The Psychology of Information Security – Resolving conflicts between security compliance and human behaviourPosted: November 26, 2015
In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.
Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.
This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.
I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:
- Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
- Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
- Give advice on aligning a security programme with wider organisational objectives.
- Manage and communicate these changes within an organisation.
Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.
The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour , helping security professionals understand how a security culture that puts risk into context promotes compliance.
There is no doubt that security is necessary, but why is it so unpleasant to follow a security policy? Reminding yourself to stick to the rules feels like your partner telling you…. to eat your salad. You know they are right, but anticipating that bland taste and mindless chewing that awaits you simply puts you off. You decide to leave it for tomorrow, so much so that you never get to it.
Cakes, on the other hand, are yummy and require no effort whatsoever to indulge in our cravings for them. Nobody needs to force us to eat a piece.
In our day-to-day lives we prefer to do “cake” tasks without giving it a second’s thought. Things like storing confidential files on Dropbox or emailing them to our personal accounts…. you know, taking a little bite here and there. It’s “only for today”, “no biggie”… This one-time thing is so harmless, it’s like a comfort snack. We might later feel guilty that we bypassed a few “salad” controls. Maybe we used our personal USB drive instead of a company-issued encrypted one, but at the end of the day… who cares? Who will notice? As long as there is no dramatic impact on our health, a bite here or a bite there won’t cause any harm.
And one day we realise that it’s not all rosy. The result of our laziness or lack of willpower eventually rears its ugly head when the doctor makes us stand on the scales and has a look at our blood pressure. So to add to your partner’s words of wisdom, is the doctor’s warning of an unhealthy present and a bleak future; something that would sound very similar during the company’s security audit.
“You have got to eat more salad and lay off the cakes!”
To make matters worse, even with our best intentions to have the salad at the office cafeteria, we discover that the one available is practically inedible. Pretty much like finding that the company’s secure shared drive doesn’t have the necessary space to store our files or that the encrypted pen drive is not compatible with the client’s Mac.
So if there are chefs coming up with ways to make salads more appealing, what can security professionals do to help us, the employees, maintain our “security diet”?
They could aim at making security more like a cake – effortless, even attractive, but still keep it as healthy as a salad. Sound simple? Perhaps not so much, but they should invest in usability studies to make sure that the secure solution is the easiest to use. It might involve discovering an entirely new culinary art on how to make a cake-tasting salad altogether. But if they fail to realise just how unpalatable the salads are to begin with, we should let them know. Security professionals need employees’ support.
Organisations are like families: everyone has to stay healthy, otherwise when a single member gets sick, the whole family is at risk of getting sick as well, whether it be catching an infectious disease or adopting an unhealthy lifestyle. It’s like having the slimmest, fittest family member refrain from adding biscuits to the grocery list in order not to tempt the couch-potatoes. It’s a team effort. In order for a company to stay healthy, everyone has to keep a healthy lifestyle of eating salad regularly, even when it is not that pleasant.
The whole company needs to know that security is important for achieving its goals -not as something that gets in the way-, just as we should all know that having a healthy diet of greens will guarantee a sound body. Employees contribute to the efficient operation of the business when they comply with security policies. Not only does security ensure confidentiality and the integrity of information, but it also guarantees that the resources are available for employees to complete their primary tasks.
We need to realise that we contribute to security; and we can inflict serious damage on a company when we don’t comply with security policies, no matter how insignificant or harmless they may seem. As employees, we are individually responsible for the organisation’s exposure to security risks just as we are responsible for exposing ourselves to illness. Our behaviour and daily regime significantly shape our quality of life, and our practices shape the quality of our business.
The health of the company is everyone’s business. Let’s all eat our salad while helping the security specialists to come up with better tasting ones.
To expand on my research on the human aspect of security, I created a simplified model to highlight the relationship between productivity and security. The main hypothesis, is that there is a productivity cost associated with the security controls.
The interactive simulation was created to allow users to implement their own security policies and observe the relationship between risk reduction and impact on productivity cost. Easy to understand visual feedback is available immediately for the users. This helps to understand security managers’ perspective when implementing security controls in a company.
The creation of the model was inspired by research conducted by Angela Sasse and her colleagues at the University College London.
Please get in touch if you have any feedback or would like to discuss the underlying research findings.
I delivered a seminar on the human aspects of information security at the University of West London. We discussed conflicts between security and productivity in companies and possible solutions. Research students with different backgrounds helped to drive the debates around usability, awareness and policy design.
We also talked about the practical applications of behavioural theories, where I shared my views on user monitoring and trust in organisations within the context of security culture.
Daniel, one of the participants, summarised his experience in his blog.
Image courtesy of Vlado / FreeDigitalPhotos.net
Interview with Jitender Arora – Information Security & Risk Executive (Financial Services)
Could you please start by telling us about your background?
I am a Computer Science and Engineering graduate, with Masters Degree in Consultancy Management. I had been a very technical, hands-on person from the very beginning of my career. I spent the first two years building firewalls, proxy servers and hardening UNIX servers. After few years, I was presented with an opportunity to move into information security and risk. At the time, I was working for Wipro Technologiesand they were building a Security Consultancy Practice, which would be front-ending with their customers, and working on the projects. The organisation was recruiting for this practice from other parts of the organisation so I decided to move into this new practice which proved to be a very exciting and challenging assignment. That’s where my journey in terms of “information security and risk”started from. Later, I had leadership roles in organisations like Adobe Systems and Agilent Technologies. I moved to the UK around 8 years ago, and that’s when my journey began working in the financial services sector.
What do you do now?
Around four years ago, I decided to quit my job and start my own small consulting firm with two friends I had met at RBS. We did a good job for two years, and build a good profitable business. Unfortunately, due to some unavoidable circumstance the partnership didn’t work out and we decided to amicably part ways. After that, I didn’t want to jump into the first thing that came along, and so I focused on my independent journey as Interim Executive in leading business transformation and change programs that address governance, risk and compliance problems faced by my client organisations. My engagements are outcome oriented to deliver the specific outcome for the client organisation. Over the last 3 or 4 years, I have built a strong reputation of being an outcome-oriented management consultant.
You are a very well known speaker within the industry. What made you decide to engage in this sort of activities as well?
It was not an intentional choice. I was once having a conversation with my best mate, Javvad Malik, around the need for new speakers at conferences who are able to present a different point of view. In a way, Javvad encouraged (or should I say pushed, Thank You Jav) me to go ahead and speak at conferences. At that point, I wasn’t too keen on it because I have always felt anxious about speaking in a public forum. Additionally, English is not my first language, which represented another barrier. But I decided to face my fear, and just go along with it. When I actually started speaking, I received an encouraging response from the audience and attendees liked my take on topics which they said provided a unique perspective. Being a very pragmatic consultant, I usually have a different point of view, as opposed to being a paranoid view. I approach security & risk problems and issues as a business person which provides a different perspective, so that’s where I think I got some good recognition from the market, especially in the speaking circuit. I believe speaking engagements not only present an opportunity for building your own personal brand but also helps sharpen your selling and marketing skills. The way you approach people, build their perception of you, sell yourself and your ideas, it’s a very good skill to have which is not generally taught in school or at university. Now, I encourage my colleagues and professionals to speak at events.
Returning to what you were saying about being an outcome oriented consultant, could you please elaborate on how changes can be implemented within organisations when these changes involve people and their behaviour? How do you address the people aspect of security?
As a security professional, when you implement a new security control, you are usually changing the way people are operating. A very simple example would be when implementing a control in terms of how people access production system. So if you go into an organisation in which their practices have been acceptable for the past 10 years, and you suddenly tell them that they can no longer follow same practice, you are, in a way, taking a privilege away from them and they will react accordingly. The analogy that I usually use for this is if I suddenly tell my son, who normally watches 1 hour of T.V. a day for the past several years, that he cannot watch it without taking permission every time and not more than 30mins from now on. He will not like it and will most likely rebel and show his displeasure.
As security professionals we try to change the process, and we want to introduce a certain level of governance on top of it. It’s very important to manage the people aspect of implementing such changes for security. You need to get people on your side before you actually implement these controls. It is a lot about socialising, and communicating, which brings me back to the point on selling and marketing. You have to package, sell and market these changes by conveying the message that “even though we are taking this privilege away from you by implementing these controls, we are going to give you something in return: We will guarantee that you run your business in a compliant manner and do not get audit findings or regulatory issues in which you will have to invest to address them”. So returning to the original example, it’s about establishing a secure way of accessing production systems which, although might be different from existing methods and might involve a little extra work, will ensure that everybody can continue to do their job while being compliant. We will create a robust production access environment: “So let’s be proactive and address this situation together before someone else comes and asks us to fix it.”
There are some of security professionals who scare the clients and users as a strategy for avoiding unwanted behaviour, by telling them, for example, that they might even risk getting fired. What is your opinion on this approach?
If you scare people too much, they will be scared as long as you are in front of them, but the behaviour won’t change. The objective should be to change the behaviour, and when we say “behaviour”, we are referring to the way people operate on a day-to-day basis. Make sure that they don’t see this as a temporary situation, but as a routine. A very simple example for this would be physical security guards. We have security guards in all the office buildings who are standing on the side, observing people, looking for individuals who may seem malicious or suspicious. But they don’t intimidate people around them. You might even be able to approach them for directions and they will kindly answer if they can help. But the moment they detect somebody suspicious, they will intervene. Now let’s imagine that instead of having these friendly security personnel, we had big bouncers who are aggressive. Would you feel okay approaching them? Sometimes security in our context operates like those big nightclub bouncers, because it is intimidating. So business people stop inviting you as a security professional to their business initiatives because they see security as the big intimidating bouncer: as a problem. For them, if you bring security in, you are bringing a problem in. That needs to change, and it largely depends on relationships and how you manage those relationships, how you come across in your meetings with them, and what they main message of your proposition is: “we are not taking anything away from you, we are going to help implementing new controls that will allow you to run your business in a secure and compliant manner meeting legal and regulatory obligations.”So it’s a trade-off and it’s a lot about perception, so the scaring tactic I don’t think works for too long.
You have come up with a way of selling all of your services to the executives and they understand the value of them. What about the actual people who use the service?
I think of executives as the same as the end-users, so the methods I use to sell security doesn’t change at for different levels. It’s the way you deliver message and what message you deliver has to be adapted for different levels. Business executives will normally focus on how you are going to solve the problems that will allow the business to address the compliance issues and meet regulatory requirements. They are the ones that get chased around by the auditors and the regulators. But for the end-users, compliance is not their problem. They never get to own or see these auditing issues. From their perspective, they have a business to do, a server to manage, an infrastructure to run, they want to operate the way they have done so far. So if bringing in new security controls doesn’t mean making life difficult, they are happy to participate. As a security professional, that’s the message that you can give: “we are not here to make your life difficult, but to make sure you have the right tools to do your job effectively in a secure and compliant manner.”
As a preliminary step to implementation, would you have to first understand what it is people normally do on a day-to-day basis?
Absolutely. The very first thing I like to do is to see these users or consumers of these controls as my key stakeholders. One thing I always do in any of these change programmes is approach stakeholders including user groups in their working environment, and make them feel comfortable. Ask them, listen to them and understand what their problems are. What is it that they like that they would like to keep, and what they don’t like that they would like to have changed, and what is it that they might have seen somewhere else and might be a good thing to include as part of this change. Key benefit from being in listening mode is that people become part of the journey because they have largely contributed to the creation and design of these new controls. The key to success is to approach any change from human psychological perspective and engaging them by asking, listening and taking their feedback on board. Another thing that I always make sure to do is to fix the things they don’t like in the existing environment. Listen to people; understand what they like, what they don’t like, make sure you can fix their problems, and if they want something else, try to help them get it: get them on your side. Make them feel like they are part of this journey and also give them credit for their contribution to the success.
Let’s imagine that a security manager decides to implement a security policy in any given company. Let’s say that they take a standard framework like, say, ISO 27001, they tweak it a bit and apply it into the company’s environment. Do you see any potential problems with this?
Frameworks are a good start. But what lots of organisations do is that they lift the framework as is and if you look at the policies in most of them, there is not much difference. But if you think of different types of organisations like the financial services, investment banking, or law firms, you have many different environments: you have different drivers and they come with a very different set of challenges. A lot of professionals, who write policies, do so in isolation. They don’t spend time understanding how a specific organisation carries out its business. An interesting question would be, once a policy is written, whom do you want to be the target audience? Is the policy being written by security people, to be interpreted by security people? Or is a policy being written by security people, to be understood by security people, when in reality it is supposed to be meant for business people? In one of my previous engagements, I had security experts writing the policy, and I then hired a technical writer to review, proof-read and rewrite the policy. The end products between the policy written by the security experts and by the technical writer were completely different: the latter was much more understandable by the business community. We don’t realise that, unless an external person comes along and starts asking questions –“oh, what do you mean by this?”- that the language is not easily understandable for everyone. So I believe that every organisation should hire competent technical writers to translate their security policy, standards and guidance from specialised security jargon into a language that is understandable for business people.
So once your policy is written in understandable terms for everyone, how do you make people read it and comply?
The first thing I do in any organisation is that I visit their homepage and type in “information security”. If the policy doesn’t come up as the first search result, something is wrong. If people can’t find the security policy, how can you expect them to read it? How can you expect them to comply?
Another thing that I have done in few organisations is to conduct a simple survey, by asking three simple questions to business community:
- Do you know that we have an information security department?
- Do you know services this department has to offer?
- Do you know how to contact them if you need it?
It’s very eye-opening and you get lots of strange responses from the business people. Many times they do not know how to contact the security department or what services they provide. If they don’t know you exist, how can they possibly approach you? We can have a fantastic policy embedded in some website, but nobody is looking at it nor reading it.
Another problem is that security policies are long documents: They are not exciting, they are not novels. So I wouldn’t expect business people to read each and every bit and understand it. The probability to succeed can increase if you can provide them a platform where they are able to search when they need to and know where to go and look for answers when they need it. And this touches the point of approachability and availability of the policy and guidance.
But lets focus on the policy itself. How many policies do we have in a typical regulated organisation that we expect employees to read and comply with? E.g. security, anti-money laundering, acceptable use, expenses, travel and anti-bribery policy etc: it’s a huge list. Think about how long it takes an individual to read those policies, understand, remember and follow them. We’re human, it’s not possible. What’s important is that on a day-to-day basis there are some aspects that you need to demonstrate and follow as a normal business user and whenever in doubt go and seek answers. I like to refer to this as “acceptable behaviour”, not only in terms of privacy and security but overall behaviour.
You can take key messages from all of your relevant policies, and communicate them in friendly, simplistic and interesting terms linking it back to acceptable behaviour. It’s not the computer-based training (CBT) that can change human behaviour, but human-to-human interaction. It’s about helping people understand how to do what they do on a day-to-day basis, how to make their daily life easier and making the information accessible if they need to know more.
To wrap it up, you have mentioned previously that it is important to build a good security culture within the organisation. How do you define a good security culture?
A good analogy for this would be our behaviour regarding airport security, what we know we can do and what not to do, as well as reporting anything that may look suspicious. We are generally aware of our surroundings, especially when we are in an unknown territory. This is very natural to us in the physical world where we can see, hear and touch things in our surroundings. The challenge now is that we are spending so much of our time in this virtual world, where our senses can’t be used in the same way. We have to ask ourselves what key risk indicators in this virtual world are. How should we conduct ourselves in this virtual world? This is the kind of awareness that needs to be built into people’s behaviour. I think this journey should start from earlier stages in life, when people are being schooled. When I was in school, when I was growing up, my parents used to tell me: don’t talk to strangers, don’t accept anything from strangers, don’t give away your personal information to people you don’t know well, and so on. It’s an advice on how to conduct yourself safely in the physical world. Now, those messages have to change. You need to build a culture into the newer generations who are now and will be spending so much of their time in the virtual world. The definition of stranger in the virtual world is different from that in the physical world. The definition of “acceptable behaviour”in this virtual world has to be different from physical world. The definition of those risk indicators haven’t changed. One cannot expect behaviour to change on the first day a person joins the workforce, because by that time, behaviours are already formed.
The moment people become security aware, they become security advocates who can help spread this awareness on behalf of the security department. The organisations have to start a chain-reaction by making a few people security-aware and sending the message across the organisation. Everybody becomes self-aware at some point and starts thinking on his/her own about what is right and wrong. But this doesn’t happen because of computer-based training or policies. It is the change in human behaviour that is required in the long-term.
Thank you Jitender
This article aims to review the literature on information security policy compliance issues and their relation to core business processes in the company and users’ behaviour. It also provides an insight into particular implementation examples of the ISO 27001 Standard, and methods of analysis of the effectiveness of such implementations.
Information security issues in organisations have been brought up long before the rapid development of technology. Companies have always been concerned with protecting their confidential information, including their intellectual property and trade secrets. There are many possible approaches to addressing information security. Wood  points out that security is a broad subject including financial controls, human resource policies, physical protection and safety measures. However, Ruighaver et al.  state that information security is usually viewed as a purely technical concern and is expected to have the same technical solution. On the other hand, Schneier , Lampson , and Sasse and Flechais  emphasise the people aspect of security, and people play crucial role as they use and implement security controls.
As stated by Anderson , it is essential to properly define information security in order to pay merit to all these aspects.
The Standard for Information Security Management ISO 27001  defines information security as “the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximise return on investments and business opportunities.”
Dhillon  states security issues in organisations can arise due to absence of an information security policy. One of the ways to implement such a security policy is to take ISO 27001 standard as a framework.
ISO 27001 Standard
ISO 27001 Standard which is a member of the ISO 27000 standards family evolved from British national standard BS7799 . It aims to provide guidance on managing the risk associated with threats to confidentiality, integrity and availability of organisation’s assets. Such assets, as defined in ISO 27001  include people, software, hardware, services, etc.
Doherty and Fulford , Von Solms , and Canavan  all came to the conclusion that well-established standards such as ISO 27001 might be a stepping-stone to implementing good information security programs in organisations.
However, Anttila and Kajava in their study  identify the following issues with ISO 27001 Standard:
– The standard is high-level and basic concepts are not presented consistently in the standard.
– It is hard to measure business benefits from implementing this standard.
– Presented process management is not fully supporting current business practices.
– The standard struggles to recommend solutions to contemporary business environments.
Neubauer et al.  in their research states that the main problem with security standards, including ISO 27001 is their “abstract control deﬁnition, which leaves space for interpretation”. Furthermore, the authors suggest that companies focus on obtaining formal certification and often do not to assess and put in place the adequate security controls according their main business goals. Ittner et al.  support this point, adding that organisation also fail to estimate the effectiveness of the investments in such initiatives.
According to Sharma and Dash , ISO 27001 does not provide detailed guidance requires substantial level of expertise to implement. Moreover, the authors claim that “If risk assessment is flawed, don’t have sufficient security and risk assessment expertise, or do not have the management and organizational commitment to implement security then it is perfectly possible to be fully compliant with the standard, but be insecure.” Results of their study suggest that the organizations, which participated in the study implemented information security mainly to comply with legal and regulatory requirements. The consequence of that was low cost-effectiveness of such implementations. However, the researcher don’t analyse the level of users’ acceptance of implemented controls. The authors also fail to recommend an approach which would support security manager’s decision-making process in implementing ISO 27001 Standard controls.
Karabacak and Sogukpinar in in their paper  present a flexible and low-cost ISO 17799 compliance check tool. The authors use qualitative techniques to collect and analyse data and sate that “the success of our method depends on the answers of surveyors. Accurately answered questions lead to accurate compliance results.” However, the researchers stop short of analysing the impact of compliance with security policy on users’ behaviour. The authors do not consider the issue that a security manager’s decisions regarding a particular implementation of security policy affects that organisation as a whole and may introduce additional cognitive burdens to users. These issues in extreme cases (e.g. obstructing core business processes) may result in non-compliance as users prioritise their primary task.
Vuppala et al. their study  discuss their experience from implementing ISO27001 information security management systems. One of the most important lessons learnt was developing an understanding of the role of users’ behaviour in this process. The authors recommend to “not make drastic changes to the current processes; this will only infuriate the users. Remember, users are an important, if not the most important, part of the overall security system.”
Johnson and Goetz in  conducted a series of interviews with security managers to identify main challenges of influencing employees’ behaviour. The results of this study revealed that security managers rely extensively on information security policies, not only as a means of ensuring compliance with legal and regulatory requirements, but also to guide and direct users’ behaviour.
To explore the question of the impact on users’ behaviour while implementing security policies, the following theories were researched:
1. Theory of Rational Choice – a framework, which provides insight into social and economic behaviour. It implies that users tend to maximise their personal benefits . Beautement et al. in their paper  uses this theory to build a foundation explaining how people make decisions about whether to comply or not to comply with any particular information security policy.
Herley  suggests that it is rational for users not to comply with security policy, because of the perceived risk reduction is lower than the effort needed.
2. Protection Motivation Theory – a theory which describes four factors that individuals consider when trying to protect themselves :
– perceived severity
– probability of the adverse event
– efficiency of the preventive behaviour
Siponen builds on this theory to gain an understanding of the attitude of individuals towards compliance with security policies. Siponen refers to it in order to study the impact of the punishment on the actual compliance and on intention to comply , .
3. The Theory of General Deterrence – this suggests that users will not comply with the rules if they are not concerned with punishment .
4. Theory of Planned Behaviour – this suggests that subjective norms and perceived behavioural controls influence individuals’ behaviour . Siponen  and Pahnila  discovered that social norms play a significant role in users’ intention to comply.
These theories suggest that to effectively protect a company’s assets, the security manager should develop and implement security policies not only to ensure formal compliance with legal and regulatory requirements, but also to make sure that users are considered as a part of the system. Policies should be designed in a way that reduces the mental and physical workload of users , .
Business process visualisation and compliance
It is important to consider information security compliance and users’ behaviour in the context of a company. Users in organisations involved into activities, which could be presented as business processes.
Business process is defined as a set of logically related tasks (or activities) to achieve a defined business outcome .
The continuous monitoring of their business processes is essential for any organisation. This can be achieved by visualisation of business processes . However, they are usually complex, due to number of different users or user roles in large companies . Barrett  also argues that it is essential to create a “vision of the process” to successfully reengineer it.
Namiri and Stojanovic in their paper  present a scenario demonstrating a particular business process and implement controls necessary to achieve compliance with regulatory requirements. The authors separate business and control objectives, introducing two roles: a business process expert, who is motivated solely by business objectives, and a compliance expert, who is concerned with ensuring compliance of a given business process.
 Adams, A. and Sasse, M.A. 1999. Users are not the enemy. Commun. ACM. 42, 12 (Dec. 1999).
 Ajzen, I. 1991. The theory of planned behavior. Organizational Behavior and Human Decision Processes. 50, 2 (Dec. 1991).
 Anderson, J.M. 2003. Why we need a new definition of information security. Computers & Security. 22, 4 (May 2003).
 Anttila, J. and Kajava, J. 2010. Challenging IS and ISM Standardization for Business Benefits. ARES ’10 International Conference on Availability, Reliability, and Security, 2010 (2010).
 Barrett, J.L. 1994. Process Visualisation: Getting the Vision Right Is Key. Information Systems Management. 11, 2 (1994).
 Beautement, A. et al. 2008. The compliance budget: managing security behaviour in organisations. Proceedings of the 2008 workshop on New security paradigms (New York, NY, USA, 2008).
 Bobrik, R. et al. 2005. Requirements for the visualization of system-spanning business processes. Sixteenth International Workshop on Database and Expert Systems Applications, 2005. Proceedings (2005), 948–954.
 Canavan, S. 2003. An information security policy development guide for large companies. SANS Institute. (2003).
 Davenport, T.H. and Short, J.E. 2003. Information technology and business process redesign. Operations management: critical perspectives on business and management. 1, (2003), 1–27.
 Dhillon, G. 2007. Principles of information systems security: text and cases. John Wiley & Sons.
 Doherty, N.F. and Fulford, H. 2005. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. Information Resources Management Journal. 18, 4 (34 2005).
 Herley, C. 2009. So long, and no thanks for the externalities: the rational rejection of security advice by users. Proceedings of the 2009 workshop on New security paradigms workshop (New York, NY, USA, 2009).
 Herrnstein, R.J. 1990. Rational choice theory: Necessary but not sufficient. American Psychologist. 45, 3 (1990).
 Ittner, C.D. and Larcker, D.F. 2003. Coming up short on nonfinancial performance measurement. Harvard business review. 81, 11 (2003), 88–95.
 Johnson, M.E. and Goetz, E. 2007. Embedding Information Security into the Organization. IEEE Security Privacy. 5, 3 (2007).
 Karabacak, B. and Sogukpinar, I. 2006. A quantitative method for ISO 17799 gap analysis. Computers & Security. 25, 6 (Sep. 2006).
 Lampson, B.W. 2004. Computer security in the real world. Computer. 37, 6 (2004), 37–46.
 Namiri, K. and Stojanovic, N. 2007. Pattern-based design and validation of business process compliance. On the Move to Meaningful Internet Systems 2007: CoopIS, DOA, ODBASE, GADA, and IS. Springer. 59–76.
 Neubauer, T. et al. 2008. Interactive Selection of ISO 27001 Controls under Multiple Objectives. Proceedings of The Ifip Tc 11 23rd International Information Security Conference. S. Jajodia et al., eds. Springer US. 477–492.
 Pahnila, S. et al. 2007. Employees’ Behavior towards IS Security Policy Compliance. 40th Annual Hawaii International Conference on System Sciences, 2007. HICSS 2007 (2007).
 Rinderle, S.B. et al. 2006. Business process visualization-use cases, challenges, solutions. (2006).
 Rogers, R.W. 1975. A Protection Motivation Theory of Fear Appeals and Attitude Change1. The Journal of Psychology. 91, 1 (1975).
 Ruighaver, A.B. et al. 2007. Organisational security culture: Extending the end-user perspective. Computers & Security. 26, 1 (Feb. 2007).
 Sasse, M.A. and Flechais, I. 2005. Usable Security: Why Do We Need It? How Do We Get It? Security and Usability: Designing secure systems that people can use. L.F. Cranor and S. Garfinkel, eds. O’Reilly.
 Schneier, B. 2003. Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Springer.
 Sharma, D.N. and Dash, P.K. 2012. Effectiveness Of Iso 27001, As An Information Security Management System: An Analytical Study Of Financial Aspects. Far East Journal of Psychology and Business. 9, 5 (2012), 57–71.
 Siponen, M. et al. 2010. Compliance with Information Security Policies: An Empirical Investigation. Computer. 43, 2 (2010).
 Solms, R. von 1999. Information security management: why standards are important. Information Management & Computer Security. 7, 1 (Mar. 1999).
 Vuppala, V. et al. Securing a Control System: Experiences from ISO 27001 Implementation.
 Wood, M.B. 1982. Introducing Computer Security. National Computing Centre.
 BS, BS7799 – Information Technology – Code of practice for information security management, London: BS, 1995.
 ISO/IEC, ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements, Geneva: ISO/IEC, 2005 and Draft for the new revision ISO/IEC JTC 1/SC 27 N10641, 2011.
The purpose of this post is to provide a comprehensive analysis of the data collected from the survey and semi-structured interviews to compare views on information security activities from security managers’ and users’ viewpoints.
A survey was developed to collect information from a broad sample on attitudes of the users’ towards information security policies in their organisations in general, and how compliance with information security policies affects their behaviour in particular. It was quantitatively analysed.
The main goal of the survey was to assess the attitude of the end-users towards information security policies in their companies and measure the level of dissatisfaction with security tasks. Prior to the questions, all participants were shown a page with the explanation of the purpose of the study, approximate time to complete the survey, the researcher’s contact information, and their rights to withdraw their answers at any time. After getting participants’ consent by clicking the “Next” button, they were asked to answer the eleven multiple-choice questions. The first four questions were designed to gather demographic information about the participants for future analysis: participants were asked to provide information on their gender, age, the number of years of work experience, and the industry sector. The subsequent seven questions were aimed at gathering insight on users’ attitude towards information security policies in their companies and the way they make their compliance decisions. Participants were asked to:
- Indicate their attitude towards security policy in their company.
- Assess the effectiveness of implementation of the security policy in their company.
- Estimate the approximate time they spend weekly on various security activities, such as password changes, antivirus checks, anti-phishing checks, awareness training, encryption, etc.
- Indicate their attitude towards the impact which security activities have on their overall performance: respondents were presented with a statement “I believe security activities negatively affect my overall performance” and were asked to choose one of the following four answers: “strongly agree”, “agree”, “disagree”, and “strongly disagree”.
- Assess the degree of concern of the security manager in their company with users’ main business goals and tasks.
- Assess the frequency of the prevention of security controls from accomplishing their main business tasks.
- Indicate their attitude towards the possibility of violation of the security policy if it prevented them from accomplishing their main business activities.
The survey was advertised on social networks (LinkedIn, Facebook) to recruit participants for the survey. A sample of specific interest was created to include people with relevant job experience.
This section presents detailed end-users’ survey findings. Results are described in the order of their appearance in the survey. 64 responses were collected.
End-users’ demographic characteristics
Results show that the majority of the sample (40 out of 64 participants) were male. They also illustrate that 32 out of 64 participants are in the 18 to 24 age group, and that 29 out of 64 are in the 25 to 34 age group. A relatively small number of participants (only 3 people) are older than 35 years. The members of the most populated group (22 out of 64 participants) are in the beginning of their careers and have less than one year worth of work experience. The following figure presents the distribution of respondents by industry sector.
Distribution of respondents by industry sector
Attitude towards security policy in the company
The results of the survey show that 51% of participants share a positive outlook towards information security in the company (6 have chosen “very positive” option and 27 “positive”). 29 respondents share a neutral attitude towards information security in the organisation. Only 2 participants indicated a negative attitude.
Attitude towards security policy
View on the implementation of the security policy in the organisation
50% of participants think that information security policy is effectively implemented in their compamy. However, 34% of the population struggled to provide an opinion on this matter.
Effectiveness of implementation of the security policy
Time spent by users on security activities
A large majority (80%) feel that they spend less than 30 minutes per week in total on security tasks. However, there are 4 respondents that share the perception that they have spent over an hour on security activities in the course of the past week.
Time spent by users on security activities
Impact on users’ overall performance
37 participants disagree with the statement that security negatively impacts their overall performance and 12 participants strongly disagree with it, although, there is 1 respondent who strongly agrees.
Impact on users’ overall performance
Assessing the degree of concern of the security manager in the company with users’ main business goals and tasks
Most of the participants (27 out of 64) believe that their security manager is rather neutral towards users’ business activities. 19 participants feel that their security manager is aware of their day-to-day tasks.
Degree of concern of the security manager in the company with users’ main business goals and tasks
Instances of obstructing core business processes
30 respondents cannot recall any instances in which security controls obstructed their business activities. On the other hand, the results of the survey show more than 50% experienced problems at least once a year, and in many cases more regularly because of the security policy.
Instances of obstructing core business processes
Information security policy violations
Results show an almost equal split between people when faced with the statement “I would violate security policy if it prevents me from accomplishing my main business tasks” who are willing to violate security policy in order to get their job done and those who make the decision to comply even in this case.
Information security policy violations
Individual response analysis shows that some people can’t recall situations whereby security policy prevented them from accomplishing their core business activities, however they still perceive security as something that hinders their performance. Other participants also didn’t indicate such instances more frequently than approximately once every three months
Frequency of collisions in relation to perception of negative impact on users’ performance
Individual response analysis also allowed revealing the fact that there is a person, who strongly agrees that security tasks affect his/her performance. This individual’s answer of the question on the perceived number of instances when security policy prevented him/her from accomplishing their main business task shows that he/she experiences difficulty performing business activities on a daily basis. The anonymous nature of the survey didn’t allow the researcher to conduct a follow up interview to gain an insight on this particular case. Moreover, high number of responses “I don’t know” to the question regardless the effectiveness of implementation of the security policy may indicate that the criteria for effectiveness were not clearly defined. Furthermore, using social networks as a sample to survey users negatively affected the researcher’s ability to generalise the results. The presented sample contains mostly young people with relatively small amount of work experience. This fact makes it difficult to drive conclusions, because perception of the employees towards security task may change with time in the job. Given the limitations, results show that more than 23% of participants believe that security tasks negatively affect their overall performance. This outlines the major concern for the organisations, because it directly affects company’s ability to generate revenue. According to the survey results, 20% of participants responded that they spend approximately one hour per week on various security tasks.
The second stage was conducted as an exploratory study with five information security experts. This section presents a descriptive analysis of the semi-structured interviews with information security experts.
The main goal of the semi-structured interviews was to gather an insight on information security manager’s awareness of the fact that his decisions on particular implementation of security controls affect organisation as a whole, and that his actions may negatively impact users’ performance in core business activities. The interview questions were designed to gather information on security manager’s ability to distinguish between instances of malicious non-compliance and instances when security controls obstruct users’ main business tasks was gathered. All information security experts selected to participate in the study have seven or more years of work experience in the field of information security and are currently holding managerial positions in their companies. Materials and feedback from the two pilot interviews, which were not included in the current project, were then used to refine the questions and procedures for the following interviews, so that they focus more on relevant topics and group them into categories. When patterns started to emerge, the data were then evaluated. The Grounded Theory analysis revealed that the most common codes: – Security manager’s decision-making process on particular implementation of security controls – Relation between business and security goals – Detection of instances of non-compliance – Reaction to instances of non-compliance – Security manager’s awareness of how security policy implementation affects users’ behavior – Difficulties in measuring impact of users’ behaviour. – Security manager’s awareness of users’ typical business activities – Effect of understanding of users’ business activities on security manager’s decision-making process
Results are grouped into codes, which were developed in line with the Grounded Theory: – Security manager’s decision-making process on particular implementation of security controls: Interview results suggest that 4 out of 5 interviewed security managers use their past experience when implementing security policy. One security manager suggested that security policy was already implemented in his organisation. – Relation between business and security goals: all security managers understand the role of information security as a supporting process. – Detection of instances of non-compliance: all interviewed experts rely on both formal and informal channels of detecting instances of non-compliance. – Reaction to instances of non-compliance Interview results suggest that 4 out of 5 interviewed security managers tend to try to understand the root cause of the problem first. One security manager indicated that he is not directly involved into investigation of such incidents. – Security manager’s awareness of how security policy implementation affects users’ behaviour: 4 out of 5 security managers believe that they aware of the impact of security controls on users’ behaviour. One security manager suggested that he doesn’t have resources for that. – Difficulties in measuring the impact of users’ behaviour: all experts experience some difficulties in assessing the impact on users’ behaviour. – Security manager’s awareness of users’ typical business activities: 4 out of 5 security managers indicated their awareness of users’ day-to-day tasks. One security manager mentioned that he doesn’t have enough time for this. – Effect of understanding of users’ business activities on security manager’s decision-making process: all of the interviewed experts agree that it is beneficial to understand users’ business tasks.
This section presents a discussion of interview findings.
Security manager’s decision-making process on particular implementation of security controls
Interview data reconfirms that security managers mostly use their own judgment and past experience when making a decision on particular implementation of information security controls. As explained in a quote: “When I’m making a decision to implement ISO 27001 standard in my organization, half of that decision is what the particular policies would actually look like. Because ISO 27001 is very high-level and it is by all means not a policy in itself, it just gives you one or two criteria or one or two suggestions how your security policies should look like. Because of this freedom of implementation, you actually have to write these policies yourself.”
Relation between business and security goals
Interviewed security experts also understand the role of involving the business management in the process of implementing security controls. For example, one security manager mentioned: “If there is no benefit to the business – you don’t do it.” Another expert reinforces his point by saying: “Get the people who these controls directly affect. You should start with the business. Get their buy-in; although they might view it as an additional workload, hence most people involved in this security initiative might produce sub-standard work.“ Interviewed security managers also think that business objectives should always be the priority. For example, one expert commented: “Many security managers think that security is the most important thing. I personally don’t think so. Paying shareholders is the most important. Inhibiting those activities or encouraging dangerous activities because of what you are doing you are making the situation worse.” The results illustrate that interviewed security managers understand that their decisions affect the whole organisation.
Detection of instances of non-compliance
Participants of the interview are aware of various methods to detecting non-compliance. For example, one expert mentioned: “I walk around this building on occasion and I wiggle doors and I check workstations for locked screens. The other way you find out is by rumours or chatting with people.” The results revealed that security experts rely on both formal (e.g. periodic security reviews) and informal (e.g. rumours, complains) channels of detecting non-compliance.
Reaction to instances of non-compliance
Most interviewed security managers agree that you should not punish users for non-compliance right away. You have to first understand the root cause of the problem. For instance, one expert suggested: “You don’t react on non-compliance with anger. You try to find out why it happened, rather than the fact that it has failed. Moreover, you can use it as a possibility for education and awareness and possibility for improvement.” Another expert reinforces this point saying: “At the end of the day it failed because with high probability you implemented it badly, because you forced some particular way of working or method which they can’t use, so they worked around it.” According to the results, understanding the reason behind the non-compliance is important for most of the interviewed experts.
Security manager’s awareness of how security policy implementation affects users’ behaviour
Most of the interviewed security experts believe that they are to a certain degree aware of the impact of the security policy on users’ behavior. One security manager said: “Yes, I think I’m aware of that, because when it affects it in a negative way – we hear about it. There are lots of complains.” Some participants backed-up their statements with examples. One security manager mentioned: “When users want to look at Excel spreadsheet or use an application using iPad but they can’t, because security controls don’t allow access to the business applications via an iPad. So they have to use a laptop rather than device of their own choice. So yes, we are aware of that tension, but we tend to enable people to do what they need to do.” Interview results suggest that such awareness is in the direct relation to the number of users’ complains. However, nobody mentioned proactive way of assessing this impact.
Difficulties in measuring impact of users’ behaviour.
Several security experts stated that it is difficult to assess the impact of security controls on users’ behaviour. For example, one mentioned: “We never measured it. We don’t have a way of measuring it. So we don’t know.” Another expert agrees with him: “One thing is putting controls in place and the other is measuring effectiveness. Around users it is very difficult. Because they are not like a server, where you can say here is CPU optimisation.” However, one security expert strongly disagrees with the fact that he should take behavioural impact into consideration. He said that: “Why should I care? Why this is relevant to my job – caring about users is not part of my job responsibilities. I have limited resources to ensure compliance – how am I going to stretch that to areas outside of my direct responsibility?”
Security manager’s awareness of users’ typical business activities
Some security experts, who participated in the interviews, mentioned that they are aware of the users’ business task to the degree which is required to successfully manage projects. Once a security manager stated that: “At a high level we are aware. At the detailed process level really only when we are doing a project in that department. When we need to understand the process within the project.” Another expert provides an example supporting the same argument: “When we do a particular project on a new system. Say, for instance, it’s a new credit card system being implemented we work through the user’s role, we work through the general data storage, so we become familiar with that particular department’s user activities.” The results show that some interviewed security managers believe that they are capable of understanding of users’ day-to-day business activities and that they make their decisions on the particular implementation of security controls according to this knowledge.
Effect of understanding of users’ business activities on security manager’s decision-making process
All of the interviewed experts agree that knowledge of what users in their company are doing can help them in better implementation of information security policy. One security manager shared an example of that: “For instance we worked with our studio manager and looked at the process of data transfer to the client. We have chosen one particular brand of encrypted USB keys, we believe that adoption would be very high, because they are great looking devices. It feels good for our creative workers to give it to the client with our logo on it, rather than sharing data using cheap plastic USB stick – there is no story, there is no sort of emotional attachment, which is so particularly important for creative workers. But in order for us to come with such a decision we actually spend some time observing and understanding our users.”
The results show that the majority of security managers, who participated in the survey, understand the importance of making the user part of the system and assessing possible impact on users’ behaviour when deciding on implementation of particular security controls. However, they agree on that their awareness of users’ business activities is reactive and based mainly on the users’ complains. Small number of interviewed security experts makes it problematic to generalise the results. Moreover, all of the interviewed security managers have substantial amount of work experience (they were chosen to have minimum seven, however some of them have more than twenty years of experience), which may affects the results. Those security experts tend to work in the companies with mature information security processes in place. Interviewing expects with less amount of experience may yield different results.
Results of this section provide an insight on how security managers and users view the importance of compliance behaviour in organisations. Analysis of the interview and survey results show that presented method is capable of identifying the existence of the problem: there is a huge gap between perception of security policy by users and security managers, which negatively impacts the organisation as a whole. Most of the interviewed security managers think that they consider users part of the system and aware of the impact of their action on users’ behaviour. However, survey results indicate that more that 23% users believe that security negatively affects their performance. Moreover, 20% of participants spend approximately one hour weekly on various security activities. Current interview and survey data suggests a difference in the perception of the users and security managers exists due to the differing opinions presented, but doesn’t prove this is the case and the information comes from different contexts. Running the study inside an organisation would overcome this limitation. The issue the difference in the perception of the users and security managers should be studied more thoroughly. The study should be conducted in one company to directly compare the view of managers and users from the same organisation, which is critical to showing if a difference in opinion really exists. Moreover, the research should be conducted with a broader and better-quality sample to ensure that the results could be generalised. More participants from various backgrounds should form the sample.
This article presents the model for analysis and visualisation of a company’s security policy building on the example scenario in relation to productive business activities.
The model aims to provide the means of comparing the perception of security tasks from both users’ and security managers’ points of view and optimising security activities in the company.
A guide for the security manager
On the one hand, violation of compliance requirements may result in significant losses for an organisation. On the other hand, poorly implemented security policies may obstruct users’ goal-driven behaviour and may result in non-compliance.
The scenario suggests that the CISO takes ISO 27001 as a framework and then makes a decision on a particular implementation based on his knowledge and past experience. As illustrated by the scenario lack of clear guidance in this decision-making process may result in the situation in which a company is formally compliant with the standard but users perform their core business activities inefficiently and/or are forced to violate poorly implemented security policies.
By directly comparing security requirements and business processes, the security manager can analyse ISO 27001 policy compliance controls and their consequences in terms of affecting user behaviour.
In order to ensure that users in the organisation will comply with security policies, the security manager should broaden his perspective and make users a part of the system. It is important to differentiate between malicious non-compliance and cases when security policy obstructs core business process.
|Primary task optimised||Yes||V||(X)|
Relation between policy compliance and optimisation of the primary task
“V” – CISO is satisfied with users’ compliance efforts.
“X” – CISO is not satisfied with users’ compliance efforts.
“(X)” – the case when users perform their tasks efficiently, but not compliant with security policy.
“(V)” – the case when users are formally compliant with security policy, but it prevents them from carrying out their tasks efficiently.
The table emphasises the fact that regardless of formal compliance, users’ perform their core business activities in the inefficient manner due to poorly implemented security controls. The security manager also should pay attention to cognitive burdens and availability aspects of recommended solutions.
In order to mitigate the risk of poor implementation of security controls, the security manager should follow clear processes when implementing ISO 27001 controls.
Such guidance supports the security manager’s decision-making process. This method also gives the security manager an opportunity to reflect on his policy implementation in the context of the particular scenario.
Going beyond formally ensuring compliance, this method presents two rounds of compliance checks:
– Check if organization is compliant (formal box-ticking exercise)
– Check for collisions with core users’ tasks.
In order to minimise the probability of repeating scenario the security manager should pay more attention to users’ day-to-day business activities.
As a first step of the process, the security manager should gain an insight on users’ typical business activities. After understanding typical business activities, the security manager could visualise them for example in form of the workweek schedule.
User’s main business process
For instance, the security manager finds out that the analyst runs data analysis software to model risks on Thursday to include this data in his report, which he usually presents at the end of each week to the client.
Furthermore, by gathering information on users’ manual security tasks, the information security manager estimates current users’ workload.
User’s manual security tasks
The information security manager identifies unique security tasks that users undertake during the week and use this information to make those tasks invisible to user. In this case, users would feel less obstructed in completing business tasks. But those activities are still taking place in the background. Only by identifying them, mapping them, and prioritising them could the security manager then do something about them.
Next, as a part of security pre-implementation process of security controls, the security manager looks at scheduled security activities, such as periodic security awareness workshops, review of software and data on users’ workstations or full machine antivirus scans.
Scheduled security activities
Merging all these diagrams together helps the security manager to understand total users’ workload and come up with a more effective implementation of security controls, which will not introduce collisions with core security tasks.
Total user’s workload
In order to make a decision on a particular implementation of security controls, the security manager should identify how users in his company perceive their security workload and which security tasks they carry out already.
At the moment, there is a possibility to of misconception of perceptions of security tasks of security managers and users. Developed model addresses this issue and helps the CISOs to manage their decision-making process more effectively. Moreover, comparing the security manager’s and users’ perceptions helps to uncover a number of unique security activities, and the amount of time users spend on them.
Validation of the model
The purpose of this section is to validate the model and gather relevant feedback from information security experts.
An interview questionnaire was developed to interview information security experts and collect their opinion on the developed model.
Written consent was collected prior to the interview to explain ethical and privacy points. Additionally, permission to use voice-recording device was obtained for future analysis.
Information, regarding interview procedure, intended questions and brief overview of the study were sent to all participants in advance via e-mail. At least 2 days were allowed for participants to examine the materials and prepare for the interview.
Five interviews were conducted out with information security experts. Every interview took place at participant’s office and at convenient time.
Feedback, provided by information security experts was documented and analysed according to grounded theory method. The following codes were identified:
– Degree of realistic implementation
– Potential benefits
– Business advantages
– Practical implementation
– Impact on security manger’s decision-making process
– Other ways of dealing with the similar issues
– Drawbacks of the model.
Information in this section is presented according to codes, which were discovered during interview process and further data analysis.
- Degree of realistic implementation: all security managers agree that developed model is realistic and can be implemented in the real-world company.
- Potential benefits: all interviewed experts believe that the model is beneficial to their organizations.
- Business advantages: 3 out of 5 security experts were able to name possible economic advantages of implementing the model.
- Practical implementation: 2 out of 5 interviewed security managers agreed to run pilot testing of the model in their organisation.
- Impact on security manager’s decision-making process: 4 out of 5 interviewed experts stated that presented model changed their attitude towards compliance behaviour issues. One security manager commented that this model doesn’t affect his decision-making process.
- Other ways of dealing with the similar issues: no other ways of dealing with issues of impact of users’ behaviour in a proactive manner were presented.
- Drawbacks of the model: all interviewees agree that implementation of the model might be time- and resource-consuming.
This section presents a discussion of interview findings.
Degree of realistic implementation
All the interviewed experts agree that the model could be implemented in the real-world scenario, but commented that it should be refined and validated with the real data. For example, one security manager said:
“I think the approach is sound and it’s realistic, but needs validation with the real data. And in the absence of the real data it’s got rather limited value.”
Another expert commented:
“I think that’s all sounds very interesting. You are definitely on the right track, but you need to collect more data to validate this model.”
Another security manager said:
“I believe it is realistic if it works, it will be relevant to any business. I don’t think many have considered practically addressing this dimension of security in their organisations.”
Security experts can see the potential benefits of implementing developed model in their companies. For instance, one expert said:
“I think that issue of usability and security is really important. Understanding where those tensions are and then represent those tensions might in some way help us to understand the cost associated with mitigating the risk.”
Another security manager commented:
“This model might help us to highlight where we can be creative and do something slightly different to make it easier for users to do what they want to do and do it in the default secure way. So yes, anything that can help us shed light on that going to be beneficial.”
One expert said:
“I think it’s beneficial, because it allows you to channel these thought about users’ workflow versus your workflow. How we squeeze security tasks all together with business activities.”
According to the experts, developed model yields some direct economic benefits for the company. For example, one security manager suggested:
“It is a very relevant model also from resource management perspective. How is my staffs’ time being utilised? Am I utilising my staff for the best? ”
One security expert suggested, that presented model can help him to make better decisions regarding risk assessment and investments in information security controls:
“It can be very valuable input into our risk assessment process and into our security investment decision-making process. Do we want to invest in one security tool or the other? Your model can provide means to compare security investment opportunities.”
Another expert agrees:
“You can understand what the business process is and what security solution would fit the best in order to maximise value.”
Another security manager’s quote supports the same point:
“Security really struggles to justify return on investment. What you could do is if you actually will break it down, saying that during the day typical user spends thirty minutes doing security activities. That cost, say 2 million pounds for a user. Does this security control bring 2 million worth saving in a year? If yes, or more, then it worth it. If no, then maybe you are doing the wrong controls. When maybe you should accept the risk. For example, yes maybe USB stick may introduce a virus to the system. Fine, but don’t spend five minutes every time scanning it.”
Some security managers agreed to run a pilot test in his company. One expert commented:
“It provided a different prospective on security – we have not considered how specific security controls may affect user behavior and productivity. I would be happy enough to run it as a small pilot to see if it yields promised results.”
“If it could be used as a means to ensure greater user efficiency/reduced non-compliance, we could consider including it in our security review.”
This indicates that the model could be implemented in the real-world companies for the future analysis.
Impact on security manger’s decision-making process
The majority of security mangers mentioned that presented model made them realise the impact of their actions on users and how they might struggle with particular security controls they implemented in the company.
Some security mangers came up with particular scenarios of how they would now make decision on implementation of security controls: On expert said:
“As a result you can make a decision to implement a technology solution that going to scan all the USB sticks in the background, rather than making each and every user do it manually. The cost of such implementation would be justified by you model. It will save user’s time and you can get security benefit as well.”
However, one security manager confessed that this model would not change the way he makes decision on security policy implementation:
“If it ain’t broken – don’t fix it! If the process we have in place is already compliant, I will not risk changing it just to satisfy the users who are not complaining anyway.”
The results imply that developed model helped most of the security managers to change their attitude towards compliance behaviour in their companies.
Other ways of dealing with the similar issues
All of the interviewed security managers agree that they are not actively dealing with issues of negative impact of security controls on users’ performance. One expert said:
“It’s very passive. The impact on users is important but it’s not the issue I spend a lot of time thinking about. Our approach is more reactive. The model presented, on the other hand, is more proactive technique.”
“Very informally. We don’t really draw on a real data. I think, having a framework of some description would be very useful. Something that focuses that kind of thinking.“
One security manager said that he never considered users being part of the system, hence never used any techniques, as mentioned in the following quote:
“We never considered user compliance from this perspective before – so have not considered / applied alternative principles.”
Drawbacks of the model
All interviewees agree that implementation of the model might be time- and resource-consuming. One expert commented:
“You need an easier way to implement it – that’s the biggest challenge. Because you need to come up with all users’ business tasks, then all security tasks, and then map them all together. All these things have to also be categorised and measured. And humans a very difficult to measure.”
Another manager mentioned:
“Getting it implemented I see as a big challenge. But once it’s implemented you can get a really good value.”
“The method is very good, but it takes a lot of effort to compile this.”
Despite identified possible benefits, the model is considered to be difficult to implement. Cost-benefit analysis could be performed to support the decision on the implementation of the model.
According to the security experts, the model can yield additional benefits to the company, such as optimisation of security activities, cost reduction, and information security projects investment justification.
The interview results reveal the main benefit of the model: it points a security manager in the direction of a better understanding of the users in his company. It provides the means to gain an insight into users’ core business activities and reflect on how they relate to the security tasks. This can help security managers to come up with more usable security policies and reduce the number of potential complaints, and instances of violation of security policy.
As some of the interviewees suggested, the security manager can implement this model in any company: all he has to do is to pick a process, pick a regulation and then apply the model. Moreover, this model can help the security manager to understand how much time users in his company spend on various security activities. This information can be used to make better investment decisions, and help in security policy optimisation. Additionally understanding that the security manager’s compliance decisions affect the whole organisation may result in cost savings from pre-implementation security analysis and its relation to main business processes of the company.
Despite the potential benefits, the model has drawbacks. Interview results suggest that implementation of the model might be cost- and resource-consuming. To assess the degree of such problem, real-world data should be collected. Moreover, as one expert mentioned, the model has limited value in the absence of the real data. The limited time scope of the current project didn’t allow the validation of the model with such data. Furthermore, access to the real data was restricted due to protective attitude of the companies who don’t want to be seen in bad light.
Attitudes towards information security policy and its effect on users’ business activities should be measured before and after implementing the model in the company in order to assess the effectiveness of the model.
ISO 27001 Standard is high-level and provides only basic recommendations on implementation of security controls. This fact gives a security manager in a company a lot of flexibility in choosing particular information security policies.
When making a decision on the how to introduce new security controls to achieve compliance with the ISO 27001 standard, security managers lack a clear process and rely mostly on their past experience.
Such lack of a clear process and guidance from ISO 27001 may result in arbitrary implementation of information security controls, which will collide with the core business activities of users in the company.
This article presents a scenario of such implementation and provides specific examples of how those controls may affect users’ behaviour.
Scrooge Bank is a global financial services firm, offering a range of solutions, including asset management, strategic advice, money lending, and risk management to clients in more than 100 countries.
From the organisational structure standpoint, Scrooge Bank consists of three departments in the business unit and three departments in the support unit.
The Chief Information Security Officer (CISO) reports directly to the Compliance and Risk Manager, and is responsible for ensuring legal and regulatory compliance, data loss prevention activities, and security incident management.
A decision taken by the CISO affects the whole organisation, including the analyst in the Investment Banking Department.
The business process
An analyst is a typical role in Scrooge Bank. He is involved in various business activities during the week.
On a weekly basis the analyst receives information from the client. There are several ways he can obtain this data: it might be copying information on a USB stick during a face-to-face meeting, or via e-mail as an attachment.
There are instances when the information received was exported from the client’s proprietary software products, which are not directly compatible with the widely used packages, such as Microsoft Excel, used by the analyst. Hence, the analyst was forced to use special data extracting software to access the data.
On a regular basis, the analyst needs search for additional information on the Internet to prepare a report for the client.
Once a week he runs data analysis software to analyse the potential risk for the client. This software is very powerful and commonly used in Scrooge Bank. However, it analyses vast amounts of data and consumes a lot of CPU time and memory.
When a report is finalised, the analyst exports it on a USB stick in order to present it to the Client.
Compliance requirements, controls implementation and impact on users’ behaviour
In order to more effectively protect against malicious code, Scrooge Bank decided to implement the ISO 27001 Standard. According to chapter 10.4.1 of the standard, “Controls against malicious code”, “detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented.”
The ISO 27001 Standard suggests that “Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code. Software and information processing facilities are vulnerable to the introduction of malicious code, such as computer viruses, network worms, Trojan horses, and logic bombs. Users should be made aware of the dangers of malicious code. Managers should, where appropriate, introduce controls to prevent, detect, and remove malicious code and control mobile code.”
The Standard also recommends the particular security controls to be implemented in order to protect against malicious code. In order to address the described issues and ensure formal compliance with the Standard, the security manger decides on the following implementation of the security controls. The following table also shows examples of how users in various departments of the company could potentially violate security policy, because it prevented them from perform their main business tasks
|ISO 27001 control implementation guidance||Context||Behavioral impact|
|Establishing a formal policy prohibiting the use of unauthorized software||Scrooge Bank’s CISO came up with a policy document, outlining a list of authorized software, which can be installed on users’ workstations according to principle of least privilege – users should only have access they require to perform their day-to-day activities and no more.Each department contributed to the policy, submitting a list of software which is essential to carrying out tasks by employees in this department.After finalizing this list, all users were denied access to install any new software without written permission from CISO.||John is performing an analysis of the company for the client. The deadline is fast approaching but there is still a lot of work to be done.The night before the deadline, John realizes that in order to finalize his analysis he requires a special data analysis tool, which was not included in the list of authorised software. He’s also unable to install it on his workstation, because he doesn’t have the required privileges to install new software.Getting the formal written approval from the CISO is not feasible, because it is going to take too long.John decides to copy sensitive information required for the analysis on his personal laptop using a USB flash drive to finish the analysis at home, where he can install any software he wants.
John understands the risk but he also wants to get the job done in order to avoid missing the deadline and get good performance review at the end of the year.
Unfortunately he leaves his bag with the USB stick in the taxi on the way back home.
He never tells anyone about this incident to avoid embarrassment.
|Establishing a formal policy to protect against risks associated with obtaining files and software either from or via external networks, or on any other medium, indicating what protective measures should be taken||In order to prevent obtaining files and software either from or via external networks, or on any other medium, CISO established a policy restricting use of file sharing websites and limited access to CD/DVD and USB flash drives.According to the policy, if a user wants to obtain a specific file from the internet or from an external device, he has to file a written request to his manager, who will decide if this file is essential to perform his duty. After management’s approval, the Information Security Department employee will process this request, downloading this file or copying it from the external medium, using a special isolated PC with thorough antivirus checks.||Mary works closely with a client to finalise her report on risk analysis for an international energy company.She works directly with the CFO of this company who is very impatient and busy with other tasks.Mary doesn’t want to annoy him, because he may complain directly to her line manager and she can be disciplined, because this is a very important client, which brings millions to the company.The client is not aware of the new policy which was recently implemented by the CISO of Scrooge Bank and uploads important pieces of information to the file sharing website in form of the encrypted archive, because it is too big to transfer over the corporate e-mail.
He communicates the password to Mary over the phone and sends her the link.
Mary was scared to explain the new policy to the client and right now she is unable to access this file to finalise her report.
She decided to go to internet café during her lunch break and download the important file from there, understanding the risk, but realising that getting all necessary approvals may take way too long.
At the internet café she not only downloads the encrypted file but also opens it on the local machine to check its integrity to avoid returning back, because she won’t have any breaks later in a day.
Because the internet café is far from the office and she didn’t have her lunch yet, she hurries and forgets to delete the decrypted file from the machine in the internet café.
She realizes her mistake when she’s back in the office but thinks that it is not a big deal and nothing bad can happen.
|Conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated||The CISO established a procedure of monthly checks of users’ workstations for presence of unauthorized data and software.If such data or software were be found, the employee would be given a warning. After three warnings he would be fired because of non-compliance with the security policies of the company.||Juliet uses data and files in her analysis, which she obtained from various sources, and she is not sure if it is approved or not. She’s afraid to clarify this situation with the CISO, because she’s afraid to be fired.In order to avoid being caught using such files, she decided to store this information on her personal laptop.But after a while she realised that it takes too long to copy and delete data from her corporate PC to personal laptop and vice versa, hence she decided to process all the information, including sensitive, on her personal computer.As always, she took her laptop with her on holiday, but it was stolen in a public place|
|Installation and regular update of malicious code detection and repair software to scan computers and media as a precautionary control, or on a routine basis; the checks carried out should include:1) checking any files on electronic or optical media, and files received over networks, for malicious code before use;2) checking electronic mail attachments and downloads for malicious code before use; this check should be carried out at different places, e.g. at electronic mail servers, desk top computers and when entering the network of the organization;3) checking web pages for malicious code;||The CISO implemented antivirus software on each workstation and configured automatic daily full machine scans to ensure that no malicious code was present on workstations.The CISO also established a formal policy, which requires every employee to run manual antivirus checks before opening e-mail attachments and using electronic or optical media.||Robin is a derivatives trader. Time and efficiency are critical success factors for him.Robin carries out thousands of deals per day using the electronic terminal on his PC.Introducing a new antivirus software slowed down his workstation performance, especially during full machine scans. This directly affects his job performance – he is unable to act as fast as before and misses many valuable opportunities.Robin understands the risk of malicious software but he is also frustrated by his inability to work as efficiently as before.
He finds a way to manually disable the antivirus agent on his PC.
During the search for information on the internet he accidentally accesses a spoofed website and introduces a Trojan on his workstation.
With no antivirus software to prevent malware from stealing sensitive information from his PC, it becomes a victim.
|Defining management procedures and responsibilities to deal with malicious code protection on systems, training in their use, reporting and recovering from malicious code attacks||The CISO developed a set of procedures to prevent malicious code.According to these procedures, each head of a department is responsible for preventing malicious code attacks in his/her department.The CISO wants to raise awareness, train and educate users how to record, prevent and recover from malicious code attacks. He decided to run regular monthly workshops to achieve these goals.||Employees of the organization not showing up for the workshops and not paying attention, because CISO’s efforts driven mainly by corporate directives, rather than security needs. Moreover, programme is the same for everyone, regardless of roles and responsibilities and it doesn’t change year after year.|
|Preparing appropriate business continuity plans for recovering from malicious code attacks, including all necessary data and software back-up and recovery arrangements||The CISO developed appropriate plans identifying critical information assets, and gathering input from asset owners.The CISO also performs data back-ups on a regular basis and maintains recovery arrangements.||Scrooge Bank recently acquired a small company and all its IT infrastructure.Because the CISO failed to update the business continuity plan in a timely manner to include recent changes, the company was very inefficient to recover from a malicious code attack.Furthermore, employees weren’t familiar with what they should do in this situation due to a lack of education and involvement during plan testing.|
|Implementing procedures to regularly collect information, such as subscribing to mailing lists and/or checking web sites giving information about new malicious code||The CISO assigned regular collection of information about new malicious code to a member of Information Security Department in addition to the other tasks he performs.||An employee of Information Security Department receives too much information daily from antivirus vendors’ websites and mailing lists, so he started to ignore it and focus more on his main tasks (i.e. handling information security incidents)|
|Implementing procedures to verify information relating to malicious code, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malicious code, are used to differentiate between hoaxes and real malicious code; all users should be made aware of the problem of hoaxes and what to do on receipt of them||The CISO wants to raise awareness of the employees on the issue of hoaxes.He decided to run regular monthly workshops to achieve this goal.||People don’t attend information security awareness training workshops, because they scheduled at the same day as an important meeting with the client.|
The table shows examples that regardless of the fact that the CISO developed a set of information security polices and implemented controls to ensure compliance with ISO 27001 Standard, users managed to find workarounds which negatively affected the company as a whole. In each and every case users violated security policy in in order to accomplish their main business tasks.
Additional security controls, which were added by the CISO, not only introduced additional cognitive burdens on the analyst, but also placed obstacles preventing him from performing his core business tasks.
For example, the information security awareness training workshop was scheduled at the same day that the analyst has an important meeting with the client and he have to skip it in order to meet his deadline. Additionally, he managed to shut down the antivirus agent on his workstation because scheduled manual antivirus checks consume too many resources, which are needed to run his risk simulation and analysis software. The analyst also skips manual antivirus and anti-phishing checks either because they are too time consuming or because he is worried about the integrity of the data.
This chapter presented a scenario of a particular realistic implementation of security controls, which can lead to in huge numbers of collisions between security and business tasks.
This scenario emphasises the importance of making users part of the system when implementing security controls.
It is difficult to ensure effectiveness of information security programme in the company without paying attention to users’ behaviour. One of the challenges for the security manager, when implementing information security policy, is to differentiate between malicious non-compliance and non-compliance due to the obstruction of business activities.
The main goal of this project is to gain an insight into information security behavior issues, from both an end-users’ and security managers’ perspectives. The study aims to develop a model to support security managers’ decision-making process when implementing security policy in the organisation. It is important to help security managers make a user a part of the system and to go beyond formal box-ticking when ensuring compliance with legal and regulatory requirements.
In order to achieve the objectives of the study, a method consisting of three parts was followed, including presenting example scenario and development of the model to address the research question for the first part, a survey and interviews for the second part, and interviews for the third part.
Stage one: Develop a model
The objective of the first stage is to motivate the research problem, presenting example scenario of poorly implemented security policy in the fictitious company, and to develop a model to support security manager’s decision-making process in implementing security controls in a company.
The example scenario presents the hypothesis that users’ experience and role of the manager are mismatched. Manager may think that user’s effort is unlimited. At the moment there is no way of directly comparing users’ and security manager’s perception of behavioural impact of security policy in the organisations.
The model is developed to support security managers’ decision-making process when implementing security policy in a company and to provide a tool of assessing users’ workload with security tasks.
The following stage shows that described mismatch exists and the developed model deals with the outlined problem.
Stage two Comparing views on security compliance behaviour in an organisation
The aim of the second part is to gather real-world data to highlight the importance of security compliance behavior and identify relevant problems which can arise when a security manager chooses a particular way of implementing information security controls in the organization. Moreover, this part aims to compare views of security managers and users on the problem of compliance behaviour.
For the purpose of this stage a combination of qualitative and quantitative methods was used.
As a part of the quantitative method, semi-structured interviews with five information security experts were conducted. In parallel 64 users were surveyed using an online surveying platform. For the purpose of the survey, eleven multiple-choice questions were developed, in collaboration with an academic with experience in this field.
Stage three: Validation of the developed model
The goal of the third stage of the study was to validate the model and gather relevant feedback from information security experts.
Five semi-structured interviews were conducted with information security experts.
Invitations for an interview were also distributed to outline the approximate duration of the interview, intended questions, to give insight on the procedure and to provide high-level information on the study.
Written consents were collected from the interviewees prior to the interview.
Interviews with security experts consisted of two parts:
- General questions on the security manager’s decision-making process regarding the implementation of security controls when ensuring compliance within the company (Stage two).
- Validating the model to support the security manager’s decision-making process (Stage three).
Pilot interviews were first carried out. Feedback gathered from the pilot interviews was used to improve model presentation technique, modify existing questions, and add new questions. Materials from the pilot interviews were not included in the thesis.
Each interview took approximately 50 minutes. All interviews were conducted face-to-face and at participants’ offices at a time convenient for them.
In the second part of the interview the same experts were presented the model after they had answered the question around validation of the importance of compliance behaviour. The study aims to assess how the presented model changed their decision-making process when thinking in terms of making users an essential part of the system.
Audio recordings were subsequently used by the researcher to develop interview transcripts, parts of which are presented in this work to support various points and provide insight on relevant issues.