Information security management is the task of establishing, implementing, monitoring, reviewing and improving controls in an organization to ensure that its cybersecurity and business goals are met. It means meeting legal requirements, contractual agreements and national or international standards while at the same time supporting business goals. Consequently, research on information security management can address one or more of these controls. Central issues in information security management include employees' awareness of cybersecurity threats, risks and controls, and the reasons why employees do not comply with existing rules. Indeed, employees' lack of awareness and non-compliance with existing rules is a key explanation for cybersecurity breaches, and it is a perennial problem for organizations. These aspects are therefore a central focus of this theme and are of high importance for strengthening cyber defence, in the domain of critical infrastructures, which are under increased cyber threat, but also in other work environments.

Moreover, this theme also deals with human factors related to security administration and is thus related to technical security management. Humans are considered the weakest link in security and are often the target of cyberattacks, including social engineering and ransomware attacks. The human factors of end users, but also of security administrators and developers, need to be considered when designing secure solutions. In particular, misconfigurations of security and privacy controls are a well-known cause of cybersecurity breaches. This theme will therefore conduct interdisciplinary research addressing the usability of security and privacy controls and of their configuration. Research topics to be addressed in T3 include, for instance, the usability of SIEM systems for informing security administrators about security events and whether and what actions need to be taken, as well as the usable configuration of data splitting in the cloud for the confidentiality and privacy protection of data.