Continuous security monitoring

NISTIR 7756 Contextual Description of the CAESARS System

Knowing your existing assets, threats and countermeasures is a necessary starting point for prioritising cyber risk management activities. Indeed, when driving improvement of an organisation's security posture, security leaders often begin by getting a view of the effectiveness of the existing security controls.

A common approach is to perform a security assessment that involves interviewing stakeholders and reviewing policies against a security framework (e.g. NIST CSF).

A report is then produced presenting the current state and highlighting the gaps. It can then be used to gain wider leadership support for a remediation programme, justifying the investment for security uplift initiatives. I wrote a number of these reports myself while working as a consultant and also internally in the first few weeks of being a CISO.

These reports have a lot of merit, but they also have limitations. They are, by definition, point-in-time: the document is out of date the day after it is produced, or even sooner. By then the threat landscape has already shifted, the state of assets and controls has changed, and business context and priorities are no longer the same.


Digital decisions: Understanding behaviours for safer cyber environments


I was invited to participate in a panel discussion at a workshop on digital decision-making and risk-taking hosted by the Decision, Attitude, Risk & Thinking (DART) research group at Kingston Business School.

During the workshop, we addressed the human dimension in issues arising from increasing digital interconnectedness with a particular focus on cyber security risks and cyber safety in web-connected organisations.

We identified behavioural challenges in cyber security such as insider threats, phishing emails, security culture and achieving stakeholder buy-in. We also outlined a potential further research opportunity which could tackle behavioural security risks inherent in the management of organisational information assets.


‘Wicked’ problems in information security


Incorporating security activities into the natural workflow of productive tasks makes it easier for people to adopt new technologies and ways of working, but it is not necessarily enough to guarantee that a particular security-usability issue can be solved. The reason is that such problems can be categorised as wicked.

Rittel and Webber, writing in Policy Sciences, define a wicked problem in the context of social policy planning as one that is challenging, if not impossible, to solve because of missing, poorly defined or inconsistent stakeholder requirements, which may change over time and for which an optimal solution is hard to find.[1]

Traditional methods cannot be applied to a wicked problem; a creative solution must be sought instead. One such approach is to apply design thinking techniques.

Methods for design thinking include performing situational analysis, interviewing, creating user profiles, looking at other existing solutions, creating prototypes and mind mapping.

Plattner, Meinel and Leifer in ‘Design Thinking: Understand–Improve–Apply’ assert that there are four rules to design thinking, which can help security professionals better approach wicked problems:[2]

  1. The human rule: all design activity is ultimately social in nature.
  2. The ambiguity rule: design thinkers must preserve ambiguity.
  3. The redesign rule: all design is redesign.
  4. The tangibility rule: making ideas tangible always facilitates communication.

Security professionals should adopt these rules in order to develop controls that are both secure and usable: engage people, build on existing solutions, and create prototypes that allow feedback to be collected.

Although this enables the design of better security controls, the design thinking rules rarely provide insight into why the existing mechanism is failing.

When a problem occurs, we naturally tend to focus on the symptoms instead of identifying the root cause. In Toyota Production System: Beyond Large-Scale Production, Taiichi Ohno describes the Five Whys technique, which he developed and which was used in the Toyota production system as a systematic problem-solving tool to get to the heart of a problem.

In that book, Ohno provides the following example of applying the technique when a machine stopped functioning:[3]

  1. Why did the machine stop? There was an overload and the fuse blew.
  2. Why was there an overload? The bearing was not sufficiently lubricated.
  3. Why was it not lubricated sufficiently? The lubrication pump was not pumping sufficiently.
  4. Why was it not pumping sufficiently? The shaft of the pump was worn and rattling.
  5. Why was the shaft worn out? There was no strainer attached and metal scrap got in.

Instead of stopping at the first reason for the malfunction, i.e. replacing the fuse or the pump shaft, repeating ‘why’ five times helps to uncover the underlying issue and prevents the problem from resurfacing in the near future.

Eric Ries, who adapted this technique to building a business in his book The Lean Startup,[4] points out that at “the root of every seemingly technical problem is actually a human problem.”

In Ohno’s example, the root cause turned out to be a human error (someone failing to attach a strainer) rather than the technical fault (a blown fuse) that was initially suspected. This is typical of most problems that security professionals face, whatever industry they are in.

These techniques can help to address the core of the issue and build systems that are both usable and secure. This is not easy to achieve due to the nature of the problem. But, once implemented, such mechanisms can significantly improve the security culture in organisations.

References:

[1] Horst W. J. Rittel and Melvin M. Webber, “Dilemmas in a General Theory of Planning”, Policy Sciences, 4, 1973, 155–169.

[2] Hasso Plattner, Christoph Meinel and Larry J. Leifer, eds.,  Design Thinking: Understand–Improve–Apply, Springer Science & Business Media, 2010.

[3] Taiichi Ohno, Toyota Production System: Beyond Large-Scale Production, Productivity Press, 1988.

[4] Eric Ries, The Lean Startup, Crown Business, 2011.

Image by Paloma Baytelman https://www.flickr.com/photos/palomabaytelman/10299945186/in/photostream/

To find out more about the psychology behind information security, read Leron’s book, The Psychology of Information Security. Twitter: @le_rond

Productive Security


The majority of employees within an organisation are hired to execute specific jobs, such as marketing, managing projects, manufacturing goods or overseeing financial investment. Their main, and sometimes only, priority is to complete their core business activity efficiently, so information security is usually only a secondary consideration. Consequently, employees are reluctant to invest more than a limited amount of effort and time in a secondary task that they rarely understand and from which they perceive no benefit.

Research[1] suggests that when security mechanisms cause additional work, employees will favour non-compliant behaviour in order to complete their primary tasks quickly.

There is a lack of awareness among security managers[2] about the burden that security mechanisms impose on employees, because it is assumed that the users can easily accommodate the effort that security compliance requires. In reality, employees tend to experience a negative impact on their performance because they feel that these cumbersome security mechanisms drain both their time and their effort. The risk mitigation achieved through compliance, from their perspective, is not worth the disruption to their productivity. In extreme cases, the more urgent the delivery of the primary task is, the more appealing and justifiable non-compliance becomes, regardless of employees’ awareness of the risks.

When security mechanisms hinder or significantly slow down employees’ performance, they will cut corners, and reorganise and adjust their primary tasks in order to avoid them. This seems to be particularly prevalent in file sharing, especially when users are restricted by permissions, by data storage or transfer allowance, and by time-consuming protocols. People will usually work around the security mechanisms and resort to the readily available commercial alternatives, which may be insecure. From the employee’s perspective, the consequences of not completing a primary task are severe, as opposed to the ‘potential’ consequences of the risk associated with breaching security policies.

If organisations continue to set equally high goals for both security and business productivity, they are essentially leaving it up to their employees to resolve potential conflicts between them. Employees will focus most of their time and effort on carrying out their primary tasks efficiently and in a timely manner, which means that their target will be to maximise their own benefit, as opposed to the company’s. It is therefore vital for organisations to find a balance between both security and productivity, because when they fail to do so, they lead – or even force – their employees to resort to non-compliant behaviour. When companies are unable to recognise and correct security mechanisms and policies that affect performance and when they exclusively reward their employees for productivity, not for security, they are effectively enabling and reinforcing non-compliant decision-making on behalf of the employees.

Employees will only comply with security policies if they are motivated to do so: they must have the perception that compliant behaviour results in personal gain. People must be given the tools and the means to understand the potential risks associated with their roles, as well as the benefits of compliant behaviour, both to themselves and to the organisation. Once they are equipped with this information and awareness, they must be trusted to make their own decisions that can serve to mitigate risks at the organisational level.

References:

[1] Iacovos Kirlappos, Adam Beautement and M. Angela Sasse, “‘Comply or Die’ Is Dead: Long Live Security-Aware Principal Agents”, in Financial Cryptography and Data Security, Springer, 2013, 70–82.

[2] Leron Zinatullin, “The Psychology of Information Security.”, IT Governance Publishing, 2016.

Photo by Nick Carter https://www.flickr.com/photos/8323834@N07/500995147/

Cake and Security

There is no doubt that security is necessary, but why is it so unpleasant to follow a security policy? Reminding yourself to stick to the rules feels like your partner telling you… to eat your salad. You know they are right, but anticipating that bland taste and mindless chewing that awaits you simply puts you off. You decide to leave it for tomorrow, so much so that you never get to it.

Cakes, on the other hand, are yummy and require no effort whatsoever to indulge in our cravings for them. Nobody needs to force us to eat a piece.

In our day-to-day lives we prefer to do “cake” tasks without giving it a second’s thought. Things like storing confidential files on Dropbox or emailing them to our personal accounts… you know, taking a little bite here and there. It’s “only for today”, “no biggie”… This one-time thing is so harmless, it’s like a comfort snack. We might later feel guilty that we bypassed a few “salad” controls. Maybe we used our personal USB drive instead of a company-issued encrypted one, but at the end of the day… who cares? Who will notice? As long as there is no dramatic impact on our health, a bite here or a bite there won’t cause any harm.

And one day we realise that it’s not all rosy. The result of our laziness or lack of willpower eventually rears its ugly head when the doctor makes us stand on the scales and has a look at our blood pressure. So to add to your partner’s words of wisdom, is the doctor’s warning of an unhealthy present and a bleak future; something that would sound very similar during the company’s security audit.

“You have got to eat more salad and lay off the cakes!”

To make matters worse, even with our best intentions to have the salad at the office cafeteria, we discover that the one available is practically inedible. Pretty much like finding that the company’s secure shared drive doesn’t have the necessary space to store our files or that the encrypted pen drive is not compatible with the client’s Mac.

So if there are chefs coming up with ways to make salads more appealing, what can security professionals do to help us, the employees, maintain our “security diet”?

They could aim at making security more like a cake – effortless, even attractive, but still keep it as healthy as a salad. Sound simple? Perhaps not so much, but they should invest in usability studies to make sure that the secure solution is the easiest to use. It might involve discovering an entirely new culinary art on how to make a cake-tasting salad altogether. But if they fail to realise just how unpalatable the salads are to begin with, we should let them know. Security professionals need employees’ support.

Organisations are like families: everyone has to stay healthy, otherwise when a single member gets sick, the whole family is at risk of getting sick as well, whether it be catching an infectious disease or adopting an unhealthy lifestyle. It’s like having the slimmest, fittest family member refrain from adding biscuits to the grocery list in order not to tempt the couch-potatoes. It’s a team effort. In order for a company to stay healthy, everyone has to keep a healthy lifestyle of eating salad regularly, even when it is not that pleasant.

The whole company needs to know that security is important for achieving its goals, not something that gets in the way, just as we should all know that a healthy diet of greens keeps the body sound. Employees contribute to the efficient operation of the business when they comply with security policies. Not only does security ensure the confidentiality and integrity of information, it also ensures that the resources employees need to complete their primary tasks remain available.

We need to realise that we contribute to security; and we can inflict serious damage on a company when we don’t comply with security policies, no matter how insignificant or harmless they may seem. As employees, we are individually responsible for the organisation’s exposure to security risks just as we are responsible for exposing ourselves to illness. Our behaviour and daily regime significantly shape our quality of life, and our practices shape the quality of our business.

The health of the company is everyone’s business. Let’s all eat our salad while helping the security specialists to come up with better tasting ones.

Poker and Security

Good poker players are known to perform well under pressure. They play their cards based on rigorous probability analysis and impact assessment. Sounds very much like the sort of skills a security professional might benefit from when managing information security risks.

What can security professionals learn from a game of cards? It turns out, quite a bit. Skilled poker players are very good at making educated guesses about opponents’ cards and predicting their next moves. Security professionals are also required to be on the forefront of emerging threats and discovered vulnerabilities to see what the attackers’ next move might be.

At the beginning of a traditional Texas hold’em poker match, players are dealt only two cards (a hand). Based on this limited information, they have to evaluate the odds of winning and act accordingly. Players can either decide to stay in the game – in which case they have to put money into the overall pot – or give up (fold). Security professionals also usually make decisions under a high degree of uncertainty. There are several ways they can treat a risk: mitigate it by implementing the necessary controls, avoid it, transfer it or accept it. The costs of these decisions vary as well.

Not all cards, however, are worth playing. Similarly, not all security countermeasures should be implemented. Sometimes it is more effective to fold your cards and accept the risk rather than pay for an expensive control. When the odds are right, a security professional can start a project to implement a security change that improves the company’s security posture.

When the game progresses and the first round of betting is over, the players are presented with a new piece of information. The poker term flop refers to the three additional cards that the dealer places on the table. These cards can be combined with each player’s hand to create a winning combination. When the cards are revealed, the player has the opportunity to re-assess the situation and make a decision. This is exactly the way in which changing market conditions or business requirements provide an opportunity to re-evaluate the business case for implementing a security countermeasure.


There is nothing wrong with terminating a security project. If a poker player had a strong hand in the beginning, but the flop shows that there is no point in continuing, it means that conditions have changed. Maybe engaging key stakeholders revealed that a certain risk is not that critical, or that the implementation costs would be too high. Feel free to fold. It is much better to cancel a security project than to end up with a solution that is ineffective and costly.

However, if poker players are sure that they are right, they have to be ready to defend their hand. In terms of security, it might mean convincing the board of the importance of the countermeasure based on the rigorous cost-benefit analysis. Security professionals can still lose the game and the company might get breached, but at least they did everything in their power to proactively mitigate that.

It doesn’t matter if poker players win or lose a particular hand as long as they make sound decisions that bring desired long-term results. Even the best poker player can’t win every hand. Similarly, security professionals can’t mitigate every security risk and implement all the possible countermeasures. To stay in the game, it is important to develop and follow a security strategy that will help to protect against ever-evolving threats in a cost-effective way.

Images courtesy of Mister GC / FreeDigitalPhotos.net

Teaching Information Security Concepts at KPMG

I delivered a 1.5-day Information Security Concepts course at KPMG UK.

We covered a wide range of topics, including information security risk management, access control, and threat and vulnerability management.

According to the feedback I received after the course, the participants were able to understand the core security concepts much better and, more importantly, apply their knowledge in practice.

“Leron is very engaging and interesting to listen to.”
“Leron has the knowledge and he’s very effective at making simple delivery of a complex topic.”
“Leron is an effective communicator and explained everything that he was instructing on in a clear and concise manner.”

There will be continuous collaboration with the Learning and Development team to deliver this course to all new joiners to the Information Protection and Business Resilience team at KPMG.

Information security policy compliance, business processes and human behaviour

This article reviews the literature on information security policy compliance issues and their relation to core business processes in the company and to users’ behaviour. It also provides an insight into particular implementation examples of the ISO 27001 standard, and into methods for analysing the effectiveness of such implementations.

Information security

Information security issues in organisations were raised long before the rapid development of technology. Companies have always been concerned with protecting their confidential information, including their intellectual property and trade secrets. There are many possible approaches to addressing information security. Wood [30] points out that security is a broad subject including financial controls, human resource policies, physical protection and safety measures. However, Ruighaver et al. [23] state that information security is usually viewed as a purely technical concern and is expected to have a technical solution. On the other hand, Schneier [25], Lampson [17], and Sasse and Flechais [24] emphasise the people aspect of security: people play a crucial role, as they both use and implement security controls.

As stated by Anderson [3], it is essential to define information security properly in order to give due weight to all these aspects.

The standard for information security management, ISO 27001 [32], defines information security as “the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.”

Dhillon [10] states that security issues in organisations can arise from the absence of an information security policy. One way to implement such a policy is to take the ISO 27001 standard as a framework.

ISO 27001 Standard

The ISO 27001 standard, a member of the ISO 27000 family of standards, evolved from the British national standard BS 7799 [31]. It aims to provide guidance on managing the risk associated with threats to the confidentiality, integrity and availability of an organisation’s assets. Such assets, as defined in ISO 27001 [32], include people, software, hardware, services, etc.

Doherty and Fulford [11], Von Solms [28], and Canavan [8] all came to the conclusion that well-established standards such as ISO 27001 might be a stepping-stone to implementing good information security programs in organisations.

However, Anttila and Kajava in their study [4] identify the following issues with the ISO 27001 standard:

– The standard is high-level, and basic concepts are not presented consistently within it.

– It is hard to measure the business benefits of implementing the standard.

– The process management it presents does not fully support current business practices.

– The standard struggles to recommend solutions for contemporary business environments.

Neubauer et al. [19] state that the main problem with security standards, including ISO 27001, is their “abstract control definition, which leaves space for interpretation”. Furthermore, the authors suggest that companies focus on obtaining formal certification and often fail to assess and put in place adequate security controls according to their main business goals. Ittner et al. [14] support this point, adding that organisations also fail to estimate the effectiveness of their investments in such initiatives.

According to Sharma and Dash [26], ISO 27001 does not provide detailed guidance and requires a substantial level of expertise to implement. Moreover, the authors claim that “If risk assessment is flawed, don’t have sufficient security and risk assessment expertise, or do not have the management and organizational commitment to implement security then it is perfectly possible to be fully compliant with the standard, but be insecure.” The results of their study suggest that the organisations which participated implemented information security mainly to comply with legal and regulatory requirements, with low cost-effectiveness as a consequence. However, the researchers do not analyse the level of users’ acceptance of the implemented controls, and they stop short of recommending an approach that would support a security manager’s decision-making when implementing ISO 27001 controls.

Karabacak and Sogukpinar in their paper [16] present a flexible and low-cost ISO 17799 compliance check tool. The authors use qualitative techniques to collect and analyse data and state that “the success of our method depends on the answers of surveyors. Accurately answered questions lead to accurate compliance results.” However, the researchers stop short of analysing the impact of compliance with security policy on users’ behaviour. They do not consider that a security manager’s decisions regarding a particular implementation of security policy affect the organisation as a whole and may introduce additional cognitive burdens on users. In extreme cases (e.g. obstructing core business processes) this may result in non-compliance, as users prioritise their primary task.

Vuppala et al. in their study [29] discuss their experience of implementing an ISO 27001 information security management system. One of the most important lessons learnt was developing an understanding of the role of users’ behaviour in this process. The authors recommend to “not make drastic changes to the current processes; this will only infuriate the users. Remember, users are an important, if not the most important, part of the overall security system.”

Human behaviour

Johnson and Goetz [15] conducted a series of interviews with security managers to identify the main challenges of influencing employees’ behaviour. The results of this study revealed that security managers rely extensively on information security policies, not only as a means of ensuring compliance with legal and regulatory requirements, but also to guide and direct users’ behaviour.

To explore the question of the impact on users’ behaviour while implementing security policies, the following theories were researched:

1. Theory of Rational Choice – a framework which provides insight into social and economic behaviour. It implies that users tend to maximise their personal benefits [13]. Beautement et al. in their paper [6] use this theory to build a foundation explaining how people decide whether or not to comply with a particular information security policy.

Herley [12] suggests that it is rational for users not to comply with security policy, because the perceived risk reduction is lower than the effort required.

2. Protection Motivation Theory – a theory which describes four factors that individuals consider when trying to protect themselves [22]:

– perceived severity of the threat

– perceived probability of the adverse event

– response efficacy (the effectiveness of the protective behaviour)

– self-efficacy (the individual’s belief that they can carry out the behaviour)

Siponen builds on this theory to understand individuals’ attitudes towards compliance with security policies, and refers to it in order to study the impact of punishment on actual compliance and on intention to comply [27], [20].

3. The Theory of General Deterrence – this suggests that users will not comply with the rules if they are not concerned about punishment [1].

4. Theory of Planned Behaviour – this suggests that subjective norms and perceived behavioural controls influence individuals’ behaviour [2]. Siponen [27] and Pahnila [20] found that social norms play a significant role in users’ intention to comply.

These theories suggest that to effectively protect a company’s assets, the security manager should develop and implement security policies not only to ensure formal compliance with legal and regulatory requirements, but also to make sure that users are considered as a part of the system. Policies should be designed in a way that reduces the mental and physical workload of users [1], [6].

Business process visualisation and compliance

It is important to consider information security compliance and users’ behaviour in the context of a company. Users in organisations are involved in activities that can be represented as business processes.

A business process is defined as a set of logically related tasks (or activities) performed to achieve a defined business outcome [9].

Continuous monitoring of business processes is essential for any organisation, and it can be supported by visualising them [21]. Such visualisations are usually complex, however, because of the number of different users and user roles in large companies [7]. Barrett [5] also argues that it is essential to create a “vision of the process” in order to reengineer it successfully.

Namiri and Stojanovic in their paper [18] present a scenario demonstrating a particular business process and implement the controls necessary to achieve compliance with regulatory requirements. The authors separate business and control objectives, introducing two roles: a business process expert, who is motivated solely by business objectives, and a compliance expert, who is concerned with ensuring compliance of a given business process.

References

[1]        Adams, A. and Sasse, M.A. 1999. Users are not the enemy. Commun. ACM. 42, 12 (Dec. 1999).

[2]        Ajzen, I. 1991. The theory of planned behavior. Organizational Behavior and Human Decision Processes. 50, 2 (Dec. 1991).

[3]        Anderson, J.M. 2003. Why we need a new definition of information security. Computers & Security. 22, 4 (May 2003).

[4]        Anttila, J. and Kajava, J. 2010. Challenging IS and ISM Standardization for Business Benefits. ARES ’10 International Conference on Availability, Reliability, and Security, 2010 (2010).

[5]        Barrett, J.L. 1994. Process Visualisation: Getting the Vision Right Is Key. Information Systems Management. 11, 2 (1994).

[6]        Beautement, A. et al. 2008. The compliance budget: managing security behaviour in organisations. Proceedings of the 2008 workshop on New security paradigms (New York, NY, USA, 2008).

[7]        Bobrik, R. et al. 2005. Requirements for the visualization of system-spanning business processes. Sixteenth International Workshop on Database and Expert Systems Applications, 2005. Proceedings (2005), 948–954.

[8]        Canavan, S. 2003. An information security policy development guide for large companies. SANS Institute. (2003).

[9]        Davenport, T.H. and Short, J.E. 2003. Information technology and business process redesign. Operations management: critical perspectives on business and management. 1, (2003), 1–27.

[10]     Dhillon, G. 2007. Principles of information systems security: text and cases. John Wiley & Sons.

[11]     Doherty, N.F. and Fulford, H. 2005. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. Information Resources Management Journal. 18, 4 (2005).

[12]     Herley, C. 2009. So long, and no thanks for the externalities: the rational rejection of security advice by users. Proceedings of the 2009 workshop on New security paradigms workshop (New York, NY, USA, 2009).

[13]     Herrnstein, R.J. 1990. Rational choice theory: Necessary but not sufficient. American Psychologist. 45, 3 (1990).

[14]     Ittner, C.D. and Larcker, D.F. 2003. Coming up short on nonfinancial performance measurement. Harvard business review. 81, 11 (2003), 88–95.

[15]     Johnson, M.E. and Goetz, E. 2007. Embedding Information Security into the Organization. IEEE Security Privacy. 5, 3 (2007).

[16]     Karabacak, B. and Sogukpinar, I. 2006. A quantitative method for ISO 17799 gap analysis. Computers & Security. 25, 6 (Sep. 2006).

[17]     Lampson, B.W. 2004. Computer security in the real world. Computer. 37, 6 (2004), 37–46.

[18]     Namiri, K. and Stojanovic, N. 2007. Pattern-based design and validation of business process compliance. On the Move to Meaningful Internet Systems 2007: CoopIS, DOA, ODBASE, GADA, and IS. Springer. 59–76.

[19]     Neubauer, T. et al. 2008. Interactive Selection of ISO 27001 Controls under Multiple Objectives. Proceedings of The Ifip Tc 11 23rd International Information Security Conference. S. Jajodia et al., eds. Springer US. 477–492.

[20]     Pahnila, S. et al. 2007. Employees’ Behavior towards IS Security Policy Compliance. 40th Annual Hawaii International Conference on System Sciences, 2007. HICSS 2007 (2007).

[21]     Rinderle, S.B. et al. 2006. Business process visualization-use cases, challenges, solutions. (2006).

[22]     Rogers, R.W. 1975. A Protection Motivation Theory of Fear Appeals and Attitude Change1. The Journal of Psychology. 91, 1 (1975).

[23]     Ruighaver, A.B. et al. 2007. Organisational security culture: Extending the end-user perspective. Computers & Security. 26, 1 (Feb. 2007).

[24]     Sasse, M.A. and Flechais, I. 2005. Usable Security: Why Do We Need It? How Do We Get It? Security and Usability: Designing secure systems that people can use. L.F. Cranor and S. Garfinkel, eds. O’Reilly.

[25]     Schneier, B. 2003. Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Springer.

[26]     Sharma, D.N. and Dash, P.K. 2012. Effectiveness Of Iso 27001, As An Information Security Management System: An Analytical Study Of Financial Aspects. Far East Journal of Psychology and Business. 9, 5 (2012), 57–71.

[27]     Siponen, M. et al. 2010. Compliance with Information Security Policies: An Empirical Investigation. Computer. 43, 2 (2010).

[28]     Solms, R. von 1999. Information security management: why standards are important. Information Management & Computer Security. 7, 1 (Mar. 1999).

[29]     Vuppala, V. et al. Securing a Control System: Experiences from ISO 27001 Implementation.

[30]     Wood, M.B. 1982. Introducing Computer Security. National Computing Centre.

[31]     BS, BS7799 – Information Technology – Code of practice for information security management, London: BS, 1995.

[32]     ISO/IEC, ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements, Geneva: ISO/IEC, 2005 and Draft for the new revision ISO/IEC JTC 1/SC 27 N10641, 2011.

Comparing views on security compliance behaviour in an organisation

The purpose of this post is to provide a comprehensive analysis of the data collected from the survey and semi-structured interviews to compare views on information security activities from security managers’ and users’ viewpoints.

Methodology

Survey

A survey was developed to collect information from a broad sample on users’ attitudes towards information security policies in their organisations in general, and on how compliance with information security policies affects their behaviour in particular. The responses were analysed quantitatively.

Method

The main goal of the survey was to assess the attitude of end-users towards information security policies in their companies and to measure the level of dissatisfaction with security tasks. Before the questions, all participants were shown a page explaining the purpose of the study, the approximate time needed to complete the survey, the researcher’s contact information, and their right to withdraw their answers at any time. Participants gave their consent by clicking the “Next” button and were then asked to answer eleven multiple-choice questions. The first four questions gathered demographic information for later analysis: participants were asked for their gender, age, number of years of work experience, and industry sector. The subsequent seven questions were aimed at gaining insight into users’ attitudes towards information security policies in their companies and the way they make their compliance decisions. Participants were asked to:

  1. Indicate their attitude towards security policy in their company.
  2. Assess the effectiveness of implementation of the security policy in their company.
  3. Estimate the approximate time they spend weekly on various security activities, such as password changes, antivirus checks, anti-phishing checks, awareness training, encryption, etc.
  4. Indicate their attitude towards the impact which security activities have on their overall performance: respondents were presented with a statement “I believe security activities negatively affect my overall performance” and were asked to choose one of the following four answers: “strongly agree”, “agree”, “disagree”, and “strongly disagree”.
  5. Assess the degree of concern of the security manager in their company with users’ main business goals and tasks.
  6. Estimate how often security controls prevented them from accomplishing their main business tasks.
  7. Indicate their attitude towards the possibility of violation of the security policy if it prevented them from accomplishing their main business activities.

The survey was advertised on social networks (LinkedIn, Facebook) to recruit participants. A sample of specific interest was created to include people with relevant job experience.

Results

This section presents detailed end-users’ survey findings. Results are described in the order of their appearance in the survey. 64 responses were collected.

End-users’ demographic characteristics

Results show that the majority of the sample (40 out of 64 participants) were male. They also show that 32 out of 64 participants are in the 18 to 24 age group, and that 29 out of 64 are in the 25 to 34 age group. A relatively small number of participants (only 3 people) are older than 35. The most populated group (22 out of 64 participants) are at the beginning of their careers and have less than one year of work experience. The following figure presents the distribution of respondents by industry sector.

Figure: Distribution of respondents by industry sector

Attitude towards security policy in the company

The results of the survey show that 51% of participants share a positive outlook towards information security in the company (6 have chosen “very positive” option and 27 “positive”). 29 respondents share a neutral attitude towards information security in the organisation. Only 2 participants indicated a negative attitude.

Figure: Attitude towards security policy

View on the implementation of the security policy in the organisation

50% of participants think that the information security policy is effectively implemented in their company. However, 34% of the population struggled to provide an opinion on this matter.

Figure: Effectiveness of implementation of the security policy

Time spent by users on security activities

A large majority (80%) feel that they spend less than 30 minutes per week in total on security tasks. However, 4 respondents perceive that they spent over an hour on security activities in the course of the past week.

Figure: Time spent by users on security activities

Impact on users’ overall performance

37 participants disagree with the statement that security negatively impacts their overall performance and 12 participants strongly disagree with it, although one respondent strongly agrees.

Figure: Impact on users’ overall performance

Assessing the degree of concern of the security manager in the company with users’ main business goals and tasks

Most of the participants (27 out of 64) believe that their security manager is rather neutral towards users’ business activities. 19 participants feel that their security manager is aware of their day-to-day tasks.

Figure: Degree of concern of the security manager in the company with users’ main business goals and tasks

Instances of obstructing core business processes

30 respondents cannot recall any instances in which security controls obstructed their business activities. On the other hand, the results of the survey show that more than 50% experienced problems because of the security policy at least once a year, and in many cases more regularly.

Figure: Instances of obstructing core business processes

Information security policy violations

When faced with the statement “I would violate security policy if it prevents me from accomplishing my main business tasks”, respondents were split almost equally between those willing to violate the security policy in order to get their job done and those who would decide to comply even in this case.

Figure: Information security policy violations

Discussion

Individual response analysis shows that some people cannot recall situations in which the security policy prevented them from accomplishing their core business activities, yet they still perceive security as something that hinders their performance. Other participants did not report such instances more frequently than approximately once every three months.

Figure: Frequency of collisions in relation to perception of negative impact on users’ performance

Individual response analysis also revealed that there is one person who strongly agrees that security tasks affect his/her performance. This individual’s answer to the question on the perceived number of instances when the security policy prevented him/her from accomplishing their main business task shows that he/she experiences difficulty performing business activities on a daily basis. The anonymous nature of the survey did not allow the researcher to conduct a follow-up interview to gain insight into this particular case. Moreover, the high number of “I don’t know” responses to the question on the effectiveness of the security policy implementation may indicate that the criteria for effectiveness were not clearly defined. Furthermore, recruiting the sample through social networks negatively affected the researcher’s ability to generalise the results. The sample contains mostly young people with a relatively small amount of work experience. This makes it difficult to draw conclusions, because employees’ perception of security tasks may change with time in the job. Given these limitations, the results show that more than 23% of participants believe that security tasks negatively affect their overall performance. This is a major concern for organisations, because it directly affects a company’s ability to generate revenue. According to the survey results, 20% of participants responded that they spend approximately one hour per week on various security tasks.

Interviews

The second stage was conducted as an exploratory study with five information security experts. This section presents a descriptive analysis of the semi-structured interviews with information security experts.

Method

The main goal of the semi-structured interviews was to gain insight into information security managers’ awareness that their decisions on the particular implementation of security controls affect the organisation as a whole, and that their actions may negatively impact users’ performance in core business activities. The interview questions were also designed to gather information on the security manager’s ability to distinguish between instances of malicious non-compliance and instances where security controls obstruct users’ main business tasks. All information security experts selected to participate in the study have seven or more years of work experience in the field of information security and currently hold managerial positions in their companies. Materials and feedback from two pilot interviews, which were not included in the current project, were used to refine the questions and procedures for the subsequent interviews, so that they focused more on relevant topics, and to group them into categories. The data were evaluated as patterns started to emerge. The Grounded Theory analysis revealed the following most common codes:

  – Security manager’s decision-making process on particular implementation of security controls
  – Relation between business and security goals
  – Detection of instances of non-compliance
  – Reaction to instances of non-compliance
  – Security manager’s awareness of how security policy implementation affects users’ behaviour
  – Difficulties in measuring the impact of users’ behaviour
  – Security manager’s awareness of users’ typical business activities
  – Effect of understanding of users’ business activities on security manager’s decision-making process

Results

Results are grouped into the codes developed in line with the Grounded Theory:

  – Security manager’s decision-making process on particular implementation of security controls: interview results suggest that 4 out of 5 interviewed security managers use their past experience when implementing security policy. One security manager stated that the security policy was already implemented in his organisation.
  – Relation between business and security goals: all security managers understand the role of information security as a supporting process.
  – Detection of instances of non-compliance: all interviewed experts rely on both formal and informal channels for detecting instances of non-compliance.
  – Reaction to instances of non-compliance: interview results suggest that 4 out of 5 interviewed security managers tend to try to understand the root cause of the problem first. One security manager indicated that he is not directly involved in the investigation of such incidents.
  – Security manager’s awareness of how security policy implementation affects users’ behaviour: 4 out of 5 security managers believe that they are aware of the impact of security controls on users’ behaviour. One security manager stated that he does not have the resources for that.
  – Difficulties in measuring the impact of users’ behaviour: all experts experience some difficulty in assessing the impact on users’ behaviour.
  – Security manager’s awareness of users’ typical business activities: 4 out of 5 security managers indicated awareness of users’ day-to-day tasks. One security manager mentioned that he does not have enough time for this.
  – Effect of understanding of users’ business activities on security manager’s decision-making process: all of the interviewed experts agree that it is beneficial to understand users’ business tasks.

Discussion

This section presents a discussion of interview findings.

Security manager’s decision-making process on particular implementation of security controls

Interview data reconfirms that security managers mostly use their own judgment and past experience when making a decision on the particular implementation of information security controls. As one expert explained: “When I’m making a decision to implement ISO 27001 standard in my organization, half of that decision is what the particular policies would actually look like. Because ISO 27001 is very high-level and it is by all means not a policy in itself, it just gives you one or two criteria or one or two suggestions how your security policies should look like. Because of this freedom of implementation, you actually have to write these policies yourself.”

Relation between business and security goals

Interviewed security experts also understand the importance of involving business management in the process of implementing security controls. For example, one security manager mentioned: “If there is no benefit to the business – you don’t do it.” Another expert reinforces this point by saying: “Get the people who these controls directly affect. You should start with the business. Get their buy-in; although they might view it as an additional workload, hence most people involved in this security initiative might produce sub-standard work.” Interviewed security managers also think that business objectives should always be the priority. For example, one expert commented: “Many security managers think that security is the most important thing. I personally don’t think so. Paying shareholders is the most important. Inhibiting those activities or encouraging dangerous activities because of what you are doing you are making the situation worse.” The results illustrate that interviewed security managers understand that their decisions affect the whole organisation.

Detection of instances of non-compliance

Interview participants are aware of various methods of detecting non-compliance. For example, one expert mentioned: “I walk around this building on occasion and I wiggle doors and I check workstations for locked screens. The other way you find out is by rumours or chatting with people.” The results revealed that security experts rely on both formal (e.g. periodic security reviews) and informal (e.g. rumours, complaints) channels for detecting non-compliance.

Reaction to instances of non-compliance

Most interviewed security managers agree that you should not punish users for non-compliance right away. You have to first understand the root cause of the problem. For instance, one expert suggested: “You don’t react on non-compliance with anger. You try to find out why it happened, rather than the fact that it has failed. Moreover, you can use it as a possibility for education and awareness and possibility for improvement.” Another expert reinforces this point saying: “At the end of the day it failed because with high probability you implemented it badly, because you forced some particular way of working or method which they can’t use, so they worked around it.” According to the results, understanding the reason behind the non-compliance is important for most of the interviewed experts.

Security manager’s awareness of how security policy implementation affects users’ behaviour

Most of the interviewed security experts believe that they are, to a certain degree, aware of the impact of the security policy on users’ behaviour. One security manager said: “Yes, I think I’m aware of that, because when it affects it in a negative way – we hear about it. There are lots of complaints.” Some participants backed up their statements with examples. One security manager mentioned: “When users want to look at Excel spreadsheet or use an application using iPad but they can’t, because security controls don’t allow access to the business applications via an iPad. So they have to use a laptop rather than device of their own choice. So yes, we are aware of that tension, but we tend to enable people to do what they need to do.” Interview results suggest that such awareness is directly related to the number of users’ complaints. However, nobody mentioned a proactive way of assessing this impact.

Difficulties in measuring the impact of users’ behaviour

Several security experts stated that it is difficult to assess the impact of security controls on users’ behaviour. For example, one mentioned: “We never measured it. We don’t have a way of measuring it. So we don’t know.” Another expert agrees with him: “One thing is putting controls in place and the other is measuring effectiveness. Around users it is very difficult. Because they are not like a server, where you can say here is CPU optimisation.” However, one security expert strongly disagrees that he should take behavioural impact into consideration. He said: “Why should I care? Why is this relevant to my job – caring about users is not part of my job responsibilities. I have limited resources to ensure compliance – how am I going to stretch that to areas outside of my direct responsibility?”

Security manager’s awareness of users’ typical business activities

Some security experts who participated in the interviews mentioned that they are aware of users’ business tasks to the degree required to successfully manage projects. One security manager stated: “At a high level we are aware. At the detailed process level really only when we are doing a project in that department. When we need to understand the process within the project.” Another expert provides an example supporting the same argument: “When we do a particular project on a new system. Say, for instance, it’s a new credit card system being implemented we work through the user’s role, we work through the general data storage, so we become familiar with that particular department’s user activities.” The results show that some interviewed security managers believe that they are capable of understanding users’ day-to-day business activities and that they make their decisions on the particular implementation of security controls according to this knowledge.

Effect of understanding of users’ business activities on security manager’s decision-making process

All of the interviewed experts agree that knowing what users in their company are doing can help them implement the information security policy better. One security manager shared an example: “For instance we worked with our studio manager and looked at the process of data transfer to the client. We have chosen one particular brand of encrypted USB keys, we believe that adoption would be very high, because they are great looking devices. It feels good for our creative workers to give it to the client with our logo on it, rather than sharing data using cheap plastic USB stick – there is no story, there is no sort of emotional attachment, which is so particularly important for creative workers. But in order for us to come with such a decision we actually spent some time observing and understanding our users.”

Conclusion

The results show that the majority of security managers who participated in the study understand the importance of making the user part of the system and of assessing the possible impact on users’ behaviour when deciding on the implementation of particular security controls. However, they agree that their awareness of users’ business activities is reactive and based mainly on users’ complaints. The small number of interviewed security experts makes it problematic to generalise the results. Moreover, all of the interviewed security managers have a substantial amount of work experience (they were chosen to have a minimum of seven years, though some have more than twenty years of experience), which may affect the results. Such security experts tend to work in companies with mature information security processes in place. Interviewing experts with less experience may yield different results.

Discussion

The results of this section provide insight into how security managers and users view the importance of compliance behaviour in organisations. Analysis of the interview and survey results shows that the presented method is capable of identifying the existence of the problem: there is a large gap between the perception of security policy by users and by security managers, which negatively impacts the organisation as a whole. Most of the interviewed security managers think that they consider users part of the system and that they are aware of the impact of their actions on users’ behaviour. However, survey results indicate that more than 23% of users believe that security negatively affects their performance. Moreover, 20% of participants spend approximately one hour weekly on various security activities. The current interview and survey data suggest that a difference in perception between users and security managers exists, based on the differing opinions presented, but do not prove this is the case, since the information comes from different contexts. Running the study inside a single organisation would overcome this limitation. The difference in perception between users and security managers should be studied more thoroughly. The study should be conducted in one company to directly compare the views of managers and users from the same organisation, which is critical to showing whether a difference in opinion really exists. Moreover, the research should be conducted with a broader and better-quality sample to ensure that the results can be generalised. More participants from various backgrounds should form the sample.