Proceedings of the International Conference on Electrical Engineering and Informatics, Institut Teknologi Bandung, Indonesia, June 17-19, 2007. B-80. ISBN 978-979-16338-0-2

Reengineering Information Security Culture Formulation Through Management Perspective

Omar Zakaria, Abdullah Gani, Mustaffa Mohd Nor and Nor Badrul Anuar
Faculty of Computer Science & Information Technology, University of Malaya, 50603 Kuala Lumpur, MALAYSIA
E-mail: {omarzakaria, abdullah, mus_kamal, badrul}@um.edu.my

ABSTRACT

This paper proposes a new approach for the development of information security culture amongst employees within organisations through a management perspective. Management is a concept consisting of activities such as planning, organising, controlling and leading, which are prerequisite elements for accomplishing organisational goals. This paper explores how these management activities can be integrated into or applied to information security, especially in the development of an information security culture within an organisation.

Keywords: Information security, information security culture, management, management activities

1.0 INTRODUCTION

According to Schlienger and Teufel (2002:197), information security culture “should support all activities in a way, that information security becomes a natural aspect in daily activities of every employee”. Martins and Eloff (2002:205) mention that information security culture is “an assumption about what is and what is not acceptable in relation to information security”. Zakaria and Gani (2003) state that information security culture can lead an employee to act as a “human firewall” in order to safeguard organisational information assets.

2.0 THE NATURE OF INFORMATION SECURITY CULTURE

Information security implementers, practitioners and researchers have felt the need to minimise internal security incidents arising from the management of the organisational information system by employees. Studies have shown that technical solutions alone are not enough to handle internal security incidents. In order to have better security precautions in organisations, both the technical and non-technical aspects of information security need to be addressed. The non-technical aspects of information security have not received the same attention as the advances made in the technical aspects. This is because many of those involved in information security policies and procedures, understandably, come from a technical background. It is important that information security implementers, researchers and practitioners take cognisance of the non-technical aspects of information security, which also cover employees’ security perceptions, the design of basic security tasks, the internalisation of security knowledge, etc., when addressing information security features in the organisation’s information systems. These aspects are relevant in developing a security culture amongst employees in the organisation.

Emphasising the non-technical aspects can help nurture information security as an essential part of everyone’s daily work routines in an organisation. However, a security culture will develop and succeed only if there is involvement from all levels of employees. Participation by the technical staff alone is not sufficient, because they cannot on their own bring staff at all levels to exercise the security precautions prescribed in the security policy documents. Information security should be viewed holistically, and all employees need to be aware of the potential security threats to the organisation, especially internal security incidents. To overcome these threats, an organisation should encourage collective responsibility amongst all employees, and not just the technical staff, to perform security activities.

An information security culture will also shape employee behaviour towards security concerns. In this context, the establishment of appropriate security perceptions and assumptions is important, because it can contribute towards changing employees’ behaviour and making them more security conscious. Awareness and training programmes, participation from all levels of employees, and guidance from technical staff can be used to establish appropriate security perceptions and assumptions, which in turn can influence the way employees view information security.

An appropriate information security culture within an organisation will also help to create a secure environment. This is because employees will not hesitate to perform security activities, thereby increasing security precautions. When these security activities are performed on a daily basis, they will become the organisation’s norms, thereby making a secure environment part of everyone’s priorities. Figure 1 shows the common characteristics of information security culture based on the research findings.

Figure 1: Common characteristics of information security culture. The figure lists three characteristics of information security culture: it requires participation from all employees; it shapes employee behaviour towards security concerns; and it creates a secure environment within an organisation.

3.0 MANAGEMENT ACTIVITIES

Management is a broad concept consisting of activities like planning, organising, controlling and leading, undertaken in order to accomplish organisational goals (Hannagan, 1998). Although some research has focused on certain organisational aspects such as organisational culture, research should still broaden its scope to explore other management activities such as planning, organising, controlling and leading, and their implications for information security (see Figure 2).

Figure 2: Management activities and their implications for information security

3.1 Planning

In the context of organisations, planning is the management activity concerned with defining goals for future organisational performance and deciding on the tasks and resources to be used in order to attain those goals. To meet the goals, managers may develop plans such as a business plan, a marketing plan or a contingency plan. As mentioned above, it is necessary to integrate the planning concept into information security in order to have sound security practices within an organisation. Although planning has been applied in information security, it was mostly technical planning, in which human factors have been put aside. According to Schlienger and Teufel (2002), everyone in an organisation must participate in information security, especially in the security practices of daily work routines. Therefore, planning activities in information security must be viewed as a holistic approach which involves both technical and non-technical planning. For instance, it is useless to have a secure system in place if the person in charge is not aware of current security threats and is not competent. In summary, we can integrate all ‘planning’ activities in management, such as strategic management, management control and total quality management (TQM), into information security planning in organisations.

3.2 Organising

As discussed in section 3.0, organising is one of the management activities. It is one of the factors influencing a larger span of management. Some examples of organising activities are: work performed by subordinates is stable and routine; subordinates perform similar work tasks; and rules and procedures defining task activities are available. Up to this moment, there has been no proper organising of security practices amongst employees. This is because security practices are not really routine but are carried out on an event basis. For example, appropriate security practices are only implemented when many personal computers are being attacked by malicious code. On a normal day, it is very rare that everyone knows how to perform appropriate security practices in the daily work routine. Therefore, it is crucial to use ‘organising’ activities in terms of organising security practices amongst employees, which in turn can guide them in performing security tasks. Once security tasks have become routine, they will become a norm, and later an appropriate information security culture can be developed. In fact, organisations seek security efficiencies through improvements in organising. In summary, we can integrate all ‘organising’ activities in management, such as human resource management and organisational communication, into the organising of information security practices in organisations.

3.3 Controlling

It cannot be denied that controlling is one of the important aspects of managing risks. In fact, organisations will be exposed to threats and vulnerabilities easily where there are no controls. Although control aspects have been implemented in many areas, certain of their aspects in management have still been ignored. This is because some practitioners, whether in management or technical roles, do not realise that an inter-disciplinary approach between management and security can help both sides to implement appropriate activities in information security. Besides internal controls and external controls in organisations, aspects of human controls must be included too. This is because it is people who perform and maintain security activities in organisations. Without considering human controls, security incidents will result. According to Kenning (2001), insiders (i.e. employees) contribute the largest percentage of security breaches. Some examples of human controls are motivation, socio-psychology, rewards and punishments, and peer relationships. In summary, we can integrate all ‘controlling’ activities in management, such as management decision making and operations management, into information security controls in organisations.

3.4 Leading

Leadership can refer to the process of leading. Kouzes (2002) argues that “leadership is not a place, it’s not a position, and it’s not a secret code that cannot be deciphered by ordinary people. Leadership is an observable set of skills and abilities. Of course some people are better at it than others.” In terms of security, leading can be used as a process of influencing security goal-directed behaviour, which in turn can encourage subordinates to follow the same security practices (Zakaria, 2005). Therefore, we must include the leading process in implementing appropriate security practices within an organisation. This is because security practices shown by leaders can inspire subordinates to perform them in daily work routines. In summary, we can integrate all ‘leading’ activities in management, such as managing people, production and operations in organisations, into inspiring all staff to perform information security practices in organisations.

4.0 PROPOSED REENGINEERING

As discussed above, the advantages of each management activity have been highlighted. Now we would like to propose a reengineering of the development of an information security culture within an organisation which includes all aspects of management activities: planning, organising, controlling and leading. By embedding all management activities, we can develop appropriate security practices amongst employees. This is because human factors have been taken seriously in implementing and maintaining security in organisations (see Figure 3).

Figure 3: Embedding Management Activities in Information Security. The figure shows the management activities (planning, organising, controlling and leading) embedded in information security. This creates security tasks for all employees, the performance of security tasks in daily work routines, guidance of employees to proper security tasks, and inspiration for everyone to perform security tasks; these become routine, change into norms, merge, and a security culture develops.

5.0 CONCLUSION

It is clear that management activities are important in order to develop an appropriate information security culture within an organisation. Through these activities, we highlight the human and social factors of information security. As discussed above, without the non-technical (i.e. human) aspects, information security is still lacking.

References

(1) Hannagan, T. (1998), Management: Concepts and Practices, 2nd Edition, London: Financial Times, Pitman Publishing.
(2) Kenning, M. J. (2001), Security management standard – ISO 17799/BS 7799, BT Technology Journal 19(3): 132-136.
(3) Kouzes, J. M. and Posner, B. Z. (1987), The Leadership Challenge, San Francisco: Jossey-Bass.
(4) Martins, A. and Eloff, J. (2002), Information Security Culture, in Ghonaimy, M. A. et al. (eds), Security in the Information Society: Vision & Perspectives, Kluwer Academic, 203-214.
(5) Schlienger, T. and Teufel, S. (2002), Information security culture: the socio-cultural dimension in information security management, in Ghonaimy, M. A. et al. (eds), Security in the Information Society: Vision & Perspectives, Kluwer Academic, 193-201.
(6) Zakaria, O. (2005), Information Security Culture and Leadership, in Proceedings of the 4th European Conference on Information Warfare and Security, Cardiff, Wales, July 2005, 415-420.
(7) Zakaria, O. and Gani, A. (2003), A Conceptual Checklist of Information Security Culture, in Proceedings of the 2nd European Conference on Information Warfare and Security, MCIL, Reading, England, 365-371.