Evaluation of Human Factors as Vulnerable Points in Information System Security

Abstract

The increasing adoption of digital technologies and the transformation of organizational operations into the cyber domain have made information system security a crucial strategic issue. Although many organizations have implemented advanced security technologies, such as firewalls, intrusion detection systems, and data encryption, cyber security incidents continue to occur frequently. This phenomenon indicates that system vulnerabilities do not solely originate from technical aspects but are also significantly influenced by human factors. This study aims to analyze the role of human factors as critical vulnerabilities in organizational information system security, particularly in the context of social engineering attacks such as phishing. The research employs a quantitative approach using a survey method. Data were collected through the distribution of Likert-scale questionnaires to users of organizational information systems. The research instrument was developed based on human factors and security awareness indicators and was subjected to validity and reliability testing. The collected data were analyzed using descriptive statistical techniques to identify levels of security awareness and patterns of risky user behavior. The results show that users’ security awareness is at a moderate level; however, various risky behaviors that can potentially be exploited in cyber attacks, especially through social engineering techniques, are still evident. These findings indicate a gap between users’ understanding of information security and the actual implementation of secure behaviors in daily operational activities. This study concludes that the effectiveness of information system security is strongly influenced by user behavior and compliance, in addition to technological factors. Therefore, a more holistic security approach is required through the strengthening of behavior-oriented security training programs and the development of more adaptive and user-friendly security policies.