“So often information security is viewed as a technical discipline – a world of firewalls, anti-virus software, access controls and encryption. An opaque and enigmatic discipline which defies understanding, with a priesthood who often protect their profession with complex concepts, language and most of all secrecy.
Leron takes a practical, pragmatic and no-holds barred approach to demystifying the topic. He reminds us that ultimately security depends on people – and that we all act in what we see as our rational self-interest – sometimes ill-informed, ill-judged, even downright perverse.
No approach to security can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation – and most of all, how we can create a security environment which helps people feel free to actually do their job.”
David Ferbrache OBE, FBCS
Technical Director, Cyber Security
“This is an easy-to-read, accessible and simple introduction to information security. The style is straightforward, and calls on a range of anecdotes to help the reader through what is often a complicated and hard to penetrate subject. Leron approaches the subject from a psychological angle and will be appealing to both those of a non-technical and a technical background.”
Dr David King
Visiting Fellow of Kellogg College
University of Oxford
The Psychology of Information Security – Resolving conflicts between security compliance and human behaviourPosted: November 26, 2015
In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.
Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.
This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.
I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:
- Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
- Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
- Give advice on aligning a security programme with wider organisational objectives.
- Manage and communicate these changes within an organisation.
Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.
The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour , helping security professionals understand how a security culture that puts risk into context promotes compliance.
Modern security professionals while fighting cyber threats also have to take human behaviour into accountPosted: April 3, 2014
In today’s corporations, information security managers have a lot on their plate. While facing major and constantly evolving cyber threats, they must comply with numerous laws and regulations, protect the company’s assets, and mitigate risks as best as possible. To address this, they have to formulate policies to establish desired practices that avoid these dangers. They must then communicate this wanted behavior to the employees so that they adapt and everything can go according to plan. But is this always the case?
Security managers often find that what they put on paper is only half of the story. Getting the corporation to “cooperate” and follow the policy all the time can be far more challenging than it seems. So why do employees seem to be so reluctant?
Are we even asking the right question here?
The correct question is: do security managers know what imposing new rules means to the average employee within the company?
People’s behavior is goal-driven. If processes are imposed on them, people will usually follow them, as long as they still allow them to achieve their goals. If they come across situations where they are under pressure, or they encounter obstacles, people will cut corners, break rules and violate policies.
So why should the behavior of a corporation’s employees be an exception? They will usually follow the rules willingly while trying to comply with the security policy, but, at the end of the day, their objective is simply to get their work done.
Yes., there are cases of employees who have a malicious goal of intentionally violating security policies, but research shows that policy violations will most likely result from the controls implementation that prevented people from performing their tasks.
What happens to an organization when honest workers can’t achieve their goals because of poorly implemented security controls? What happens on the security manager’s end and on the employees’ end that leads to this scenario? A short survey I performed in 2013 shows that there is a huge gap between the employees’ and the security managers’ perceptions of security policies; and it’s this discrepancy that negatively impacts the organization as a whole. Security managers, on their side, assume that they have made all the relevant considerations pertaining the needs of the employees. However, the fact is that they rarely speak directly to the employees to familiarize themselves with their tasks, their needs, and their goals. It is therefore usual to hear employees complain about how security controls hinder or impede their performance.
Let’s consider the following scenario:
In an investment bank, a security manager comes up with a policy document, outlining a list of authorized software which can be installed on computers, according to the principle of least privilege: people can only have the access they require to perform their day-to-day activities and no more. All employees are denied access to install any new software without written permission from the security manager.
John is writing a report for the client. The deadline is fast approaching but he still has a lot of work ahead of him. The night before the deadline, John realizes that in order to finish his work, he requires a special data analysis software which was not included in the list of authorized programs. He is also unable to install it on his workstation, because he doesn’t have the required privileges. Getting the formal written approval from the security manager is not feasible, because it is going to take too long. John decides to copy the sensitive information required for the analysis on his personal computer, using a flash drive, to finish the work at home, where he can install any software he wants. He understands the risk but he also wants to get the job done in order to avoid missing the deadline and get good performance review. Unfortunately, he leaves his bag with the flash drive in the taxi on the way back home. He never tells anyone about this incident to avoid embarrassment or a reprimand.
The security manager in this scenario clearly failed to recognize the employee’s needs before implementing the controls.
A general rule of thumb to never forget is that employees will most likely work around the security controls to get their work done regardless of the risks this might pose, because they value their main business activities more than compliance with security policies.
To address this, security managers should consider analyzing security controls in a given context in order to identify clashes and resolve potential conflicts adjusting the policy. They should also communicate the value of security accordingly. Scaring people and imposing sanctions might not be the best approach. They should instead demonstrate to the employees that they contribute to the efficient operation of the business when they comply with security policies. Not only does security ensure confidentiality and the integrity of information, but it also makes sure that the resources are available to complete their primary tasks.
Employees need to understand that security is something that important for achieving the company’s goals, not something that gets in the way. To achieve this, the culture of the organisation must change.
Interview with Jitender Arora – Information Security & Risk Executive (Financial Services)
Could you please start by telling us about your background?
I am a Computer Science and Engineering graduate, with Masters Degree in Consultancy Management. I had been a very technical, hands-on person from the very beginning of my career. I spent the first two years building firewalls, proxy servers and hardening UNIX servers. After few years, I was presented with an opportunity to move into information security and risk. At the time, I was working for Wipro Technologiesand they were building a Security Consultancy Practice, which would be front-ending with their customers, and working on the projects. The organisation was recruiting for this practice from other parts of the organisation so I decided to move into this new practice which proved to be a very exciting and challenging assignment. That’s where my journey in terms of “information security and risk”started from. Later, I had leadership roles in organisations like Adobe Systems and Agilent Technologies. I moved to the UK around 8 years ago, and that’s when my journey began working in the financial services sector.
What do you do now?
Around four years ago, I decided to quit my job and start my own small consulting firm with two friends I had met at RBS. We did a good job for two years, and build a good profitable business. Unfortunately, due to some unavoidable circumstance the partnership didn’t work out and we decided to amicably part ways. After that, I didn’t want to jump into the first thing that came along, and so I focused on my independent journey as Interim Executive in leading business transformation and change programs that address governance, risk and compliance problems faced by my client organisations. My engagements are outcome oriented to deliver the specific outcome for the client organisation. Over the last 3 or 4 years, I have built a strong reputation of being an outcome-oriented management consultant.
You are a very well known speaker within the industry. What made you decide to engage in this sort of activities as well?
It was not an intentional choice. I was once having a conversation with my best mate, Javvad Malik, around the need for new speakers at conferences who are able to present a different point of view. In a way, Javvad encouraged (or should I say pushed, Thank You Jav) me to go ahead and speak at conferences. At that point, I wasn’t too keen on it because I have always felt anxious about speaking in a public forum. Additionally, English is not my first language, which represented another barrier. But I decided to face my fear, and just go along with it. When I actually started speaking, I received an encouraging response from the audience and attendees liked my take on topics which they said provided a unique perspective. Being a very pragmatic consultant, I usually have a different point of view, as opposed to being a paranoid view. I approach security & risk problems and issues as a business person which provides a different perspective, so that’s where I think I got some good recognition from the market, especially in the speaking circuit. I believe speaking engagements not only present an opportunity for building your own personal brand but also helps sharpen your selling and marketing skills. The way you approach people, build their perception of you, sell yourself and your ideas, it’s a very good skill to have which is not generally taught in school or at university. Now, I encourage my colleagues and professionals to speak at events.
Returning to what you were saying about being an outcome oriented consultant, could you please elaborate on how changes can be implemented within organisations when these changes involve people and their behaviour? How do you address the people aspect of security?
As a security professional, when you implement a new security control, you are usually changing the way people are operating. A very simple example would be when implementing a control in terms of how people access production system. So if you go into an organisation in which their practices have been acceptable for the past 10 years, and you suddenly tell them that they can no longer follow same practice, you are, in a way, taking a privilege away from them and they will react accordingly. The analogy that I usually use for this is if I suddenly tell my son, who normally watches 1 hour of T.V. a day for the past several years, that he cannot watch it without taking permission every time and not more than 30mins from now on. He will not like it and will most likely rebel and show his displeasure.
As security professionals we try to change the process, and we want to introduce a certain level of governance on top of it. It’s very important to manage the people aspect of implementing such changes for security. You need to get people on your side before you actually implement these controls. It is a lot about socialising, and communicating, which brings me back to the point on selling and marketing. You have to package, sell and market these changes by conveying the message that “even though we are taking this privilege away from you by implementing these controls, we are going to give you something in return: We will guarantee that you run your business in a compliant manner and do not get audit findings or regulatory issues in which you will have to invest to address them”. So returning to the original example, it’s about establishing a secure way of accessing production systems which, although might be different from existing methods and might involve a little extra work, will ensure that everybody can continue to do their job while being compliant. We will create a robust production access environment: “So let’s be proactive and address this situation together before someone else comes and asks us to fix it.”
There are some of security professionals who scare the clients and users as a strategy for avoiding unwanted behaviour, by telling them, for example, that they might even risk getting fired. What is your opinion on this approach?
If you scare people too much, they will be scared as long as you are in front of them, but the behaviour won’t change. The objective should be to change the behaviour, and when we say “behaviour”, we are referring to the way people operate on a day-to-day basis. Make sure that they don’t see this as a temporary situation, but as a routine. A very simple example for this would be physical security guards. We have security guards in all the office buildings who are standing on the side, observing people, looking for individuals who may seem malicious or suspicious. But they don’t intimidate people around them. You might even be able to approach them for directions and they will kindly answer if they can help. But the moment they detect somebody suspicious, they will intervene. Now let’s imagine that instead of having these friendly security personnel, we had big bouncers who are aggressive. Would you feel okay approaching them? Sometimes security in our context operates like those big nightclub bouncers, because it is intimidating. So business people stop inviting you as a security professional to their business initiatives because they see security as the big intimidating bouncer: as a problem. For them, if you bring security in, you are bringing a problem in. That needs to change, and it largely depends on relationships and how you manage those relationships, how you come across in your meetings with them, and what they main message of your proposition is: “we are not taking anything away from you, we are going to help implementing new controls that will allow you to run your business in a secure and compliant manner meeting legal and regulatory obligations.”So it’s a trade-off and it’s a lot about perception, so the scaring tactic I don’t think works for too long.
You have come up with a way of selling all of your services to the executives and they understand the value of them. What about the actual people who use the service?
I think of executives as the same as the end-users, so the methods I use to sell security doesn’t change at for different levels. It’s the way you deliver message and what message you deliver has to be adapted for different levels. Business executives will normally focus on how you are going to solve the problems that will allow the business to address the compliance issues and meet regulatory requirements. They are the ones that get chased around by the auditors and the regulators. But for the end-users, compliance is not their problem. They never get to own or see these auditing issues. From their perspective, they have a business to do, a server to manage, an infrastructure to run, they want to operate the way they have done so far. So if bringing in new security controls doesn’t mean making life difficult, they are happy to participate. As a security professional, that’s the message that you can give: “we are not here to make your life difficult, but to make sure you have the right tools to do your job effectively in a secure and compliant manner.”
As a preliminary step to implementation, would you have to first understand what it is people normally do on a day-to-day basis?
Absolutely. The very first thing I like to do is to see these users or consumers of these controls as my key stakeholders. One thing I always do in any of these change programmes is approach stakeholders including user groups in their working environment, and make them feel comfortable. Ask them, listen to them and understand what their problems are. What is it that they like that they would like to keep, and what they don’t like that they would like to have changed, and what is it that they might have seen somewhere else and might be a good thing to include as part of this change. Key benefit from being in listening mode is that people become part of the journey because they have largely contributed to the creation and design of these new controls. The key to success is to approach any change from human psychological perspective and engaging them by asking, listening and taking their feedback on board. Another thing that I always make sure to do is to fix the things they don’t like in the existing environment. Listen to people; understand what they like, what they don’t like, make sure you can fix their problems, and if they want something else, try to help them get it: get them on your side. Make them feel like they are part of this journey and also give them credit for their contribution to the success.
Let’s imagine that a security manager decides to implement a security policy in any given company. Let’s say that they take a standard framework like, say, ISO 27001, they tweak it a bit and apply it into the company’s environment. Do you see any potential problems with this?
Frameworks are a good start. But what lots of organisations do is that they lift the framework as is and if you look at the policies in most of them, there is not much difference. But if you think of different types of organisations like the financial services, investment banking, or law firms, you have many different environments: you have different drivers and they come with a very different set of challenges. A lot of professionals, who write policies, do so in isolation. They don’t spend time understanding how a specific organisation carries out its business. An interesting question would be, once a policy is written, whom do you want to be the target audience? Is the policy being written by security people, to be interpreted by security people? Or is a policy being written by security people, to be understood by security people, when in reality it is supposed to be meant for business people? In one of my previous engagements, I had security experts writing the policy, and I then hired a technical writer to review, proof-read and rewrite the policy. The end products between the policy written by the security experts and by the technical writer were completely different: the latter was much more understandable by the business community. We don’t realise that, unless an external person comes along and starts asking questions –“oh, what do you mean by this?”- that the language is not easily understandable for everyone. So I believe that every organisation should hire competent technical writers to translate their security policy, standards and guidance from specialised security jargon into a language that is understandable for business people.
So once your policy is written in understandable terms for everyone, how do you make people read it and comply?
The first thing I do in any organisation is that I visit their homepage and type in “information security”. If the policy doesn’t come up as the first search result, something is wrong. If people can’t find the security policy, how can you expect them to read it? How can you expect them to comply?
Another thing that I have done in few organisations is to conduct a simple survey, by asking three simple questions to business community:
- Do you know that we have an information security department?
- Do you know services this department has to offer?
- Do you know how to contact them if you need it?
It’s very eye-opening and you get lots of strange responses from the business people. Many times they do not know how to contact the security department or what services they provide. If they don’t know you exist, how can they possibly approach you? We can have a fantastic policy embedded in some website, but nobody is looking at it nor reading it.
Another problem is that security policies are long documents: They are not exciting, they are not novels. So I wouldn’t expect business people to read each and every bit and understand it. The probability to succeed can increase if you can provide them a platform where they are able to search when they need to and know where to go and look for answers when they need it. And this touches the point of approachability and availability of the policy and guidance.
But lets focus on the policy itself. How many policies do we have in a typical regulated organisation that we expect employees to read and comply with? E.g. security, anti-money laundering, acceptable use, expenses, travel and anti-bribery policy etc: it’s a huge list. Think about how long it takes an individual to read those policies, understand, remember and follow them. We’re human, it’s not possible. What’s important is that on a day-to-day basis there are some aspects that you need to demonstrate and follow as a normal business user and whenever in doubt go and seek answers. I like to refer to this as “acceptable behaviour”, not only in terms of privacy and security but overall behaviour.
You can take key messages from all of your relevant policies, and communicate them in friendly, simplistic and interesting terms linking it back to acceptable behaviour. It’s not the computer-based training (CBT) that can change human behaviour, but human-to-human interaction. It’s about helping people understand how to do what they do on a day-to-day basis, how to make their daily life easier and making the information accessible if they need to know more.
To wrap it up, you have mentioned previously that it is important to build a good security culture within the organisation. How do you define a good security culture?
A good analogy for this would be our behaviour regarding airport security, what we know we can do and what not to do, as well as reporting anything that may look suspicious. We are generally aware of our surroundings, especially when we are in an unknown territory. This is very natural to us in the physical world where we can see, hear and touch things in our surroundings. The challenge now is that we are spending so much of our time in this virtual world, where our senses can’t be used in the same way. We have to ask ourselves what key risk indicators in this virtual world are. How should we conduct ourselves in this virtual world? This is the kind of awareness that needs to be built into people’s behaviour. I think this journey should start from earlier stages in life, when people are being schooled. When I was in school, when I was growing up, my parents used to tell me: don’t talk to strangers, don’t accept anything from strangers, don’t give away your personal information to people you don’t know well, and so on. It’s an advice on how to conduct yourself safely in the physical world. Now, those messages have to change. You need to build a culture into the newer generations who are now and will be spending so much of their time in the virtual world. The definition of stranger in the virtual world is different from that in the physical world. The definition of “acceptable behaviour”in this virtual world has to be different from physical world. The definition of those risk indicators haven’t changed. One cannot expect behaviour to change on the first day a person joins the workforce, because by that time, behaviours are already formed.
The moment people become security aware, they become security advocates who can help spread this awareness on behalf of the security department. The organisations have to start a chain-reaction by making a few people security-aware and sending the message across the organisation. Everybody becomes self-aware at some point and starts thinking on his/her own about what is right and wrong. But this doesn’t happen because of computer-based training or policies. It is the change in human behaviour that is required in the long-term.
Thank you Jitender
Let’s start with the basics. How did you start your journey in information security?
Back in 1998 I graduated with a BSc in Computer Science and chose to focus on Object Oriented Analysis & Design and Java. In September 1999 I started contracting in the telecom industry in Netherlands. It was a unique, pre-dotcom-crash situation. A brand new multi-billion-dollar joint venture between two telecom groups – loads of money, starting from scratch with next to no infrastructure – really brilliant place for a relatively new graduate to come in to. A start-up with loads of money! While, officially regarded as a “Web Developer”, since they had no developer PCs, no servers, no DEV/TEST/Prod, no source-control, no standards, no policies, no DMZ; I ended up being involved in everything – and it was great! Set up policies, set up development standards, and specifying and ordering the PCs and software for the developers; specifying the servers for the website/database, and then being in meetings with the networking people to define what the firewall rules were going to be, and what we needed to do. Basically, doing everything!
A year later, I began a contract in Munich working as a secure Java developer using the new JAAS (Java Authentication and Authorisation Service) API in an Agile/Extreme programming team. So back in 2000 I was exposed to security and ever since I’ve kind of been in-and-out, either just doing application development or some other branch of security.
Then, in 2005 while I was working permanently with Accenture and I was exposed to identity management as a specific field –Thor Xellerate (later to become Oracle Identity Manager). Working on various client sites, I found identity management very interesting because it cut across every part of the business. Everybody in the business needs access to multiple, different systems, and the IDM provisions and de-provisions the users with the appropriate level of access, for all users.
Very interesting. What are you working at the moment?
In January, I was contacted by a cloud-based accountancy firm regarding a cyber-security voucher that the government was funding to encourage Small and Medium sized firms and Sole-traders to improve their cyber security stance.
It was one of the more enjoyable projects I’ve been involved in. Compared to working in a large faceless organisation, or government department, where you might disappear in amongst thousands of other small cogs, and your influences is small; here, you get to make an impact. When you are working in a smaller organisation of about 50 people or up to 200 people; your influence and impact is clear to see and is appreciated by the client. More over, since I’m communicating directly with the business leaders, the security serves the business needs instead of just an individual department’s needs.
Why do you think this is important? What is the main difference between working for a small company compared to a big one?
I believe you are going to understand their business better, so you can give genuinely relevant advice. You don’t need to worry about keeping your consultancy/employer or specific business-unit happy. You just need to focus on the business, and on giving them the best advice for them.
I hope to keep doing this for the foreseeable future, because it is easy to get bored of working in big companies. I mean, big organisations are nice because you get exposed to good technology, complex problems and huge projects etc., but as far as getting return for your work where you actually see results there and then; then you can’t beat the immediacy of an SME. You don’t need permission/sign-off from a dozen different stakeholders before you update that policy document. You change that policy or that you give them a piece of advice that has changed their focus to create a secure coding development platform; how to improve testing on that; you’ve given them access to resources they didn’t even know about, and you’ve given them new ideas and new perspectives.
And you’ve also shown them how they can actually improve themselves. So if they go for ISO 27001, that might be a differentiator between themselves and their competitors, and it’s also something that they can tell their customers: “We value your data privacy seriously, we have these standards in place, and we’re looking after you.”
When you work in security, you take a lot of things for granted. But then you go to some small or medium-sized companies, and they’ve been so focused on building their small business and delivering new functions, security is way back in their list of priorities. Now you get to raise that up and show them that it not only benefits them on the compliance side of things, but that the benefit also lies in their knowing where their data is, who has access to their data, they know when they have access to it. And you can put all sorts of different levels of controls onto things and give them a far greater peace of mind about how they are dealing with things internally to their company and how they are dealing with things with regards to their product. So delivering this cyber-security voucher to SMEs is something that I’m pursue with a lot more zeal at the moment, because I never knew about it before, and I know it can make a big difference to all of them. £5K is pretty meaningless to your average Fortune 500 company, but to an SME it is a pretty big deal.
What in your opinion is the main obstacle in implementing a similar approach in large corporations?
One of the problems with large corporations, and the same thing in government, is that each separate individual department has a budget. And they need to work to that budget, and they need to ensure that they are doing enough so that they get the same budget or more next year. And it gives a very narrow view to what they are doing. For me the best security (and IT investment in general) is when it is applied at the enterprise-level, across all of the various business units, and considers how we can make all of these people work well together. There is no point in having a really strong security in your finance department, when another department isn’t even talking to them, and they are doing similar work but on different platforms. On the one hand, you are wasting money, because they are duplicating work, they are duplicating data, they are duplicating the risks involved: in fact they are not even duplicating, they are making the risks much wider, because they may not be tracking where the data is going, and on another platform; its going all over the place.
[So if one department has Oracle DB, another is running Sybase and another small team has MS Access; a) You have the cost of the separate platforms; b) separate licensing for same task; c) you need to harden each platform separately; d) you need define a mechanism to share the data across the systems to maintain the integrity of the data; e) you need to support and patch separate systems etc. Conversely, the enterprise could have defined a single Database platform that all departments to use thus saving a world of pain.]
And while the ISO 27001 and various other standards out there will give you a kind of check-box compliance, “yes, we did this, we did this,” it doesn’t give you the kind of thing to say, “I feel comfortable about this.” Yes, you might feel comfortable about it if the legal department comes and questions you about it, but do you feel comfortable enough about it to be able to say that we have done a good job here, and we have delivered something to the client that actually works for them?
What about the security culture?
Yes, one of the things that I kept on stressing to one of my clients was: “you have a culture here that works for you. You have a very nice environment because everybody knows what’s going on here. If you are a developer, you know everybody in marketing, you know everybody in sales, and everybody knows you. And you have very free-flowing information going on, and it helps a great deal in how you operate. So when you are adding security controls, you don’t want to break what’s already working. You want to make sure it becomes better”.
Can security awareness training help to resolve this?
There is a problem with awareness training and educating users. If you are like me, I come from a technical background, you become very narrow-minded thinking: well I find technology very easy, why can’t you work it out? “Well, because I work in marketing!”
I don’t know anything about marketing so why should they know anything about technology?
There is a certain level of arrogance that we in technology developed about other people: in fact, there is a massive amount of arrogance, you come up with all kinds of deprecating or dismissive terms like “problem exists between keyboard and chair (PEBKAC)” or other phrases, just because they just don’t understand. Why don’t they understand? Because they are qualified for something completely different, something which you don’t understand.
So one should stop being so arrogant, step into their shoes, and understand them or try to find a way to translate what you do into terms that they will understand.
So what is the solution?
For me, I always go back to real world examples. Most people understand security from the real world. We are used to carrying five or six different keys for different things. But on the Internet, people only use one key; they only use one password. And they use it everywhere. So when it gets lost, people have access to everything that they own.
In the real world, I have a separate key for my car, a separate key for my home, a separate key for the main door vs. a separate key for my own apartment, and we are used to this kind of thing. But trying to explain to a user why it is that we use a password manager, we have to explain it to them in terms that they will actually understand, and actually take time for them to join the dots within their brain. “So that’s why I should have a different password. That’s why I should make my password really difficult.” Until they put two and two together, they are going to go for whatever is easiest.
So there are a lot of places where not only security people, but technology people in general need to learn to meet the end user halfway and make security transparent and ubiquitous: make security a layer that they don’t necessarily need to think about so much. But from our side, we need to make our code secure, we need to make our cloud system interactions secure, and we need to make our data policies and the implementation of our data policies secure.
Can you elaborate on security policies? Do you see any problems with them?
There’s no point in writing something in your policy that everyone is ignoring. There was a company a few years ago with the policy that nobody was allowed to use Microsoft Messenger. Everyone was using Microsoft Messenger! Your policy says this, and everyone is doing something different. So why is it written in your policy? Either train your people to not use it, and give them a valid, relevant, genuine alternative that they can use, or don’t put it in your policy.
And there are loads of things in the policy documents to please the auditors and to please the compliance team. But that is not how you do security. It in fact makes security worse because it gives the illusion to management that all these things are in place, when all the while the users are bypassing or ignoring it.
How security professionals can help the management in this case?
You need to give them the tools that help. If they are carrying client-data upon which they need to write reports, they need to do some data classification, state who should have access to it and how valuable things are. So if you have classified data, how should you encrypt it, how should you store it, how should you transfer it. So, for argument’s sake, buy a set of encrypted USB keys. If you know that people are working off of their laptops, get something like TrueCrypt or something else that encrypts their laptop, so that their laptop is encrypted if their laptop goes missing or something, you’re safe. Institute Two-Factor-Authentication. And, educate the user: you make sure they understand.
Are there any problems with implementation of such solutions?
Big corporations get these things, they throw loads of money at it, but they don’t look at it from the perspective of how does a business actually use this.
So one of the things which I was saying was that yes you can buy a really cool firewall and IPS system, but you can also do a simple hardening of your database, of your OS, of your application server, close down all of the open ports, close down all of the services that shouldn’t be on, and lets do some monitoring on some user behaviour, on how people are accessing your system. That will give you, for much cheaper, a whole load of control and peace of mind.
What the possible solution might be then?
From the technology and security side, you need to be aware of the business, and what are the drivers of this business, where do they make their money, where is the “data gold”, and what do they need to protect, and how they are going to protect that, and remain operational. You’ve got data which is very valuable to the company because it’s being used. If they can’t use that data, it’s worthless to them. So if you lock it down too much, or you prevent it from moving around to certain people, then you’re preventing the company from doing business. So until you actually understand that, you can’t put in the relevant controls to allow them to use their data and have a level of security.
You’re never going to be 100% secure, so trying to dream that you are going to be 100% secure is a waste of time, trying to do it by way of fear and scaring your client into doing things is a completely wrong way of doing things, because when you are in a state of fear, your judgment is so far off the mark, that it’s ridiculous. Whereas in the case of “I understand what I’m doing over here. Yes, there are some dangers in this. But we understand it.“
Can you give an example?
It is all about risk management – don’t be afraid of them; simply understand them and manage accordingly.
I’m a snowboarder, and last winter I did an avalanche skills training certification course. The way they manage risk is very similar to how we in security do many things (In many respects they are better because lives depend on it). They have to look at a lot of different things that can trigger an avalanche –current weather conditions, weather over the preceding weeks, terrain, different types of snow; which places you are in danger of being in an avalanche, and there are various trigger points and safety concerns (yes, it gets complicated). You don’t live in fear of avalanches because you saw something in some crappy disaster movie. Instead you live in awareness of it and manage your safety. It’s called awareness training, as opposed to a “you’ll magically be safe from an avalanche by doing this.” It’s a case of saying: right, these are different factors that can trigger an avalanche and these are different things that can make you safer from an avalanche.
So if you have had a lot of snowfall in the preceding days followed by a rapid thaw, then it is very likely that some areas on the mountains will have avalanches. So under those circumstances, you don’t go out into very steep slopes, you stay on the slopes that are shallower, or in the treeline. Yes, you may not have as much fun, but you live to play another day.
Before you go out, there are a few things that you are supposed to do. You’re supposed to notify people that this the zone that we are going to, you define a leader of the group, you take all the various precautions that you have all the avalanche transceivers, probes and shovels, and all these kind of things so that, if the worst happens, you are prepared to dig someone out, and that kind of stuff.
Are there any issues applying the same principles to security?
When you go to have your tyres changed, you don’t need to tell the mechanic to make sure to pump up the tires to the correct pressure. They do it automatically. But for us in IT, we need to stipulate this bunch of standard documents and requirements, and we have this non-functional sets that put these standards in place, “you will make sure that you are using this framework” to prevent SQLi attacks. People should be doing this automatically in our industry (it should be part of our quality process), but we don’t do it.
And there is a lot on our side to blame, because we don’t communicate properly, we don’t talk to the right people. And we also have a tendency to think: I told you once, how come you haven’t changed it?
We want it instantly, or at the latest, tomorrow. No, it’s going to take them time to learn, it’s going to take them time to step up their game to the correct level. And you need to be appreciative of this.
What is your approach?
There’s no one magic bullet that will solve this problem, since it is spread across so many systems and every business is different.
For a previous client, following initial meetings, I setup multiple security roadmaps for them in the three areas that we chose to focus on: business continuity planning; software development and data privacy.
How was this to be achieved? What steps must we take in the next week, month, quarter and where do we expect to be in six months from now. The steps we take must be measureable to some degree. This allowed us to apply a maturity model to it.
It involved some technology, some education, and a lot of communication across business domains and teams to ensure we were serving the business. It also involved the flexibility to acknowledge what isn’t working and change accordingly.
So we have a way of setting these things up so that we can track how well are we doing and where we are, and then you’ve got the ways for them, for the technical team to give feedback back to management, to say that “we’ve added this, and this has given us this additional benefit”.
Thank you Yousef. A few final words of wisdom, please.
You need to be honest with your customer. Sometimes they are not going to listen and you are going to have to do what they want you to do, and that’s part of the business. But you need to understand what the business is, and not just the department that you are being called into. You need to explore what is going on at an enterprise level.
This article aims to review the literature on information security policy compliance issues and their relation to core business processes in the company and users’ behaviour. It also provides an insight into particular implementation examples of the ISO 27001 Standard, and methods of analysis of the effectiveness of such implementations.
Information security issues in organisations have been brought up long before the rapid development of technology. Companies have always been concerned with protecting their confidential information, including their intellectual property and trade secrets. There are many possible approaches to addressing information security. Wood  points out that security is a broad subject including financial controls, human resource policies, physical protection and safety measures. However, Ruighaver et al.  state that information security is usually viewed as a purely technical concern and is expected to have the same technical solution. On the other hand, Schneier , Lampson , and Sasse and Flechais  emphasise the people aspect of security, and people play crucial role as they use and implement security controls.
As stated by Anderson , it is essential to properly define information security in order to pay merit to all these aspects.
The Standard for Information Security Management ISO 27001  defines information security as “the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximise return on investments and business opportunities.”
Dhillon  states security issues in organisations can arise due to absence of an information security policy. One of the ways to implement such a security policy is to take ISO 27001 standard as a framework.
ISO 27001 Standard
ISO 27001 Standard which is a member of the ISO 27000 standards family evolved from British national standard BS7799 . It aims to provide guidance on managing the risk associated with threats to confidentiality, integrity and availability of organisation’s assets. Such assets, as defined in ISO 27001  include people, software, hardware, services, etc.
Doherty and Fulford , Von Solms , and Canavan  all came to the conclusion that well-established standards such as ISO 27001 might be a stepping-stone to implementing good information security programs in organisations.
However, Anttila and Kajava in their study  identify the following issues with ISO 27001 Standard:
– The standard is high-level and basic concepts are not presented consistently in the standard.
– It is hard to measure business benefits from implementing this standard.
– Presented process management is not fully supporting current business practices.
– The standard struggles to recommend solutions to contemporary business environments.
Neubauer et al.  in their research states that the main problem with security standards, including ISO 27001 is their “abstract control deﬁnition, which leaves space for interpretation”. Furthermore, the authors suggest that companies focus on obtaining formal certification and often do not to assess and put in place the adequate security controls according their main business goals. Ittner et al.  support this point, adding that organisation also fail to estimate the effectiveness of the investments in such initiatives.
According to Sharma and Dash , ISO 27001 does not provide detailed guidance requires substantial level of expertise to implement. Moreover, the authors claim that “If risk assessment is flawed, don’t have sufficient security and risk assessment expertise, or do not have the management and organizational commitment to implement security then it is perfectly possible to be fully compliant with the standard, but be insecure.” Results of their study suggest that the organizations, which participated in the study implemented information security mainly to comply with legal and regulatory requirements. The consequence of that was low cost-effectiveness of such implementations. However, the researcher don’t analyse the level of users’ acceptance of implemented controls. The authors also fail to recommend an approach which would support security manager’s decision-making process in implementing ISO 27001 Standard controls.
Karabacak and Sogukpinar in in their paper  present a flexible and low-cost ISO 17799 compliance check tool. The authors use qualitative techniques to collect and analyse data and sate that “the success of our method depends on the answers of surveyors. Accurately answered questions lead to accurate compliance results.” However, the researchers stop short of analysing the impact of compliance with security policy on users’ behaviour. The authors do not consider the issue that a security manager’s decisions regarding a particular implementation of security policy affects that organisation as a whole and may introduce additional cognitive burdens to users. These issues in extreme cases (e.g. obstructing core business processes) may result in non-compliance as users prioritise their primary task.
Vuppala et al. their study  discuss their experience from implementing ISO27001 information security management systems. One of the most important lessons learnt was developing an understanding of the role of users’ behaviour in this process. The authors recommend to “not make drastic changes to the current processes; this will only infuriate the users. Remember, users are an important, if not the most important, part of the overall security system.”
Johnson and Goetz in  conducted a series of interviews with security managers to identify main challenges of influencing employees’ behaviour. The results of this study revealed that security managers rely extensively on information security policies, not only as a means of ensuring compliance with legal and regulatory requirements, but also to guide and direct users’ behaviour.
To explore the question of the impact on users’ behaviour while implementing security policies, the following theories were researched:
1. Theory of Rational Choice – a framework, which provides insight into social and economic behaviour. It implies that users tend to maximise their personal benefits . Beautement et al. in their paper  uses this theory to build a foundation explaining how people make decisions about whether to comply or not to comply with any particular information security policy.
Herley  suggests that it is rational for users not to comply with security policy, because of the perceived risk reduction is lower than the effort needed.
2. Protection Motivation Theory – a theory which describes four factors that individuals consider when trying to protect themselves :
– perceived severity
– probability of the adverse event
– efficiency of the preventive behaviour
Siponen builds on this theory to gain an understanding of the attitude of individuals towards compliance with security policies. Siponen refers to it in order to study the impact of the punishment on the actual compliance and on intention to comply , .
3. The Theory of General Deterrence – this suggests that users will not comply with the rules if they are not concerned with punishment .
4. Theory of Planned Behaviour – this suggests that subjective norms and perceived behavioural controls influence individuals’ behaviour . Siponen  and Pahnila  discovered that social norms play a significant role in users’ intention to comply.
These theories suggest that to effectively protect a company’s assets, the security manager should develop and implement security policies not only to ensure formal compliance with legal and regulatory requirements, but also to make sure that users are considered as a part of the system. Policies should be designed in a way that reduces the mental and physical workload of users , .
Business process visualisation and compliance
It is important to consider information security compliance and users’ behaviour in the context of a company. Users in organisations involved into activities, which could be presented as business processes.
Business process is defined as a set of logically related tasks (or activities) to achieve a defined business outcome .
The continuous monitoring of their business processes is essential for any organisation. This can be achieved by visualisation of business processes . However, they are usually complex, due to number of different users or user roles in large companies . Barrett  also argues that it is essential to create a “vision of the process” to successfully reengineer it.
Namiri and Stojanovic in their paper  present a scenario demonstrating a particular business process and implement controls necessary to achieve compliance with regulatory requirements. The authors separate business and control objectives, introducing two roles: a business process expert, who is motivated solely by business objectives, and a compliance expert, who is concerned with ensuring compliance of a given business process.
 Adams, A. and Sasse, M.A. 1999. Users are not the enemy. Commun. ACM. 42, 12 (Dec. 1999).
 Ajzen, I. 1991. The theory of planned behavior. Organizational Behavior and Human Decision Processes. 50, 2 (Dec. 1991).
 Anderson, J.M. 2003. Why we need a new definition of information security. Computers & Security. 22, 4 (May 2003).
 Anttila, J. and Kajava, J. 2010. Challenging IS and ISM Standardization for Business Benefits. ARES ’10 International Conference on Availability, Reliability, and Security, 2010 (2010).
 Barrett, J.L. 1994. Process Visualisation: Getting the Vision Right Is Key. Information Systems Management. 11, 2 (1994).
 Beautement, A. et al. 2008. The compliance budget: managing security behaviour in organisations. Proceedings of the 2008 workshop on New security paradigms (New York, NY, USA, 2008).
 Bobrik, R. et al. 2005. Requirements for the visualization of system-spanning business processes. Sixteenth International Workshop on Database and Expert Systems Applications, 2005. Proceedings (2005), 948–954.
 Canavan, S. 2003. An information security policy development guide for large companies. SANS Institute. (2003).
 Davenport, T.H. and Short, J.E. 2003. Information technology and business process redesign. Operations management: critical perspectives on business and management. 1, (2003), 1–27.
 Dhillon, G. 2007. Principles of information systems security: text and cases. John Wiley & Sons.
 Doherty, N.F. and Fulford, H. 2005. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. Information Resources Management Journal. 18, 4 (34 2005).
 Herley, C. 2009. So long, and no thanks for the externalities: the rational rejection of security advice by users. Proceedings of the 2009 workshop on New security paradigms workshop (New York, NY, USA, 2009).
 Herrnstein, R.J. 1990. Rational choice theory: Necessary but not sufficient. American Psychologist. 45, 3 (1990).
 Ittner, C.D. and Larcker, D.F. 2003. Coming up short on nonfinancial performance measurement. Harvard business review. 81, 11 (2003), 88–95.
 Johnson, M.E. and Goetz, E. 2007. Embedding Information Security into the Organization. IEEE Security Privacy. 5, 3 (2007).
 Karabacak, B. and Sogukpinar, I. 2006. A quantitative method for ISO 17799 gap analysis. Computers & Security. 25, 6 (Sep. 2006).
 Lampson, B.W. 2004. Computer security in the real world. Computer. 37, 6 (2004), 37–46.
 Namiri, K. and Stojanovic, N. 2007. Pattern-based design and validation of business process compliance. On the Move to Meaningful Internet Systems 2007: CoopIS, DOA, ODBASE, GADA, and IS. Springer. 59–76.
 Neubauer, T. et al. 2008. Interactive Selection of ISO 27001 Controls under Multiple Objectives. Proceedings of The Ifip Tc 11 23rd International Information Security Conference. S. Jajodia et al., eds. Springer US. 477–492.
 Pahnila, S. et al. 2007. Employees’ Behavior towards IS Security Policy Compliance. 40th Annual Hawaii International Conference on System Sciences, 2007. HICSS 2007 (2007).
 Rinderle, S.B. et al. 2006. Business process visualization-use cases, challenges, solutions. (2006).
 Rogers, R.W. 1975. A Protection Motivation Theory of Fear Appeals and Attitude Change1. The Journal of Psychology. 91, 1 (1975).
 Ruighaver, A.B. et al. 2007. Organisational security culture: Extending the end-user perspective. Computers & Security. 26, 1 (Feb. 2007).
 Sasse, M.A. and Flechais, I. 2005. Usable Security: Why Do We Need It? How Do We Get It? Security and Usability: Designing secure systems that people can use. L.F. Cranor and S. Garfinkel, eds. O’Reilly.
 Schneier, B. 2003. Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Springer.
 Sharma, D.N. and Dash, P.K. 2012. Effectiveness Of Iso 27001, As An Information Security Management System: An Analytical Study Of Financial Aspects. Far East Journal of Psychology and Business. 9, 5 (2012), 57–71.
 Siponen, M. et al. 2010. Compliance with Information Security Policies: An Empirical Investigation. Computer. 43, 2 (2010).
 Solms, R. von 1999. Information security management: why standards are important. Information Management & Computer Security. 7, 1 (Mar. 1999).
 Vuppala, V. et al. Securing a Control System: Experiences from ISO 27001 Implementation.
 Wood, M.B. 1982. Introducing Computer Security. National Computing Centre.
 BS, BS7799 – Information Technology – Code of practice for information security management, London: BS, 1995.
 ISO/IEC, ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements, Geneva: ISO/IEC, 2005 and Draft for the new revision ISO/IEC JTC 1/SC 27 N10641, 2011.