Deutsch
english

Informationssicherheitskultur: Die sozio-kulturelle Dimension des Informationssicherheits Management

Information Security Culture: The socio-cultural dimension in information security management

--> Dieser Blog Beitrag ist nur in Englisch verfügbar.

The information security management mostly disregards the human dimension. The main focus is on technical and procedural measures. The user is seen as a security enemy, not as a security asset. In our paper we identify some problems, that emerge from this sight […]. We explain the concept of corporate culture and show exemplary on the example of the security culture, how the cultural theory can help to increase the overall security of an organization.

1.MOTIVATION

In the information security discussion the human dimension is mostly disregarded. The main focus is on technical security measures where users are seen as a threat for information security. As of this technical focus, the possibilities of information security measures are mostly used in an unsatisfactory way. In our paper we propose a […] shift from a technical to a human centric focus[…]. We will discuss some aspects,that can help to build a security management, which also takes the human dimension in account. […]

In General,the number of security incidents increased highly during the last years and organizations increasingly risk to loose money and reputation. Therefore information security has become a critical success factor for organizations. In this approach, the employees play a primary role. […] we show a possibility for an organization, to turn its employees into valuable security assets. […]

2.THE STATE OF THE ART IN INFORMATION SECURITY MANAGEMENT

[…] Technical measures are set up to intercept intruders at the gate, to protect the user from making mistakes and to prevent misuse. During the lastyears security specialists agreed upon the fact, that security management can only be successful if it is embedded in an organizational and managerial structure within the organization […].

For the last years of the nineties, […] a technical, procedural and socio-cultural security infrastructure (was built up, consisting): […] several parts:standardization, certification, metrics and security culture. The latter concentrates on the human dimension in information security, which we want to discuss in depths.

3. THE HUMAN DIMENSION IN INFORMATION SECURITY

[…] The rollout of new security products and procedures can only be successful, if firstly the users understand the why’s and the how’s, and secondly if the users can be motivated to support such a change. […]

The following Table 1 shows a summary of today’s information security management problems. It also includes some ideas for future improvements.

We postulate a cultural change in information security management: Asocio-cultural, human centric approach that is based on trust and partnership,accompanied by appropriate security technology.

Trust can be circumscribed as: […]

  • The trustor accepts willingly the risk of ill will of a trustee.
  • The trustor has confidence, that the trustee will not take this possibility.

We have to be aware that 100% security is not possible besides not being cost effective.In information security the costs of the countermeasures must always be compared with its benefit of decreased risk. Thus the same applies to technical countermeasures as to human measures: We have to accept some residual risk. The security policy has to define, how big this residual risk shall be.

[…] In our trust model we define trust with regard to information security as cognition-based (a rational trust that can be actively build up by training and/or experience) and bi-directional between an organization, its managers and owners respectively, and its employees. […] How can an organization have confidence in their employees, that they don’t misuse their trust (and vice versa)? How can an organization build up trust regarding information security? In the next section we show a possible way to build up this trust.

4.INFORMATION SECURITY CULTURE

[…] The corporate culture is […] a collective phenomenon that is growing and changing over time and it can be influenced or even designed by the management of the organization. […]

The corporate culture is consequently expressed in the collective values, norms and knowledge of organizations. In turn those collective norms and values affect the behaviour of the employees. […] Ultimately the corporate culture has a crucial impact onto the corporate success [Rühli1991, 15]. Corporate culture emerges and grows with time. It is formed by the behaviour of dominant organization members like founders and top managers. […]

Security culture should support all activities in a way, that information security becomes a natural aspect in the daily activities of every employee. Corporate culture helps to build the necessary trust between the different partners in our trust model. […]

The information security culture focuses on the socio-cultural aspects of information security management. […] The measures of the safety culture mainly target the layer of norms, values and knowledge.

According to this model, the security culture should define three layers of responsibility
(see Figure 3):

  1. Corporate politics
  2. Management
  3. Individuals

[…] On the corporate politics level, information security should be defined as a corporate target. This means that the top management is responsible to define the security policy. Consequently they must provide sufficient resources to implement this policy. This task could be delegated, e.g. to a chief security officer (CSO), but the top management as whole remains responsible. ACSO can be positioned on several places within the organization chart: in the informatics department, in a new staff unit or in an existing security department.

The different department managers are then responsible for the compliance of the information security policy and for the implementation in their units. They must be sufficiently motivated to observe the security policy; since without their assistance it’s not possible to implement such a policy. To implement this security policy, the management must define and control the different security measures. Additionally they must qualify and train their employees. […] Also, the security strategy must be audited and benchmarked on a regular basis.

On the individual layer, every employee must contribute to the security of the organization him/herself. He/she has to have a critical attitude, by asking:

  • Have I understood my task?
  • What are my responsibilities?
  • In which relationship do they stand to the information security?
  • Do I have enough knowledge to fulfil my task?
  • Do I need help?

He/she has to act carefully and with due diligence. Abnormal behaviour of people or computer systems including malfunctions must be registered and reported.Furthermore, the user has to be integrated in the risk analysis process and the company should install an employee suggestion system.

Concerning security culture the most important points are:

  • The exemplary behaviour of the managers
  • Security training of the employees,this includes creating awareness
  • About the risks of information technology and training in the use of security products
  • Awarding of security conform behaviour  

[…] Informing the management about errors and mistakes can help the organization to improve the security behaviour by better understanding the possible risks and errors. Only malicious behaviour should be prosecuted.

5.CONCLUSION

Humans and technology have different peculiarities. Humans can establish order inself-organizing form, whereas technology can only be used to sustain order using well-defined rules. The human being is a creative problem solver, whereas technology is dumb and deterministic. The strengths of humans and technology are thus complementary parts that can solve tasks together, which, individually approached, would be unsolvable. […] 

Designing a security process and implementing a security technology should start at the business process and the employees working in this process, not at the technology. The combination of technology and human awareness and qualification can improve the overall security level of an organization greatly. […] To reach this target it is necessary to have a security culture that addresses the socio-cultural aspects of security. We have shown the concept of security culture and we proposed also a way to implement this culture. […] information security can only be increased by the help of the users.

To read the full article, click on this link. Here you also find the full bibliography.

www.researchgate.net/publication

Article by:Thomas Schlienger, Stephanie Teufel
iimt -international institute of management in telecommunications
University of Fribourg (CH). May 2002