Human Information Interaction

fa شناسایی مؤلفه‌های انسانی-غیرانسانی فرهنگ امنیت اطلاعات: یک مطالعه کیفی مبتنی بر نظریه کنشگر-شبکه (ANT) Identifying the Human-Nonhuman Components of Information Security Culture: A Qualitative Study Based on Actor-Network Theory (ANT) تخصصي Special پژوهشي Research <div style="text-align: justify;">هدف: با تبدیل‌شدن اطلاعات به ارزشمندترین دارایی سازمان‌ها و افزایش پیچیدگی تهدیدات سایبری، سرمایه‌گذاری کلانی بر راهکارهای امنیتی صورت گرفته است. بااین‌حال، شواهد نشان می‌دهد که بیش از ۹۰ درصد نقض‌های امنیتی عمده ریشه در خطاهای انسانی دارد. این امر، اهمیت پرداختن به «فرهنگ امنیت اطلاعات» را به‌عنوان مکمل ضروری راهکارهای فنی، بیش‌ازپیش آشکار می‌سازد. مدل‌های سنتی فرهنگ امنیت اطلاعات (مانند مدل‌های شاین و هافستد) عمدتاً انسان‌محور بوده و نقش کنشگران غیرانسانی را نادیده می‌گیرند. این شکاف نظری، ضرورت به‌کارگیری چارچوب‌های جامعی مانند نظریه کنشگر-شبکه (ANT) را برای درک تعامل پویای تمامی عوامل مؤثر ایجاب می‌کند. این مطالعه باهدف پرکردن این شکاف و شناسایی مؤلفه‌های انسانی و غیرانسانی مؤثر در فرهنگ امنیت اطلاعات در یک سازمان مالی حیاتی انجام شد. روش پژوهش: پژوهش حاضر به روش کیفی تفسیرگرایانه و با تحلیل مصاحبه‌های نیمه‌ساختاریافته با ۲۵ مدیر، کارشناس و کاربر در بانک مرکزی ایران، همراه با مشاهده میدانی و بررسی اسناد انجام شد. یافته‌ها: نتایج نشان داد فرهنگ امنیتی حاصل تعامل پویای سه گروه انسانی است: ۱)مدیران ارشد (تصمیم‌گیران راهبردی)، ۲)کارکنان (اجراکنندگان رفتارهای روزمره) و ۳)تیم‌های فنی (ترجمه‌کنندگان سیاست‌ها به اقدامات عملی). همچنین، پنج دسته کنشگر غیرانسانی شناسایی شد: سیاست‌ها (مثل ISO 27001)، فناوری‌ها (نظیر SIEM و MFA)، زیرساخت‌ها، اسناد و فرآیندهای سازمانی. نکته کلیدی، نقش کنشگران هیبریدی (ترکیب انسان-فناوری) مانند سیستم‌های احراز هویت بود که رفتار کاربران را تغییر می‌دهند. نتیجه‌گیری: در مقایسه با مدل‌های خطی، این پژوهش ثابت کرد بهبود فرهنگ امنیتی نیازمند طراحی شبکه‌ای است که تعامل متقابل تمام کنشگران را مدنظر قرار دهد. پیشنهادها شامل توسعه فناوری‌های کاربرپسند، الگوسازی مدیران، و ادغام امنیت در فرآیندهای کاری است. این چارچوب برای سازمان‌های مالی و حاکمیتی که با چالش‌های مشابه روبرو هستند، کاربرد دارد.</div> <div style="text-align: justify;">Introduction This study tries to find out the human and non-human things that affect how information security culture is formed. It uses the Actor-Network Theory (ANT) to look at this. Today, information is very important for businesses, and there are more cyber threats than ever. Because of this, organizations are spending a lot on security tools. But more than 90% of big security problems come from human errors. This shows that having a strong information security culture is very important, and it works well with technical tools. Most of the traditional ways of looking at information security culture, like the ones from Schein and Hofstede, focus mainly on people and don't consider non-human factors like technology, rules, or systems. This is a gap in the theory, so using a more complete framework like ANT helps understand how all these factors work together. ANT looks at how humans and non-humans, such as technology, policies, and infrastructure, are treated equally in networks. It also looks at how ideas and actions change as they move through these networks. This helps understand how information security culture develops over time. The main questions this study looks at are: What are the important human factors that help create information security culture? What are the important non-human factors? What role do hybrid actors—those that mix humans and technology—play in building security culture? This research is new in theory, method, and practice. It gives a more full picture of how information security culture works by bringing together different kinds of factors. Methods and Materoal This study used a qualitative method based on the interpretivist viewpoint. In this approach, there isn’t one true reality—instead, reality is shaped by people’s experiences and how they see things, and it changes depending on the situation. The researcher isn’t just watching from the side; they help build understanding together with the people involved. The research focused on the Central Bank of the Islamic Republic of Iran because it was seen as the best place to study information security culture. This is because this organisation plays a key role in setting cybersecurity rules for the banking system, faces many complex security threats, and handles highly sensitive financial information. Within this organization, the ongoing balance between strong security policies and the need for new technology created a good setting to look at how people and technology work together. Data for this study was gathered using semi-structured interviews with 25 managers, experts, and important users. These people were chosen through purposive and snowball sampling until no new ideas were coming up. They were picked because they had at least five years of work experience and were directly involved with security matters in big projects within the organization. The interview questions were based on five main topics, looking through the idea of actor-network theory. These topics covered roles, how people interact with technology, things that influence the culture, current problems, and how policies and technology affect how employees behave. To make the data more complete and credible, we also observed employees' actual behavior on the job and studied documents like security policies, internal reports, and guidelines. Using multiple sources of data in this way helped compare information and cut down on possible biases. The data was analyzed in six steps using the Brown and Clarke content analysis method and the MAXQDA version 2024 software. To make sure the results were accurate and reliable, we also used the participant review technique. The study followed ethical guidelines, including getting informed consent and keeping participants' information private. Results and Discussion This study shows that information security culture comes from the ongoing interaction between people and other factors. Among the people involved, three main groups were found: senior managers, who make important decisions, set standards, and allocate resources; regular employees, who carry out daily tasks and are the first line of defense in security, and whose responsibility and quick reporting affect how well security policies work; and technical teams, who help turn policies into action, handle security problems, and provide ongoing training to users. Among the human challenges, there were several key issues like the mismatch between security rules and how work is done, high work pressure, people not wanting to change their habits, and the balance between user comfort and system security. Also, psychological factors such as the need for trust, being open and honest, and having a personal drive to do the right thing were important in building a security culture. These learning and culture-building efforts were supported by ongoing training, encouraging people to report problems without fear of being punished, and sharing responsibility as a team. In the section about non-human actors, five main groups were found: policies and standards like ISO 27001 that set rules and guidelines; security tools such as SIEM, DLP, and multi-factor authentication that help watch over systems and influence how people behave; technical systems like networks and hardware; written guides and rules that explain how humans and technology work together; and organizational steps like reporting and feedback processes. A major part of this study found that there are hybrid actors that exist between humans and non-human elements. These actors include things like multi-factor authentication systems that slowly become part of how people work; policies that use technology to control actions, like automatic limits on copying data; and processes within organizations that help learn about security, such as using attack simulation tools. These hybrid actors show that the line between people and technology in information security culture is not fixed. To improve security culture, it's important to focus on both human and technological aspects at the same time. When we compare these findings to traditional models, we see that traditional models are mostly focused on humans and see technology as just a tool. However, the actor-network approach treats both humans and non-humans as equal parts of a network. This gives a more connected and changing view of information security culture. In this view, culture isn't something fixed—it comes from the ongoing interactions and discussions between all the different actors involved. Conclusion This study finds that information security culture is formed by the dynamic interaction of human and non-human actors. Key Human Actors:</div> <ul> <li style="margin-left: 56px; text-align: justify;">Senior Managers: Make decisions and allocate resources.</li> <li style="margin-left: 56px; text-align: justify;">Employees: The first line of defense; their responsibility and reporting are crucial.</li> <li style="margin-left: 56px; text-align: justify;">Technical Teams: Implement policies and provide training.</li> </ul> <div style="text-align: justify;">Key Non-Human Actors:</div> <ul> <li style="margin-left: 56px; text-align: justify;">Policies and standards (e.g., ISO 27001).</li> <li style="margin-left: 56px; text-align: justify;">Security tools (e.g., SIEM, DLP, multi-factor authentication).</li> <li style="margin-left: 56px; text-align: justify;">Technical infrastructure and written guides.</li> </ul> <div style="text-align: justify;">Crucial Finding: Hybrid Actors The study highlights "hybrid actors" that blur the line between people and technology, such as:</div> <ul> <li style="margin-left: 56px; text-align: justify;">Multi-factor authentication becoming a routine part of work.</li> <li style="margin-left: 56px; text-align: justify;">Automated policies that enforce rules.</li> <li style="margin-left: 56px; text-align: justify;">Attack simulation tools used for training.</li> </ul> <div style="text-align: justify;">So, unlike traditional human-focused models, this study uses an actor-network approach, treating humans and non-humans as equal partners. In this view, security culture is not fixed but is constantly created through the interactions between all these actors. Therefore, improving it requires addressing both human and technological aspects simultaneously.  </div> فرهنگ امنیت اطلاعات, نظریه کنشگر-شبکه (انت), کنشگر انسانی, کنشگر غیرانسانی, امنیت سایبری Information security culture, actor-network theory (ANT), human actor, non-human actor, cybersecurity. 46 70 http://hii.khu.ac.ir/browse.php?a_code=A-10-1070-1&slc_lang=fa&sid=1 mohammad hossein marzban محمد حسین مرزبان mo.marzban@iau.ac.ir 10031947532846006140 10031947532846006140 No Department of Information Technology Management, Science and Research Branch, Islamic Azad University, Tehran, Iran گروه مدیریت فناوری اطلاعات، دانشکده مدیریت و اقتصاد، واحد علوم و تحقیقات، دانشگاه آزاد اسلامی، تهران، ایران. rahman sharifzadeh رحمان شریف زاده sharifzadeh@irandoc.ac.ir 10031947532846006141 10031947532846006141 Yes Iranian Research Institute for Information Sceince snd Technology (IranDoc), Tehran, Iran. پژوهشکده جامعه و اطلاعات، گروه پژوهشی اخلاق و حقوق اطلاعات، پژوهشگاه علوم و فناوری اطلاعات ایران (ایران داک) علیرضا پورابراهیمی poorebrahimi@gmail.com 10031947532846006142 10031947532846006142 No Department of Industrial Management, Karaj Branch, Islamic Azad University, Karaj, Iran. گروه مدیریت صنعتی، دانشکده مدیریت و حسابداری، واحد کرج، دانشگاه آزاد اسلامی، کرج، ایران