Information security policy compliance, business processes and human behaviour
Posted: September 10, 2013
This article aims to review the literature on information security policy compliance issues and their relation to core business processes in the company and users’ behaviour. It also provides an insight into particular implementation examples of the ISO 27001 Standard, and methods of analysis of the effectiveness of such implementations.
Information security issues in organisations were raised long before the rapid development of technology. Companies have always been concerned with protecting their confidential information, including their intellectual property and trade secrets. There are many possible approaches to addressing information security. Wood  points out that security is a broad subject including financial controls, human resource policies, physical protection and safety measures. However, Ruighaver et al.  state that information security is usually viewed as a purely technical concern and is expected to have a purely technical solution. On the other hand, Schneier , Lampson , and Sasse and Flechais  emphasise the people aspect of security: people play a crucial role, since they are the ones who use and implement security controls.
As stated by Anderson , it is essential to define information security properly in order to give due weight to all these aspects.
The Standard for Information Security Management ISO 27001  defines information security as “the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximise return on investments and business opportunities.”
Dhillon  states that security issues in organisations can arise from the absence of an information security policy. One way to implement such a security policy is to take the ISO 27001 standard as a framework.
ISO 27001 Standard
The ISO 27001 Standard, a member of the ISO 27000 family of standards, evolved from the British national standard BS7799 . It aims to provide guidance on managing the risk associated with threats to the confidentiality, integrity and availability of an organisation’s assets. Such assets, as defined in ISO 27001 , include people, software, hardware, services, etc.
Doherty and Fulford , Von Solms , and Canavan  all came to the conclusion that well-established standards such as ISO 27001 might be a stepping-stone to implementing good information security programs in organisations.
However, Anttila and Kajava in their study  identify the following issues with ISO 27001 Standard:
– The standard is high-level, and its basic concepts are not presented consistently.
– It is hard to measure the business benefits of implementing this standard.
– The process management it presents does not fully support current business practices.
– The standard struggles to recommend solutions for contemporary business environments.
Neubauer et al.  in their research state that the main problem with security standards, including ISO 27001, is their “abstract control definition, which leaves space for interpretation”. Furthermore, the authors suggest that companies focus on obtaining formal certification and often do not assess and put in place adequate security controls according to their main business goals. Ittner et al.  support this point, adding that organisations also fail to estimate the effectiveness of their investments in such initiatives.
According to Sharma and Dash , ISO 27001 does not provide detailed guidance and requires a substantial level of expertise to implement. Moreover, the authors claim that “If risk assessment is flawed, don’t have sufficient security and risk assessment expertise, or do not have the management and organizational commitment to implement security then it is perfectly possible to be fully compliant with the standard, but be insecure.” The results of their study suggest that the organisations that participated in the study implemented information security mainly to comply with legal and regulatory requirements. The consequence was the low cost-effectiveness of such implementations. However, the researchers do not analyse the level of users’ acceptance of the implemented controls. The authors also fail to recommend an approach that would support a security manager’s decision-making process when implementing ISO 27001 Standard controls.
Karabacak and Sogukpinar in their paper  present a flexible and low-cost ISO 17799 compliance check tool. The authors use qualitative techniques to collect and analyse data and state that “the success of our method depends on the answers of surveyors. Accurately answered questions lead to accurate compliance results.” However, the researchers stop short of analysing the impact of compliance with the security policy on users’ behaviour. The authors do not consider that a security manager’s decisions regarding a particular implementation of the security policy affect the organisation as a whole and may introduce additional cognitive burdens for users. In extreme cases (e.g. where controls obstruct core business processes) these burdens may result in non-compliance, as users prioritise their primary task.
Vuppala et al. in their study  discuss their experience of implementing an ISO 27001 information security management system. One of the most important lessons learnt was developing an understanding of the role of users’ behaviour in this process. The authors recommend to “not make drastic changes to the current processes; this will only infuriate the users. Remember, users are an important, if not the most important, part of the overall security system.”
Johnson and Goetz in  conducted a series of interviews with security managers to identify the main challenges of influencing employees’ behaviour. The results of this study revealed that security managers rely extensively on information security policies, not only as a means of ensuring compliance with legal and regulatory requirements, but also to guide and direct users’ behaviour.
To explore the question of the impact on users’ behaviour while implementing security policies, the following theories were researched:
1. Theory of Rational Choice – a framework that provides insight into social and economic behaviour. It implies that users tend to maximise their personal benefits . Beautement et al. in their paper  use this theory as a foundation for explaining how people decide whether or not to comply with a particular information security policy.
Herley  suggests that it is rational for users not to comply with a security policy when the perceived risk reduction is lower than the effort required.
2. Protection Motivation Theory – a theory which describes four factors that individuals consider when trying to protect themselves :
– perceived severity
– probability of the adverse event
– efficiency of the preventive behaviour
Siponen builds on this theory to gain an understanding of individuals’ attitudes towards compliance with security policies, and refers to it in order to study the impact of punishment on actual compliance and on the intention to comply , .
3. The Theory of General Deterrence – this suggests that users will not comply with the rules if they are not concerned about punishment .
4. Theory of Planned Behaviour – this suggests that subjective norms and perceived behavioural control influence individuals’ behaviour . Siponen  and Pahnila  found that social norms play a significant role in users’ intention to comply.
These theories suggest that to effectively protect a company’s assets, the security manager should develop and implement security policies not only to ensure formal compliance with legal and regulatory requirements, but also to make sure that users are considered as a part of the system. Policies should be designed in a way that reduces the mental and physical workload of users , .
Business process visualisation and compliance
It is important to consider information security compliance and users’ behaviour in the context of the company. Users in organisations are involved in activities that can be represented as business processes.
A business process is defined as a set of logically related tasks (or activities) performed to achieve a defined business outcome .
Continuous monitoring of business processes is essential for any organisation. This can be achieved by visualising the business processes . However, such visualisations are usually complex, owing to the number of different users or user roles in large companies . Barrett  also argues that it is essential to create a “vision of the process” in order to re-engineer it successfully.
Namiri and Stojanovic in their paper  present a scenario demonstrating a particular business process and implement the controls necessary to achieve compliance with regulatory requirements. The authors separate business objectives from control objectives, introducing two roles: a business process expert, who is motivated solely by business objectives, and a compliance expert, who is concerned with ensuring the compliance of a given business process.
 Adams, A. and Sasse, M.A. 1999. Users are not the enemy. Commun. ACM. 42, 12 (Dec. 1999).
 Ajzen, I. 1991. The theory of planned behavior. Organizational Behavior and Human Decision Processes. 50, 2 (Dec. 1991).
 Anderson, J.M. 2003. Why we need a new definition of information security. Computers & Security. 22, 4 (May 2003).
 Anttila, J. and Kajava, J. 2010. Challenging IS and ISM Standardization for Business Benefits. ARES ’10 International Conference on Availability, Reliability, and Security, 2010 (2010).
 Barrett, J.L. 1994. Process Visualisation: Getting the Vision Right Is Key. Information Systems Management. 11, 2 (1994).
 Beautement, A. et al. 2008. The compliance budget: managing security behaviour in organisations. Proceedings of the 2008 workshop on New security paradigms (New York, NY, USA, 2008).
 Bobrik, R. et al. 2005. Requirements for the visualization of system-spanning business processes. Sixteenth International Workshop on Database and Expert Systems Applications, 2005. Proceedings (2005), 948–954.
 Canavan, S. 2003. An information security policy development guide for large companies. SANS Institute. (2003).
 Davenport, T.H. and Short, J.E. 2003. Information technology and business process redesign. Operations management: critical perspectives on business and management. 1, (2003), 1–27.
 Dhillon, G. 2007. Principles of information systems security: text and cases. John Wiley & Sons.
 Doherty, N.F. and Fulford, H. 2005. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. Information Resources Management Journal. 18, 4 (2005).
 Herley, C. 2009. So long, and no thanks for the externalities: the rational rejection of security advice by users. Proceedings of the 2009 workshop on New security paradigms workshop (New York, NY, USA, 2009).
 Herrnstein, R.J. 1990. Rational choice theory: Necessary but not sufficient. American Psychologist. 45, 3 (1990).
 Ittner, C.D. and Larcker, D.F. 2003. Coming up short on nonfinancial performance measurement. Harvard business review. 81, 11 (2003), 88–95.
 Johnson, M.E. and Goetz, E. 2007. Embedding Information Security into the Organization. IEEE Security Privacy. 5, 3 (2007).
 Karabacak, B. and Sogukpinar, I. 2006. A quantitative method for ISO 17799 gap analysis. Computers & Security. 25, 6 (Sep. 2006).
 Lampson, B.W. 2004. Computer security in the real world. Computer. 37, 6 (2004), 37–46.
 Namiri, K. and Stojanovic, N. 2007. Pattern-based design and validation of business process compliance. On the Move to Meaningful Internet Systems 2007: CoopIS, DOA, ODBASE, GADA, and IS. Springer. 59–76.
 Neubauer, T. et al. 2008. Interactive Selection of ISO 27001 Controls under Multiple Objectives. Proceedings of The Ifip Tc 11 23rd International Information Security Conference. S. Jajodia et al., eds. Springer US. 477–492.
 Pahnila, S. et al. 2007. Employees’ Behavior towards IS Security Policy Compliance. 40th Annual Hawaii International Conference on System Sciences, 2007. HICSS 2007 (2007).
 Rinderle, S.B. et al. 2006. Business process visualization-use cases, challenges, solutions. (2006).
 Rogers, R.W. 1975. A Protection Motivation Theory of Fear Appeals and Attitude Change. The Journal of Psychology. 91, 1 (1975).
 Ruighaver, A.B. et al. 2007. Organisational security culture: Extending the end-user perspective. Computers & Security. 26, 1 (Feb. 2007).
 Sasse, M.A. and Flechais, I. 2005. Usable Security: Why Do We Need It? How Do We Get It? Security and Usability: Designing secure systems that people can use. L.F. Cranor and S. Garfinkel, eds. O’Reilly.
 Schneier, B. 2003. Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Springer.
 Sharma, D.N. and Dash, P.K. 2012. Effectiveness of ISO 27001 as an Information Security Management System: An Analytical Study of Financial Aspects. Far East Journal of Psychology and Business. 9, 5 (2012), 57–71.
 Siponen, M. et al. 2010. Compliance with Information Security Policies: An Empirical Investigation. Computer. 43, 2 (2010).
 von Solms, R. 1999. Information security management: why standards are important. Information Management & Computer Security. 7, 1 (Mar. 1999).
 Vuppala, V. et al. Securing a Control System: Experiences from ISO 27001 Implementation.
 Wood, M.B. 1982. Introducing Computer Security. National Computing Centre.
 BSI 1995. BS7799 – Information Technology – Code of practice for information security management. BSI, London.
 ISO/IEC 2005. ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements. ISO/IEC, Geneva; and Draft for the new revision, ISO/IEC JTC 1/SC 27 N10641, 2011.