The Concept of a Subsystem to Support the Management of the Protection of Intangible Assets of Companies from a Behavioural Perspective

Paweł Kobis
European Conference on Knowledge Management. Published 2023-09-05. DOI: 10.34190/eckm.24.1.1494 (https://doi.org/10.34190/eckm.24.1.1494)

Abstract

The human factor is the biggest challenge for enterprises in providing the expected level of security, whereas the lack of educated personnel is one of the key problems in building an effective system for protection against data and information threats. A human being is a non-programmable element of the system, and it is difficult to predict his or her behavior in information management processes and in the face of a specific event. Humans cannot be programmed like some security applications or hardware solutions with predictable performance. Human actions very often have a stochastic effect on the operation of the system. They can be ill-considered, haphazard, affected by emotions, and taken without due attention and adequate knowledge and experience (Pham et al., 2019). All these imperfections are exploited by those whose goal is to destroy or obtain information. According to data published by several information security companies, attacks carried out by purpose-built bots and web applications that exploit a technical factor (e.g., system vulnerabilities) are becoming increasingly rare and are being replaced by attacks in which human interaction is a key factor. Curiosity and trust, which lead well-meaning individuals to click, install, open, and send information, are being exploited by cybercriminals who are increasingly adept at using social engineering techniques.

The aim of the present paper is to discuss the theoretical basis of information security issues from the behavioral perspective and to present the concept of a subsystem that implements measures to minimize the impact of the human factor on the emergence of threats to the intangible resources of a business entity. The concept is to create an information and organizational space to support the operation of the traditional information security management system in small and medium-sized enterprises. The concept is presented using the object-oriented approach, which focuses on the functional elements of the system, and the subject-oriented approach, which takes into account the relationships between the various individuals who affect the security of the information system. The author's models of each approach were presented along with a description of how they work.