The Psychology of Information Security – Resolving conflicts between security compliance and human behaviourPosted: November 26, 2015
In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.
Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.
This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.
I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:
- Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
- Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
- Give advice on aligning a security programme with wider organisational objectives.
- Manage and communicate these changes within an organisation.
Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.
The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour , helping security professionals understand how a security culture that puts risk into context promotes compliance.
There are many factors that make an effective project manager. From my experience, project managers face the biggest challenges managing and communicating project inter-dependencies, open actions, risks and issues.
To help myself and others, I’ve developed a simple spreadsheet, which includes templates for the above items.
For example, open actions can be tracked in the table below, making it easier to keep all the stakeholders aligned on what needs to be done and by when.
|Date Raised||Raised By||Original Action||Progress Update / Revised Actions||Category||Owner||Priority||Target Completion Date||Status|
Additionally, dependencies can be captured in the table below. This format emphasises the potential conflict between the parties and enables a constructive dialogue to clarify inter-dependencies and agree on the critical path.
|Deliverable Title||Provider||Delivery Date||Receiver||Required Date||HandShake?||RAG||Comments / Actions|
Feel free to download the PM Toolkit template (in the Excel format) along with tabs for risk and issue management and adjust it to your needs.
Image courtesy phasinphoto / FreeDigitalPhotos.net