Revolution and stability in the study of the human factor in the security of information systems field : A systematic literature review over 30 years of publication

摘要

Human factor is widely recognized as the first threat to the security of information systems (ISS). ISS research thus points to the problem of user behavior, which is overwhelmingly represented as a fallibility that would be part of its nature. Companies would therefore have no choice but to anticipate these behaviors in order to reinforce the security of the information system. However, despite all the collective legitimacy contributing to the "normal" evolution of this field of research, could we think differently this problem? We therefore conducted a critical review of the literature on the human factor in information system security publications over 31 years (between 1989 and 2020). Our results draw the details of a normal science that has developed and deepened our knowledge of human behavior to protect an information system. We discovered that this main knowledge production shares structural epistemic and moral assumptions. These researchers’ choices are problematic since they are implicit and consequently raise concern about a very partial and simplifying representation of user’s contribution to a good security. We advocate for the development of alternative epistemic and moral choices to nourish the evolution of the current paradigmatic consensus. This alternative agenda is likely to improve recommendations for practice while showing a greater objectivity.