Biblio

This research covers the problem related to user behavior and its relationship with the protection of computer assets in terms of confidentiality, integrity, and availability. The main objective was to evaluate the relationship between the dimensions of awareness, compliance and appropriation of the information security culture and the asset protection variable, the ISCA diagnostic instrument was applied, and social engineering techniques were incorporated for this process. The results show the levels of awareness, compliance and appropriation of the university that was considered as a case study, these oscillate between the second and third level of four levels. Similarly, the performance regarding asset protection ranges from low to medium. It was concluded that there is a significant relationship between the variables of the investigation, verifying that of the total types of incidents registered in the study case, approximately 69% are associated with human behavior. As a contribution, an information security culture model was formulated whose main characteristic is a complementary diagnostic process between surveys and social engineering techniques, the model also includes the information security management system, risk management and security incident handling as part of the information security culture ecosystem in an enterprise.

In the process of diagnosing the culture of information security in an organization, it is considered two methods, the first one is the application of an ISCA (Information Security Culture Assessment) survey questionnaire and the second one based on social engineering techniques such as phishing, answering the question, How can a diagnosis be made effectively of the level of information security culture within an organization? with the objective of determining which of the two methods is the most effective and realistic for the diagnosis of the information security culture. This helps to understand and have a real and complete perception of the behavior and reaction of the users against the attacks of threat actors who make use of persuasion and manipulation tactics in order to obtain confidential or sensitive information. A description of these two methods is applied to a case study (public university). As a result, it is obtained that it is not enough to perform a diagnosis based on questionnaires because they can be relatively subjective in the sense of the way in which users respond to questions or statements. Evidence of controlled social engineering attacks that demonstrate in more detail the real behavior of users should be considered. Based on this more complete knowledge, appropriate strategies can be formulated for the change or strengthening of the security culture that ultimately contributes to the purpose of protecting information assets.