Of human(e) vulnerability

DQW Bureau
New Update


With the National Vulnerability Database of the US ( publishing

almost 16 vulnerabilities per day, and with the recently released virus such as

Win32/Conflicker/Downadup spreading across the Internet information security is

no longer a peripheral issue for businesses today. While information security

experts scout for the latest updates in security appliances, firewalls,

anti-virus software, and intrusion protection systems, the often neglected is

the human side of it all. To get the users (who are often the weakest link in

the security chain), to make good decisions about information security is a

daunting task for the information security team in any organization. Hence,

methods that organizations can use to actively involve users within the ambit of

information security management become extremely important.

Campaigns: Safety is an abstract concept. When evaluating alternatives in

making a decision, outcomes that are abstract in nature, tend to be less

persuasive than outcomes that are concrete. Hence, information security

awareness is of crucial importance. Campaigning could be very useful in terms of

security education, and provide a positive impetus for information security, The

campaigns can be in the form of monthly newsletters, posters at conspicuous

locations with the list of dos and dont's, and quizzes to actively involve


Ease of use: Users are not stupid; they are unmotivated. Due to limited

capacity for information processing (also referred to as cognitive miser), users

in general tend to favor quick decisions based on learned rules and heuristics.

This explains why users post their passwords on their whiteboards or don't read

all the text relevant in a display or consider all the consequences of their

action when a security warning is displayed. One way to circumvent this problem

is to deploy standard set of default security settings and push auto-updates of

security patches so that user involvement in software/hardware configuration is

as minimal as possible.


Rewards: There is seldom an immediate reward or instant gratification which

can be a powerful reinforcer in shaping user behavior. To incentivize good

security behavior, employees should be rewarded periodically for reporting

security incidences, spreading awareness and their knowledge of information


Catch violators: Having a corporate security policy that is not monitored or

enforced is tantamount to having laws without police. Though having a continuous

auditing system to catch users when they make poor security decisions is not

recommended, incidence reporting systems can be used to send out general warning

messages to security violators.

RITEs: Apart from the widely used principles of information security, the

Responsibility, Integrity, Trust and Ethicality (RITE) principles hold key for

successfully managing security in the future. In large and physically diffused

organizations, it is even more important for members of the organization to

understand what their respective roles and responsibilities should be. Clear

understanding of roles and responsibilities is required of each employee to

practice information security management effectively. As witnessed in many of

the data breaches perpetrated by insiders, even with exhaustive controls, it is

possible that protected information can leak out, thus causing irreparable

damage to organizations. Hence, the important human element of

security-integrity of the organization members-is of paramount importance. The

organization needs to consider how to maintain and uphold integrity of its

members so that it can minimize internal breaches. Innovative organizations

emphasize less on external control and supervision, and more on self-control and

responsibility. In such a situation, mutual systems of trust are important.

Since close supervision is less viable, trust must act as the cohesive element

in organizations. Lastly, ethics of the fellow members of the organization are

important to uphold security principles. These are not related to formalized

company ruled; but the ethical content of informal norms and behavior.

All set and done, information security begins and ends with the users.

Dr V Sridhar

(The author is research fellow at Sasken Communication Technologies, Bengaluru)

(Source: DQ)