
International Journal of Science and Engineering Applications (IJSEA)  (Volume 4, Issue 6 November-December 2015)

Information System Security Model for ICT Departments

Hanieh Yaghoobi Bojmaeh

10.7753/IJSEA0406.1005







Keywords: Information System Security, Technical factors, Human Factors



To reduce human theft, fraud and error, as well as the misuse of computer property, ICT departments should focus on human elements in their models of information system (IS) security. Previous studies have not adequately considered this issue. This paper uses a qualitative approach to improve IS security models. Most models developed so far consider only technical factors. In this regard, interviews were conducted with 6 experts in the ICT departments of 6 universities in Iran. After a careful review of their ideas and insights, human factors were identified. The results were added to existing technical models to design the finalized model, which was later verified by experts as well. The identified human factors include staffing, training, the reward and compensation system, and performance appraisal.




@article{Hanieh04061005,
title = "Information System Security Model for ICT Departments",
journal = "International Journal of Science and Engineering Applications (IJSEA)",
volume = "4",
number = "6",
pages = "357 - 360",
year = "2015",
author = "Hanieh Yaghoobi Bojmaeh",
}