The role of Human Factor in Information Security: Findings and Recommendations
A lot of questions were investigated in 4 hours and summarized as follows:
-
What is the role of Top Management in the Security Initiative?
-
All participants agreed that the “tone at the top” is crucial for any business initiative and information security is not an exception. After all policies and strategies should be created at the management level. Examples were given and discussed where even big organizations started security initiatives and failed because top management never understood or took the ownership of them.
To the obvious question “How we can ensure top management commitment” all participants agreed: Only by translating the consequences in business language and, why not, make the impact evident can the management understand the value of information security. Monetarizing impact is one way to go but it is not the only way to go. Security incident that are now famous in the business sector were mentioned and can be used as examples.
-
What is Information Security Culture and how can we change it?
-
Culture was presented as the sum of actions, beliefs and experiences of the people inside the organization. Since everything depends on people actions, this is what should be changed to achieve the targeted security level. The best way which gives the more sustainable results is to change people beliefs driving their actions. And since beliefs depend and are driven by people experiences, this is the way to go: To create “security alarming” experiences to people in order to drive their actions at the end.
-
Is training enough?
-
All the participants agreed: No. Training explains people what they have to do, what is acceptable by the security policy, what follows the rules. But it is not the target of training to change people mindset and behavior. So, participants agreed that “coaching” is the right answer. People need to be coached for information security and change their mind sets. They need to take ownership of the rules and convinced that by following them, the added value of information security is easier to return.
-
Shall policies and procedures just being delivered or co-created with people?
-
As a natural conclusion of the previous question, the answer to this one is: Co-creation. When people participate in the creation of policies and procedures they reach the desired ownership level sooner and the act according to the rules. The worst and less efficient way to develop an Information Security Framework is to create it outside of the organization without people involvement. It may be perfect and pass any certification audit, but sustainability is not there. Participants gave examples of management systems delivered from consultants but never followed by the organization.
-
Do we need a Relationship Officer to communicate information security?
-
Yes we need. This guy will be responsible to listen to people needs and translate them to rules and controls. Sometimes, as all participants agree, security controls are written for someone else. Nobody reviewed the way people work in order to take it under consideration. There are of course cases where controls shall be applied due to legislative or contractual requirements but in most cases and despite what many people believe, security can be flexible.
At the end of the event, participants were asked to select a moto to represent people participation in information security.
They all agree to this: