The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour
Posted: November 26, 2015
In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.
Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.
This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.
I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:
- Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
- Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
- Give advice on aligning a security programme with wider organisational objectives.
- Manage and communicate these changes within an organisation.
Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.
The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour, helping security professionals understand how a security culture that puts risk into context promotes compliance.
Information security professionals not only have to deal with change, more often than not they represent change. It might be changing the way a company manages access to its systems, works with third-parties or anything else.
To be effective with the change management process, security professionals should work with the business, demonstrating the value of security.
John Kotter (with Holger Rathgeber), in the book Our Iceberg Is Melting, tells a story about a penguin colony that illustrates the basic principles of successful change management:
- Establish a sense of urgency
- Create a guiding coalition
- Develop a change vision
- Communicate the vision for buy-in
- Empower broad-based action
- Generate short-term wins
- Never let up
- Anchor new approaches into the culture
The short video below summarises the book and shows how to engage different stakeholders and deal with the change faster and more effectively.
I just returned from my trip to Bangalore, India, where I was asked to deliver a series of training activities to the KPMG offshore teams. Spending a week there came with lots of wonderful insights.
First of all, India is a beautiful country. I didn’t really have a lot of time to travel around, but I still had a chance to visit the Bangalore Palace, drive up and down the Mahatma Gandhi Road, see the Parliament and many beautiful parks.
Moreover, apart from the training sessions I delivered myself, the local leadership organised a presentation for the UK team, in which the services they offer globally were described to us. I was impressed by the level of innovation and standardisation, which clearly demonstrates the rapid technological growth in India.
I’ve had a chance to work with some of the marvellous members of our offshore team before, and it was very valuable to finally meet them in person. I also had an opportunity to interview a few people for a position in my programme, and we are already on-boarding the successful candidate.
Not only was I able to share my knowledge and meet some lovely people, but I could enjoy a brief but wonderful taste of India and its warm hospitality. I’m sure the effectiveness of our communications and project work will increase substantially going forward.
Imagine the following situation. A father and his son are driving to a camping site for the weekend. A deer crosses the road and the car hits it. The father dies in the accident and the son is badly injured. He is swiftly brought to the emergency room and requires surgery. A surgeon enters the room, sees the boy and exclaims: “I can’t operate – this is my son!”
How is it possible?
Think about it for a few moments…
Didn’t his father die in the accident? The answer is really simple.
A knowledge management system is an integral part of a modern organisation. It involves processes, people and technology that make sure information is not only kept in the individuals’ heads but is shared with the whole department. It is usually implemented in the form of an intranet portal which requires processes to maintain it and people to support it.
Because I believe having the right information at hand is crucial in making effective business decisions, I volunteered to take on the role of a knowledge management champion in my department. A knowledge management champion is the person who oversees the adequate operation of the system. In this case, to lead the project that would re-launch the system that wasn’t being fully used.
In my company, the knowledge management system is mainly intended to support the bid management process, where we respond with proposals to fulfill specific requests from our current or prospective clients. It is also used to assist project delivery when a piece of work is won.
As a first step, I managed a team of four to analyse the current state of the system and to gather feedback from the users to understand the limitations they felt they encountered. We discovered that the portal was hardly being used: some users were unaware of its existence, and many others found the navigation unfriendly. As a result, the information stored in it was out of date. I then developed a strategic plan to promote easy access to static information such as templates, proposals and engagement-generated data for the department. Several design changes were introduced based on feedback from the users.
Because the portal is only useful if it actually contains data that can be easily searched for, the next step was to collect as much information as possible from the department. We held multiple interviews with engagement managers to gather case studies and relevant data to add to the system. To ensure that the quality of the data collected was consistent, we created a case study template consisting of three main parts:
- The client’s challenge: the problem the current or prospective client needs addressing.
- The approach: how the problem was tackled and solved.
- Benefit to the client: the specific and measurable positive outcomes.
When the design changes were implemented, the outdated data was removed and a sufficient amount of information was collected, everything was ready for the system’s re-launch. This re-launch was important enough to be given a presentation slot at the quarterly departmental meeting, where we talked about the improvements, encouraged the users to use the system and requested further feedback.
Though this successful project, like all projects, had a defined desired outcome due by a specific date, knowledge management never finishes and requires continuous improvement. It is now in the operational “run-and-maintain” state. New information is being uploaded to the portal, and processes are in place to make sure it is maintained and the information remains up to date.
I also regularly organise and participate in knowledge sharing events. I believe that participating in such events and communicating lessons learnt to the rest of the team can help everyone avoid the mistakes we’ve made in our projects and improve the quality of deliverables.
We discussed improving team productivity previously. I received a few comments regarding this topic, which I decided to address here. I would like to cover the question of developing your team members through coaching.
I remember attending a workshop once, where the participants were divided into two teams and presented with a rather peculiar exercise. The facilitator announced that the goal of the competition was to use newspaper and tape to construct a giraffe. The teams would be judged on the height of the animal: the team that built the tallest one would win.
There are many variations of this exercise, but they all boil down to the same principle. The real aim is to understand how people work together. How they plan, assign roles and responsibilities, execute the task, etc.
In the end, everyone had a chance to discuss the experience. Participants were also presented with feedback on their performance. But can people’s performance be improved? And if yes, what could have been done in order to achieve positive and lasting change?
The answer to these questions can be found in coaching.
Coaching is all about engaging people in an authentic way. There may be different opinions on the same problem, and that does not mean one of them is the single universal truth. How much do you appreciate and respect what other people think?
Coaching is not about knowing all the answers, but about listening, empathising and understanding others. Here are some example questions you can use:
- What is happening in your life and career?
- What’s going well?
- Where do you want to be?
- What do you need to do to get there?
- What is the first step you would take today?
The last thought I would like to mention here is about giving people time to reflect. Some silent and alone time can yield unexpected results. Our brain is bombarded with enormous amounts of information on a daily basis. Finding time to quiet your mind and slow down can help you to listen to your inner voice of intuition. This can help you come up with innovative solutions to seemingly unsolvable problems.
All companies have assets. They help them generate profit and hence require protection. Information security professionals help companies to assess and manage risk to these assets and make sure that cost-effective and appropriate response strategies are chosen to address these risks.
Enterprises, in turn, may decide to implement mitigation strategies in the form of technical, procedural, physical or legal controls. Such an implementation has a defined start and end date and requires resources, and is therefore a project rather than an operational activity.
However, such implementations have their own project risks. According to the Guide to the Project Management Body of Knowledge, risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.
The project risk management process is similar to information security risk management and consists of four stages:
1. Identification – log the risk, agree it and assign an owner.
2. Analysis – the owner assesses the risk and sets its probability and impact.
3. Response planning – decide what response will be taken to manage the risk.
4. Monitoring and control – an ongoing process of tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans and evaluating their effectiveness throughout the programme.
It is good practice to involve your team and all relevant stakeholders during the project planning stage to identify the risks and populate the risk log, which typically has the following fields:
- ID – a sequential number (e.g. 1, 2, 3)
- Risk – a specific definition of the risk event
- Consequence – the effect the risk would have on the business, change programme or project
- Trigger – an event which signals that the risk is occurring
- Date Raised – when the risk was initially raised
- Date Updated – when the risk was last updated
- Owner – the person responsible for monitoring the risk event, notifying the team and executing the risk response
- Due Date – when the response actions will be completed
- Probability (on a scale of 1–5) – the likelihood of the risk occurring
- Impact (on a scale of 1–5) – the impact if the risk does occur
- Risk Score – Probability × Impact
- Response Strategy – the specific agreed actions that will be taken to manage the risk (Avoid, Transfer, Mitigate or Accept)
- Current Status – the risk status (Red, Amber, Green or Closed)
During the execution of the project, the risk log should be continuously revised and kept up to date to ensure that project issues, risks and mitigating actions are fully and formally assessed and managed throughout the project lifecycle.
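As an added example (not code from the original post), the risk log above expressed as a small Python register. It enforces the 1–5 scales, computes Risk Score as Probability × Impact, records the date of each reassessment, and sorts open risks so the owner sees the highest-scoring ones first. The Red/Amber/Green bands (score ≥ 15 Red, ≥ 8 Amber, otherwise Green) and the three sample entries are assumptions constructed for this example; the post does not prescribe thresholds.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional


class Strategy(Enum):
    AVOID = "Avoid"
    TRANSFER = "Transfer"
    MITIGATE = "Mitigate"
    ACCEPT = "Accept"


def risk_score(probability: int, impact: int) -> int:
    """Risk Score = Probability x Impact; both must be integers on the 1-5 scale."""
    for name, value in (("probability", probability), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return probability * impact


def rag_status(score: int) -> str:
    """Map a 1-25 score to Red/Amber/Green.
    Thresholds are an assumption for this example, not taken from the post."""
    if score >= 15:
        return "Red"
    if score >= 8:
        return "Amber"
    return "Green"


@dataclass
class Risk:
    """One row of the risk log, with the fields listed in the post."""
    id: int
    risk: str
    consequence: str
    trigger: str
    owner: str
    date_raised: date
    due_date: date
    probability: int
    impact: int
    response_strategy: Strategy
    date_updated: Optional[date] = None   # defaults to date_raised
    status: Optional[str] = None          # RAG derived from score, or "Closed"

    def __post_init__(self) -> None:
        risk_score(self.probability, self.impact)  # validate the scales on entry
        if self.date_updated is None:
            self.date_updated = self.date_raised
        if self.status is None:
            self.status = rag_status(self.score)

    @property
    def score(self) -> int:
        return risk_score(self.probability, self.impact)


def reassess(risk: Risk, probability: int, impact: int, on: date) -> Risk:
    """Owner re-scores the risk (Analysis stage); status follows unless already Closed."""
    risk_score(probability, impact)  # reject bad values before mutating the row
    risk.probability, risk.impact, risk.date_updated = probability, impact, on
    if risk.status != "Closed":
        risk.status = rag_status(risk.score)
    return risk


def close_risk(risk: Risk, on: date) -> Risk:
    risk.status, risk.date_updated = "Closed", on
    return risk


def prioritise(register: List[Risk]) -> List[Risk]:
    """Open risks, highest score first; ties broken by the earliest due date."""
    open_risks = [r for r in register if r.status != "Closed"]
    return sorted(open_risks, key=lambda r: (-r.score, r.due_date))


def build_sample_register() -> List[Risk]:
    """Constructed sample entries for a hypothetical access-management project."""
    raised = date(2015, 11, 2)
    return [
        Risk(1, "Lead engineer unavailable during access-control migration",
             "Migration slips past the compliance deadline",
             "Engineer's leave request approved", "PM", raised, date(2015, 12, 14),
             probability=3, impact=4, response_strategy=Strategy.MITIGATE),
        Risk(2, "Third-party vendor misses SSO integration delivery",
             "Users keep shared local accounts for another quarter",
             "Vendor fails to attend the weekly checkpoint", "Vendor manager", raised,
             date(2015, 12, 1), probability=4, impact=4, response_strategy=Strategy.TRANSFER),
        Risk(3, "Test environment licence lapses before UAT",
             "UAT delayed by a few days while licence is renewed",
             "Renewal notice unanswered 10 days before expiry", "Test lead", raised,
             date(2016, 1, 15), probability=2, impact=2, response_strategy=Strategy.ACCEPT),
    ]


if __name__ == "__main__":
    for r in prioritise(build_sample_register()):
        print(f"{r.id:>2} {r.status:<6} score={r.score:>2} {r.owner:<15} {r.risk}")
```

Keeping the score a derived property rather than a stored column means a row can never show a stale score after reassessment, which is the usual failure of spreadsheet-based logs; the "Closed" status is the only one set by hand, so reopening a risk is a deliberate act rather than a side effect of a re-score.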