This article aims to review the literature on information security policy compliance issues and their relation to core business processes in the company and users’ behaviour. It also provides an insight into particular implementation examples of the ISO 27001 Standard, and methods of analysis of the effectiveness of such implementations.
Information security issues in organisations were raised long before the rapid development of technology. Companies have always been concerned with protecting their confidential information, including their intellectual property and trade secrets. There are many possible approaches to addressing information security. Wood  points out that security is a broad subject that includes financial controls, human resource policies, physical protection and safety measures. However, Ruighaver et al.  state that information security is usually viewed as a purely technical concern and is expected to have a purely technical solution. On the other hand, Schneier , Lampson , and Sasse and Flechais  emphasise the people aspect of security: people play a crucial role, because they are the ones who use and implement security controls.
As Anderson  argues, information security has to be properly defined in order to do justice to all of these aspects.
The ISO 27001 information security management standard  defines information security as “the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximise return on investments and business opportunities.”
Dhillon  states that security issues in organisations can arise from the absence of an information security policy. One way to implement such a policy is to use the ISO 27001 standard as a framework.
ISO 27001 Standard
The ISO 27001 Standard, a member of the ISO 27000 family of standards, evolved from the British national standard BS7799 . It aims to provide guidance on managing the risk associated with threats to the confidentiality, integrity and availability of an organisation’s assets. Such assets, as defined in ISO 27001 , include people, software, hardware, services, etc.
Doherty and Fulford , Von Solms , and Canavan  all came to the conclusion that well-established standards such as ISO 27001 might be a stepping-stone to implementing good information security programs in organisations.
However, Anttila and Kajava in their study  identify the following issues with the ISO 27001 Standard:
– The standard is high-level, and its basic concepts are not presented consistently.
– It is hard to measure the business benefits of implementing the standard.
– The process management it describes does not fully support current business practices.
– The standard struggles to recommend solutions for contemporary business environments.
Neubauer et al.  in their research state that the main problem with security standards, including ISO 27001, is their “abstract control deﬁnition, which leaves space for interpretation”. Furthermore, the authors suggest that companies focus on obtaining formal certification and often do not assess and put in place security controls that are adequate for their main business goals. Ittner et al.  support this point, adding that organisations also fail to estimate the effectiveness of their investments in such initiatives.
According to Sharma and Dash , ISO 27001 does not provide detailed guidance and requires a substantial level of expertise to implement. Moreover, the authors claim that “If risk assessment is flawed, don’t have sufficient security and risk assessment expertise, or do not have the management and organizational commitment to implement security then it is perfectly possible to be fully compliant with the standard, but be insecure.” The results of their study suggest that the organisations which participated implemented information security mainly to comply with legal and regulatory requirements, and that such implementations were consequently not cost-effective. However, the researchers do not analyse the level of users’ acceptance of the implemented controls, nor do they recommend an approach that would support a security manager’s decision-making when implementing ISO 27001 controls.
Karabacak and Sogukpinar in their paper  present a flexible and low-cost ISO 17799 compliance check tool. The authors collect their data through a questionnaire and state that “the success of our method depends on the answers of surveyors. Accurately answered questions lead to accurate compliance results.” However, the researchers stop short of analysing the impact of compliance with security policy on users’ behaviour. They do not consider that a security manager’s decisions regarding a particular implementation of security policy affect the organisation as a whole and may introduce additional cognitive burdens for users. In extreme cases (e.g. when core business processes are obstructed) these burdens may result in non-compliance, as users prioritise their primary task.
Vuppala et al. in their study  discuss their experience of implementing an ISO 27001 information security management system. One of the most important lessons learnt was an understanding of the role of users’ behaviour in this process. The authors recommend to “not make drastic changes to the current processes; this will only infuriate the users. Remember, users are an important, if not the most important, part of the overall security system.”
Johnson and Goetz  conducted a series of interviews with security managers to identify the main challenges of influencing employees’ behaviour. The results revealed that security managers rely extensively on information security policies, not only as a means of ensuring compliance with legal and regulatory requirements, but also to guide and direct users’ behaviour.
To explore the question of the impact on users’ behaviour while implementing security policies, the following theories were researched:
1. Theory of Rational Choice – a framework which provides insight into social and economic behaviour. It implies that users tend to maximise their personal benefits . Beautement et al. in their paper  use this theory as a foundation for explaining how people decide whether or not to comply with any particular information security policy.
Herley  suggests that it is rational for users not to comply with security policy when the perceived risk reduction is lower than the effort required.
2. Protection Motivation Theory – a theory which describes three factors that individuals consider when trying to protect themselves :
– perceived severity of the threat
– perceived probability of the adverse event
– efficacy of the preventive behaviour
Siponen builds on this theory to understand the attitude of individuals towards compliance with security policies, and refers to it in order to study the impact of punishment on actual compliance and on intention to comply , .
3. The Theory of General Deterrence – this suggests that users will not comply with the rules if they do not fear sanctions for non-compliance .
4. Theory of Planned Behaviour – this suggests that subjective norms and perceived behavioural controls influence individuals’ behaviour . Siponen  and Pahnila  discovered that social norms play a significant role in users’ intention to comply.
These theories suggest that to effectively protect a company’s assets, the security manager should develop and implement security policies not only to ensure formal compliance with legal and regulatory requirements, but also to make sure that users are considered as a part of the system. Policies should be designed in a way that reduces the mental and physical workload of users , .
Business process visualisation and compliance
It is important to consider information security compliance and users’ behaviour in the context of a company. Users in organisations are involved in activities which can be represented as business processes.
Business process is defined as a set of logically related tasks (or activities) to achieve a defined business outcome .
Continuous monitoring of business processes is essential for any organisation. This can be supported by visualising them . However, business processes are usually complex, owing to the number of different users and user roles in large companies . Barrett  also argues that it is essential to create a “vision of the process” in order to reengineer it successfully.
Namiri and Stojanovic in their paper  present a scenario demonstrating a particular business process and implement controls necessary to achieve compliance with regulatory requirements. The authors separate business and control objectives, introducing two roles: a business process expert, who is motivated solely by business objectives, and a compliance expert, who is concerned with ensuring compliance of a given business process.
 Adams, A. and Sasse, M.A. 1999. Users are not the enemy. Commun. ACM. 42, 12 (Dec. 1999).
 Ajzen, I. 1991. The theory of planned behavior. Organizational Behavior and Human Decision Processes. 50, 2 (Dec. 1991).
 Anderson, J.M. 2003. Why we need a new definition of information security. Computers & Security. 22, 4 (May 2003).
 Anttila, J. and Kajava, J. 2010. Challenging IS and ISM Standardization for Business Benefits. ARES ’10 International Conference on Availability, Reliability, and Security, 2010 (2010).
 Barrett, J.L. 1994. Process Visualisation: Getting the Vision Right Is Key. Information Systems Management. 11, 2 (1994).
 Beautement, A. et al. 2008. The compliance budget: managing security behaviour in organisations. Proceedings of the 2008 workshop on New security paradigms (New York, NY, USA, 2008).
 Bobrik, R. et al. 2005. Requirements for the visualization of system-spanning business processes. Sixteenth International Workshop on Database and Expert Systems Applications, 2005. Proceedings (2005), 948–954.
 Canavan, S. 2003. An information security policy development guide for large companies. SANS Institute. (2003).
 Davenport, T.H. and Short, J.E. 2003. Information technology and business process redesign. Operations management: critical perspectives on business and management. 1, (2003), 1–27.
 Dhillon, G. 2007. Principles of information systems security: text and cases. John Wiley & Sons.
 Doherty, N.F. and Fulford, H. 2005. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. Information Resources Management Journal. 18, 4 (2005).
 Herley, C. 2009. So long, and no thanks for the externalities: the rational rejection of security advice by users. Proceedings of the 2009 workshop on New security paradigms workshop (New York, NY, USA, 2009).
 Herrnstein, R.J. 1990. Rational choice theory: Necessary but not sufficient. American Psychologist. 45, 3 (1990).
 Ittner, C.D. and Larcker, D.F. 2003. Coming up short on nonfinancial performance measurement. Harvard business review. 81, 11 (2003), 88–95.
 Johnson, M.E. and Goetz, E. 2007. Embedding Information Security into the Organization. IEEE Security Privacy. 5, 3 (2007).
 Karabacak, B. and Sogukpinar, I. 2006. A quantitative method for ISO 17799 gap analysis. Computers & Security. 25, 6 (Sep. 2006).
 Lampson, B.W. 2004. Computer security in the real world. Computer. 37, 6 (2004), 37–46.
 Namiri, K. and Stojanovic, N. 2007. Pattern-based design and validation of business process compliance. On the Move to Meaningful Internet Systems 2007: CoopIS, DOA, ODBASE, GADA, and IS. Springer. 59–76.
 Neubauer, T. et al. 2008. Interactive Selection of ISO 27001 Controls under Multiple Objectives. Proceedings of The Ifip Tc 11 23rd International Information Security Conference. S. Jajodia et al., eds. Springer US. 477–492.
 Pahnila, S. et al. 2007. Employees’ Behavior towards IS Security Policy Compliance. 40th Annual Hawaii International Conference on System Sciences, 2007. HICSS 2007 (2007).
 Rinderle, S.B. et al. 2006. Business process visualization-use cases, challenges, solutions. (2006).
 Rogers, R.W. 1975. A Protection Motivation Theory of Fear Appeals and Attitude Change. The Journal of Psychology. 91, 1 (1975).
 Ruighaver, A.B. et al. 2007. Organisational security culture: Extending the end-user perspective. Computers & Security. 26, 1 (Feb. 2007).
 Sasse, M.A. and Flechais, I. 2005. Usable Security: Why Do We Need It? How Do We Get It? Security and Usability: Designing secure systems that people can use. L.F. Cranor and S. Garfinkel, eds. O’Reilly.
 Schneier, B. 2003. Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Springer.
 Sharma, D.N. and Dash, P.K. 2012. Effectiveness of ISO 27001, as an Information Security Management System: An Analytical Study of Financial Aspects. Far East Journal of Psychology and Business. 9, 5 (2012), 57–71.
 Siponen, M. et al. 2010. Compliance with Information Security Policies: An Empirical Investigation. Computer. 43, 2 (2010).
 Solms, R. von 1999. Information security management: why standards are important. Information Management & Computer Security. 7, 1 (Mar. 1999).
 Vuppala, V. et al. Securing a Control System: Experiences from ISO 27001 Implementation.
 Wood, M.B. 1982. Introducing Computer Security. National Computing Centre.
 BS, BS7799 – Information Technology – Code of practice for information security management, London: BS, 1995.
 ISO/IEC, ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements, Geneva: ISO/IEC, 2005 and Draft for the new revision ISO/IEC JTC 1/SC 27 N10641, 2011.
Within this area of research two main methodological approaches can be used: quantitative and qualitative.
Bell  argues that quantitative and qualitative approaches each have their own weaknesses and strengths. Hence, researchers should choose the appropriate technique according to their objectives and needs. Moreover, researchers can move from one approach to the other if it will bring benefit to their study.
Quantitative Research Methods
Quantitative research methods help researchers to support their hypotheses by testing them against theories and existing research results . Large sample sizes are often used to collect data and draw more general conclusions . However, quantitative approaches may not provide sufficient detail regarding participants’ attitudes and motivations.
A questionnaire can help a researcher to collect larger volumes of information compared to interviews. Furthermore, they have reduced bias, which interviews typically introduce through personal interactions. Questionnaires can provide anonymity for the participants; hence more honest responses may be expected. This is relevant when the subject matter is sensitive, for example, security.
However, the main limitation of questionnaires is low response rates, which makes it difficult to collect large amounts of data. To overcome this limitation and achieve higher response rates follow-up e-mails should be sent and follow-up calls should be made in order to remind participants to take part in the survey .
Qualitative Research Methods
Creswell  characterises the qualitative approach as being focused mainly on participants’ experience and perceptions as expressed in words rather than numbers. Qualitative research methods allow researchers to use less structured instruments to collect information on participants’ thoughts and motivations. This gives the researcher the opportunity to look for common patterns, which is particularly useful in areas where little or no existing research has been done.
However, qualitative research methods are more time consuming to undertake and may result in smaller samples being used. Small samples in turn raise issues of repeatability and of subjectivity of responses, hence lower reliability and less ability to generalise beyond the conditions of the study.
For instance, Bjorck  adopts qualitative methods to collect information and draw conclusions on the implementation of information security management systems according to the ISO 17799 Standard. In his paper, the author studies the attitudes and behaviour of information security consultants.
Interviews can be time consuming and expensive. Moreover, face-to-face interaction allows the researcher to introduce additional bias . Nevertheless, interviews are still commonly used in various research fields, because of the flexibility and deep insight into human perceptions and motivations which they allow.
According to Berg , Patton , and Briggs et al.  interviews can be divided into the following categories:
– Structured interviews – these are standardised questionnaires, similar to quantitative research methods. They tend to be less biased, because the questions asked are always the same and in the same order. However, this reduces flexibility.
– Semi-structured interviews – these are guided discussions with open-ended questions. The interviewer prepares questions in advance, but some questions might very well emerge during the process of the interview.
– Unstructured interviews – these are similar to an informal conversation, which can be beneficial if the interviewer needs to collect additional information. However, it could be difficult to manage the interview and stay within the research question.
Using Grounded Theory
Following Corbin and Strauss , a theory derived from collected data can provide valuable insights into real-world situations. For this reason, the Grounded Theory Method can be used to analyse interview data: answers are grouped into categories in order to discover possible patterns and derive meaningful conclusions. Corbin and Strauss  outline the following types of coding for analysing the data:
– Open coding – basic categorisation based on identified similarities.
– Axial coding – introducing sub-categories and connecting them with the main categories.
– Selective coding – revealing the connections between the main categories in the study and integrating them.
Adopting this approach would allow the collection, documentation, and analysis of interview materials, whilst interviewees freely express their thoughts and attitudes towards security compliance and behavior issues in their company.
Using a combination of quantitative and qualitative methods
According to Tashakkori and Teddlie , Carr , and Bandyopadhyay et al. , combining quantitative and qualitative methods may yield better outcomes, because it helps to overcome the weaknesses of each method while combining their strengths. For instance, Rainer et al.  adopted such an approach when researching risk analysis processes for information technology. Doherty and Fulford  used a questionnaire in their study of the application of information security policies in companies, and then identified the need to apply more qualitative methods to research this area.
 Bandyopadhyay, K. et al. 1999. A framework for integrated risk management in information technology. Management Decision. 37, 5 (Jun. 1999).
 Bell, J. and Goulding, S. 1984. Conducting small-scale investigations in educational management. Harper & Row in association with the Open University.
 Berg, B.L. 2004. Qualitative research methods for the social sciences. Pearson Boston.
 Bjorck, F. 2001. Implementing Information Security Management Systems–An Empirical Study of Critical Success Factors. Lic thesis. Stockholm University & Royal Institute of Technology. (2001).
 Briggs, A.R. et al. 2012. Research methods in educational leadership and management. Sage Publications.
 Carr, L.T. 1994. The strengths and weaknesses of quantitative and qualitative research: what method for nursing? Journal of Advanced Nursing. 20, 4 (1994).
 Corbin, J. and Strauss, A. 2008. Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory. SAGE.
 Creswell, J.W. 2013. Research design: Qualitative, quantitative, and mixed methods approaches. Sage Publications, Incorporated.
 Doherty, N.F. and Fulford, H. 2005. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. Information Resources Management Journal. 18, 4 (2005).
 Flick, U. 2009. An Introduction to Qualitative Research. SAGE.
 McIlwraith, A. 2006. Information Security and Employee Behaviour: How to Reduce Risk Through Employee Education, Training and Awareness. Gower Publishing, Ltd.
 Patton, M.Q. 2005. Qualitative Research. Encyclopedia of Statistics in Behavioral Science. John Wiley & Sons, Ltd.
 Rainer Jr, R.K. et al. 1991. Risk Analysis for Information Technology. J. of Management Information Systems. 8, 1 (1991).
 Scandura, T.A. and Williams, E.A. 2000. Research Methodology In Management: Current Practices, Trends, And Implications For Future Research. Academy of Management Journal. 43, 6 (Dec. 2000).
 Tashakkori, A. and Teddlie, C. 1998. Mixed Methodology: Combining Qualitative and Quantitative Approaches. SAGE.
The purpose of this post is to provide a comprehensive analysis of the data collected from the survey and semi-structured interviews to compare views on information security activities from security managers’ and users’ viewpoints.
A survey was developed to collect information from a broad sample on attitudes of the users’ towards information security policies in their organisations in general, and how compliance with information security policies affects their behaviour in particular. It was quantitatively analysed.
The main goal of the survey was to assess the attitude of the end-users towards information security policies in their companies and measure the level of dissatisfaction with security tasks. Prior to the questions, all participants were shown a page with the explanation of the purpose of the study, approximate time to complete the survey, the researcher’s contact information, and their rights to withdraw their answers at any time. After getting participants’ consent by clicking the “Next” button, they were asked to answer the eleven multiple-choice questions. The first four questions were designed to gather demographic information about the participants for future analysis: participants were asked to provide information on their gender, age, the number of years of work experience, and the industry sector. The subsequent seven questions were aimed at gathering insight on users’ attitude towards information security policies in their companies and the way they make their compliance decisions. Participants were asked to:
- Indicate their attitude towards security policy in their company.
- Assess the effectiveness of implementation of the security policy in their company.
- Estimate the approximate time they spend weekly on various security activities, such as password changes, antivirus checks, anti-phishing checks, awareness training, encryption, etc.
- Indicate their attitude towards the impact which security activities have on their overall performance: respondents were presented with a statement “I believe security activities negatively affect my overall performance” and were asked to choose one of the following four answers: “strongly agree”, “agree”, “disagree”, and “strongly disagree”.
- Assess the degree of concern of the security manager in their company with users’ main business goals and tasks.
- Assess how often security controls prevented them from accomplishing their main business tasks.
- Indicate their attitude towards the possibility of violation of the security policy if it prevented them from accomplishing their main business activities.
The survey was advertised on social networks (LinkedIn, Facebook) to recruit participants. A purposive sample was targeted so as to include people with relevant job experience.
This section presents detailed end-users’ survey findings. Results are described in the order of their appearance in the survey. 64 responses were collected.
End-users’ demographic characteristics
Results show that the majority of the sample (40 out of 64 participants) were male. They also show that 32 out of 64 participants are in the 18 to 24 age group and 29 out of 64 are in the 25 to 34 age group; only 3 participants are older than 35. The largest group (22 out of 64 participants) are at the beginning of their careers and have less than one year of work experience. The following figure presents the distribution of respondents by industry sector.
Distribution of respondents by industry sector
Attitude towards security policy in the company
The results of the survey show that 51% of participants share a positive outlook towards information security in the company (6 have chosen “very positive” option and 27 “positive”). 29 respondents share a neutral attitude towards information security in the organisation. Only 2 participants indicated a negative attitude.
Attitude towards security policy
View on the implementation of the security policy in the organisation
50% of participants think that the information security policy is effectively implemented in their company. However, 34% of respondents were unable to give an opinion on this matter.
Effectiveness of implementation of the security policy
Time spent by users on security activities
A large majority (80%) feel that they spend less than 30 minutes per week in total on security tasks. However, there are 4 respondents that share the perception that they have spent over an hour on security activities in the course of the past week.
Time spent by users on security activities
Impact on users’ overall performance
37 participants disagree with the statement that security negatively impacts their overall performance and 12 participants strongly disagree with it, although there is 1 respondent who strongly agrees.
Impact on users’ overall performance
Assessing the degree of concern of the security manager in the company with users’ main business goals and tasks
Most of the participants (27 out of 64) believe that their security manager is rather neutral towards users’ business activities. 19 participants feel that their security manager is aware of their day-to-day tasks.
Degree of concern of the security manager in the company with users’ main business goals and tasks
Instances of obstructing core business processes
30 respondents cannot recall any instances in which security controls obstructed their business activities. On the other hand, the results of the survey show more than 50% experienced problems at least once a year, and in many cases more regularly because of the security policy.
Instances of obstructing core business processes
Information security policy violations
When faced with the statement “I would violate security policy if it prevents me from accomplishing my main business tasks”, respondents were split almost equally between those willing to violate the security policy in order to get their job done and those who would choose to comply even in this case.
Information security policy violations
Individual response analysis shows that some people cannot recall a situation in which security policy prevented them from accomplishing their core business activities, yet still perceive security as something that hinders their performance. The remaining participants reported such instances no more frequently than approximately once every three months.
Frequency of collisions in relation to perception of negative impact on users’ performance
Individual response analysis also revealed one person who strongly agrees that security tasks affect his/her performance. This individual’s answer to the question on the perceived number of instances in which security policy prevented him/her from accomplishing their main business task shows that he/she experiences difficulty performing business activities on a daily basis. The anonymous nature of the survey did not allow the researcher to conduct a follow-up interview to gain insight into this particular case. Moreover, the high number of “I don’t know” responses to the question on the effectiveness of the security policy’s implementation may indicate that the criteria for effectiveness were not clearly defined. Furthermore, recruiting the sample through social networks limits the researcher’s ability to generalise the results: the sample consists mostly of young people with little work experience, which makes it difficult to draw conclusions, because employees’ perception of security tasks may change with time in the job. Given these limitations, the results show that more than 23% of participants (15 out of 64) believe that security tasks negatively affect their overall performance. This is a major concern for organisations, because it directly affects a company’s ability to generate revenue. According to the survey results, 20% of participants responded that they spend approximately one hour or more per week on various security tasks.
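The individual response analysis above cross-tabulates two questions per respondent and checks an aggregate figure (the share of respondents who agree that security hurts their performance). The following is an added example of that analysis, not part of the original study: the per-respondent rows are constructed for illustration, and the only figures taken from the page are the aggregate counts 37 “disagree”, 12 “strongly disagree” and 1 “strongly agree” out of 64, with the 14 “agree” answers derived by subtraction.

```python
"""Added example: tallying Likert-style survey answers and cross-tabulating
two questions, as in the individual response analysis of the end-user survey.
The respondent rows below are constructed; only the counts in
performance_impact_share() come from the reported survey figures."""
from collections import Counter
from fractions import Fraction

AGREE = ("strongly agree", "agree")
DISAGREE = ("disagree", "strongly disagree")


def share(counts, options):
    """Fraction of respondents whose answer is one of `options`.

    `counts` maps each answer option to the number of respondents who chose it.
    Fraction is used so the result is exact rather than a rounded float.
    """
    total = sum(counts.values())
    hits = sum(counts.get(option, 0) for option in options)
    return Fraction(hits, total)


def crosstab(rows, question_a, question_b):
    """Counter keyed by (answer to question_a, answer to question_b)."""
    return Counter((row[question_a], row[question_b]) for row in rows)


def contradictory_respondents(rows):
    """Respondents who say security hurts their performance although they
    cannot recall a single instance of a control obstructing their work.
    This is the pattern the individual response analysis flags."""
    return [row for row in rows
            if row["impact"] in AGREE and row["obstruction"] == "never"]


def performance_impact_share():
    """Share of respondents agreeing that security negatively affects
    their overall performance, from the reported aggregate counts
    (37 disagree, 12 strongly disagree, 1 strongly agree, 64 respondents;
    the 14 'agree' answers are derived by subtraction, an assumption)."""
    counts = {"strongly agree": 1, "agree": 14,
              "disagree": 37, "strongly disagree": 12}
    return share(counts, AGREE)  # 15/64, a little over 23%


# Constructed respondent rows (not real survey data).
# "impact": answer to "security activities negatively affect my performance"
# "obstruction": how often a control prevented the respondent's main task
CONSTRUCTED_ROWS = [
    {"id": 1, "impact": "strongly agree",    "obstruction": "daily"},
    {"id": 2, "impact": "agree",             "obstruction": "never"},
    {"id": 3, "impact": "disagree",          "obstruction": "yearly"},
    {"id": 4, "impact": "disagree",          "obstruction": "never"},
    {"id": 5, "impact": "strongly disagree", "obstruction": "never"},
    {"id": 6, "impact": "agree",             "obstruction": "quarterly"},
]


if __name__ == "__main__":
    table = crosstab(CONSTRUCTED_ROWS, "impact", "obstruction")
    for (impact, obstruction), n in sorted(table.items()):
        print(f"{impact:18s} x {obstruction:10s}: {n}")
    flagged = contradictory_respondents(CONSTRUCTED_ROWS)
    print("contradictory respondent ids:", [r["id"] for r in flagged])
    print("share agreeing (reported counts):",
          performance_impact_share(), f"~ {float(performance_impact_share()):.1%}")
```

Because the page only reports marginal counts, the cross-tabulation can only be run on constructed rows; with the original per-respondent data the same two functions would reproduce the “collision frequency versus perceived impact” figure directly.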
The second stage was conducted as an exploratory study with five information security experts. This section presents a descriptive analysis of the semi-structured interviews with information security experts.
The main goal of the semi-structured interviews was to gain insight into the information security manager’s awareness that his decisions on a particular implementation of security controls affect the organisation as a whole, and that his actions may negatively impact users’ performance in core business activities. The interview questions were also designed to gather information on the security manager’s ability to distinguish between instances of malicious non-compliance and instances in which security controls obstruct users’ main business tasks. All information security experts selected to participate in the study have seven or more years of work experience in the field of information security and currently hold managerial positions in their companies. Materials and feedback from two pilot interviews, which are not included in the current project, were used to refine the questions and procedures for the subsequent interviews, so that they focused more on relevant topics and grouped them into categories. When patterns started to emerge, the data were evaluated. The Grounded Theory analysis revealed the following most common codes:
– Security manager’s decision-making process on a particular implementation of security controls
– Relation between business and security goals
– Detection of instances of non-compliance
– Reaction to instances of non-compliance
– Security manager’s awareness of how security policy implementation affects users’ behaviour
– Difficulties in measuring the impact on users’ behaviour
– Security manager’s awareness of users’ typical business activities
– Effect of understanding users’ business activities on the security manager’s decision-making process
Results are grouped by the codes developed in line with Grounded Theory:
– Security manager’s decision-making process on a particular implementation of security controls: interview results suggest that 4 out of 5 interviewed security managers draw on their past experience when implementing security policy. One security manager stated that the security policy had already been implemented in his organisation.
– Relation between business and security goals: all security managers understand the role of information security as a supporting process.
– Detection of instances of non-compliance: all interviewed experts rely on both formal and informal channels for detecting instances of non-compliance.
– Reaction to instances of non-compliance: interview results suggest that 4 out of 5 interviewed security managers try to understand the root cause of the problem first. One security manager indicated that he is not directly involved in the investigation of such incidents.
– Security manager’s awareness of how security policy implementation affects users’ behaviour: 4 out of 5 security managers believe that they are aware of the impact of security controls on users’ behaviour. One security manager stated that he does not have the resources for that.
– Difficulties in measuring the impact on users’ behaviour: all experts experience some difficulty in assessing the impact on users’ behaviour.
– Security manager’s awareness of users’ typical business activities: 4 out of 5 security managers indicated awareness of users’ day-to-day tasks. One security manager mentioned that he does not have enough time for this.
– Effect of understanding users’ business activities on the security manager’s decision-making process: all of the interviewed experts agree that it is beneficial to understand users’ business tasks.
This section presents a discussion of interview findings.
Security manager’s decision-making process on particular implementation of security controls
Interview data reconfirm that security managers mostly use their own judgement and past experience when making a decision on the particular implementation of information security controls. As one expert explained: “When I’m making a decision to implement the ISO 27001 standard in my organisation, half of that decision is what the particular policies would actually look like. Because ISO 27001 is very high-level and it is by all means not a policy in itself, it just gives you one or two criteria or one or two suggestions on what your security policies should look like. Because of this freedom of implementation, you actually have to write these policies yourself.”
Relation between business and security goals
Interviewed security experts also understand the importance of involving business management in the process of implementing security controls. For example, one security manager mentioned: “If there is no benefit to the business – you don’t do it.” Another expert reinforces this point: “Get the people who these controls directly affect. You should start with the business. Get their buy-in; although they might view it as an additional workload, hence most people involved in this security initiative might produce sub-standard work.” Interviewed security managers also think that business objectives should always be the priority. For example, one expert commented: “Many security managers think that security is the most important thing. I personally don’t think so. Paying shareholders is the most important. Inhibiting those activities or encouraging dangerous activities because of what you are doing, you are making the situation worse.” The results illustrate that the interviewed security managers understand that their decisions affect the whole organisation.
Detection of instances of non-compliance
Interview participants are aware of various methods of detecting non-compliance. For example, one expert mentioned: “I walk around this building on occasion and I wiggle doors and I check workstations for locked screens. The other way you find out is by rumours or chatting with people.” The results revealed that security experts rely on both formal (e.g. periodic security reviews) and informal (e.g. rumours, complaints) channels for detecting non-compliance.
Reaction to instances of non-compliance
Most interviewed security managers agree that users should not be punished for non-compliance right away: the root cause of the problem has to be understood first. For instance, one expert suggested: “You don’t react on non-compliance with anger. You try to find out why it happened, rather than the fact that it has failed. Moreover, you can use it as a possibility for education and awareness and a possibility for improvement.” Another expert reinforces this point: “At the end of the day it failed because with high probability you implemented it badly, because you forced some particular way of working or method which they can’t use, so they worked around it.” According to the results, understanding the reason behind the non-compliance is important for most of the interviewed experts.
Security manager’s awareness of how security policy implementation affects users’ behaviour
Most of the interviewed security experts believe that they are, to a certain degree, aware of the impact of the security policy on users’ behaviour. One security manager said: “Yes, I think I’m aware of that, because when it affects it in a negative way – we hear about it. There are lots of complaints.” Some participants backed up their statements with examples. One security manager mentioned: “When users want to look at an Excel spreadsheet or use an application using an iPad but they can’t, because security controls don’t allow access to the business applications via an iPad, they have to use a laptop rather than the device of their own choice. So yes, we are aware of that tension, but we tend to enable people to do what they need to do.” Interview results suggest that such awareness is directly related to the number of users’ complaints. However, nobody mentioned a proactive way of assessing this impact.
Difficulties in measuring the impact on users’ behaviour
Several security experts stated that it is difficult to assess the impact of security controls on users’ behaviour. For example, one mentioned: “We never measured it. We don’t have a way of measuring it. So we don’t know.” Another expert agrees: “One thing is putting controls in place and the other is measuring effectiveness. Around users it is very difficult. Because they are not like a server, where you can say here is CPU optimisation.” However, one security expert strongly disagrees that he should take behavioural impact into consideration at all: “Why should I care? Why is this relevant to my job – caring about users is not part of my job responsibilities. I have limited resources to ensure compliance – how am I going to stretch that to areas outside of my direct responsibility?”
Security manager’s awareness of users’ typical business activities
Some of the security experts who participated in the interviews mentioned that they are aware of users’ business tasks to the degree required to successfully manage projects. One security manager stated: “At a high level we are aware. At the detailed process level really only when we are doing a project in that department. When we need to understand the process within the project.” Another expert provides an example supporting the same argument: “When we do a particular project on a new system. Say, for instance, it’s a new credit card system being implemented, we work through the user’s role, we work through the general data storage, so we become familiar with that particular department’s user activities.” The results show that some interviewed security managers believe that they are capable of understanding users’ day-to-day business activities and that they make their decisions on the particular implementation of security controls according to this knowledge.
Effect of understanding of users’ business activities on security manager’s decision-making process
All of the interviewed experts agree that knowledge of what users in their company are doing can help them implement information security policy better. One security manager shared an example: “For instance we worked with our studio manager and looked at the process of data transfer to the client. We have chosen one particular brand of encrypted USB keys; we believe that adoption would be very high, because they are great-looking devices. It feels good for our creative workers to give it to the client with our logo on it, rather than sharing data using a cheap plastic USB stick – there is no story, there is no sort of emotional attachment, which is so particularly important for creative workers. But in order for us to come to such a decision we actually spent some time observing and understanding our users.”
The results show that the majority of the security managers who participated in the interviews understand the importance of making the user part of the system and of assessing the possible impact on users’ behaviour when deciding on the implementation of particular security controls. However, they agree that their awareness of users’ business activities is reactive and based mainly on users’ complaints. The small number of interviewed security experts makes it problematic to generalise the results. Moreover, all of the interviewed security managers have a substantial amount of work experience (they were chosen to have a minimum of seven years, but some have more than twenty), which may affect the results: such experts tend to work in companies with mature information security processes in place. Interviewing experts with less experience may yield different results.
Results of this section provide an insight into how security managers and users view the importance of compliance behaviour in organisations. Analysis of the interview and survey results shows that the presented method is capable of identifying the existence of the problem: there is a gap between the perception of security policy by users and by security managers, which negatively impacts the organisation as a whole. Most of the interviewed security managers think that they consider users part of the system and are aware of the impact of their actions on users’ behaviour. However, survey results indicate that more than 23% of users believe that security negatively affects their performance. Moreover, 20% of participants spend approximately one hour weekly on various security activities. The current interview and survey data suggest that such a difference in perception exists, because the opinions presented differ, but they do not prove it, since the two sets of data come from different contexts. Running the study inside a single organisation would overcome this limitation. The difference in the perception of users and security managers should therefore be studied more thoroughly: the study should be conducted in one company, to directly compare the views of managers and users from the same organisation, which is critical to showing whether a difference in opinion really exists. Moreover, the research should be conducted with a broader and better-quality sample, with more participants from various backgrounds, so that the results can be generalised.
This article presents the model for analysis and visualisation of a company’s security policy building on the example scenario in relation to productive business activities.
The model aims to provide the means of comparing the perception of security tasks from both users’ and security managers’ points of view and optimising security activities in the company.
A guide for the security manager
On the one hand, violation of compliance requirements may result in significant losses for an organisation. On the other hand, poorly implemented security policies may obstruct users’ goal-driven behaviour and may result in non-compliance.
The scenario suggests that the CISO takes ISO 27001 as a framework and then makes a decision on a particular implementation based on his knowledge and past experience. As illustrated by the scenario, the lack of clear guidance in this decision-making process may result in a situation in which a company is formally compliant with the standard, but users perform their core business activities inefficiently and/or are forced to violate poorly implemented security policies.
By directly comparing security requirements and business processes, the security manager can analyse ISO 27001 policy compliance controls and their consequences in terms of affecting user behaviour.
In order to ensure that users in the organisation will comply with security policies, the security manager should broaden his perspective and make users a part of the system. It is important to differentiate between malicious non-compliance and cases when security policy obstructs core business process.
Relation between policy compliance and optimisation of the primary task

|                             | Compliant with security policy: Yes | Compliant with security policy: No |
|-----------------------------|-------------------------------------|------------------------------------|
| Primary task optimised: Yes | V                                   | (X)                                |
| Primary task optimised: No  | (V)                                 | X                                  |

“V” – CISO is satisfied with users’ compliance efforts.
“X” – CISO is not satisfied with users’ compliance efforts.
“(X)” – the case when users perform their tasks efficiently, but are not compliant with security policy.
“(V)” – the case when users are formally compliant with security policy, but it prevents them from carrying out their tasks efficiently.
The table emphasises the fact that, regardless of formal compliance, users may perform their core business activities inefficiently due to poorly implemented security controls. The security manager should also pay attention to the cognitive burden and the availability aspects of recommended solutions.
In order to mitigate the risk of poor implementation of security controls, the security manager should follow clear processes when implementing ISO 27001 controls.
Such guidance supports the security manager’s decision-making process. This method also gives the security manager an opportunity to reflect on his policy implementation in the context of the particular scenario.
Going beyond formally ensuring compliance, this method presents two rounds of compliance checks:
– Check if organization is compliant (formal box-ticking exercise)
– Check for collisions with core users’ tasks.
In order to minimise the probability of repeating the scenario, the security manager should pay more attention to users’ day-to-day business activities.
As a first step of the process, the security manager should gain an insight into users’ typical business activities. After understanding them, the security manager can visualise them, for example in the form of a workweek schedule.
User’s main business process
For instance, the security manager finds out that the analyst runs data analysis software to model risks on Thursday to include this data in his report, which he usually presents at the end of each week to the client.
Furthermore, by gathering information on users’ manual security tasks, the information security manager estimates the users’ current workload.
User’s manual security tasks
The information security manager identifies the unique security tasks that users undertake during the week and uses this information to make those tasks invisible to the user. In this case, users would feel less obstructed in completing business tasks, while those activities still take place in the background. Only by identifying them, mapping them and prioritising them can the security manager then do something about them.
Next, as part of the pre-implementation analysis of security controls, the security manager looks at scheduled security activities, such as periodic security awareness workshops, reviews of software and data on users’ workstations, or full-machine antivirus scans.
Scheduled security activities
Merging all these diagrams together helps the security manager to understand the users’ total workload and come up with a more effective implementation of security controls, one which does not introduce collisions with core business tasks.
Total user’s workload
In order to make a decision on a particular implementation of security controls, the security manager should identify how users in his company perceive their security workload and which security tasks they carry out already.
At the moment, security managers’ and users’ perceptions of security tasks may diverge. The developed model addresses this issue and helps CISOs to manage their decision-making process more effectively. Moreover, comparing the security manager’s and users’ perceptions helps to uncover a number of unique security activities, and the amount of time users spend on them.
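The model described above can be made concrete as a small script. The following Python example is added here and is not part of the original article: it builds the analyst’s workweek from the Scrooge Bank scenario (the task names and times are constructed, not survey data), overlays the manual security tasks and the scheduled security activities, merges them into the total workload, lists the collisions between security tasks and core business tasks (the second round of compliance checks), proposes a free slot for a colliding scheduled activity, and prices the weekly security time across a user population. The hourly rate, the number of users and the working week are assumptions.

```python
"""Weekly workload model: overlay a user's business tasks with manual and
scheduled security tasks, find collisions, and price the security time.
Added example; all task data below is constructed, not survey data."""
from dataclasses import dataclass

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri"]
SECURITY_KINDS = {"manual_security", "scheduled_security"}


@dataclass(frozen=True)
class Task:
    day: str      # one of DAYS
    start: float  # hour of day, e.g. 9.5 == 09:30
    end: float
    label: str
    kind: str     # "business", "manual_security" or "scheduled_security"

    @property
    def hours(self) -> float:
        return self.end - self.start


# Constructed analyst week following the scenario (assumed times).
BUSINESS = [
    Task("Mon", 10, 11, "Receive client data (USB stick / e-mail)", "business"),
    Task("Tue", 9, 12, "Extract client data with special tool", "business"),
    Task("Wed", 9, 12, "Internet research for the report", "business"),
    Task("Thu", 9, 13, "Run risk-modelling software (CPU-heavy)", "business"),
    Task("Fri", 14, 16, "Present report to client (export to USB)", "business"),
]
MANUAL_SECURITY = [
    Task("Mon", 9, 9.25, "Password change and token sync", "manual_security"),
    Task("Mon", 11, 11.25, "Antivirus scan of client USB stick", "manual_security"),
    Task("Fri", 13.5, 13.75, "Encrypt report, scan USB before export", "manual_security"),
]
SCHEDULED_SECURITY = [
    Task("Thu", 10, 12, "Full-machine antivirus scan", "scheduled_security"),
    Task("Fri", 14, 15, "Security awareness workshop", "scheduled_security"),
]


def merge_workload(*groups):
    """Total workload: every task group in one list, ordered by day and time."""
    tasks = [t for group in groups for t in group]
    return sorted(tasks, key=lambda t: (DAYS.index(t.day), t.start, t.end))


def overlaps(a: Task, b: Task) -> bool:
    """True when two tasks run on the same day and their intervals intersect."""
    return a.day == b.day and a.start < b.end and b.start < a.end


def find_collisions(schedule):
    """(security task, business task) pairs that compete for the same time."""
    business = [t for t in schedule if t.kind == "business"]
    security = [t for t in schedule if t.kind in SECURITY_KINDS]
    return [(s, b) for s in security for b in business if overlaps(s, b)]


def hours_by_kind(schedule):
    """Weekly hours per task kind, e.g. {'business': 13.0, ...}."""
    totals = {}
    for t in schedule:
        totals[t.kind] = totals.get(t.kind, 0.0) + t.hours
    return totals


def security_hours(schedule) -> float:
    """Hours per week the user spends on manual plus scheduled security tasks."""
    return sum(t.hours for t in schedule if t.kind in SECURITY_KINDS)


def free_slot(schedule, day, duration, work_start=9, work_end=17):
    """Earliest start on `day` where a `duration`-hour task fits without
    overlapping anything already scheduled; None if the working day is full."""
    busy = sorted((t.start, t.end) for t in schedule if t.day == day)
    cursor = work_start
    for start, end in busy:
        if start - cursor >= duration:
            return cursor
        cursor = max(cursor, end)
    return cursor if work_end - cursor >= duration else None


def annual_cost(hours_per_week, hourly_rate, users, weeks=48):
    """Yearly cost of the security time across the user population (assumed
    48 working weeks); the figure a CISO compares against a control's benefit."""
    return hours_per_week * hourly_rate * users * weeks


if __name__ == "__main__":
    week = merge_workload(BUSINESS, MANUAL_SECURITY, SCHEDULED_SECURITY)
    for sec, biz in find_collisions(week):
        print(f"{sec.day} {sec.start:05.2f} '{sec.label}' collides with '{biz.label}'")
        print("  earliest free slot that day:", free_slot(week, sec.day, sec.hours))
    print("hours by kind:", hours_by_kind(week))
    print("security hours per user per week:", security_hours(week))
    print("annual cost (assumed 50/h, 200 users):",
          annual_cost(security_hours(week), 50, 200))
```

Run as a script, the model reports the two collisions the diagrams are meant to expose: the full-machine antivirus scan overlapping the CPU-heavy risk modelling on Thursday, and the awareness workshop overlapping the client presentation on Friday. For the Thursday scan it proposes 13:00, the first gap after the modelling run, which is exactly the kind of rescheduling decision the pre-implementation analysis is meant to support. The annual cost figure puts the users’ security time in the same units as the expected benefit of a control, which is what the experts in the validation interviews ask for when they talk about justifying security investments.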
Validation of the model
The purpose of this section is to validate the model and gather relevant feedback from information security experts.
An interview questionnaire was developed to interview information security experts and collect their opinion on the developed model.
Written consent, explaining the ethical and privacy points, was collected prior to each interview. Additionally, permission to use a voice-recording device was obtained for later analysis.
Information, regarding interview procedure, intended questions and brief overview of the study were sent to all participants in advance via e-mail. At least 2 days were allowed for participants to examine the materials and prepare for the interview.
Five interviews were conducted with information security experts. Every interview took place at the participant’s office, at a time convenient for the participant.
Feedback provided by the information security experts was documented and analysed according to the grounded theory method. The following codes were identified:
– Degree of realistic implementation
– Potential benefits
– Business advantages
– Practical implementation
– Impact on security manager’s decision-making process
– Other ways of dealing with the similar issues
– Drawbacks of the model.
Information in this section is presented according to codes, which were discovered during interview process and further data analysis.
- Degree of realistic implementation: all security managers agree that developed model is realistic and can be implemented in the real-world company.
- Potential benefits: all interviewed experts believe that the model is beneficial to their organizations.
- Business advantages: 3 out of 5 security experts were able to name possible economic advantages of implementing the model.
- Practical implementation: 2 out of 5 interviewed security managers agreed to run pilot testing of the model in their organisation.
- Impact on security manager’s decision-making process: 4 out of 5 interviewed experts stated that presented model changed their attitude towards compliance behaviour issues. One security manager commented that this model doesn’t affect his decision-making process.
- Other ways of dealing with the similar issues: no other ways of dealing with issues of impact of users’ behaviour in a proactive manner were presented.
- Drawbacks of the model: all interviewees agree that implementation of the model might be time- and resource-consuming.
This section presents a discussion of interview findings.
Degree of realistic implementation
All the interviewed experts agree that the model could be implemented in a real-world scenario, but commented that it should be refined and validated with real data. For example, one security manager said:
“I think the approach is sound and it’s realistic, but needs validation with the real data. And in the absence of the real data it’s got rather limited value.”
Another expert commented:
“I think that all sounds very interesting. You are definitely on the right track, but you need to collect more data to validate this model.”
Another security manager said:
“I believe it is realistic if it works, it will be relevant to any business. I don’t think many have considered practically addressing this dimension of security in their organisations.”
Security experts can see the potential benefits of implementing the developed model in their companies. For instance, one expert said:
“I think that issue of usability and security is really important. Understanding where those tensions are and then represent those tensions might in some way help us to understand the cost associated with mitigating the risk.”
Another security manager commented:
“This model might help us to highlight where we can be creative and do something slightly different to make it easier for users to do what they want to do and do it in the default secure way. So yes, anything that can help us shed light on that going to be beneficial.”
One expert said:
“I think it’s beneficial, because it allows you to channel these thoughts about users’ workflow versus your workflow. How we squeeze security tasks all together with business activities.”
According to the experts, the developed model yields some direct economic benefits for the company. For example, one security manager suggested:
“It is a very relevant model also from a resource management perspective. How is my staff’s time being utilised? Am I utilising my staff for the best?”
One security expert suggested, that presented model can help him to make better decisions regarding risk assessment and investments in information security controls:
“It can be very valuable input into our risk assessment process and into our security investment decision-making process. Do we want to invest in one security tool or the other? Your model can provide means to compare security investment opportunities.”
Another expert agrees:
“You can understand what the business process is and what security solution would fit the best in order to maximise value.”
Another security manager’s quote supports the same point:
“Security really struggles to justify return on investment. What you could do is, if you actually break it down, saying that during the day a typical user spends thirty minutes doing security activities. That costs, say, 2 million pounds for a user. Does this security control bring 2 million worth of savings in a year? If yes, or more, then it’s worth it. If no, then maybe you are doing the wrong controls. Then maybe you should accept the risk. For example, yes, maybe a USB stick may introduce a virus to the system. Fine, but don’t spend five minutes every time scanning it.”
Some security managers agreed to run a pilot test in their companies. One expert commented:
“It provided a different perspective on security – we have not considered how specific security controls may affect user behaviour and productivity. I would be happy enough to run it as a small pilot to see if it yields the promised results.”
“If it could be used as a means to ensure greater user efficiency/reduced non-compliance, we could consider including it in our security review.”
This indicates that the model could be implemented in real-world companies for future analysis.
Impact on security manager’s decision-making process
The majority of security managers mentioned that the presented model made them realise the impact of their actions on users, and how users might struggle with particular security controls implemented in the company.
Some security managers came up with particular scenarios of how they would now make decisions on the implementation of security controls. One expert said:
“As a result you can make a decision to implement a technology solution that is going to scan all the USB sticks in the background, rather than making each and every user do it manually. The cost of such implementation would be justified by your model. It will save users’ time and you can get a security benefit as well.”
However, one security manager confessed that this model would not change the way he makes decisions on security policy implementation:
“If it ain’t broken – don’t fix it! If the process we have in place is already compliant, I will not risk changing it just to satisfy the users who are not complaining anyway.”
The results imply that the developed model helped most of the security managers to change their attitude towards compliance behaviour in their companies.
Other ways of dealing with the similar issues
All of the interviewed security managers agree that they are not actively dealing with issues of negative impact of security controls on users’ performance. One expert said:
“It’s very passive. The impact on users is important but it’s not the issue I spend a lot of time thinking about. Our approach is more reactive. The model presented, on the other hand, is a more proactive technique.”
“Very informally. We don’t really draw on a real data. I think, having a framework of some description would be very useful. Something that focuses that kind of thinking.“
One security manager said that he never considered users being part of the system, hence never used any techniques, as mentioned in the following quote:
“We never considered user compliance from this perspective before – so have not considered / applied alternative principles.”
Drawbacks of the model
All interviewees agree that implementation of the model might be time- and resource-consuming. One expert commented:
“You need an easier way to implement it – that’s the biggest challenge. Because you need to come up with all users’ business tasks, then all security tasks, and then map them all together. All these things have to also be categorised and measured. And humans are very difficult to measure.”
Another manager mentioned:
“Getting it implemented I see as a big challenge. But once it’s implemented you can get a really good value.”
“The method is very good, but it takes a lot of effort to compile this.”
Despite identified possible benefits, the model is considered to be difficult to implement. Cost-benefit analysis could be performed to support the decision on the implementation of the model.
According to the security experts, the model can yield additional benefits to the company, such as optimisation of security activities, cost reduction, and information security projects investment justification.
The interview results reveal the main benefit of the model: it points a security manager in the direction of a better understanding of the users in his company. It provides the means to gain an insight into users’ core business activities and reflect on how they relate to the security tasks. This can help security managers to come up with more usable security policies and reduce the number of potential complaints, and instances of violation of security policy.
As some of the interviewees suggested, the security manager can implement this model in any company: all he has to do is pick a process, pick a regulation and then apply the model. Moreover, this model can help the security manager to understand how much time users in his company spend on various security activities. This information can be used to make better investment decisions and to optimise security policy. Additionally, understanding that the security manager’s compliance decisions affect the whole organisation may result in cost savings from pre-implementation security analysis and its relation to the main business processes of the company.
Despite the potential benefits, the model has drawbacks. Interview results suggest that implementation of the model might be time- and resource-consuming. To assess the degree of this problem, real-world data should be collected. Moreover, as one expert mentioned, the model has limited value in the absence of real data. The limited time scope of the current project did not allow the validation of the model with such data. Furthermore, access to real data was restricted due to the protective attitude of companies, which do not want to be seen in a bad light.
Attitudes towards information security policy and its effect on users’ business activities should be measured before and after implementing the model in the company in order to assess the effectiveness of the model.
ISO 27001 Standard is high-level and provides only basic recommendations on implementation of security controls. This fact gives a security manager in a company a lot of flexibility in choosing particular information security policies.
When making a decision on how to introduce new security controls to achieve compliance with the ISO 27001 standard, security managers lack a clear process and rely mostly on their past experience.
Such lack of a clear process and guidance from ISO 27001 may result in arbitrary implementation of information security controls, which will collide with the core business activities of users in the company.
This article presents a scenario of such implementation and provides specific examples of how those controls may affect users’ behaviour.
Scrooge Bank is a global financial services firm, offering a range of solutions, including asset management, strategic advice, money lending, and risk management to clients in more than 100 countries.
From the organisational structure standpoint, Scrooge Bank consists of three departments in the business unit and three departments in the support unit.
The Chief Information Security Officer (CISO) reports directly to the Compliance and Risk Manager, and is responsible for ensuring legal and regulatory compliance, data loss prevention activities, and security incident management.
A decision taken by the CISO affects the whole organisation, including the analyst in the Investment Banking Department.
The business process
An analyst is a typical role in Scrooge Bank. He is involved in various business activities during the week.
On a weekly basis the analyst receives information from the client. There are several ways he can obtain this data: it might be copying information on a USB stick during a face-to-face meeting, or via e-mail as an attachment.
There are instances when the information received was exported from the client’s proprietary software products, which are not directly compatible with the widely used packages, such as Microsoft Excel, used by the analyst. Hence, the analyst is forced to use special data extraction software to access the data.
On a regular basis, the analyst needs to search for additional information on the Internet to prepare a report for the client.
Once a week he runs data analysis software to analyse the potential risk for the client. This software is very powerful and commonly used in Scrooge Bank. However, it analyses vast amounts of data and consumes a lot of CPU time and memory.
When a report is finalised, the analyst exports it on a USB stick in order to present it to the Client.
Compliance requirements, controls implementation and impact on users’ behaviour
In order to more effectively protect against malicious code, Scrooge Bank decided to implement the ISO 27001 Standard. According to chapter 10.4.1 of the standard, “Controls against malicious code”, “detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented.”
The ISO 27001 Standard suggests that “Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code. Software and information processing facilities are vulnerable to the introduction of malicious code, such as computer viruses, network worms, Trojan horses, and logic bombs. Users should be made aware of the dangers of malicious code. Managers should, where appropriate, introduce controls to prevent, detect, and remove malicious code and control mobile code.”
The Standard also recommends particular security controls to be implemented in order to protect against malicious code. In order to address the described issues and ensure formal compliance with the Standard, the security manager decides on the following implementation of the security controls. The examples below also show how users in various departments of the company could potentially violate the security policy, because it prevents them from performing their main business tasks.
| ISO 27001 control implementation guidance | Context | Behavioural impact |
|---|---|---|
| Establishing a formal policy prohibiting the use of unauthorized software | Scrooge Bank’s CISO came up with a policy document outlining a list of authorized software which can be installed on users’ workstations according to the principle of least privilege: users should only have the access they require to perform their day-to-day activities and no more. Each department contributed to the policy, submitting a list of software which is essential to carrying out tasks by employees in that department. After finalizing this list, all users were denied access to install any new software without written permission from the CISO. | John is performing an analysis of the company for the client. The deadline is fast approaching but there is still a lot of work to be done. The night before the deadline, John realizes that in order to finalize his analysis he requires a special data analysis tool which was not included in the list of authorised software. He is also unable to install it on his workstation, because he doesn’t have the required privileges to install new software. Getting formal written approval from the CISO is not feasible, because it is going to take too long. John decides to copy the sensitive information required for the analysis to his personal laptop using a USB flash drive to finish the analysis at home, where he can install any software he wants. John understands the risk but he also wants to get the job done in order to avoid missing the deadline and get a good performance review at the end of the year. Unfortunately he leaves his bag with the USB stick in the taxi on the way home. He never tells anyone about this incident to avoid embarrassment. |
| Establishing a formal policy to protect against risks associated with obtaining files and software either from or via external networks, or on any other medium, indicating what protective measures should be taken | In order to prevent obtaining files and software either from or via external networks, or on any other medium, the CISO established a policy restricting the use of file sharing websites and limiting access to CD/DVD and USB flash drives. According to the policy, if a user wants to obtain a specific file from the internet or from an external device, he has to file a written request to his manager, who will decide if this file is essential to performing his duty. After management’s approval, an Information Security Department employee will process this request, downloading the file or copying it from the external medium using a special isolated PC with thorough antivirus checks. | Mary works closely with a client to finalise her report on risk analysis for an international energy company. She works directly with the CFO of this company, who is very impatient and busy with other tasks. Mary doesn’t want to annoy him, because he may complain directly to her line manager and she could be disciplined, because this is a very important client which brings millions to the company. The client is not aware of the new policy which was recently implemented by the CISO of Scrooge Bank and uploads important pieces of information to a file sharing website in the form of an encrypted archive, because it is too big to transfer over corporate e-mail. He communicates the password to Mary over the phone and sends her the link. Mary was scared to explain the new policy to the client and right now she is unable to access this file to finalise her report. She decided to go to an internet café during her lunch break and download the important file from there, understanding the risk but realising that getting all the necessary approvals may take far too long. At the internet café she not only downloads the encrypted file but also opens it on the local machine to check its integrity, to avoid having to return, because she won’t have any breaks later in the day. Because the internet café is far from the office and she hasn’t had her lunch yet, she hurries and forgets to delete the decrypted file from the machine in the internet café. She realizes her mistake when she’s back in the office but thinks that it is not a big deal and nothing bad can happen. |
| Conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated | The CISO established a procedure of monthly checks of users’ workstations for the presence of unauthorized data and software. If such data or software were found, the employee would be given a warning. After three warnings he would be fired for non-compliance with the security policies of the company. | Juliet uses data and files in her analysis which she obtained from various sources, and she is not sure whether they are approved or not. She is afraid to clarify this situation with the CISO, because she is afraid of being fired. In order to avoid being caught using such files, she decided to store this information on her personal laptop. But after a while she realised that it takes too long to copy and delete data between her corporate PC and her personal laptop, hence she decided to process all the information, including sensitive information, on her personal computer. As always, she took her laptop with her on holiday, but it was stolen in a public place. |
| Installation and regular update of malicious code detection and repair software to scan computers and media as a precautionary control, or on a routine basis; the checks carried out should include: 1) checking any files on electronic or optical media, and files received over networks, for malicious code before use; 2) checking electronic mail attachments and downloads for malicious code before use; this check should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization; 3) checking web pages for malicious code | The CISO implemented antivirus software on each workstation and configured automatic daily full machine scans to ensure that no malicious code was present on workstations. The CISO also established a formal policy which requires every employee to run manual antivirus checks before opening e-mail attachments and using electronic or optical media. | Robin is a derivatives trader. Time and efficiency are critical success factors for him. Robin carries out thousands of deals per day using the electronic terminal on his PC. Introducing the new antivirus software slowed down his workstation performance, especially during full machine scans. This directly affects his job performance: he is unable to act as fast as before and misses many valuable opportunities. Robin understands the risk of malicious software but he is also frustrated by his inability to work as efficiently as before. He finds a way to manually disable the antivirus agent on his PC. During a search for information on the internet he accidentally accesses a spoofed website and introduces a Trojan onto his workstation. With no antivirus software to prevent malware from stealing sensitive information from his PC, it becomes a victim. |
| Defining management procedures and responsibilities to deal with malicious code protection on systems, training in their use, reporting and recovering from malicious code attacks | The CISO developed a set of procedures to prevent malicious code. According to these procedures, each head of a department is responsible for preventing malicious code attacks in his/her department. The CISO wants to raise awareness, train and educate users in how to record, prevent and recover from malicious code attacks. He decided to run regular monthly workshops to achieve these goals. | Employees of the organization do not show up for the workshops and do not pay attention, because the CISO’s efforts are driven mainly by corporate directives rather than security needs. Moreover, the programme is the same for everyone, regardless of roles and responsibilities, and it doesn’t change from year to year. |
| Preparing appropriate business continuity plans for recovering from malicious code attacks, including all necessary data and software back-up and recovery arrangements | The CISO developed appropriate plans identifying critical information assets, gathering input from asset owners. The CISO also performs data back-ups on a regular basis and maintains recovery arrangements. | Scrooge Bank recently acquired a small company and all of its IT infrastructure. Because the CISO failed to update the business continuity plan in a timely manner to include the recent changes, the company was very inefficient in recovering from a malicious code attack. Furthermore, employees weren’t familiar with what they should do in this situation due to a lack of education and involvement during plan testing. |
| Implementing procedures to regularly collect information, such as subscribing to mailing lists and/or checking web sites giving information about new malicious code | The CISO assigned regular collection of information about new malicious code to a member of the Information Security Department in addition to the other tasks he performs. | An employee of the Information Security Department receives too much information daily from antivirus vendors’ websites and mailing lists, so he started to ignore it and focus more on his main tasks (i.e. handling information security incidents). |
| Implementing procedures to verify information relating to malicious code, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malicious code, are used to differentiate between hoaxes and real malicious code; all users should be made aware of the problem of hoaxes and what to do on receipt of them | The CISO wants to raise awareness among employees of the issue of hoaxes. He decided to run regular monthly workshops to achieve this goal. | People don’t attend the information security awareness training workshops, because they are scheduled on the same day as an important meeting with the client. |
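The first and third rows of the table describe an allowlist of authorised software, a written-exception route via the CISO, and a monthly review of workstations that escalates repeated findings. The script below is an added example of how such a review could be automated; it is not the page's own material, and the departments, package names, employee names and inventories are constructed. It shows two points the table makes only in prose: an approved written exception (John's tool) is not a finding, while software that never went through the exception route accumulates warnings month after month.

```python
# Added example (not from the page or any real product): monthly review of
# workstation software against per-department allowlists, following the
# ISO 27001 control "regular reviews of the software ... content of systems".
# All inventories, departments, package names and employees are constructed.

from collections import defaultdict
from dataclasses import dataclass

# Per-department allowlists as submitted by each department (constructed).
ALLOWLIST = {
    "analysis": {"office-suite", "pdf-reader", "stat-toolkit"},
    "trading": {"office-suite", "trading-terminal", "market-feed"},
}

# Written exceptions granted by the CISO, as (employee, package) pairs (constructed).
APPROVED_EXCEPTIONS = {("john", "data-analysis-tool")}

# The scenario's own rule: a warning per monthly finding, escalation at three.
WARNING_THRESHOLD = 3


@dataclass
class Workstation:
    employee: str
    department: str
    installed: set


@dataclass
class ReviewResult:
    employee: str
    unauthorized: list          # packages to be formally investigated
    unknown_department: bool = False


def review_workstation(ws: Workstation) -> ReviewResult:
    """Compare installed software with the department allowlist plus any
    written exceptions granted to this employee."""
    allowed = ALLOWLIST.get(ws.department)
    if allowed is None:
        # No allowlist on file for this department: nothing can be judged
        # approved, so every package is flagged for investigation.
        return ReviewResult(ws.employee, sorted(ws.installed), unknown_department=True)
    exceptions = {pkg for (emp, pkg) in APPROVED_EXCEPTIONS if emp == ws.employee}
    unauthorized = sorted(ws.installed - allowed - exceptions)
    return ReviewResult(ws.employee, unauthorized)


def run_monthly_review(workstations, ledger):
    """Review every workstation once. A workstation with findings adds one
    warning to the employee's ledger entry.
    Returns {employee: (unauthorized packages, warning count, at_threshold)}."""
    report = {}
    for ws in workstations:
        result = review_workstation(ws)
        if result.unauthorized:
            ledger[ws.employee] += 1
        count = ledger[ws.employee]
        report[ws.employee] = (result.unauthorized, count, count >= WARNING_THRESHOLD)
    return report


# Constructed sample inventories mirroring the table's characters.
WORKSTATIONS = [
    Workstation("john", "analysis", {"office-suite", "stat-toolkit", "data-analysis-tool"}),
    Workstation("juliet", "analysis", {"office-suite", "pdf-reader", "unapproved-scraper"}),
    Workstation("robin", "trading", {"trading-terminal", "market-feed"}),
]


def demo(months: int = 3):
    """Run the review for several consecutive months and return the last report."""
    ledger = defaultdict(int)
    report = None
    for _ in range(months):
        report = run_monthly_review(WORKSTATIONS, ledger)
    return report


if __name__ == "__main__":
    for employee, (findings, warnings, escalate) in demo().items():
        print(f"{employee}: findings={findings} warnings={warnings} escalate={escalate}")
```

The point of separating `APPROVED_EXCEPTIONS` from `ALLOWLIST` is that the review only works as a detective control if the exception route is fast enough for users to actually take it; in the table John never obtains the written permission, so a script like this would record his workstation as clean while the sensitive data had already left on a USB stick.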
The table shows that, regardless of the fact that the CISO developed a set of information security policies and implemented controls to ensure compliance with the ISO 27001 Standard, users managed to find workarounds which negatively affected the company as a whole. In each and every case users violated the security policy in order to accomplish their main business tasks.
The additional security controls added by the CISO not only introduced additional cognitive burdens on the analyst, but also placed obstacles preventing him from performing his core business tasks.
For example, the information security awareness training workshop was scheduled on the same day that the analyst had an important meeting with the client, and he had to skip it in order to meet his deadline. Additionally, he managed to shut down the antivirus agent on his workstation because the scheduled manual antivirus checks consume too many resources, which are needed to run his risk simulation and analysis software. The analyst also skips manual antivirus and anti-phishing checks either because they are too time consuming or because he is worried about the integrity of the data.
This chapter presented a scenario of a particular realistic implementation of security controls which can lead to a large number of collisions between security and business tasks.
This scenario emphasises the importance of making users part of the system when implementing security controls.
It is difficult to ensure effectiveness of information security programme in the company without paying attention to users’ behaviour. One of the challenges for the security manager, when implementing information security policy, is to differentiate between malicious non-compliance and non-compliance due to the obstruction of business activities.
The main goal of this project is to gain an insight into information security behavior issues, from both an end-users’ and security managers’ perspectives. The study aims to develop a model to support security managers’ decision-making process when implementing security policy in the organisation. It is important to help security managers make a user a part of the system and to go beyond formal box-ticking when ensuring compliance with legal and regulatory requirements.
In order to achieve the objectives of the study, a method consisting of three parts was followed: presenting an example scenario and developing a model to address the research question in the first part, a survey and interviews in the second part, and interviews in the third part.
Stage one: Develop a model
The objective of the first stage is to motivate the research problem by presenting an example scenario of a poorly implemented security policy in a fictitious company, and to develop a model to support the security manager’s decision-making process when implementing security controls in a company.
The example scenario presents the hypothesis that users’ experience and the role of the manager are mismatched: the manager may think that the user’s effort is unlimited. At the moment there is no way of directly comparing users’ and security managers’ perception of the behavioural impact of security policy in organisations.
The model is developed to support security managers’ decision-making process when implementing security policy in a company and to provide a tool for assessing users’ workload from security tasks.
The following stage shows that the described mismatch exists and that the developed model deals with the outlined problem.
Stage two: Comparing views on security compliance behaviour in an organisation
The aim of the second part is to gather real-world data to highlight the importance of security compliance behavior and identify relevant problems which can arise when a security manager chooses a particular way of implementing information security controls in the organization. Moreover, this part aims to compare views of security managers and users on the problem of compliance behaviour.
For the purpose of this stage a combination of qualitative and quantitative methods was used.
As a part of the quantitative method, semi-structured interviews with five information security experts were conducted. In parallel 64 users were surveyed using an online surveying platform. For the purpose of the survey, eleven multiple-choice questions were developed, in collaboration with an academic with experience in this field.
Stage three: Validation of the developed model
The goal of the third stage of the study was to validate the model and gather relevant feedback from information security experts.
Five semi-structured interviews were conducted with information security experts.
Invitations for an interview were also distributed to outline the approximate duration of the interview, intended questions, to give insight on the procedure and to provide high-level information on the study.
Written consents were collected from the interviewees prior to the interview.
Interviews with security experts consisted of two parts:
- General questions on the security manager’s decision-making process regarding the implementation of security controls when ensuring compliance within the company (Stage two).
- Validating the model to support the security manager’s decision-making process (Stage three).
Pilot interviews were first carried out. Feedback gathered from the pilot interviews was used to improve model presentation technique, modify existing questions, and add new questions. Materials from the pilot interviews were not included in the thesis.
Each interview took approximately 50 minutes. All interviews were conducted face-to-face and at participants’ offices at a time convenient for them.
In the second part of the interview the same experts were presented with the model after they had answered the questions on the importance of compliance behaviour. The study aims to assess how the presented model changed their decision-making process when thinking in terms of making users an essential part of the system.
Audio recordings were subsequently used by the researcher to develop interview transcripts, parts of which are presented in this work to support various points and provide insight on relevant issues.
Security managers in companies lack a clear process to implement security controls in order to ensure compliance with various regulations and standards.
Interviews with experts show that security managers may take ISO 27001 standard as a framework and then make a decision on any particular implementation based on their experience.
Such implementations run the risk of creating collisions with users’ business activities and result in violation of security policies in the company, because they introduce friction with the business process. Users try to avoid such friction. It is important, however, to differentiate between malicious non-compliance and cases when security policy obstructs business processes leading to workarounds.
This piece of research presents example scenarios of such clashes and explores the root causes of events of non-compliance.
A model is developed that supports security managers’ decision-making process and incorporates users into the system in a way that mitigates the negative impact on users’ behaviour of security policy.
A combination of quantitative and qualitative methods is applied to research the perception of information security by both users and security managers: the survey was created and 64 participants were surveyed to gain an insight into users’ perspective of implemented information security controls; semi-structured interviews with five experts were conducted, who have seven or more years of experience in the information security field and currently hold managerial positions.
The study illustrates that a company can be formally compliant but still inefficient in performing its revenue-generating activities. Moreover, there is a mismatch between users’ and security managers’ perceptions: security managers think that they are already paying attention to the users, but 23% of users complain that security activities negatively affect their performance.
The presented model is validated by information security experts and provides clear guidance to security managers in organisations as to implementation of security controls. The majority of experts liked the approach, but said that it needs to be tried with real-world processes.