<?xml version="1.0"?>
<metadata xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:title>Tailoring security-related software and training requirements to users based on their categorization</dc:title><dc:creator>Fujs, Damjan (Author)</dc:creator><dc:creator>Vavpotič, Damjan (Mentor)</dc:creator><dc:creator>Vrhovec, Simon (Co-mentor)</dc:creator><dc:subject>information security</dc:subject><dc:subject>information security software requirements</dc:subject><dc:subject>information security training requirements</dc:subject><dc:subject>user categorization</dc:subject><dc:subject>tailoring</dc:subject><dc:subject>experiment</dc:subject><dc:subject>mapping tool</dc:subject><dc:subject>technical aspects</dc:subject><dc:subject>human aspects</dc:subject><dc:description>With cyber threats becoming more sophisticated and frequent, the importance of information security as a shield for digital assets has never been more evident. Traditionally, information security is provided by technical solutions in the final stages of software development. Because security is treated as an add-on feature, a vulnerability is fixed with security patches as soon as it occurs. Moreover, information security has conventionally focused on technical solutions. Yet the importance of human factors is increasingly recognized, as technical solutions alone are not sufficient to eliminate security vulnerabilities. Users of information systems in particular are the weakest link in information security; it is therefore important to address the challenges directly related to users. Taking users' information security performance into account is essential for improving overall information security.

The purpose of this doctoral dissertation is to present an approach that allows prioritization of information security requirements. The approach concurrently considers information security software requirements (iSSR) and information security training requirements (iSTR), which means that it addresses the human and technical aspects of information security simultaneously and in a connected manner. The doctoral dissertation presents a comprehensive methodology for achieving this goal. 

First, we present an approach for user segmentation to improve information security training by dividing users into smaller groups based on their information security performance. User segmentation aims to identify groups of end users that are similar to or different from each other. Defining groups from many users adds value because it moves away from both a one-size-fits-all approach and a fully personalized approach to information security training. To test the approach, we used data collected from students at a Slovenian university (N=165) with the Human Aspects of Information Security Questionnaire (HAIS-Q). The HAIS-Q data was used to create user segments according to their information security performance via clustering. These segments were used to enable the development of a more efficient training plan than existing approaches allow. Specifically, the approach mitigates the tedium of training and the lack of user motivation that are emblematic of traditional information security training, while offering flexibility regarding the degree of personalization by fine-tuning the number of user groups. This segmentation is the basis for concurrent consideration of iSSR and iSTR and their tailoring to end-user security profiles.

Second, we expand our approach by introducing a mapping tool that helps prioritize and balance iSSR and iSTR according to the information security performance of end users. The mapping tool plays a central role in deciding between iSSR and iSTR; its main purpose is to find the right balance between them. The approach was tested in an experiment involving 128 IS professionals from 17 different countries. The results showed that using the proposed approach helps IS professionals with limited experience in information security make significantly better decisions regarding iSSR and iSTR. Specifically, the results show statistically significant differences in favor of using our approach.</dc:description><dc:date>2024</dc:date><dc:date>2024-03-12 14:10:01</dc:date><dc:type>Doktorsko delo/naloga</dc:type><dc:identifier>154979</dc:identifier><dc:identifier>VisID: 35291</dc:identifier><dc:identifier>COBISS_ID: 188845059</dc:identifier><dc:language>sl</dc:language></metadata>
