This article presents the model for analysis and visualisation of a company’s security policy building on the example scenario in relation to productive business activities.
The model aims to provide the means of comparing the perception of security tasks from both users’ and security managers’ points of view and optimising security activities in the company.
A guide for the security manager
On the one hand, violation of compliance requirements may result in significant losses for an organisation. On the other hand, poorly implemented security policies may obstruct users’ goal-driven behaviour and may result in non-compliance.
The scenario suggests that the CISO takes ISO 27001 as a framework and then makes a decision on a particular implementation based on his knowledge and past experience. As illustrated by the scenario lack of clear guidance in this decision-making process may result in the situation in which a company is formally compliant with the standard but users perform their core business activities inefficiently and/or are forced to violate poorly implemented security policies.
By directly comparing security requirements and business processes, the security manager can analyse ISO 27001 policy compliance controls and their consequences in terms of affecting user behaviour.
In order to ensure that users in the organisation will comply with security policies, the security manager should broaden his perspective and make users a part of the system. It is important to differentiate between malicious non-compliance and cases when security policy obstructs core business process.
|Primary task optimised||Yes||V||(X)|
Relation between policy compliance and optimisation of the primary task
“V” – CISO is satisfied with users’ compliance efforts.
“X” – CISO is not satisfied with users’ compliance efforts.
“(X)” – the case when users perform their tasks efficiently, but not compliant with security policy.
“(V)” – the case when users are formally compliant with security policy, but it prevents them from carrying out their tasks efficiently.
The table emphasises the fact that regardless of formal compliance, users’ perform their core business activities in the inefficient manner due to poorly implemented security controls. The security manager also should pay attention to cognitive burdens and availability aspects of recommended solutions.
In order to mitigate the risk of poor implementation of security controls, the security manager should follow clear processes when implementing ISO 27001 controls.
Such guidance supports the security manager’s decision-making process. This method also gives the security manager an opportunity to reflect on his policy implementation in the context of the particular scenario.
Going beyond formally ensuring compliance, this method presents two rounds of compliance checks:
– Check if organization is compliant (formal box-ticking exercise)
– Check for collisions with core users’ tasks.
In order to minimise the probability of repeating scenario the security manager should pay more attention to users’ day-to-day business activities.
As a first step of the process, the security manager should gain an insight on users’ typical business activities. After understanding typical business activities, the security manager could visualise them for example in form of the workweek schedule.
User’s main business process
For instance, the security manager finds out that the analyst runs data analysis software to model risks on Thursday to include this data in his report, which he usually presents at the end of each week to the client.
Furthermore, by gathering information on users’ manual security tasks, the information security manager estimates current users’ workload.
User’s manual security tasks
The information security manager identifies unique security tasks that users undertake during the week and use this information to make those tasks invisible to user. In this case, users would feel less obstructed in completing business tasks. But those activities are still taking place in the background. Only by identifying them, mapping them, and prioritising them could the security manager then do something about them.
Next, as a part of security pre-implementation process of security controls, the security manager looks at scheduled security activities, such as periodic security awareness workshops, review of software and data on users’ workstations or full machine antivirus scans.
Scheduled security activities
Merging all these diagrams together helps the security manager to understand total users’ workload and come up with a more effective implementation of security controls, which will not introduce collisions with core security tasks.
Total user’s workload
In order to make a decision on a particular implementation of security controls, the security manager should identify how users in his company perceive their security workload and which security tasks they carry out already.
At the moment, there is a possibility to of misconception of perceptions of security tasks of security managers and users. Developed model addresses this issue and helps the CISOs to manage their decision-making process more effectively. Moreover, comparing the security manager’s and users’ perceptions helps to uncover a number of unique security activities, and the amount of time users spend on them.
Validation of the model
The purpose of this section is to validate the model and gather relevant feedback from information security experts.
An interview questionnaire was developed to interview information security experts and collect their opinion on the developed model.
Written consent was collected prior to the interview to explain ethical and privacy points. Additionally, permission to use voice-recording device was obtained for future analysis.
Information, regarding interview procedure, intended questions and brief overview of the study were sent to all participants in advance via e-mail. At least 2 days were allowed for participants to examine the materials and prepare for the interview.
Five interviews were conducted out with information security experts. Every interview took place at participant’s office and at convenient time.
Feedback, provided by information security experts was documented and analysed according to grounded theory method. The following codes were identified:
– Degree of realistic implementation
– Potential benefits
– Business advantages
– Practical implementation
– Impact on security manger’s decision-making process
– Other ways of dealing with the similar issues
– Drawbacks of the model.
Information in this section is presented according to codes, which were discovered during interview process and further data analysis.
- Degree of realistic implementation: all security managers agree that developed model is realistic and can be implemented in the real-world company.
- Potential benefits: all interviewed experts believe that the model is beneficial to their organizations.
- Business advantages: 3 out of 5 security experts were able to name possible economic advantages of implementing the model.
- Practical implementation: 2 out of 5 interviewed security managers agreed to run pilot testing of the model in their organisation.
- Impact on security manager’s decision-making process: 4 out of 5 interviewed experts stated that presented model changed their attitude towards compliance behaviour issues. One security manager commented that this model doesn’t affect his decision-making process.
- Other ways of dealing with the similar issues: no other ways of dealing with issues of impact of users’ behaviour in a proactive manner were presented.
- Drawbacks of the model: all interviewees agree that implementation of the model might be time- and resource-consuming.
This section presents a discussion of interview findings.
Degree of realistic implementation
All the interviewed experts agree that the model could be implemented in the real-world scenario, but commented that it should be refined and validated with the real data. For example, one security manager said:
“I think the approach is sound and it’s realistic, but needs validation with the real data. And in the absence of the real data it’s got rather limited value.”
Another expert commented:
“I think that’s all sounds very interesting. You are definitely on the right track, but you need to collect more data to validate this model.”
Another security manager said:
“I believe it is realistic if it works, it will be relevant to any business. I don’t think many have considered practically addressing this dimension of security in their organisations.”
Security experts can see the potential benefits of implementing developed model in their companies. For instance, one expert said:
“I think that issue of usability and security is really important. Understanding where those tensions are and then represent those tensions might in some way help us to understand the cost associated with mitigating the risk.”
Another security manager commented:
“This model might help us to highlight where we can be creative and do something slightly different to make it easier for users to do what they want to do and do it in the default secure way. So yes, anything that can help us shed light on that going to be beneficial.”
One expert said:
“I think it’s beneficial, because it allows you to channel these thought about users’ workflow versus your workflow. How we squeeze security tasks all together with business activities.”
According to the experts, developed model yields some direct economic benefits for the company. For example, one security manager suggested:
“It is a very relevant model also from resource management perspective. How is my staffs’ time being utilised? Am I utilising my staff for the best? ”
One security expert suggested, that presented model can help him to make better decisions regarding risk assessment and investments in information security controls:
“It can be very valuable input into our risk assessment process and into our security investment decision-making process. Do we want to invest in one security tool or the other? Your model can provide means to compare security investment opportunities.”
Another expert agrees:
“You can understand what the business process is and what security solution would fit the best in order to maximise value.”
Another security manager’s quote supports the same point:
“Security really struggles to justify return on investment. What you could do is if you actually will break it down, saying that during the day typical user spends thirty minutes doing security activities. That cost, say 2 million pounds for a user. Does this security control bring 2 million worth saving in a year? If yes, or more, then it worth it. If no, then maybe you are doing the wrong controls. When maybe you should accept the risk. For example, yes maybe USB stick may introduce a virus to the system. Fine, but don’t spend five minutes every time scanning it.”
Some security managers agreed to run a pilot test in his company. One expert commented:
“It provided a different prospective on security – we have not considered how specific security controls may affect user behavior and productivity. I would be happy enough to run it as a small pilot to see if it yields promised results.”
“If it could be used as a means to ensure greater user efficiency/reduced non-compliance, we could consider including it in our security review.”
This indicates that the model could be implemented in the real-world companies for the future analysis.
Impact on security manger’s decision-making process
The majority of security mangers mentioned that presented model made them realise the impact of their actions on users and how they might struggle with particular security controls they implemented in the company.
Some security mangers came up with particular scenarios of how they would now make decision on implementation of security controls: On expert said:
“As a result you can make a decision to implement a technology solution that going to scan all the USB sticks in the background, rather than making each and every user do it manually. The cost of such implementation would be justified by you model. It will save user’s time and you can get security benefit as well.”
However, one security manager confessed that this model would not change the way he makes decision on security policy implementation:
“If it ain’t broken – don’t fix it! If the process we have in place is already compliant, I will not risk changing it just to satisfy the users who are not complaining anyway.”
The results imply that developed model helped most of the security managers to change their attitude towards compliance behaviour in their companies.
Other ways of dealing with the similar issues
All of the interviewed security managers agree that they are not actively dealing with issues of negative impact of security controls on users’ performance. One expert said:
“It’s very passive. The impact on users is important but it’s not the issue I spend a lot of time thinking about. Our approach is more reactive. The model presented, on the other hand, is more proactive technique.”
“Very informally. We don’t really draw on a real data. I think, having a framework of some description would be very useful. Something that focuses that kind of thinking.“
One security manager said that he never considered users being part of the system, hence never used any techniques, as mentioned in the following quote:
“We never considered user compliance from this perspective before – so have not considered / applied alternative principles.”
Drawbacks of the model
All interviewees agree that implementation of the model might be time- and resource-consuming. One expert commented:
“You need an easier way to implement it – that’s the biggest challenge. Because you need to come up with all users’ business tasks, then all security tasks, and then map them all together. All these things have to also be categorised and measured. And humans a very difficult to measure.”
Another manager mentioned:
“Getting it implemented I see as a big challenge. But once it’s implemented you can get a really good value.”
“The method is very good, but it takes a lot of effort to compile this.”
Despite identified possible benefits, the model is considered to be difficult to implement. Cost-benefit analysis could be performed to support the decision on the implementation of the model.
According to the security experts, the model can yield additional benefits to the company, such as optimisation of security activities, cost reduction, and information security projects investment justification.
The interview results reveal the main benefit of the model: it points a security manager in the direction of a better understanding of the users in his company. It provides the means to gain an insight into users’ core business activities and reflect on how they relate to the security tasks. This can help security managers to come up with more usable security policies and reduce the number of potential complaints, and instances of violation of security policy.
As some of the interviewees suggested, the security manager can implement this model in any company: all he has to do is to pick a process, pick a regulation and then apply the model. Moreover, this model can help the security manager to understand how much time users in his company spend on various security activities. This information can be used to make better investment decisions, and help in security policy optimisation. Additionally understanding that the security manager’s compliance decisions affect the whole organisation may result in cost savings from pre-implementation security analysis and its relation to main business processes of the company.
Despite the potential benefits, the model has drawbacks. Interview results suggest that implementation of the model might be cost- and resource-consuming. To assess the degree of such problem, real-world data should be collected. Moreover, as one expert mentioned, the model has limited value in the absence of the real data. The limited time scope of the current project didn’t allow the validation of the model with such data. Furthermore, access to the real data was restricted due to protective attitude of the companies who don’t want to be seen in bad light.
Attitudes towards information security policy and its effect on users’ business activities should be measured before and after implementing the model in the company in order to assess the effectiveness of the model.