Human Factors in Computer & Information Security

“A company may have purchased the best security technologies that money can buy, trained their people so well that they lock up all their secrets before going home at night, and hired building guards from the best security firm in the business. The company is still totally vulnerable… the human factor is truly security’s weakest link” Mitnick and Simon (2002).

“Computer security is difficult (maybe even impossible), but imagine for a moment that we’ve achieved it… Unfortunately, this still isn’t enough. For this miraculous computer system to do anything useful, it is going to have to interact with users in some way, at some time, for some reason. And this interaction is the biggest security risk of them all. People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems” (Schneier, 2000).

Overview: Computer and information security (CIS) is usually approached from a technology-centric viewpoint. Remedies for CIS vulnerabilities and breaches tend to focus on technical mechanisms, e.g., stronger firewalls and implementation of encryption. The technical CIS remedies are often designed and implemented with little consideration for the needs and characteristics of the end users, network administrators, and CIS managers. This lack of consideration for human factors may create situations where people have to circumvent the CIS mechanisms and procedures in order to perform their job (i.e. violation of CIS rules, policies and procedures).

This project examined violations in CIS committed by two groups of people:  network administrators and end users. We used a mixed-methods research approach which combined qualitative (interviews and focus groups) and quantitative (surveys) research methods in order to understand CIS violations, their consequences, the factors contributing to violations, and to develop solutions to deal with CIS violations.

Funding: National Science Foundation

Research model

Full proposal (PDF)

Pascale Carayon, PhD
Procter & Gamble Bascom Professor in Total Quality
Department of Industrial and Systems Engineering
Director, Center for Quality and Productivity Improvement
University of Wisconsin-Madison

Raj Veeramani
Professor, Industrial and Systems Engineering, Mechanical Engineering, Civil & Environmental Engineering and Operations & Information Management
Director, Wisconsin E-Business Consortium
University of Wisconsin-Madison

Peter Hoonakker, PhD
Research Scientist, Associate Director of Research
Center for Quality and Productivity Improvement
University of Wisconsin-Madison

Sami Saydjari
Founder and President of Cyber Defense Agency

Nis Bornoe
Center for Quality and Productivity Improvement
University of Wisconsin-Madison


Hoonakker, P., Bornoe, N.A., & Carayon, P. (2009). Password Authentication from a Human Factors Perspective: Results of a survey among end-users. Paper presented at the Human Factors and Ergonomics Society (HFES) 53rd Annual Meeting, San Antonio, TX. DOI: 10.1177/154193120905300605

Hoonakker, P., Carayon, P. & Bornoe, N.A. (2009). Spamming, phishing and spoofing. Paper presented at the IEA Conference, Beijing China.

Kraemer, S. & Carayon, P. (2009). Human and organizational factors in computer and information security: Pathways to vulnerabilities. Computers & Security, 28 (7), 509-520. DOI: 10.1016/j.cose.2009.04.006


Hoonakker, P. & Carayon, P. (2008). Computer and information security from a human factors perspective. Paper presented at the 2008 ODAM Conference, Guaruja, Brazil.


Kraemer, S. & Carayon, P. (2007). Human errors and violations in computer and information security: The viewpoint of network administrators and security specialists. Applied Ergonomics, 38 (2), 143-154. PMID: 16782040


Kraemer, S., Carayon, P. & Clem, J. (2006). Characterizing violations in computer and information security systems. Paper presented at the IEA 2006 Conference, Maastricht, The Netherlands.

Kraemer, S., Carayon, P., & Clem, J. (2006). Performance of red teams in computer and information security. Applied Ergonomics.


Kraemer, S. & Carayon, P. (2003). A human factors vulnerability evaluation method for computer and information security. Proceedings of the Human Factors and Ergonomics Society (HFES) 47th Annual Meeting, Denver, CO. DOI: 10.1177/154193120304701202

Carayon, P. & Kraemer, S. (2003). Using accident analysis methods in computer security: The development of the human factors vulnerability analysis (HFVA). Proceedings of the XVth Triennial Congress of the International Ergonomics Association and the 7th Joint Conference of Ergonomics Society of Korea/Japan Ergonomics Society, Seoul, Korea.

Kraemer, S., Carayon, P., & Duggan, R. (2003). A model of red team performance. In Luczak & Zink (Eds.) Proceedings of the Seventh International Symposium on Human Factors Organizational Design and Management, IEA Press: Aachen, Germany.

Carayon, P., & Kraemer, S. (2003). Human factors in e-security: The business viewpoint. Center for Quality and Productivity Improvement (CQPI), Madison, WI.


Kraemer, S. (2002). A human factors evaluation method for computer and information security technical vulnerabilities and security breaches. MS Thesis, Department of Industrial and Systems Engineering, University of Wisconsin-Madison.

Carayon, P. & Kraemer, S. (2002). Macroergonomics in WWDU: What about computer and information security? In H. Luczak, A.E. Cakir, & G. Cakir (Eds.). Proceedings of the 6th International Scientific Conference on Work With Display Units (WWDU) – World Wide Work. (pp. 87-89). Berlin, Germany: Ergonomic Institut fur Arbeits – und Sozialforschung Forschungsgesellschaft mbH.

A web survey was conducted to gather information on CIS violations of network administrators and end users. The survey is developed based on the literature and interviews of network administrators and end users.

For the results of pilot study with an adapted version of the questionnaire, click here.

For an explanation for the topics in the questionnaire, click here.

For more information, please contact Peter Hoonakker.