Risks to Risk Management

Nasim Taleb in his book The Black Swan provides the following examples of Mirage Casino’s four largest losses:

  • $100 million from a tiger mauling
  • Unsuccessful attempt to dynamite casino
  • Neglect in completing tax returns
  • Ransom demand for owner’s kidnapped daughter

How many of these losses could’ve been identified and managed appropriately?

John Adams in his research Risk, Freedom and Responsibility suggests that “Risk management is not rocket science – it’s much more complicated.” He further elaborates on this point in his research: “The risk manager must […] deal not only with risk perceived through science, but also with virtual risk – risks where the science is inconclusive and people are thus liberated to argue from, and act upon, pre-established beliefs, convictions, prejudices and superstitions.”

According to Adams, there are three types of risk:

Figure: three kinds of risk

  • Directly perceptible risks are dealt with using proper judgement. “One does not undertake a formal, probabilistic, risk assessment before crossing the road.”
  • Risks perceived through science are subject to a formal risk management process. “Here one finds not only biological scientists in lab coats peering through microscopes, but physicists, chemists, engineers, doctors, statisticians, actuaries, epidemiologists and numerous other categories of scientist who have helped us to see risks that are invisible to the naked eye. Collectively they have improved enormously our ability to manage risk – as evidenced by the huge increase in average life spans that has coincided with the rise of science and technology.”
  • Virtual risk is not perceived through science, hence people are forced to act based on their convictions and beliefs. “Such risks may or may not be real, but they have real consequences. In the presence of virtual risk what we believe depends on whom we believe, and whom we believe depends on whom we trust.”

Klein in his Streetlights and shadows: searching for the keys to adaptive decision making suggests the following issues with risk management:

  • It works best in well-ordered situations
  • Fear of speaking out may result in poor risk identification
  • Organisations should understand that plans do not guarantee success and may result in a false sense of safety
  • Risk Management plans may actually increase risk.

Klein also identifies three risk decision making approaches:

  • Prioritise and reduce
  • Calculate and decide
  • Anticipate and adapt

To illustrate an individual’s decision-making process when dealing with risk, Adams introduces another concept called the “risk thermostat”.

Figure: risk thermostat

The main idea behind it is that people vary in their propensity to take risks, and that this propensity is influenced by their perception of risk, their experience of losses, and the potential rewards.

People tend to overestimate spectacular but rare risks, but downplay common risks. Also, personified risks are perceived to be greater than anonymous risks.

Protection measures can also be introduced only to increase perceived security, rather than to implement actual protective mechanisms. A possible example is deploying the National Guard in airports after 9/11 to provide reassurance. However, such security theatre has other applications in relation to motivation, deception and economics.

Finally, Adams discusses the phenomenon of risk compensation and appropriate adjustments which take place in the risk thermostat. He argues that introducing safety measures changes behavior: for example, seat belts can save a life in a crash, so people buckle up and take more risks when driving, leading to an increased number of accidents. As a result, the overall number of deaths remains unchanged.


Daniel Schatz: It is generally appreciated if security professionals understand that they are supposed to support the strategy of an organisation

Interview with Daniel Schatz – Director for Threat & Vulnerability Management


Let’s first discuss how you ended up doing threat and vulnerability management. What is your story?

I actually started off as a banker at Deutsche Bank in Germany but was looking for a more technical role, so I hired on with Thomson Reuters as Senior Support Engineer. I continued on to other roles in the enterprise support and architecture space with increasing focus on information security (as that was one of my strong interests), so it was just logical for me to move into that area. I particularly liked to spend my time understanding the developing threat landscape and existing vulnerabilities with the potential to impact the organisation, which naturally led me to be a part of that team.

What are you working on at the moment and what challenges are you facing?

On a day to day basis I’m busy trying to optimise the way vulnerability management is done and provide advice on current and potential threats relevant to the organisation. I think one of the challenges in my space is to find a balance between getting the attention of the right people to be able to notify them of concerning developments/situations while doing so in a non-alarmist way. It is very easy to deplete the security goodwill of people especially if they have many other things to worry about (like budgets, project deadlines, customer expectations, etc.). On the other hand they may be worried about things that they picked up on the news which they shouldn’t waste time on; so providing guidance on what they can put aside for now is also important. Other than that there are the usual issues that any security professional will face – limited resources, competing priorities with other initiatives, etc.

Can you share your opinion on the current security trends?

I think it is less valuable to look at current security trends as they tend to be defined by media/press and reinforced by vendors to suit their own strategy. If you look at e.g. Nation state cyber activities; this has been ongoing for a decade at least yet we now perceive it as a trend because we see massive reporting on it. I believe it is more sensible to spend time anticipating where the relevant threat landscape will be in a few months or years’ time and plan against that instead of trying to catch up with today’s threats by buying the latest gadget. Initiatives like the ISF Threat Horizon are good ways to start with this; or follow a DIY approach like I describe in my article

What is the role of the users in security?

I think this is the wrong way to ask this question, to be honest. Culture and mind-set are two of the most important factors when looking at security, so the question should emphasise the relationship of user and security in the right way. To borrow a phrase from JFK – Do not ask what users can do for security, ask what security can do for your users.

What does a good security culture look like?

One description of culture I like defines it as ‘an emotional environment shared by members of the organisation; it reflects how staff feel about themselves, about the people for whom and with whom they work and about their jobs.’ In this context it implies that security is part of the fabric of an organisation, naturally woven into every process and interaction without being perceived to be a burden. We see this at work within the Health & Safety area, but this didn’t happen overnight either.

How can one develop it in his/her company?

There is no cookie cutter approach but talking to the Health & Safety colleagues would not be the worst idea. I also think it is generally appreciated if security professionals understand that they are supposed to support the strategy of an organisation and recognise how their piece of the puzzle fits in. Pushing for security measures that would drive the firm out of the competitive market due to increased cost or lost flexibility is not a good way to go about it.

What are the main reasons for users’ non-secure behaviour?

Inconvenience is probably the main driver for certain behaviour. Everyone is unconsciously and constantly doing a cost/benefit calculation; if a user’s expected utility of opening the ‘Cute bunnies’ attachment exceeds the inconvenience of ignoring all those warning messages, a reasonable decision was made, albeit an insecure one.

What is the solution?

Either raise the cost or lower the benefit. While it will be difficult to teach your staff to dislike cute bunnies, raising the cost may work. To stick with the previous example, this could be done by imposing draconian punishment for opening malicious attachments or deploying technology solutions to aid the user in being compliant. There is an operational and economic perspective to this of course. If employees are scared to open attachments because of the potential for punishment it will likely have a depressing consequence for your business communications.

Some will probably look for ‘security awareness training’ as the answer here; while I think there is a place for such training, the direct impact is low in my view. If security awareness training aims to change an organisation’s culture you’re on the right track, but trying to train users’ utility decisions away will fail.

Thank you Daniel!

Research Proposal: People and Security

Purpose: The study aims to develop a model to support security managers’ decision-making process when implementing security policies in their organisations, and to incorporate users into the system in a way that mitigates the negative impact of users’ behaviour on security controls.

Background: Security managers in companies lack a clear process for implementing security controls in order to ensure compliance with various regulations and standards. A company can be formally compliant but still inefficient in performing its revenue-generating activities.
Security managers may take the ISO 27001 standard as a framework and then decide on any particular implementation based on their experience. Such implementations run the risk of colliding with users’ business activities and lead to violations of security policy in the company, because they introduce friction with the business process, and users try to avoid such friction. It is important, however, to differentiate between malicious non-compliance and cases where security policy obstructs business processes, leading to workarounds. There is a mismatch between users’ and security managers’ perception of the workload introduced by security tasks.

Method: To achieve the goal of the study, a combination of quantitative and qualitative methods is applied to research the perception of information security by both users and security managers.

Research benefits: The model points a security manager in the direction of a better understanding of the users in his company. It provides the means to gain insight into users’ core business activities and to reflect on how they relate to security tasks. This can help security managers come up with more usable security policies and reduce the number of potential complaints and instances of security policy violation.
Moreover, this model can help the security manager understand how much time users in his company spend on various security activities. This information can be used to make better investment decisions and to help optimise security policy. Additionally, understanding that the security manager’s decisions affect the whole organisation may result in cost savings from pre-implementation security analysis and its relation to the company’s main business processes.

Giving a seminar at the University of East London


This morning I delivered a seminar for a group of graduate students at the University of East London. An enriching mix of participants from various degrees, including information security, forensics, and IT law, made the classroom discussions very interesting.
I was very glad to see that the students were eager to learn more about the subject and were willing to share their ideas and experience. We even managed to identify new research opportunities in the field of economics of information security.
After the presentation, I facilitated a workshop designed around a case study on USB drive encryption. This exercise helped the students understand the perspective of both a security manager and an end-user on the same problem.

Image courtesy of Stuart Miles / FreeDigitalPhotos.net

Information security policy compliance, business processes and human behaviour

This article aims to review the literature on information security policy compliance issues and their relation to core business processes in the company and users’ behaviour. It also provides an insight into particular implementation examples of the ISO 27001 Standard, and methods of analysis of the effectiveness of such implementations.

Information security

Information security issues in organisations were raised long before the rapid development of technology. Companies have always been concerned with protecting their confidential information, including their intellectual property and trade secrets. There are many possible approaches to addressing information security. Wood [30] points out that security is a broad subject including financial controls, human resource policies, physical protection and safety measures. However, Ruighaver et al. [23] state that information security is usually viewed as a purely technical concern and is expected to have a purely technical solution. On the other hand, Schneier [25], Lampson [17], and Sasse and Flechais [24] emphasise the people aspect of security: people play a crucial role, as they use and implement security controls.

As stated by Anderson [3], it is essential to properly define information security in order to pay merit to all these aspects.

The Standard for Information Security Management ISO 27001 [32] defines information security as “the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximise return on investments and business opportunities.”

Dhillon [10] states that security issues in organisations can arise due to the absence of an information security policy. One of the ways to implement such a security policy is to take the ISO 27001 standard as a framework.

ISO 27001 Standard

The ISO 27001 Standard, a member of the ISO 27000 standards family, evolved from the British national standard BS7799 [31]. It aims to provide guidance on managing the risk associated with threats to the confidentiality, integrity and availability of an organisation’s assets. Such assets, as defined in ISO 27001 [32], include people, software, hardware, services, etc.

Doherty and Fulford [11], Von Solms [28], and Canavan [8] all came to the conclusion that well-established standards such as ISO 27001 might be a stepping-stone to implementing good information security programs in organisations.

However, Anttila and Kajava in their study [4] identify the following issues with ISO 27001 Standard:

  • The standard is high-level and basic concepts are not presented consistently in the standard.
  • It is hard to measure business benefits from implementing this standard.
  • The presented process management does not fully support current business practices.
  • The standard struggles to recommend solutions for contemporary business environments.

Neubauer et al. [19] in their research state that the main problem with security standards, including ISO 27001, is their “abstract control definition, which leaves space for interpretation”. Furthermore, the authors suggest that companies focus on obtaining formal certification and often do not assess and put in place adequate security controls according to their main business goals. Ittner et al. [14] support this point, adding that organisations also fail to estimate the effectiveness of their investments in such initiatives.

According to Sharma and Dash [26], ISO 27001 does not provide detailed guidance and requires a substantial level of expertise to implement. Moreover, the authors claim that “If risk assessment is flawed, don’t have sufficient security and risk assessment expertise, or do not have the management and organizational commitment to implement security then it is perfectly possible to be fully compliant with the standard, but be insecure.” The results of their study suggest that the organisations which participated implemented information security mainly to comply with legal and regulatory requirements. The consequence was the low cost-effectiveness of such implementations. However, the researchers do not analyse the level of users’ acceptance of the implemented controls. The authors also fail to recommend an approach which would support the security manager’s decision-making process in implementing ISO 27001 Standard controls.

Karabacak and Sogukpinar in their paper [16] present a flexible and low-cost ISO 17799 compliance check tool. The authors use qualitative techniques to collect and analyse data and state that “the success of our method depends on the answers of surveyors. Accurately answered questions lead to accurate compliance results.” However, the researchers stop short of analysing the impact of compliance with security policy on users’ behaviour. The authors do not consider the issue that a security manager’s decisions regarding a particular implementation of security policy affect the organisation as a whole and may introduce additional cognitive burdens on users. In extreme cases (e.g. obstructing core business processes) these issues may result in non-compliance, as users prioritise their primary task.

Vuppala et al. in their study [29] discuss their experience of implementing ISO 27001 information security management systems. One of the most important lessons learnt was developing an understanding of the role of users’ behaviour in this process. The authors recommend to “not make drastic changes to the current processes; this will only infuriate the users. Remember, users are an important, if not the most important, part of the overall security system.”

Human behaviour

Johnson and Goetz in [15] conducted a series of interviews with security managers to identify the main challenges of influencing employees’ behaviour. The results of this study revealed that security managers rely extensively on information security policies, not only as a means of ensuring compliance with legal and regulatory requirements, but also to guide and direct users’ behaviour.

To explore the question of the impact on users’ behaviour while implementing security policies, the following theories were researched:

1. Theory of Rational Choice – a framework which provides insight into social and economic behaviour. It implies that users tend to maximise their personal benefits [13]. Beautement et al. in their paper [6] use this theory to build a foundation explaining how people decide whether or not to comply with any particular information security policy.

Herley [12] suggests that it is rational for users not to comply with security policy, because the perceived risk reduction is lower than the effort needed.

2. Protection Motivation Theory – a theory which describes four factors that individuals consider when trying to protect themselves [22]:

  • perceived severity
  • probability of the adverse event
  • efficacy of the preventive behaviour
  • self-efficacy

Siponen builds on this theory to gain an understanding of individuals’ attitudes towards compliance with security policies, and refers to it in order to study the impact of punishment on actual compliance and on the intention to comply [27], [20].

3. The Theory of General Deterrence – this suggests that users will not comply with the rules if they are not concerned with punishment [1].

4. Theory of Planned Behaviour – this suggests that subjective norms and perceived behavioural controls influence individuals’ behaviour [2]. Siponen [27] and Pahnila [20] discovered that social norms play a significant role in users’ intention to comply.

These theories suggest that to effectively protect a company’s assets, the security manager should develop and implement security policies not only to ensure formal compliance with legal and regulatory requirements, but also to make sure that users are considered as a part of the system. Policies should be designed in a way that reduces the mental and physical workload of users [1], [6].

Business process visualisation and compliance

It is important to consider information security compliance and users’ behaviour in the context of a company. Users in organisations are involved in activities which can be represented as business processes.

A business process is defined as a set of logically related tasks (or activities) to achieve a defined business outcome [9].

Continuous monitoring of business processes is essential for any organisation. This can be achieved through the visualisation of business processes [21]. However, they are usually complex, due to the number of different users or user roles in large companies [7]. Barrett [5] also argues that it is essential to create a “vision of the process” in order to successfully reengineer it.

Namiri and Stojanovic in their paper [18] present a scenario demonstrating a particular business process and implement controls necessary to achieve compliance with regulatory requirements. The authors separate business and control objectives, introducing two roles: a business process expert, who is motivated solely by business objectives, and a compliance expert, who is concerned with ensuring compliance of a given business process.

References

[1] Adams, A. and Sasse, M.A. 1999. Users are not the enemy. Commun. ACM. 42, 12 (Dec. 1999).

[2] Ajzen, I. 1991. The theory of planned behavior. Organizational Behavior and Human Decision Processes. 50, 2 (Dec. 1991).

[3] Anderson, J.M. 2003. Why we need a new definition of information security. Computers & Security. 22, 4 (May 2003).

[4] Anttila, J. and Kajava, J. 2010. Challenging IS and ISM Standardization for Business Benefits. ARES ’10 International Conference on Availability, Reliability, and Security (2010).

[5] Barrett, J.L. 1994. Process Visualisation: Getting the Vision Right Is Key. Information Systems Management. 11, 2 (1994).

[6] Beautement, A. et al. 2008. The compliance budget: managing security behaviour in organisations. Proceedings of the 2008 workshop on New security paradigms (New York, NY, USA, 2008).

[7] Bobrik, R. et al. 2005. Requirements for the visualization of system-spanning business processes. Sixteenth International Workshop on Database and Expert Systems Applications, 2005. Proceedings (2005), 948–954.

[8] Canavan, S. 2003. An information security policy development guide for large companies. SANS Institute (2003).

[9] Davenport, T.H. and Short, J.E. 2003. Information technology and business process redesign. Operations management: critical perspectives on business and management. 1 (2003), 1–27.

[10] Dhillon, G. 2007. Principles of information systems security: text and cases. John Wiley & Sons.

[11] Doherty, N.F. and Fulford, H. 2005. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. Information Resources Management Journal. 18, 4 (2005).

[12] Herley, C. 2009. So long, and no thanks for the externalities: the rational rejection of security advice by users. Proceedings of the 2009 workshop on New security paradigms (New York, NY, USA, 2009).

[13] Herrnstein, R.J. 1990. Rational choice theory: Necessary but not sufficient. American Psychologist. 45, 3 (1990).

[14] Ittner, C.D. and Larcker, D.F. 2003. Coming up short on nonfinancial performance measurement. Harvard Business Review. 81, 11 (2003), 88–95.

[15] Johnson, M.E. and Goetz, E. 2007. Embedding Information Security into the Organization. IEEE Security & Privacy. 5, 3 (2007).

[16] Karabacak, B. and Sogukpinar, I. 2006. A quantitative method for ISO 17799 gap analysis. Computers & Security. 25, 6 (Sep. 2006).

[17] Lampson, B.W. 2004. Computer security in the real world. Computer. 37, 6 (2004), 37–46.

[18] Namiri, K. and Stojanovic, N. 2007. Pattern-based design and validation of business process compliance. On the Move to Meaningful Internet Systems 2007: CoopIS, DOA, ODBASE, GADA, and IS. Springer. 59–76.

[19] Neubauer, T. et al. 2008. Interactive Selection of ISO 27001 Controls under Multiple Objectives. Proceedings of the IFIP TC 11 23rd International Information Security Conference. S. Jajodia et al., eds. Springer US. 477–492.

[20] Pahnila, S. et al. 2007. Employees’ Behavior towards IS Security Policy Compliance. 40th Annual Hawaii International Conference on System Sciences, 2007. HICSS 2007 (2007).

[21] Rinderle, S.B. et al. 2006. Business process visualization: use cases, challenges, solutions. (2006).

[22] Rogers, R.W. 1975. A Protection Motivation Theory of Fear Appeals and Attitude Change. The Journal of Psychology. 91, 1 (1975).

[23] Ruighaver, A.B. et al. 2007. Organisational security culture: Extending the end-user perspective. Computers & Security. 26, 1 (Feb. 2007).

[24] Sasse, M.A. and Flechais, I. 2005. Usable Security: Why Do We Need It? How Do We Get It? Security and Usability: Designing secure systems that people can use. L.F. Cranor and S. Garfinkel, eds. O’Reilly.

[25] Schneier, B. 2003. Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Springer.

[26] Sharma, D.N. and Dash, P.K. 2012. Effectiveness of ISO 27001 as an Information Security Management System: An Analytical Study of Financial Aspects. Far East Journal of Psychology and Business. 9, 5 (2012), 57–71.

[27] Siponen, M. et al. 2010. Compliance with Information Security Policies: An Empirical Investigation. Computer. 43, 2 (2010).

[28] Solms, R. von 1999. Information security management: why standards are important. Information Management & Computer Security. 7, 1 (Mar. 1999).

[29] Vuppala, V. et al. Securing a Control System: Experiences from ISO 27001 Implementation.

[30] Wood, M.B. 1982. Introducing Computer Security. National Computing Centre.

[31] BS, BS7799 – Information Technology – Code of practice for information security management, London: BS, 1995.

[32] ISO/IEC, ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements, Geneva: ISO/IEC, 2005 and Draft for the new revision ISO/IEC JTC 1/SC 27 N10641, 2011.

Comparing views on security compliance behaviour in an organisation

The purpose of this post is to provide a comprehensive analysis of the data collected from the survey and semi-structured interviews to compare views on information security activities from security managers’ and users’ viewpoints.

Methodology

Survey

A survey was developed to collect information from a broad sample on users’ attitudes towards information security policies in their organisations in general, and on how compliance with information security policies affects their behaviour in particular. The responses were analysed quantitatively.

Method

The main goal of the survey was to assess the attitude of end-users towards information security policies in their companies and to measure the level of dissatisfaction with security tasks. Before the questions, all participants were shown a page explaining the purpose of the study, the approximate time needed to complete the survey, the researcher’s contact information, and their right to withdraw their answers at any time. After participants gave their consent by clicking the “Next” button, they were asked to answer eleven multiple-choice questions. The first four questions were designed to gather demographic information about the participants for later analysis: participants were asked to provide their gender, age, number of years of work experience, and industry sector. The subsequent seven questions were aimed at gaining insight into users’ attitudes towards information security policies in their companies and the way they make their compliance decisions. Participants were asked to:

  1. Indicate their attitude towards security policy in their company.
  2. Assess the effectiveness of implementation of the security policy in their company.
  3. Estimate the approximate time they spend weekly on various security activities, such as password changes, antivirus checks, anti-phishing checks, awareness training, encryption, etc.
  4. Indicate their attitude towards the impact which security activities have on their overall performance: respondents were presented with a statement “I believe security activities negatively affect my overall performance” and were asked to choose one of the following four answers: “strongly agree”, “agree”, “disagree”, and “strongly disagree”.
  5. Assess the degree of concern of the security manager in their company with users’ main business goals and tasks.
  6. Assess how frequently security controls prevent them from accomplishing their main business tasks.
  7. Indicate their attitude towards the possibility of violation of the security policy if it prevented them from accomplishing their main business activities.

The survey was advertised on social networks (LinkedIn, Facebook) to recruit participants. A sample of specific interest was created to include people with relevant job experience.

Results

This section presents detailed end-users’ survey findings. Results are described in the order of their appearance in the survey. 64 responses were collected.

End-users’ demographic characteristics

The results show that the majority of the sample (40 out of 64 participants) were male. They also show that 32 out of 64 participants are in the 18 to 24 age group, and that 29 out of 64 are in the 25 to 34 age group. A relatively small number of participants (only 3 people) are older than 35. The members of the largest group (22 out of 64 participants) are at the beginning of their careers and have less than one year of work experience. The following figure presents the distribution of respondents by industry sector.


Distribution of respondents by industry sector

Attitude towards security policy in the company

The results of the survey show that 51% of participants have a positive outlook towards information security in their company (6 chose the “very positive” option and 27 “positive”). 29 respondents have a neutral attitude towards information security in the organisation. Only 2 participants indicated a negative attitude.


Attitude towards security policy

View on the implementation of the security policy in the organisation

50% of participants think that the information security policy is effectively implemented in their company. However, 34% of the sample struggled to provide an opinion on this matter.


Effectiveness of implementation of the security policy

Time spent by users on security activities

A large majority (80%) feel that they spend less than 30 minutes per week in total on security tasks. However, 4 respondents perceive that they spent over an hour on security activities in the course of the past week.


Time spent by users on security activities

Impact on users’ overall performance

37 participants disagree with the statement that security negatively impacts their overall performance and 12 participants strongly disagree with it, although 1 respondent strongly agrees.


Impact on users’ overall performance

Assessing the degree of concern of the security manager in the company with users’ main business goals and tasks

Most of the participants (27 out of 64) believe that their security manager is rather neutral towards users’ business activities. 19 participants feel that their security manager is aware of their day-to-day tasks.


Degree of concern of the security manager in the company with users’ main business goals and tasks 

Instances of obstructing core business processes

30 respondents cannot recall any instances in which security controls obstructed their business activities. On the other hand, the results of the survey show that more than 50% experienced problems at least once a year, and in many cases more regularly, because of the security policy.


Instances of obstructing core business processes

Information security policy violations

When faced with the statement “I would violate security policy if it prevents me from accomplishing my main business tasks”, participants were split almost equally between those who are willing to violate security policy in order to get their job done and those who choose to comply even in this case.


Information security policy violations

Discussion

Individual response analysis shows that some people cannot recall situations in which security policy prevented them from accomplishing their core business activities; however, they still perceive security as something that hinders their performance. Other participants did not report such instances more frequently than approximately once every three months.


Frequency of collisions in relation to perception of negative impact on users’ performance

Individual response analysis also revealed that there is one person who strongly agrees that security tasks affect his/her performance. This individual’s answer to the question on the perceived number of instances in which security policy prevented him/her from accomplishing their main business task shows that he/she experiences difficulty performing business activities on a daily basis. The anonymous nature of the survey did not allow the researcher to conduct a follow-up interview to gain insight into this particular case. Moreover, the high number of “I don’t know” responses to the question regarding the effectiveness of implementation of the security policy may indicate that the criteria for effectiveness were not clearly defined. Furthermore, using social networks to recruit the sample negatively affected the researcher’s ability to generalise the results. The presented sample contains mostly young people with relatively little work experience. This makes it difficult to draw conclusions, because employees’ perception of security tasks may change with time in the job. Given these limitations, the results show that more than 23% of participants believe that security tasks negatively affect their overall performance. This is a major concern for organisations, because it directly affects a company’s ability to generate revenue. According to the survey results, 20% of participants responded that they spend approximately one hour per week on various security tasks.

Interviews

The second stage was conducted as an exploratory study with five information security experts. This section presents a descriptive analysis of the semi-structured interviews with information security experts.

Method

The main goal of the semi-structured interviews was to gain insight into the information security manager’s awareness that his decisions on the particular implementation of security controls affect the organisation as a whole, and that his actions may negatively impact users’ performance in core business activities. The interview questions were also designed to gather information on the security manager’s ability to distinguish between instances of malicious non-compliance and instances in which security controls obstruct users’ main business tasks. All information security experts selected to participate in the study have seven or more years of work experience in the field of information security and currently hold managerial positions in their companies. Materials and feedback from two pilot interviews, which were not included in the current project, were used to refine the questions and procedures for the following interviews, so that they focused more on relevant topics, and to group them into categories. When patterns started to emerge, the data were evaluated. The Grounded Theory analysis revealed the following most common codes:

–       Security manager’s decision-making process on particular implementation of security controls

–       Relation between business and security goals

–       Detection of instances of non-compliance

–       Reaction to instances of non-compliance

–       Security manager’s awareness of how security policy implementation affects users’ behaviour

–       Difficulties in measuring impact of users’ behaviour

–       Security manager’s awareness of users’ typical business activities

–       Effect of understanding of users’ business activities on security manager’s decision-making process

Results

Results are grouped into codes, which were developed in line with the Grounded Theory:

–       Security manager’s decision-making process on particular implementation of security controls: interview results suggest that 4 out of 5 interviewed security managers use their past experience when implementing security policy. One security manager stated that security policy was already implemented in his organisation.

–       Relation between business and security goals: all security managers understand the role of information security as a supporting process.

–       Detection of instances of non-compliance: all interviewed experts rely on both formal and informal channels for detecting instances of non-compliance.

–       Reaction to instances of non-compliance: interview results suggest that 4 out of 5 interviewed security managers try to understand the root cause of the problem first. One security manager indicated that he is not directly involved in the investigation of such incidents.

–       Security manager’s awareness of how security policy implementation affects users’ behaviour: 4 out of 5 security managers believe that they are aware of the impact of security controls on users’ behaviour. One security manager stated that he does not have the resources for that.

–       Difficulties in measuring the impact of users’ behaviour: all experts experience some difficulties in assessing the impact on users’ behaviour.

–       Security manager’s awareness of users’ typical business activities: 4 out of 5 security managers indicated their awareness of users’ day-to-day tasks. One security manager mentioned that he does not have enough time for this.

–       Effect of understanding of users’ business activities on security manager’s decision-making process: all of the interviewed experts agree that it is beneficial to understand users’ business tasks.

Discussion

This section presents a discussion of interview findings.

Security manager’s decision-making process on particular implementation of security controls

Interview data reconfirms that security managers mostly use their own judgment and past experience when making a decision on the particular implementation of information security controls. As one expert explained: “When I’m making a decision to implement ISO 27001 standard in my organization, half of that decision is what the particular policies would actually look like. Because ISO 27001 is very high-level and it is by all means not a policy in itself, it just gives you one or two criteria or one or two suggestions what your security policies should look like. Because of this freedom of implementation, you actually have to write these policies yourself.”

Relation between business and security goals

Interviewed security experts also understand the importance of involving business management in the process of implementing security controls. For example, one security manager mentioned: “If there is no benefit to the business – you don’t do it.” Another expert reinforces this point by saying: “Get the people who these controls directly affect. You should start with the business. Get their buy-in; although they might view it as an additional workload, hence most people involved in this security initiative might produce sub-standard work.” Interviewed security managers also think that business objectives should always be the priority. For example, one expert commented: “Many security managers think that security is the most important thing. I personally don’t think so. Paying shareholders is the most important. Inhibiting those activities or encouraging dangerous activities because of what you are doing you are making the situation worse.” The results illustrate that interviewed security managers understand that their decisions affect the whole organisation.

Detection of instances of non-compliance

Interview participants are aware of various methods of detecting non-compliance. For example, one expert mentioned: “I walk around this building on occasion and I wiggle doors and I check workstations for locked screens. The other way you find out is by rumours or chatting with people.” The results revealed that security experts rely on both formal (e.g. periodic security reviews) and informal (e.g. rumours, complaints) channels for detecting non-compliance.

Reaction to instances of non-compliance

Most interviewed security managers agree that users should not be punished for non-compliance right away; the root cause of the problem has to be understood first. For instance, one expert suggested: “You don’t react on non-compliance with anger. You try to find out why it happened, rather than the fact that it has failed. Moreover, you can use it as a possibility for education and awareness and possibility for improvement.” Another expert reinforces this point, saying: “At the end of the day it failed because with high probability you implemented it badly, because you forced some particular way of working or method which they can’t use, so they worked around it.” According to the results, understanding the reason behind the non-compliance is important for most of the interviewed experts.

Security manager’s awareness of how security policy implementation affects users’ behaviour

Most of the interviewed security experts believe that they are, to a certain degree, aware of the impact of the security policy on users’ behaviour. One security manager said: “Yes, I think I’m aware of that, because when it affects it in a negative way – we hear about it. There are lots of complaints.” Some participants backed up their statements with examples. One security manager mentioned: “When users want to look at Excel spreadsheet or use an application using iPad but they can’t, because security controls don’t allow access to the business applications via an iPad. So they have to use a laptop rather than device of their own choice. So yes, we are aware of that tension, but we tend to enable people to do what they need to do.” Interview results suggest that such awareness is directly related to the number of users’ complaints. However, nobody mentioned a proactive way of assessing this impact.

Difficulties in measuring impact of users’ behaviour

Several security experts stated that it is difficult to assess the impact of security controls on users’ behaviour. For example, one mentioned: “We never measured it. We don’t have a way of measuring it. So we don’t know.” Another expert agrees with him: “One thing is putting controls in place and the other is measuring effectiveness. Around users it is very difficult. Because they are not like a server, where you can say here is CPU optimisation.” However, one security expert strongly disagrees with the idea that he should take behavioural impact into consideration. He said: “Why should I care? Why is this relevant to my job – caring about users is not part of my job responsibilities. I have limited resources to ensure compliance – how am I going to stretch that to areas outside of my direct responsibility?”

Security manager’s awareness of users’ typical business activities

Some security experts who participated in the interviews mentioned that they are aware of users’ business tasks to the degree required to successfully manage projects. One security manager stated: “At a high level we are aware. At the detailed process level really only when we are doing a project in that department. When we need to understand the process within the project.” Another expert provides an example supporting the same argument: “When we do a particular project on a new system. Say, for instance, it’s a new credit card system being implemented we work through the user’s role, we work through the general data storage, so we become familiar with that particular department’s user activities.” The results show that some interviewed security managers believe that they are capable of understanding users’ day-to-day business activities and that they make their decisions on the particular implementation of security controls according to this knowledge.

Effect of understanding of users’ business activities on security manager’s decision-making process

All of the interviewed experts agree that knowledge of what users in their company are doing can help them implement information security policy better. One security manager shared an example of that: “For instance we worked with our studio manager and looked at the process of data transfer to the client. We have chosen one particular brand of encrypted USB keys, we believe that adoption would be very high, because they are great looking devices. It feels good for our creative workers to give it to the client with our logo on it, rather than sharing data using a cheap plastic USB stick – there is no story, there is no sort of emotional attachment, which is so particularly important for creative workers. But in order for us to come to such a decision we actually spent some time observing and understanding our users.”

Conclusion

The results show that the majority of security managers who participated in the study understand the importance of making the user part of the system and of assessing the possible impact on users’ behaviour when deciding on the implementation of particular security controls. However, they agree that their awareness of users’ business activities is reactive and based mainly on users’ complaints. The small number of interviewed security experts makes it problematic to generalise the results. Moreover, all of the interviewed security managers have a substantial amount of work experience (they were chosen to have a minimum of seven years, but some of them have more than twenty years of experience), which may affect the results. Such security experts tend to work in companies with mature information security processes in place. Interviewing experts with less experience may yield different results.

Discussion

Results of this section provide insight into how security managers and users view the importance of compliance behaviour in organisations. Analysis of the interview and survey results shows that the presented method is capable of identifying the existence of the problem: there is a huge gap between users’ and security managers’ perceptions of security policy, which negatively impacts the organisation as a whole. Most of the interviewed security managers think that they consider users part of the system and are aware of the impact of their actions on users’ behaviour. However, survey results indicate that more than 23% of users believe that security negatively affects their performance. Moreover, 20% of participants spend approximately one hour weekly on various security activities. Current interview and survey data suggest that a difference in the perception of users and security managers exists, given the differing opinions presented, but do not prove this is the case, because the information comes from different contexts. Running the study inside one organisation would overcome this limitation. The difference in the perception of users and security managers should be studied more thoroughly. The study should be conducted in one company to directly compare the views of managers and users from the same organisation, which is critical to showing whether a difference in opinion really exists. Moreover, the research should be conducted with a broader and better-quality sample to ensure that the results can be generalised. More participants from various backgrounds should form the sample.

Security compliance behaviour conflicts resolution model

This article presents the model for analysis and visualisation of a company’s security policy building on the example scenario in relation to productive business activities.

The model aims to provide the means of comparing the perception of security tasks from both users’ and security managers’ points of view and optimising security activities in the company.

A guide for the security manager

On the one hand, violation of compliance requirements may result in significant losses for an organisation. On the other hand, poorly implemented security policies may obstruct users’ goal-driven behaviour and may result in non-compliance.

The scenario suggests that the CISO takes ISO 27001 as a framework and then makes a decision on a particular implementation based on his knowledge and past experience. As illustrated by the scenario, a lack of clear guidance in this decision-making process may result in a situation in which a company is formally compliant with the standard but users perform their core business activities inefficiently and/or are forced to violate poorly implemented security policies.

By directly comparing security requirements and business processes, the security manager can analyse ISO 27001 policy compliance controls and their consequences in terms of affecting user behaviour.

In order to ensure that users in the organisation will comply with security policies, the security manager should broaden his perspective and make users a part of the system. It is important to differentiate between malicious non-compliance and cases when security policy obstructs core business process.

                                    Policy compliance
                                    Yes        No
Primary task optimised    Yes       V          (X)
                          No        (V)        X

Relation between policy compliance and optimisation of the primary task

“V” – CISO is satisfied with users’ compliance efforts.

“X” – CISO is not satisfied with users’ compliance efforts.

“(X)” – the case when users perform their tasks efficiently, but are not compliant with security policy.

“(V)” – the case when users are formally compliant with security policy, but it prevents them from carrying out their tasks efficiently.

The table emphasises the fact that, regardless of formal compliance, users perform their core business activities in an inefficient manner when security controls are poorly implemented. The security manager should also pay attention to the cognitive burdens and availability aspects of recommended solutions.

In order to mitigate the risk of poor implementation of security controls, the security manager should follow clear processes when implementing ISO 27001 controls.


Such guidance supports the security manager’s decision-making process. This method also gives the security manager an opportunity to reflect on his policy implementation in the context of the particular scenario.

Going beyond formally ensuring compliance, this method presents two rounds of compliance checks:

–       Check if the organisation is compliant (formal box-ticking exercise)

–       Check for collisions with core users’ tasks.

Visualisation technique

In order to minimise the probability of repeating the scenario, the security manager should pay more attention to users’ day-to-day business activities.

As a first step of the process, the security manager should gain insight into users’ typical business activities. After understanding typical business activities, the security manager could visualise them, for example in the form of a workweek schedule.


User’s main business process

For instance, the security manager finds out that the analyst runs data analysis software to model risks on Thursday to include this data in his report, which he usually presents at the end of each week to the client.

Furthermore, by gathering information on users’ manual security tasks, the information security manager estimates current users’ workload.


User’s manual security tasks

The information security manager identifies the unique security tasks that users undertake during the week and uses this information to make those tasks invisible to the user. In this case, users would feel less obstructed in completing business tasks, although those activities still take place in the background. Only by identifying them, mapping them and prioritising them can the security manager then do something about them.

Next, as part of the pre-implementation process for security controls, the security manager looks at scheduled security activities, such as periodic security awareness workshops, reviews of software and data on users’ workstations, or full machine antivirus scans.


Scheduled security activities

Merging all these diagrams together helps the security manager to understand the users’ total workload and come up with a more effective implementation of security controls, which will not introduce collisions with core security tasks.


Total user’s workload

In order to make a decision on a particular implementation of security controls, the security manager should identify how users in his company perceive their security workload and which security tasks they carry out already.

At the moment, there is a possibility of a mismatch between security managers’ and users’ perceptions of security tasks. The developed model addresses this issue and helps CISOs to manage their decision-making process more effectively. Moreover, comparing the security manager’s and users’ perceptions helps to uncover a number of unique security activities, and the amount of time users spend on them.
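The mapping procedure described in this section (workweek schedule, manual security tasks, scheduled security activities, merged total workload) and the two-round compliance check from the guide above, as an added Python example that is not part of the original article or its model. The analyst’s week and the control names are constructed data, and a “collision” is assumed to mean a security task that overlaps a core business task in time.

```python
from collections import defaultdict
from dataclasses import dataclass

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri"]
SECURITY_KINDS = {"manual_security", "scheduled_security"}


@dataclass(frozen=True)
class Task:
    """One block on a user's weekly schedule. start is the hour of day (9.5 == 09:30)."""
    name: str
    day: str
    start: float
    minutes: int
    kind: str  # "business", "manual_security" or "scheduled_security"

    @property
    def end(self) -> float:
        return self.start + self.minutes / 60


def overlaps(a: Task, b: Task) -> bool:
    """Two tasks collide when they fall on the same day and their time windows intersect."""
    return a.day == b.day and a.start < b.end and b.start < a.end


# Constructed sample week for the analyst described in the text (hypothetical data).
BUSINESS = [
    Task("Client calls", "Mon", 9.0, 120, "business"),
    Task("Risk model data analysis run", "Thu", 9.0, 240, "business"),
    Task("Weekly client report", "Fri", 14.0, 120, "business"),
]
MANUAL_SECURITY = [
    Task("Scan USB stick before use", "Mon", 8.75, 5, "manual_security"),
    Task("Scan USB stick before use", "Thu", 8.75, 5, "manual_security"),
    Task("Encrypt report for client", "Fri", 16.0, 10, "manual_security"),
]
SCHEDULED_SECURITY = [
    Task("Security awareness workshop", "Wed", 14.0, 60, "scheduled_security"),
    Task("Full antivirus scan", "Thu", 10.0, 90, "scheduled_security"),
]


def total_workload(*task_lists) -> dict:
    """Merge the separate diagrams into one: minutes per day, split by task kind."""
    totals = {day: defaultdict(int) for day in DAYS}
    for tasks in task_lists:
        for t in tasks:
            totals[t.day][t.kind] += t.minutes
    return {day: dict(kinds) for day, kinds in totals.items()}


def security_minutes_per_week(*task_lists) -> int:
    """Time the user spends on security activities in the week (the figure the survey asked about)."""
    return sum(t.minutes for tasks in task_lists for t in tasks if t.kind in SECURITY_KINDS)


def unique_manual_tasks(manual) -> list:
    """Identify and prioritise recurring manual security tasks: (name, occurrences, minutes per week)."""
    seen = defaultdict(lambda: [0, 0])
    for t in manual:
        seen[t.name][0] += 1
        seen[t.name][1] += t.minutes
    ranked = [(name, n, mins) for name, (n, mins) in seen.items()]
    return sorted(ranked, key=lambda r: (-r[2], -r[1], r[0]))


def find_collisions(business, *security_lists) -> list:
    """Second-round check: security tasks that overlap a core business task."""
    return [(b.name, s.name, b.day) for b in business
            for tasks in security_lists for s in tasks if overlaps(b, s)]


def classify(compliant: bool, task_optimised: bool) -> str:
    """Quadrant of the policy compliance / primary task table: V, (V), (X) or X."""
    if compliant:
        return "V" if task_optimised else "(V)"
    return "(X)" if task_optimised else "X"


def compliance_review(required, implemented, business, *security_lists) -> dict:
    """Two rounds: formal box-ticking on control names, then collisions with core users' tasks."""
    missing = set(required) - set(implemented)
    collisions = find_collisions(business, *security_lists)
    return {
        "missing_controls": missing,
        "collisions": collisions,
        "quadrant": classify(not missing, not collisions),
    }


if __name__ == "__main__":
    # Constructed control names, not ISO 27001 control identifiers.
    required = {"malware protection", "removable media handling", "information transfer"}
    review = compliance_review(required, required, BUSINESS, MANUAL_SECURITY, SCHEDULED_SECURITY)
    print("security minutes per week:", security_minutes_per_week(MANUAL_SECURITY, SCHEDULED_SECURITY))
    print("manual tasks to consider automating:", unique_manual_tasks(MANUAL_SECURITY))
    print("review:", review)
```

For the constructed week the organisation ticks every box but lands in the “(V)” quadrant, because the full antivirus scan runs on Thursday morning while the analyst runs the risk model.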

Validation of the model

The purpose of this section is to validate the model and gather relevant feedback from information security experts.

Method

An interview questionnaire was developed to interview information security experts and collect their opinion on the developed model.

Written consent, covering the ethical and privacy points, was collected prior to the interview. Additionally, permission to use a voice-recording device was obtained for later analysis.

Information regarding the interview procedure, the intended questions and a brief overview of the study was sent to all participants in advance via e-mail. At least 2 days were allowed for participants to examine the materials and prepare for the interview.

Five interviews were conducted with information security experts. Every interview took place at the participant’s office at a convenient time.

Feedback provided by the information security experts was documented and analysed according to the grounded theory method. The following codes were identified:

–       Degree of realistic implementation

–       Potential benefits

–       Business advantages

–       Practical implementation

–       Impact on security manager’s decision-making process

–       Other ways of dealing with the similar issues

–       Drawbacks of the model.

Results

Information in this section is presented according to codes, which were discovered during interview process and further data analysis.

  1. Degree of realistic implementation: all security managers agree that the developed model is realistic and can be implemented in a real-world company.
  2. Potential benefits: all interviewed experts believe that the model is beneficial to their organisations.
  3. Business advantages: 3 out of 5 security experts were able to name possible economic advantages of implementing the model.
  4. Practical implementation: 2 out of 5 interviewed security managers agreed to run pilot testing of the model in their organisation.
  5. Impact on security manager’s decision-making process: 4 out of 5 interviewed experts stated that the presented model changed their attitude towards compliance behaviour issues. One security manager commented that this model does not affect his decision-making process.
  6. Other ways of dealing with similar issues: no other proactive ways of dealing with the impact of security controls on users’ behaviour were presented.
  7. Drawbacks of the model: all interviewees agree that implementation of the model might be time- and resource-consuming.

Discussion

This section presents a discussion of interview findings.

Degree of realistic implementation

All the interviewed experts agree that the model could be implemented in a real-world scenario, but commented that it should be refined and validated with real data. For example, one security manager said:

“I think the approach is sound and it’s realistic, but needs validation with the real data. And in the absence of the real data it’s got rather limited value.”

Another expert commented:

“I think that’s all sounds very interesting. You are definitely on the right track, but you need to collect more data to validate this model.”

Another security manager said:

“I believe it is realistic if it works, it will be relevant to any business. I don’t think many have considered practically addressing this dimension of security in their organisations.”

Potential benefits

Security experts can see the potential benefits of implementing the developed model in their companies. For instance, one expert said:

“I think that issue of usability and security is really important. Understanding where those tensions are and then represent those tensions might in some way help us to understand the cost associated with mitigating the risk.”

Another security manager commented:

“This model might help us to highlight where we can be creative and do something slightly different to make it easier for users to do what they want to do and do it in the default secure way. So yes, anything that can help us shed light on that going to be beneficial.”

One expert said:

“I think it’s beneficial, because it allows you to channel these thought about users’ workflow versus your workflow. How we squeeze security tasks all together with business activities.”

Business advantages

According to the experts, the developed model yields some direct economic benefits for the company. For example, one security manager suggested:

“It is a very relevant model also from resource management perspective. How is my staffs’ time being utilised? Am I utilising my staff for the best? ”

One security expert suggested that the presented model can help him to make better decisions regarding risk assessment and investments in information security controls:

“It can be very valuable input into our risk assessment process and into our security investment decision-making process. Do we want to invest in one security tool or the other? Your model can provide means to compare security investment opportunities.”

Another expert agrees:

“You can understand what the business process is and what security solution would fit the best in order to maximise value.”

Another security manager’s quote supports the same point:

“Security really struggles to justify return on investment. What you could do is if you actually will break it down, saying that during the day typical user spends thirty minutes doing security activities. That cost, say 2 million pounds for a user. Does this security control bring 2 million worth saving in a year? If yes, or more, then it worth it. If no, then maybe you are doing the wrong controls. When maybe you should accept the risk. For example, yes maybe USB stick may introduce a virus to the system. Fine, but don’t spend five minutes every time scanning it.”

Practical implementation

Some security managers agreed to run a pilot test in their companies. One expert commented:

“It provided a different perspective on security – we have not considered how specific security controls may affect user behavior and productivity. I would be happy enough to run it as a small pilot to see if it yields promised results.”

Another said:

“If it could be used as a means to ensure greater user efficiency/reduced non-compliance, we could consider including it in our security review.”

This indicates that the model could be implemented in real-world companies for future analysis.

Impact on security manager’s decision-making process

The majority of security managers mentioned that the presented model made them realise the impact of their actions on users and how users might struggle with particular security controls implemented in the company.

Some security managers came up with particular scenarios of how they would now make decisions on the implementation of security controls. One expert said:

“As a result you can make a decision to implement a technology solution that is going to scan all the USB sticks in the background, rather than making each and every user do it manually. The cost of such implementation would be justified by your model. It will save user’s time and you can get security benefit as well.”

However, one security manager confessed that this model would not change the way he makes decisions on security policy implementation:

“If it ain’t broken – don’t fix it! If the process we have in place is already compliant, I will not risk changing it just to satisfy the users who are not complaining anyway.”

The results imply that the developed model helped most of the security managers to change their attitude towards compliance behaviour in their companies.

Other ways of dealing with similar issues

All of the interviewed security managers agree that they are not actively dealing with the negative impact of security controls on users’ performance. One expert said:

“It’s very passive. The impact on users is important but it’s not the issue I spend a lot of time thinking about. Our approach is more reactive. The model presented, on the other hand, is a more proactive technique.”

Another commented:

“Very informally. We don’t really draw on real data. I think, having a framework of some description would be very useful. Something that focuses that kind of thinking.”

One security manager said that he had never considered users to be part of the system, and hence never used any such techniques, as the following quote shows:

“We never considered user compliance from this perspective before – so have not considered / applied alternative principles.”

Drawbacks of the model

All interviewees agree that implementation of the model might be time- and resource-consuming. One expert commented:

“You need an easier way to implement it – that’s the biggest challenge. Because you need to come up with all users’ business tasks, then all security tasks, and then map them all together. All these things have to also be categorised and measured. And humans are very difficult to measure.”

Another manager mentioned:

“Getting it implemented I see as a big challenge. But once it’s implemented you can get a really good value.”

Another commented:

“The method is very good, but it takes a lot of effort to compile this.”

Despite the identified possible benefits, the model is considered to be difficult to implement. A cost-benefit analysis could be performed to support the decision on the implementation of the model.

Conclusion

According to the security experts, the model can yield additional benefits to the company, such as optimisation of security activities, cost reduction, and information security projects investment justification.

The interview results reveal the main benefit of the model: it points a security manager in the direction of a better understanding of the users in his company. It provides the means to gain insight into users’ core business activities and to reflect on how they relate to the security tasks. This can help security managers to come up with more usable security policies and reduce the number of potential complaints and instances of violation of security policy.

As some of the interviewees suggested, a security manager can apply this model in any company: all he has to do is pick a process, pick a regulation and then apply the model. Moreover, the model can help the security manager understand how much time users in his company spend on various security activities. This information can be used to make better investment decisions and to optimise security policy. Additionally, recognising that the security manager’s compliance decisions affect the whole organisation may lead to cost savings, because the security analysis is performed before implementation and related to the company’s main business processes.
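To make the “map business tasks to security tasks and measure them” idea concrete, here is a small added example (not the thesis’s own model or code). It assumes a simple structure: each business task has a weekly frequency and a duration, and carries a list of the security tasks it triggers. From that it computes the share of the week spent on security work, the business tasks where that share is highest, and the weekly cost of each security task. All task names, frequencies and durations are constructed for illustration and are not measured data from the study.

```python
"""Added example: a minimal business-task / security-task workload mapping.

Not the study's own model or code. The structure (frequency x duration,
security tasks attached to business tasks) is an assumption, and every
number below is constructed, not measured.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SecurityTask:
    name: str
    minutes: float  # assumed minutes per occurrence


@dataclass
class BusinessTask:
    name: str
    per_week: int           # assumed occurrences per week
    minutes: float          # assumed minutes per occurrence, excluding security work
    security: List[SecurityTask] = field(default_factory=list)

    def business_minutes(self) -> float:
        return self.per_week * self.minutes

    def security_minutes(self) -> float:
        # Every occurrence of the business task triggers all attached security tasks.
        return self.per_week * sum(s.minutes for s in self.security)


def weekly_overhead(tasks: List[BusinessTask]) -> Tuple[float, float, float]:
    """Return (business minutes, security minutes, security share of the total)."""
    business = sum(t.business_minutes() for t in tasks)
    security = sum(t.security_minutes() for t in tasks)
    total = business + security
    return business, security, (security / total if total else 0.0)


def hotspots(tasks: List[BusinessTask], threshold: float = 0.25) -> List[str]:
    """Business tasks where security work exceeds `threshold` of the task's total time.

    These are the places where the scenario's workarounds are most likely."""
    result = []
    for t in tasks:
        total = t.business_minutes() + t.security_minutes()
        if total and t.security_minutes() / total > threshold:
            result.append(t.name)
    return result


def security_task_totals(tasks: List[BusinessTask]) -> Dict[str, float]:
    """Weekly minutes per security task, summed over all business tasks that trigger it."""
    totals: Dict[str, float] = {}
    for t in tasks:
        for s in t.security:
            totals[s.name] = totals.get(s.name, 0.0) + t.per_week * s.minutes
    return totals


# Constructed analyst week, loosely following the Scrooge Bank scenario (assumed values).
manual_av = SecurityTask("manual antivirus check", 3)
approval = SecurityTask("written approval request", 30)
ANALYST_WEEK = [
    BusinessTask("receive client data (USB/e-mail)", 5, 10, [manual_av, approval]),
    BusinessTask("internet research", 10, 30, [SecurityTask("anti-phishing check", 2)]),
    BusinessTask("run risk analysis software", 1, 240, [SecurityTask("wait for full AV scan", 45)]),
    BusinessTask("export report to USB", 1, 15, [approval]),
]

if __name__ == "__main__":
    business, security, share = weekly_overhead(ANALYST_WEEK)
    print(f"business {business:.0f} min, security {security:.0f} min, share {share:.1%}")
    print("hotspots:", hotspots(ANALYST_WEEK))
    for name, minutes in sorted(security_task_totals(ANALYST_WEEK).items()):
        print(f"  {name}: {minutes:.0f} min/week")
```

The output is only as good as the durations, which is exactly the difficulty the interviewees raise (“humans are very difficult to measure”); the value of the structure is that it shows which single control (here the written approval request) dominates the weekly cost, and on which business tasks.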

Despite the potential benefits, the model has drawbacks. The interview results suggest that implementing the model may be costly and resource-consuming. To assess how severe this problem is, real-world data should be collected. Moreover, as one expert mentioned, the model has limited value in the absence of real data. The limited time scope of the current project did not allow validation of the model with such data. Furthermore, access to real data was restricted because companies are protective and do not want to be seen in a bad light.

To assess the effectiveness of the model, attitudes towards information security policy and its effect on users’ business activities should be measured both before and after the model is implemented in a company.

Security policy compliance behaviour case study

The ISO 27001 standard is high-level and provides only basic recommendations on the implementation of security controls. This gives a security manager a lot of flexibility in choosing particular information security policies.

When deciding how to introduce new security controls to achieve compliance with ISO 27001, security managers lack a clear process and rely mostly on their past experience.

This lack of a clear process and guidance in ISO 27001 may result in an arbitrary implementation of information security controls which collides with the core business activities of users in the company.

This article presents a scenario of such implementation and provides specific examples of how those controls may affect users’ behaviour.

The company

Scrooge Bank is a global financial services firm, offering a range of solutions, including asset management, strategic advice, money lending, and risk management to clients in more than 100 countries.

From the organisational structure standpoint, Scrooge Bank consists of three departments in the business unit and three departments in the support unit.

[Figure: Scrooge Bank organisation chart]

The Chief Information Security Officer (CISO) reports directly to the Compliance and Risk Manager, and is responsible for ensuring legal and regulatory compliance, data loss prevention activities, and security incident management.

A decision taken by the CISO affects the whole organisation, including the analyst in the Investment Banking Department.

The business process

An analyst is a typical role in Scrooge Bank. He is involved in various business activities during the week.

[Figure: the analyst’s weekly business process]

On a weekly basis the analyst receives information from the client. There are several ways he can obtain this data: it may be copied onto a USB stick during a face-to-face meeting, or sent by e-mail as an attachment.

There are instances when the information received has been exported from the client’s proprietary software, which is not directly compatible with widely used packages such as Microsoft Excel. In such cases the analyst has to use special data-extraction software to access the data.

On a regular basis the analyst needs to search for additional information on the Internet to prepare a report for the client.

Once a week he runs data analysis software to analyse the potential risk for the client. This software is very powerful and widely used in Scrooge Bank; however, it processes vast amounts of data and consumes a lot of CPU time and memory.

When a report is finalised, the analyst exports it to a USB stick in order to present it to the client.

Compliance requirements, controls implementation and impact on users’ behaviour

In order to protect more effectively against malicious code, Scrooge Bank decided to implement the ISO 27001 standard. According to section 10.4.1 of the standard, “Controls against malicious code”, “detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented.” (The control text and implementation guidance quoted below are those of the 2005 edition, where the wording lives in ISO/IEC 27002 and is referenced from Annex A of ISO/IEC 27001; in the 2013 revision the control was renumbered A.12.2.1.)

The standard’s guidance states: “Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code. Software and information processing facilities are vulnerable to the introduction of malicious code, such as computer viruses, network worms, Trojan horses, and logic bombs. Users should be made aware of the dangers of malicious code. Managers should, where appropriate, introduce controls to prevent, detect, and remove malicious code and control mobile code.”

The standard also recommends particular security controls to be implemented in order to protect against malicious code. To address the described issues and ensure formal compliance with the standard, the security manager decides on the following implementation of the security controls. For each control, the table below gives the guidance from the standard, how the CISO implemented it (the context), and an example of how users in various departments of the company could end up violating security policy because it prevented them from performing their main business tasks.

Control 1
ISO 27001 guidance: Establishing a formal policy prohibiting the use of unauthorized software.
Context: Scrooge Bank’s CISO drew up a policy document listing the software authorised for installation on users’ workstations, following the principle of least privilege: users should have only the access they require to perform their day-to-day activities and no more. Each department contributed to the policy by submitting a list of the software essential to its employees’ tasks. Once the list was finalised, all users were denied permission to install any new software without written approval from the CISO.
Behavioural impact: John is performing an analysis of a company for a client. The deadline is fast approaching but there is still a lot of work to be done. The night before the deadline, John realises that in order to finalise his analysis he needs a special data analysis tool which was not included in the list of authorised software. He is unable to install it on his workstation because he does not have the required privileges. Getting formal written approval from the CISO is not feasible, because it would take too long. John decides to copy the sensitive information required for the analysis onto a USB flash drive and finish the analysis at home on his personal laptop, where he can install any software he wants.
John understands the risk, but he also wants to get the job done, avoid missing the deadline and get a good performance review at the end of the year.
Unfortunately he leaves his bag with the USB stick in the taxi on the way home.
He never tells anyone about the incident, to avoid embarrassment.

Control 2
ISO 27001 guidance: Establishing a formal policy to protect against risks associated with obtaining files and software either from or via external networks, or on any other medium, indicating what protective measures should be taken.
Context: To prevent files and software being obtained from or via external networks, or on any other medium, the CISO established a policy restricting the use of file-sharing websites and limiting access to CD/DVD drives and USB flash drives. Under the policy, a user who wants to obtain a specific file from the internet or from an external device has to file a written request with his manager, who decides whether the file is essential to his duties. After management approval, an Information Security Department employee processes the request, downloading the file or copying it from the external medium on a special isolated PC with thorough antivirus checks.
Behavioural impact: Mary works closely with a client to finalise her risk analysis report for an international energy company. She works directly with the CFO of that company, who is impatient and busy with other tasks. Mary does not want to annoy him, because he may complain directly to her line manager and she could be disciplined: this is a very important client, bringing millions to the company. The client is not aware of the new policy recently implemented by Scrooge Bank’s CISO and uploads important pieces of information to a file-sharing website as an encrypted archive, because it is too big to transfer over corporate e-mail.
He communicates the password to Mary over the phone and sends her the link.
Mary is afraid to explain the new policy to the client, and right now she is unable to access the file to finalise her report.
She decides to go to an internet café during her lunch break and download the file from there, understanding the risk but realising that getting all the necessary approvals would take far too long.
At the internet café she not only downloads the encrypted file but also opens it on the local machine to check its integrity, to avoid having to come back, because she will not have any breaks later in the day.
Because the internet café is far from the office and she has not had lunch yet, she hurries and forgets to delete the decrypted file from the café machine.
She realises her mistake when she is back in the office, but thinks it is not a big deal and nothing bad can happen.

Control 3
ISO 27001 guidance: Conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated.
Context: The CISO established a procedure of monthly checks of users’ workstations for unauthorised data and software. If such data or software is found, the employee is given a warning. After three warnings the employee is dismissed for non-compliance with the company’s security policies.
Behavioural impact: Juliet uses data and files in her analysis which she obtained from various sources, and she is not sure whether they are approved or not. She is afraid to clarify this with the CISO, because she is afraid of being fired. To avoid being caught using such files, she decides to store the information on her personal laptop. After a while she realises that copying data between her corporate PC and her personal laptop and deleting it again takes too long, so she decides to process all the information, including sensitive data, on her personal computer. As always, she takes her laptop with her on holiday, where it is stolen in a public place.

Control 4
ISO 27001 guidance: Installation and regular update of malicious code detection and repair software to scan computers and media as a precautionary control, or on a routine basis; the checks carried out should include: 1) checking any files on electronic or optical media, and files received over networks, for malicious code before use; 2) checking electronic mail attachments and downloads for malicious code before use; this check should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization; 3) checking web pages for malicious code.
Context: The CISO deployed antivirus software on each workstation and configured automatic daily full-machine scans to ensure that no malicious code is present. The CISO also established a formal policy requiring every employee to run manual antivirus checks before opening e-mail attachments and before using electronic or optical media.
Behavioural impact: Robin is a derivatives trader. Time and efficiency are critical success factors for him. Robin carries out thousands of deals per day using the electronic terminal on his PC. The new antivirus software slowed down his workstation, especially during full-machine scans. This directly affects his job performance: he is unable to act as fast as before and misses many valuable opportunities. Robin understands the risk of malicious software, but he is frustrated by his inability to work as efficiently as before.
He finds a way to manually disable the antivirus agent on his PC.
While searching for information on the internet he accidentally visits a spoofed website and introduces a Trojan onto his workstation.
With no antivirus software to stop the malware from stealing sensitive information from his PC, the workstation is compromised.

Control 5
ISO 27001 guidance: Defining management procedures and responsibilities to deal with malicious code protection on systems, training in their use, reporting and recovering from malicious code attacks.
Context: The CISO developed a set of procedures to prevent malicious code. Under these procedures, each head of department is responsible for preventing malicious code attacks in his or her department. The CISO wants to raise awareness and train users in how to record, prevent and recover from malicious code attacks, and decided to run regular monthly workshops to achieve this.
Behavioural impact: Employees do not show up for the workshops, or do not pay attention, because the CISO’s efforts are driven mainly by corporate directives rather than by security needs. Moreover, the programme is the same for everyone, regardless of roles and responsibilities, and it does not change from year to year.

Control 6
ISO 27001 guidance: Preparing appropriate business continuity plans for recovering from malicious code attacks, including all necessary data and software back-up and recovery arrangements.
Context: The CISO developed plans identifying critical information assets, gathering input from asset owners. The CISO also performs data back-ups on a regular basis and maintains recovery arrangements.
Behavioural impact: Scrooge Bank recently acquired a small company together with all of its IT infrastructure. Because the CISO failed to update the business continuity plan in time to include these changes, the company recovered very inefficiently from a malicious code attack. Furthermore, employees were not familiar with what they should do in this situation, owing to a lack of education and involvement in plan testing.

Control 7
ISO 27001 guidance: Implementing procedures to regularly collect information, such as subscribing to mailing lists and/or checking web sites giving information about new malicious code.
Context: The CISO assigned the regular collection of information about new malicious code to a member of the Information Security Department, in addition to his other tasks.
Behavioural impact: The employee receives too much information every day from antivirus vendors’ websites and mailing lists, so he starts to ignore it and focuses on his main task (handling information security incidents).

Control 8
ISO 27001 guidance: Implementing procedures to verify information relating to malicious code, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malicious code, are used to differentiate between hoaxes and real malicious code; all users should be made aware of the problem of hoaxes and what to do on receipt of them.
Context: The CISO wants to raise employees’ awareness of the hoax problem and decided to run regular monthly workshops to achieve this.
Behavioural impact: People do not attend the information security awareness workshops, because they are scheduled on the same day as an important meeting with the client.

The table shows that, although the CISO developed a set of information security policies and implemented controls to ensure compliance with the ISO 27001 standard, users found workarounds which negatively affected the company as a whole. In every case users violated security policy in order to accomplish their main business tasks.

The additional security controls introduced by the CISO not only placed an additional cognitive burden on the analyst, but also put obstacles in the way of his core business tasks.

[Figure: the analyst’s weekly business process with the added security tasks]

For example, the information security awareness workshop was scheduled on the same day as the analyst’s important meeting with the client, so he had to skip it to meet his deadline. He also managed to shut down the antivirus agent on his workstation, because the scheduled antivirus scans consume resources he needs to run his risk simulation and analysis software. The analyst also skips the manual antivirus and anti-phishing checks, either because they are too time-consuming or because he is worried about the integrity of the data.

This chapter presented a realistic scenario of a particular implementation of security controls which can lead to a large number of collisions between security tasks and business tasks.

This scenario emphasises the importance of making users part of the system when implementing security controls.

MSc Information Security research project: Overview of the methods and materials

It is difficult to ensure the effectiveness of an information security programme in a company without paying attention to users’ behaviour. One of the challenges for a security manager implementing information security policy is to differentiate between malicious non-compliance and non-compliance caused by the obstruction of business activities.

The main goal of this project is to gain insight into information security behaviour issues from both the end-users’ and the security managers’ perspectives. The study aims to develop a model to support security managers’ decision-making when implementing security policy in an organisation. It is important to help security managers make the user a part of the system and to go beyond formal box-ticking when ensuring compliance with legal and regulatory requirements.

To achieve the objectives of the study, a three-part method was followed: the first part presents an example scenario and develops the model to address the research question; the second part consists of a survey and interviews; and the third part consists of interviews.

Stage one: Develop a model

The objective of the first stage is to motivate the research problem by presenting an example scenario of poorly implemented security policy in a fictitious company, and to develop a model to support the security manager’s decision-making when implementing security controls in a company.

The example scenario illustrates the hypothesis that users’ experience and the security manager’s view of it are mismatched: the manager may assume that users’ effort is unlimited. At present there is no way of directly comparing users’ and security managers’ perceptions of the behavioural impact of security policy in an organisation.

The model is developed to support security managers’ decision-making when implementing security policy in a company, and to provide a tool for assessing the workload that security tasks impose on users.

The following stages show that the described mismatch exists and that the developed model addresses it.

Stage two: Comparing views on security compliance behaviour in an organisation

The aim of the second part is to gather real-world data that highlights the importance of security compliance behaviour and to identify the problems which can arise when a security manager chooses a particular way of implementing information security controls in an organisation. This part also compares the views of security managers and users on the problem of compliance behaviour.

For the purpose of this stage a combination of qualitative and quantitative methods was used.


As the qualitative part, semi-structured interviews with five information security experts were conducted. In parallel, as the quantitative part, 64 users were surveyed using an online surveying platform. For the survey, eleven multiple-choice questions were developed in collaboration with an academic with experience in this field.

Stage three: Validation of the developed model

The goal of the third stage of the study was to validate the model and gather relevant feedback from information security experts.

Five semi-structured interviews were conducted with information security experts.


Interview invitations were distributed in advance, outlining the approximate duration of the interview and the intended questions, describing the procedure and providing high-level information on the study.

Written consent was collected from the interviewees prior to the interview.

Interviews with security experts consisted of two parts:

  1. General questions on the security manager’s decision-making process regarding the implementation of security controls when ensuring compliance within the company (Stage two).
  2. Validating the model to support the security manager’s decision-making process (Stage three).

Pilot interviews were carried out first. Feedback from the pilot interviews was used to improve the way the model was presented, modify existing questions and add new ones. Material from the pilot interviews was not included in the thesis.

Each interview took approximately 50 minutes. All interviews were conducted face-to-face and at participants’ offices at a time convenient for them.

In the second part of the interview the same experts were shown the model, after they had answered the questions on the importance of compliance behaviour. The study aims to assess how the model changed their decision-making when thinking in terms of making users an essential part of the system.

The audio recordings were subsequently transcribed by the researcher; parts of the transcripts are presented in this work to support various points and provide insight into relevant issues.

MSc Information Security thesis abstract


Security managers in companies lack a clear process to implement security controls in order to ensure compliance with various regulations and standards.

Interviews with experts show that security managers may take the ISO 27001 standard as a framework and then decide on a particular implementation based on their experience.

Such implementations run the risk of colliding with users’ business activities: they introduce friction into the business process, users try to avoid that friction, and the result is violation of the company’s security policies. It is important, however, to differentiate between malicious non-compliance and cases where security policy obstructs business processes and leads to workarounds.

This piece of research presents example scenarios of such clashes and explores the root causes of events of non-compliance.

A model is developed that supports security managers’ decision-making process and incorporates users into the system in a way that mitigates the negative impact on users’ behaviour of security policy.

A combination of quantitative and qualitative methods is applied to research the perception of information security by both users and security managers: a survey of 64 participants was conducted to gain insight into users’ perspective on the implemented information security controls, and semi-structured interviews were conducted with five experts who have seven or more years of experience in the information security field and currently hold managerial positions.

The study illustrates that a company can be formally compliant yet inefficient in performing its revenue-generating activities. Moreover, there is a mismatch between users’ and security managers’ perceptions: security managers think that they are already paying attention to users, but 23% of users complain that security activities negatively affect their performance.

The presented model was validated by information security experts and provides clear guidance to security managers in organisations on the implementation of security controls. The majority of experts liked the approach, but said that it needs to be tried with real-world processes.