With the US National Vulnerability Database (nvd.nist.gov) publishing almost 16
vulnerabilities per day, and with recently released malware such as the
Win32/Conficker (Downadup) worm spreading across the Internet, information
security is no longer a peripheral issue for businesses today. While
information security experts scout for the latest updates in security
appliances, firewalls, anti-virus software and intrusion prevention systems,
the human side of it all is often neglected. Getting users (who are often the
weakest link in the security chain) to make good decisions about information
security is a daunting task for the information security team in any
organization. Hence, methods that organizations can use to actively involve
users within the ambit of information security management become extremely
important.
Campaigns: Safety is an abstract concept. When evaluating alternatives in
making a decision, outcomes that are abstract in nature tend to be less
persuasive than outcomes that are concrete. Hence, information security
awareness is of crucial importance. Campaigning can be very useful in security
education and can provide a positive impetus for information security. The
campaigns can take the form of monthly newsletters, posters at conspicuous
locations listing dos and don'ts, and quizzes that actively involve employees.
Ease of use: Users are not stupid; they are unmotivated. Because of their
limited capacity for processing information (the "cognitive miser" model),
users in general tend to favor quick decisions based on learned rules and
heuristics. This explains why users stick their passwords on whiteboards, do
not read all of the text in a dialog, and do not consider all the consequences
of their action when a security warning is displayed. One way to work around
this problem is to deploy a standard set of secure default settings and push
automatic updates of security patches, so that the user's involvement in
software and hardware configuration is kept to a minimum.
Rewards: An immediate reward, or instant gratification, can be a powerful
reinforcer in shaping user behavior, yet in security there is seldom one. To
incentivize good security behavior, employees should be rewarded periodically
for reporting security incidents, spreading awareness and building their
knowledge of information security.
Catch violators: Having a corporate security policy that is not monitored or
enforced is tantamount to having laws without police. Though a continuous
auditing system that catches users whenever they make a poor security decision
is not recommended, incident reporting systems can be used to send general
warning messages to security violators.
RITE: Apart from the widely used principles of information security, the
Responsibility, Integrity, Trust and Ethicality (RITE) principles hold the key
to successfully managing security in the future. In large and physically
dispersed organizations, it is even more important for members of the
organization to understand what their respective roles and responsibilities
should be. A clear understanding of roles and responsibilities is required of
each employee to practice information security management effectively. As
witnessed in many of the data breaches perpetrated by insiders, even with
exhaustive controls it is possible for protected information to leak out,
causing irreparable damage to organizations. Hence, the important human element
of security, the integrity of the organization's members, is of paramount
importance. The organization needs to consider how to maintain and uphold the
integrity of its members so that it can minimize internal breaches. Innovative
organizations place less emphasis on external control and supervision, and more
on self-control and responsibility. In such a situation, mutual systems of trust
are important. Since close supervision is less viable, trust must act as the
cohesive element in the organization. Lastly, the ethics of fellow members of
the organization are important to upholding security principles. These are not
a matter of formalized company rules, but of the ethical content of informal
norms and behavior.
All said and done, information security begins and ends with the users.
Dr V Sridhar
(The author is research fellow at Sasken Communication Technologies, Bengaluru)
(Source: DQ)