Abstract:
This thesis examines the concepts of Information System (IS) security assurance using a
socio-technical framework. IS security assurance deals with the problem of estimating
how well a particular security system will function efficiently and effectively in a specific
operational environment. In such environments, the IS interacts with other systems, such as
ethical, legal, operational and administrative ones. A security failure in any of these systems may
result in a security failure of the whole system.
In this thesis a socio-technical framework is used to examine culture, usability problems,
security internal controls, security requirements and re-use of security requirements of
TANESCO IS systems. TANESCO is the energy utility company in Tanzania where the
case study was conducted. Results show that culture affects the way people approach IS
security. Results also show that the socio-technical framework is effective in modelling
systems security and its environment. The re-use of security requirements is also shown
to significantly reduce the time taken when developing and improving security
requirements for an IS.
The overall purpose of this thesis has been to develop a framework for information
systems security assurance. The resulting framework of thinking brings together
numerous assurance concepts into a coherent explanation that should be useful for any
organisation or evaluator seeking to understand the underlying principles of systems
security assurance. It covers the organisational, cultural and technical issues that should be
considered when selecting and applying systems security assurance methods and
techniques.