IT Security Culture Transition Process
Leanne Ngo
Deakin University, Australia

Copyright 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

INTRODUCTION

The information superhighway is here and stretching further than the eye can see. Our working environment is becoming ever more hectic and demanding, computers and information technology are more pervasive, and limitations are perishing. The once solo dimension of information and technology is now multifaceted and convoluted in disposition (Ngo & Zhou, 2005). As a result, organizations need to be more vigilant than ever in actively responding to new information and technology challenges and to ensure survivability in this new age.

Over the years many information technology (IT) security approaches (technical, managerial, and institutionalization) have surfaced. Safeguards and countermeasures have also been developed, practiced, and learned within organizations. Despite all these attempts to reduce and/or eradicate IT security threats and vulnerabilities, the issue continues to be problematic for organizations. Solutions are needed that will reach the core of the problem: safeguarding and controlling humans, the human aspect of IT security.

Humans are a pervasive element in our businesses and critical infrastructures, the element which interacts with systems, services, information, and information technology. Furthermore, humans are responsible for the design, development, operation, administration, and maintenance of our information systems and resources. Therefore the ultimate success of any effort to secure information resources depends largely on the behavior and attitudes of the humans involved. While technological solutions can solve some information security problems, even the finest technology cannot succeed without the cooperation of humans. IT security is not just a technical problem that can be solved with technical solutions, but also a human problem that requires human solutions.

This article reviews the current literature on the human aspect of IT security within an organizational context. Human-related IT security concerns are summarized, and current human-related IT security solutions are examined and discussed. In this article, we consider IT security culture as a plausible solution to improving IT security-related behavior and attitudes of humans. We present our IT security culture transition model that is currently being trialed in three organizations to assist with increasing IT security awareness and hence improve the IT security culture of the individuals (managers and employees) and overall organization. Further, we discuss the potential individual psychological experiences of managers and employees during the transitional change towards IT security culture change.

BACKGROUND

Human-related IT security problems relate to how people associate themselves and interact with security. Here, human-related IT security problems are presented as well as current human-related solutions regarding the controlling and management of the human side to IT security.

Human-Related IT Security Problems

Human factors impeding IT security within an organizational context, with examples, include:

1. How humans perceive risk: People do not know how to analyze risk properly, and this leads to improper actions.
2. Ability to make decisions: Organizations cannot expect general employees to be IT experts on top of their daily work.
3. Human memory limitations: This is a result of our inability to remember numerous and complex passwords.
4. Trust: We must have faith and confidence in the security of our computers.
5. Usability: This includes individuals trading off between security and practicality.
6. Social engineering: This means being manipulated to do things we would not normally do.

These human factors stem from the norms of natural human tendencies. Natural human tendencies suggest that humans are emotional, manipulative, and fallible. For example, humans want to get their job done and want to be helpful. People are helpful and as a consequence are easily deceived, as exemplified by the success of social engineering attacks (Mitnick & Simon, 2002). Furthermore, humans are irrational and unpredictable. Unlike computers, which can be programmed to process instructions in some logical order, humans are irrational and complex and do unpredictable things. Barrett (2003) states that for all the cleverness that organizations put into formulating creative, innovative, and secure efforts, they can all be breached if the users are reckless, therefore insinuating that recklessness and carelessness are common natural human tendencies. Natural human tendencies put an organization at risk of many security-related threats. A better understanding of these predispositions will provide organizations and the greater community with a better chance of protecting and securing the human aspect of information security.

Current Human-Related IT Security Solutions

Current human-related IT security solutions encompass understanding the human aspects and enforcing compliant behaviors and attitudes towards IT security. These current solutions include:

Behavioral Auditing for Compliance: Current auditing methods do not effectively cover the behavior of the employees. Vroom and von Solms (2004) propose the concept of behavior auditing for compliance as a way of understanding, identifying, and resolving IT security-related human behavior concerns. However, it is very difficult to attain reliable and valid results when auditing human behavior, because humans are unpredictable by nature.

IT Security Policy: IT security policy has the potential to enforce compliant behavior and attitudes of employees (Wood, 2004). IT security policies are a set of rules that outline how information and technology is to be protected to achieve the organization's goals. This allows humans to understand what is expected from them and be accountable for their actions. Simply telling people to behave in a certain way can be one option, but managers should not expect humans to always act as prescribed. Dekker (2003) reiterates that procedures do not rule human behavior and suggests that procedures should be seen as resources for action instead of an expectation about human behavior.

Security Training and Education Programs: A good security training program helps improve a user's decision-making skills by providing them with the necessary knowledge about security threats and the consequences of their actions (Leach, 2003). With the growing numbers of mobile employees, enterprises are at greater risk because their employees have an inadequate understanding of current threats and risks to their computers. This simply illustrates the need for better education on current threats and best practices for humans.

Ethical Standards of Behavior: Eloff and Eloff (2003) and Jones (2004) researched ethical standards of behavior related to security and asserted that in order to change a user's behavior, there needs to be some form of guidelines on which to base such behavior. The authors maintained that following established guides such as the IEEE professional code can promote good behavior and influence others to do so.

Leveraging off technology to reduce human error: IT systems have become increasingly complex. Consequently, human errors resulting from operating these systems have increased. Experts have highlighted how IT security has now gone beyond legitimate users' control to use information systems honestly and appropriately without causing a security breach. Legitimate users such as employees are more likely to put a priority on getting their work tasks completed rather than think about security (Besnard & Arief, 2004).
These authors suggest better software design with security built in, that is, invisible to the user.

Any approach to human information security should aim to achieve transparent security, that is, security built in either in technology or diffused into the daily lives of humans, whereby security is not seen as an afterthought. It should be easy to understand, that is, consider usability issues and facilitate decision making. It should be least-effort, that is, only ask humans to do as little as possible, as humans do not act or behave as prescribed. It should be continuous and constant, that is, whatever the effort, it needs to be persistent to act as a recurring reminder of the importance of security. And it must aim to be personal, that is, it must be taken on board by humans on a private and individual basis in order for humans to take security seriously.

IT Security Culture

Culture relates to the way in which things are done in an organization, and thus relates to the behavior and attitude of its members. An ethical culture of security is a culture whereby organizational members have strong ethical values that are exhibited in their attitudes and behaviors within the organization's operational environment. A culture whereby organizational members have strong ethical values and beliefs towards their organization's operational environment will have better prospects of successful security culture change.

Creating a security culture means changing the current culture to a more security-conscious one. This requires an examination of the current culture, which will allow an organization to highlight areas that require greatest attention for change. Fostering a culture of security means instilling security as a way of life. This means integrating security into the behavior and attitudes of people towards a security-conscious state.

The main limitations of creating a security culture are that it requires understanding and communication, that it is slow and uncertain, and that it is difficult to measure whether culture change has taken place (Vroom & von Solms, 2003). Security training, awareness, and education programs are critical in fostering security culture within individuals and organizations. These programs will help make employees understand, be responsive, and appreciate the need to act in a responsible, security-mindful way.
However, while education may not solve all problems, it will at least let users know of the consequences of their actions. Humans should see security as a personal gain and benefit to themselves and the overall organization.

There are several different methods by which an organization can foster a strong security culture. Vroom and von Solms (2004) argue the presence of three cultures within an organization that require change: (1) organization as a whole, (2) groups or departmental, and (3) individual culture. The authors articulate that once group behavior begins to alter, this would influence the individual employees and likewise have an eventual effect on the formal organization (Vroom & von Solms, 2003). This suggests that any organization attempting to change culture should do so in small incremental steps (Kabay, 1993), and hence the change should be gradual and voluntary (Vroom & von Solms, 2003).

In a short amount of time, the security and management literature has produced several key ideas regarding how organizations can foster and instill a culture of security within organizations. However, very little has been done to address the transition towards IT security culture improvement from both an organizational and individual point of view. Noting the key points suggested by the literature, we propose our IT security culture transition model.

IT Security Culture Transition (ITSeCT) Model

The ITSeCT model proposed by Ngo, Zhou, and Warren (2005) aimed at assisting participating organizations in their research to better meet the organization's desired level of IT security awareness and culture. Employees needed to understand their roles and responsibilities in order to make informed and morally correct judgments and actions.

Our IT security transition model proposes to detail the roles and responsibilities of managers and employees in the transition process to improve IT security culture in the workplace. The model places importance on raising awareness of IT security threats and risks, and associated consequences of IT security-related behavior and actions towards IT and information systems interactivity in the workplace.

Our ITSeCT model proposes a security culture that would see individuals behave in an expected manner when faced with new challenges. We know that technology will always advance. Therefore, giving individuals knowledge of IT security basics such as threats, risks, and consequences of their actions will allow individuals to gradually adapt to constant change and hence allow us to predict expected behavior.
Figure 1. IT security culture transition model (horizontal axis: Time)

Management (Leaders)
  Phase 1: Ending. Communicate what has to be changed and reasons for change
  Phase 2: Neutral Zone. Define & steer new requirements and what to do
  Phase 3: New Beginning. Reinforce & commit to new status quo

Employees (Followers)
  Phase 1: Ending. Understand & recognize what has to be changed and reasons for change
  Phase 2: Neutral Zone. Adjust to new requirements and take action
  Phase 3: New Beginning. Accept & embrace new status quo

The transition model is intended to assist organizations in transitioning towards IT security culture improvement. The model consists of two main players: leaders (managers) and followers (general employees). The model is shown in Figure 1.

The model highlights the respective roles and responsibilities of managers and employees. The former has the role of overseeing and managing the process, and the latter adapts and accepts the transition. There are three phases within the model. Phase 1, Ending, requires an understanding of letting something go. In this article's case, it is letting go of the current behavior and apathetic attitude towards IT security. Management communicates this change, and employees understand and recognize the reasons for change. Phase 2, Neutral Zone, is the fertile ground opened for new requirements and actions to flourish, steered by management, and adjusted to and learned by employees. Phase 3, New Beginning, looks towards the improved IT security culture. Management reinforces and commits to the new status quo, and employees accept and embrace it.

The transition process needs the commitment and support of management and the understanding and acceptance of employees to have any chance of success. Furthermore, any new venture intended in any organization requires planning and dedication. Transition is the adjustment, development, and change experienced by people within organizations when progressing towards achieving a particular change (Bridges, 2003).
Understanding the transition process is crucial for successful organizational information security culture change. Furthermore, identifying the key roles of management and employees in the transition process will allow for better understanding of their respective responsibilities. For more explanation and discussion of the model, please refer to Ngo et al. (2005).

The ITSeCT model is easy to follow, with a step-by-step process. Only two major parties are involved: managers and employees. There is no need for technology spending, as it solely focuses on improving the attitudes and behavior of individuals.

IT Security Culture Transition Model: Individual Context

Bridges (2003) asserts that there are two transition processes running concurrently. The first has been discussed, and the second is the individual psychological transition process. When there are changes happening within an organization, the people that are affected by it are also going through their own psychological transitions (Iacovini, 1993; St-Amour, 2002; Harvard Business School, 2003). Ngo et al. (2005) show in Figure 2 an adaptation of an individual transition process and the psychological experiences as suggested by St-Amour (2001) during each transition phase.

In Table 1 we present the personal experiences that managers and employees may have during each phase of the transition process when transitioning towards IT security culture change. Our example is based on applying Bridges' (2003) framework of transition and St-Amour's (2001) individual transition process.

Table 1. Individual transitions: managers vs. employees

Managers
  Endings:
    - ignoring the potential impact of IT security threats
    - taking a reactive approach to security
    - having a false sense of security
  Neutral Zone:
    - How, when, and what information should I communicate to my employees?
    - Will my employees care enough to participate?
    - Do I trust my employees enough with extra responsibility?
  Beginnings:
    - Proactive approach to security
    - Supporting and commitment to IT security culture
    - Understanding of potential IT security threats and risk

Employees
  Endings:
    - ignoring potential impact of IT security threats
    - not caring about security
    - seeing security as solely the IT team's and manager's responsibility
  Neutral Zone:
    - Responsible for organizational security
    - Realizing that I am part of the team
    - How will I change my behavior and attitude to be IT security conscious?
    - How do I adjust to the new requirements?
  Beginnings:
    - I am part of the organizational strategy
    - I am a security-conscious employee
    - My interactions with IT and security conform to the organization's policies and procedures

FUTURE TRENDS

Human IT security research will give us a better understanding of human factors associated with IT security, which is fundamental to the understanding of how humans interact and behave towards IT security. This knowledge can aid in providing the basis for proposals of possible approaches and measures to manage the human aspect of IT security. Human IT security research will help to raise awareness among those who are unacquainted with the potential detrimental threats and risks that humans can cause. Therefore, it is anticipated that this research will generate a great deal of interest, not only from corporations and governments, but also from the general public.

Our future research project will focus on this research gap to promote IT security awareness and establish an IT security culture within organizations.
Furthermore, an IT security awareness and culture assessment tool will be a direct outcome of this research, which will be available to participating Australian organizations.

CONCLUSION

Human-related problems should be addressed with human solutions. Technical solutions, although important, cannot be the only means for solving human problems, and any approach should focus on solutions tailored to solving the human problem. Understanding and having a well-planned transition process is crucial for successful organizational information security culture change. Furthermore, identifying the key roles of management and employees in the transition process will allow for better understanding of their respective responsibilities.

This article addressed the key roles and responsibilities of managers and general staff in improving the IT security culture in an organization's operational environment. The model highlighted the importance of understanding the transition process required for IT security culture change. We reviewed the key developments in IT security culture research. Our model was developed based on key IT security culture research and Bridges' (2003) transition process framework.

Furthermore, we highlighted that individuals such as employees and managers go through their own psychological transition concurrent to the organization's. We provided an example of the psychological transition process that managers and employees may go through when transitioning towards IT security culture improvement. We based our example on Bridges' (2003) transition process and St-Amour's (2001) individual transition framework.

REFERENCES

Barrett, N. (2003). Penetration testing and social engineering: Hacking the weakest link. Information Security Technical Report, 8(4).

Besnard, D., & Arief, B. (2004). Computer security impaired by legitimate users. Computers & Security, 23.

Bridges, W. (2003). Managing transitions: Making the most of change. New York: Perseus.

Dekker, S. (2003). Failure to adapt or adaptations that fail: Contrasting models on procedures and safety. Applied Ergonomics, 34.

Eloff, J., & Eloff, M. (2003). Information security management: A new paradigm. Proceedings of the 2003 South African Institute for Computer Scientists and Information Technologists Conference, South Africa.

Harvard Business School. (2003). Managing change and transition. Boston: Harvard Business School Press.

Iacovini, J. (1993). The human side of organization change. Training & Development, 47(1).

Jones, A. (2004). Technology: Illegal, immoral, or fattening? Proceedings of the 32nd Annual ACM SIGUCCS Conference on User Services, Baltimore, MD.

Kabay, M.E. (1993). Social psychology and infosec: Psycho-social factors in the implementation of information security policy. Proceedings of the 16th U.S. National Computer Security Conference.

Leach, J. (2003). Improving user security behavior. Computers & Security, 22(8).

Mitnick, K.D., & Simon, W.L. (2002). The art of deception: Controlling the human element of security. Indianapolis: Wiley.

Ngo, L., & Zhou, W. (2005). The multifaceted and ever-changing directions of information security: Australia get ready! Proceedings of the 3rd International Conference on Information Technology and Applications (ICITA 2005), Sydney, Australia.

Ngo, L., Zhou, W., & Warren, M. (2005). Understanding transition towards information security culture change. Proceedings of the 3rd Australian Information Security Management Conference, Perth, Australia.

St-Amour, D. (2001). Successful organizational change. Canadian Manager, 26(2).

Vroom, C., & von Solms, R. (2004). Towards information security behavioral compliance. Computers & Security, 23.

Wood, C.C. (2004). Developing a policy your company can adhere to. Retrieved February 6, 2006, from

KEY TERMS

Individual Transition Process: The individual transitional and psychological process individuals go through when transitioning towards change.

IT Security Awareness: Familiarity with IT security literacy concepts by either an individual or an organization as a whole.

IT Security Culture: Relates to the way in which things are done in an organization, thus relating to the IT security behavior and attitude of its members.

IT Security Management: Refers to the policies, processes, procedures, and guidelines regarding how to manage and control information and technology for achieving security goals.

IT Security Policy: Formally written IT security statements, similar to laws, aimed at representing IT security rules within an organizational context.

ITSeCT (IT Security Culture Transition) Model: A role- and process-based model aimed at assisting individuals and organizations in increasing IT security awareness and in transitioning towards IT security culture improvement.

Transition: The adjustment, development, and change experienced by people within organizations when progressing towards achieving a particular change.
Critical Analysis o Understanding Ethical Failures in Leadership
Terry Price focus on the ethical theories and practices of the cognitive account. The author argues that leaders that even put their own interests aside may not be ethically successful. Thus, volitional
CAPABILITY STATEMENT CONTROL RISKS MEXICO
CAPABILITY STATEMENT CONTROL RISKS MEXICO GENERAL 15 AUGUST 2012 Control Risks Mexico, S.A. de C.V. Cottons Centre Cottons Lane London SE1 2QG United Kingdom T: +5255 5000 1700 www.controlrisks.com TABLE
PROFESSIONAL CONSERVATION EMPLOYEES PROGRAM TRAINING PLAN ADMINISTRATIVE PROFESSIONALS
PROFESSIONAL CONSERVATION EMPLOYEES PROGRAM TRAINING PLAN ADMINISTRATIVE PROFESSIONALS Name: Location: Position: Work Unit: Period: Supervisor: List here the employee s technical/admin resource advisors
WHO GLOBAL COMPETENCY MODEL
1. Core Competencies WHO GLOBAL COMPETENCY MODEL 1) COMMUNICATING IN A CREDIBLE AND EFFECTIVE WAY Definition: Expresses oneself clearly in conversations and interactions with others; listens actively.
Internal Audit Standards
Internal Audit Standards Department of Public Expenditure & Reform November 2012 Copyright in material supplied by third parties remains with the authors. This includes: - the Definition of Internal Auditing
GAO. Government Auditing Standards. 2011 Revision. By the Comptroller General of the United States. United States Government Accountability Office
GAO United States Government Accountability Office By the Comptroller General of the United States December 2011 Government Auditing Standards 2011 Revision GAO-12-331G GAO United States Government Accountability
Improving Performance by Breaking Down Organizational Silos. Understanding Organizational Barriers
Select Strategy www.selectstrategy.com 1 877 HR ASSET 1 877 472 7738 Improving Performance by Breaking Down Organizational Silos Understanding Organizational Barriers Restructuring initiatives have become
Guide to Preventing Social Engineering Fraud
Guide to Preventing Social Engineering Fraud GUIDE TO PREVENTING SOCIAL ENGINEERING FRAUD CONTENTS Social Engineering Fraud Fundamentals and Fraud Strategies... 4 The Psychology of Social Engineering (And
Elements Of An Effective Export Compliance Program
Elements Of An Effective Export Compliance Program Renee Osborne Export Management & Compliance Division Office of Exporter Services Bureau of Industry and Security U.S. Department of Commerce Effective
ETHICS CHARTER. GDF SUEZ Ethics Charter 1
ETHICS CHARTER GDF SUEZ Ethics Charter 1 Introduction by Gérard Mestrallet 4 Ethics principles and the circle of stakeholders Fundamental Principles 8 A Strict Ethical Code 12 ETHICS GOVERNANCE Scope
An Executive Overview of GAPP. Generally Accepted Privacy Principles
An Executive Overview of GAPP Generally Accepted Privacy Principles Current Environment One of today s key business imperatives is maintaining the privacy of your customers personal information. As business
New Zealand Institute of Chartered Accountants
New Zealand Institute of Chartered Accountants FAES Issued 11/09 Amended 07/13 ENGAGEMENT STANDARD FINANCIAL ADVISORY ENGAGEMENTS Issued by the Board of the New Zealand Institute of Chartered Accountants
Response to Complaints of Harassment, Violence and Discrimination
Response to Complaints of Harassment, Violence and Discrimination To limit potential liability, employers should immediately respond to complaints of harassment, violence or threats of violence, and discrimination.
Nursing Framework and Program Outcomes
Nursing Framework and Program Outcomes The program's conceptual framework is based on the National League for Nursing (NLN) Educational Competencies Model and the components within it. The model consists
COLLINS FOODS LIMITED (the COMPANY) CODE OF CONDUCT
COLLINS FOODS LIMITED (the COMPANY) CODE OF CONDUCT 1. Introduction The Company is committed to maintaining ethical standards in the conduct of its business activities. The Company's reputation as an ethical
International Federation of. June 2005. Accountants. Ethics Committee. Code of Ethics for Professional. Accountants
International Federation of Accountants Ethics Committee June 2005 Code of Ethics for Professional Accountants Mission of the International Federation of Accountants (IFAC) To serve the public interest,
IC Performance Standards
IC Performance Standards Final Version 1 23 April 2009 1 TABLE OF CONTENTS BACKGROUND... 3 OCCUPATIONAL STRUCTURE... 4 PERFORMANCE ELEMENT CONTENT MODELS... 7 Professional and Technician/Administrative
APPENDIX A NCUA S CAMEL RATING SYSTEM (CAMEL) 1
APPENDIX A NCUA S CAMEL RATING SYSTEM (CAMEL) 1 The CAMEL rating system is based upon an evaluation of five critical elements of a credit union's operations: Capital Adequacy, Asset Quality, Management,
Procuring Penetration Testing Services
Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat
THE HR GUIDE TO IDENTIFYING HIGH-POTENTIALS
THE HR GUIDE TO IDENTIFYING HIGH-POTENTIALS What makes a high-potential? Quite possibly not what you think. The HR Guide to Identifying High-Potentials 1 Chapter 1 - Introduction If you agree people are
Approaches to Developing and Maintaining Professional Values, Ethics, and Attitudes
International Accounting Education Standards Board IEPS 1 October 2007 International Education Practice Statement 1 Approaches to Developing and Maintaining Professional Values, Ethics, and Attitudes International
Revised 05/22/14 P a g e 1
Corporate Office 107 W. Franklin Street P.O. Box 638 Elkhart, IN 46515-0638 Phone (574) 294-7511 Fax (574) 522-5213 INTRODUCTION PATRICK INDUSTRIES, INC. CODE OF ETHICS AND BUSINESS CONDUCT As a leader
Communicating change People-focused communication drives M&A integration success
Communicating change People-focused communication drives M&A integration success April 2012 At a glance Cultural integration and communication issues are top factors that challenge M&A success. Understanding
CD(SA) Director Competency Framework
CD(SA) Director Competency Framework This framework identifies the knowledge, skills and experience you will be required to evidence for the Chartered Director Evaluation. The Institute of Directors in
Prepared by. August 2009. 2009 RUSSELL HERDER and ETHOS BUSINESS LAW
embracing the opportunities, averting the risks. Prepared by August 2009 INTRODUCTION There is little question that social media is high on the agenda of corporate and nonprofit decision-makers across
White Paper February 2009. Organizational Development and Training: Strategies for Managing Planned Change. Authors:
White Paper February 2009 Authors: Kylie Hurvitz, B.A.* Rising Sun Associate Richard A. Pierce, Ph.D. Co-Founder & Executive Director Rising Sun Consultants *Ms. Hurvitz is currently enrolled as a Masters
Be Prepared. For Anything. Cyber Security - Confronting Current & Future Threats The role of skilled professionals in maintaining cyber resilience
Cyber Security - Confronting Current & Future Threats The role of skilled professionals in maintaining cyber resilience Mike O Neill Managing Director Graeme McGowan Associate Director of Cyber Security
ASSE On-Site Seminar Course Selections
ASSE On-Site Seminar Course Selections - SAFETY & HEALTH MANAGEMENT - Safety Management Part I: Fundamental Concepts An excellent basic seminar. This seminar suggests fundamental elements that form an
Solution Overview Better manage environmental, occupational safety, and community health hazards by turning risk into opportunity
Environment, Health and Safety We make it happen. Better. Solution Overview Better manage environmental, occupational safety, and community health hazards by turning risk into opportunity April 2014 A
Public Health Competency Based Employee Performance Management Self Assessment Tool - Master Templates (For HR Administration purposes only)
Public Health Competency Based Employee Performance Management Self Assessment Tool - Master Templates (For HR Administration purposes only) Public Health Competency Based Employee Performance Management
Human Services Quality Framework. User Guide
Human Services Quality Framework User Guide Purpose The purpose of the user guide is to assist in interpreting and applying the Human Services Quality Standards and associated indicators across all service
APES 110 Code of Ethics for Professional Accountants
APES 110 Code of Ethics for Professional Accountants [Supersedes APES 110 Code of Ethics for Professional Accountants (Issued in June 2006 and subsequently amended in February 2008)] ISSUED: December 2010
The World Bank Group Policy on Eradicating Harassment Guidelines for Implementation
1.0 Introduction The World Bank Group Policy on Eradicating Harassment Guidelines for Implementation The World Bank Group is committed to fostering a workplace free of harassment and intimidation, where
Performance Management is Killing your Business
Performance Management is Killing your Business The rapidly changing environment in which organizations operate has profound implications across all sectors, requiring a fundamental reappraisal of many
Privacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices
Privacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices Ann Cavoukian, Ph.D. Information & Privacy Commissioner, Ontario, Canada Purpose: This document
Precision Coaching and Development with the CPI 260
W H I T E P A P E R / P A G E 1 Precision Coaching and Development with the CPI 260 Assessment Martin Boult, BBSc, D.Psych Two weeks after successfully graduating from the CPI 260 Certification Program,
PHILIPPINE LONG DISTANCE TELEPHONE COMPANY CODE OF BUSINESS CONDUCT AND ETHICS
PHILIPPINE LONG DISTANCE TELEPHONE COMPANY CODE OF BUSINESS CONDUCT AND ETHICS Philippine Long Distance Telephone Company ( PLDT or the Company ) is dedicated to doing business in accordance with the highest
Risk Management in the HSE; An Information Handbook
Risk Management in the HSE; An Information Handbook Document reference number Revision number OQR011 Revision date October 2011 Review date Document developed by 5 Document approved by October 2013 Responsibility
Three Theories of Individual Behavioral Decision-Making
Three Theories of Individual Decision-Making Be precise and explicit about what you want to understand. It is critical to successful research that you are very explicit and precise about the general class
*Performance Expectations, Elements and Indicators
C o m m o n C o r e o f L e a d i n g : Connecticut School Leadership Standards *Performance Expectations, Elements and Indicators *For further information, visit: http://www.sde.ct.gov/sde/cwp/view.asp?a=2641&q=333900
AT&T s Code of Business Conduct
August 2015 AT&T s Code of Business Conduct To All AT&T Employees Worldwide: The most basic commitment we make to our customers, our shareholders, and each other is to always conduct ourselves in an ethical
Social Security Disability Resources For Self Advocacy
Social Security Disability Resources For Self Advocacy Introduction This guide is intended to help people with multiple sclerosis (MS) advocate effectively to obtain the Social Security Disability Insurance
2016 OCR AUDIT E-BOOK
!! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that
WHAT IS GRC AND WHERE IS IT HEADING? A BRIEFING PAPER. www.claytonutz.com
WHAT IS GRC AND WHERE IS IT HEADING? A BRIEFING PAPER www.claytonutz.com BACKGROUND Well established governance, risk and compliance functions have for many years formed a key part of management practice
A Framework for Business Sustainability
Environmental Quality Management, 17 (2), 81-88, 2007 A Framework for Business Sustainability Robert B. Pojasek, Ph.D Business sustainability seeks to create long-term shareholder value by embracing the
