trust that society and users place in those systems, along with the resilience and adaptability that social systems exhibit, this thesis researches and proposes a framework in which organizations can be analyzed as social systems and form their security policy based on this analysis. The framework aims to provide resilience and adaptability as part of the security policy. It will also enable security departments to inspect the organization and the environment it operates in, track changes, and update the security policy as needed. Finally, given that there are incidents either not detected or not addressed by security teams (e.g. service availability) and security-related work not done by security departments (e.g. maintaining various services), this research aims to allow non-security teams to leverage that framework and update the security policy as needed after each incident.
Advisory Committee
Kameas A. (Supervisor), Stamatiou I., Papageorgiou D.
