Information Security Policy Framework to Mitigate Data Breach Due to Human Factors in Physical Locations

Kwesi Hughes-Lartey 1,2 *, Zhen Qin 1,3,4 *, Francis E. Botchey 1,2, Sarah Dsane-Nsor 2,5

1 School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China
2 Computer Science Department, Koforidua Technical University, Koforidua EN-112-2188, Ghana
3 Institute of Electronic and Information Engineering UESTC in Guangdong, Dongguan 523808, China
4 Network and Data Security Key Laboratory of Sichuan Province, Chengdu 610054, China
5 Computer Science Department, University of Cape Town, Cape Town 7701, South Africa

International Journal of Engineering Research & Technology (IJERT), ISSN: 2278-0181, Vol. 10 Issue 04, April-2021, IJERTV10IS040124, http://www.ijert.org (This work is licensed under a Creative Commons Attribution 4.0 International License.)

Abstract

An information security policy is probably the most important tool that can be used to protect an organization's information and computer resources. However, most entities concentrate on the technology and leave out the human aspect. Furthermore, these policies say nothing about physical locations, whether internal or external. Cyber attackers now take advantage of human factors and the lack of policy for physical locations to launch attacks on seemingly strong information security systems that are rendered weak by human behavior and by human susceptibility in certain physical locations. In this paper, three physical location policy frameworks in relation to human factors are proposed. A linear regression of human factors and data breach incidents associated with physical locations is performed to validate the loophole that negligence opens in an otherwise strong information security system. The results show that vehicles, offices and public places are the physical locations that are statistically significantly associated with data breach incidents due to human factors.

Keywords: Data Breach; HIPAA; Human Behavior; Information Security; Policy Framework; Physical Locations

I. INTRODUCTION

The primary way in which organizations conduct operations today is through the use of Information Systems (Info Sys). These provide a platform for gathering data, processing data, storing data and making data available for future access [1]. Such systems often require some kind of Information Security (Info Sec), which most organizations implement at the technological level while ignoring, or being oblivious to, human factors [2], [3].

To deal with the threats that organizations face as a result of using Info Sys, there has to be a good Info Sec policy. Such a policy must generally be high-level and technology neutral, assess risks, and define procedures, directions, penalties and countermeasures for when the policy is transgressed. Info Sec policies are critical to the protection of an organization's Info Sys. Yet the policies are typically created only to address the problem of keeping up with the increasing rate of technological change, leaving out the human factor problems [1]. To successfully build any Info Sec policy, the focal point must be people. People play a more critical role in security systems than anything else, and Info Sec is not immune to the vital role of people in ensuring its success [4]. Over the years there have been major advances in information technology and information systems; however, these have not translated into the kind of security assurance organizations desire, because of the people factor, or human factors [5]. Human factors are suspected to be at play in 80% to 90% of information security incidents in organizations [4], [6]. Human factors and technological factors should therefore be considered on an equal footing when it comes to providing a secure system. Attackers are well aware of this interdependence between technology and people, and are prepared to invest resources such as time and money to exploit human weak points in an organization's Info Sec [2]. An Information Security Management System (ISMS) is a prerequisite to ensuring security, and to achieve the goal of an ISMS, a robust security framework must not only ensure technical mechanisms such as authentication and cryptography for essential parts, but must also place people at the core of its design, implementation and operation [7]. Therefore, consideration of non-technological factors alongside technological ones is important in promoting a safe system. Human factors are the most vulnerable points of an Info Sec system.

Factors such as personal gain and irrational behavior can negatively affect the functioning of a good Info Sec system. For example, if an organization has a policy that requires complex passwords from employees, it is likely that the passwords will be written down, e.g., on sticky notes stuck to monitors or somewhere on workstations. This practice will most certainly open the floodgates for attackers into the organization. Human factors must therefore be addressed at the early stage of system design, in line with management policy and with ISMS requirements. Info Sec studies generally focus on the effects of Info Sec, with less consideration of security threat quantification, human issues, and clear specification of requirements that could assist senior management in making decisions on resource allocation and in dealing effectively with security threats [4], [8]. Consequently, organizations remain without a clear rationale or specification of how to achieve Info Sec goals and objectives with regard to human factors, which should have been considered from the early stage of the design process [3].