It is said that "The destination is not always as important as the journey." It
is important to ensure that, while moving towards your destination, each step of
the way is planned and taken so that the journey can be completed successfully,
and that in the end the result, like reaching a holiday resort, is enjoyable and
all involved are able to enjoy this new and exciting place. Developing a
security culture within an organisation is much like this.
To achieve a
sound security culture, you must ensure that all of the elements are in place
and working before you start your journey. However, as in real life, not
everything will work right the first time.
When you are developing a security culture you will be experimenting and
changing things on your journey, trying to find your way through the myriad of
policies and standards that appear to be restricting your progress. Keep in mind,
though, that there is nothing wrong with learning. "Test and confirm" is as
relevant in the development of a security culture as it is in research; the key
is to use your employees to help you with this journey.
Ensure that there is no perception that this is just the "program of the month."
This is usually the perception that everyone in the organisation will have if
you start down one path and then move in another direction without proper
communication. Again, this is where employee participation comes into play,
as all employees must be part of every change that occurs. Good communication
ensures employees are comfortable with changes, because they see the benefit and
are part of the process.
An ideal security culture should be seen to be “the ‘engine’ that drives the
system towards the goal of sustaining effective security within an
organisation”. This goal should be achieved irrespective of the organisation’s
leader or current commercial concerns.
What drives the system is a constant level of awareness
for anything that may bypass organisational security systems. In other words,
it is important to remember what can go wrong.
You must maintain an awareness of evolving threats and risks to your business.
It is very dangerous to think that an organisation is safe simply because no
information says otherwise. In periods of good security performance, the best
way to stay cautious is “to gather the right kind of information”, which means
creating an informed culture.
An informed culture requires security management to be
aware of the numerous factors that have an impact on the security systems (i.e.
human, technical, organisational, and environmental). In this sense, “an
informed culture can be seen to be a security culture”.
An organisation’s security culture is ultimately reflected in the way in which
security is managed in the workplace, although it is important to note that an
organisation’s security management system does not just consist of a set of
policies and procedures on a bookshelf.
The security management system is the manner in which
security is handled in the workplace and how those policies and procedures are
implemented into the workplace. The
nature by which security is managed in the workplace (i.e. resources, policies,
practices and procedures, monitoring, etc.) will be influenced by the security
culture/climate of the organisation.
Security management should be integrated into the organisational system and
management practice. Certainly in high-risk industries such as Defence, and in
multinational corporations, security, like safety, should be considered the
number one priority.
It is argued that “a ‘good’ security culture might both reflect and be promoted
by at least four factors”. These four factors are:
- Senior management commitment to security.
- Shared care and concern for security and the impact on people, information,
assets and the security of the nation.
- Realistic and flexible norms and rules about security threats, and
- Continual reflection upon practice through monitoring, analysis and
feedback systems (organisational learning).
It has also been argued by academics that fundamentally, good
leadership is the key to promoting an effective security culture.
It is also important to remember that an organisation’s culture develops over a
period of time and cannot be created instantly. Organisations, like organisms,
adapt. The security culture of an organisation is developed as a result of
history, work environment, the workforce, security practices, and management
leadership.
Let's move on to the nuts and bolts of developing a security culture.
The University
of Melbourne undertook
research into developing security cultures within the IT field. They utilised the Ruighaver / Maynard
security culture model. This model looks at eight dimensions in
developing a security culture. My
presentation is heavily based on this research.
The basis of truth and rationality
The basis of
truth and rationality is the first dimension of the Ruighaver/Maynard security
culture model that I will discuss.
According to the authors of the original organisational model, this dimension
of culture is about what the employees in an organisation believe is real or not
real and, in particular, how what is true is ultimately discovered.
The most obvious aspect of this dimension is that it is about beliefs. Beliefs
influence the attitude of employees, and their attitudes influence their
behaviour. Research has shown that the basis of truth and rationality is
critical in decision making within security. I will discuss some of these
aspects.
How important
is security for your organisation?
Literature on
security culture recognises that the most crucial belief influencing the
security in an organisation is the belief that security is important.
If the
employees of an organisation do not believe that security is important, they
will not support any security measures that restrict their behaviour. The
belief that no threat exists is the critical factor in a security culture
failing to develop.
Academic
research has found that many organisations continuously undermine the belief
that security is important by reporting to their staff that no money is
available for their security initiatives. Obviously, different organisations
need different levels of security, but never use such negative messages.
Instead report on the issues that you are currently concentrating on in your
security efforts, and indicate that new initiatives will be considered in due
time.
Although the
security requirements for one company or organisation may not be as high as the
security requirements of another, achieving optimal security for that organisation’s
particular situation will still be important, as is the need to ensure that
their employees believe that security is important.
So, why not implement campaigns similar to occupational health campaigns to
stress that security is important for your organisation?
How reliable
is the information used in decision making?
While security managers and other decision makers in the security field
generally believe that security is important, they often have personal beliefs
about which areas of security are important for their organisation that are not
based on truth and rationality.
Studies have
found that management beliefs and trust in the quality of security, and about
the quality of the different processes used to manage security, may be
misplaced.
Many of the
organisations investigated in a number of academic studies do, for instance,
believe that their security is good, but most of these organisations did not
really make an attempt to evaluate the quality of their security.
Even larger problems exist with an organisation’s beliefs about the quality of
its risk analysis and security audits. If your asset identification and risk
analysis are not based on a systematic application of your chosen methodology,
you will have missed assets that need protection, and you will have missed risks
or threats that those assets need to be protected against.
Ad-hoc shortcuts seriously undermine the quality of your risk assessment.
Similarly, without feedback loops in which the organisation continuously updates
its risk assessment based on a thorough investigation of incidents and near
misses, your risk data will be of low quality.
Nature of
Time and Time Horizon
The Nature of
Time and Time Horizon is the second dimension of the Ruighaver/Maynard security
culture model. The time horizon that an organisation takes affects whether or
not security managers and other organisational members involved in security
adopt long term planning and goal setting, or focus primarily on the
here-and-now.
Unfortunately, few organisations have long-term goals for security, and those
that do seldom look beyond a time frame of one or two years. Furthermore, these
goals are in most cases only aimed at building a solid security infrastructure
in line with national or international security standards. To be fair to those
organisations, there is very little published security literature on possible
long-term strategies, and security standards also offer little assistance.
To develop a
high-quality security culture, organisations will need to place more emphasis
on long-term commitment and strategic management. All too often the security
focus of an organisation is on things demanding immediate attention, not on the
things that may prove more important in the long run. And when they finally run
into problems because their current security approach is no longer adequate and
becomes too expensive to maintain, such organisations often will initiate a
complete overhaul of their existing security infrastructure and decision making
processes, throwing away the good with the bad.
Long Term
planning
Any organisation
that would like to start increasing its investment in Security, by initiating a
restructuring of their security management and governance structures, should
first consider what long-term strategies and plans can or should be developed
and by whom.
For instance,
without a long-term strategy aimed at building up appropriate skill-sets
related to security, any restructuring will eventually fail. An example taken
from the IT security field: the environment in which the organisation's
information systems are operating is simply changing too rapidly for an organisation's
information security to survive if the necessary skill sets are missing.
Similar strategies are needed for knowledge management, as the complexity of
the Information Systems and other IT infrastructure is continuously increasing
as well.
We need to
align the security of an organisation with its organisational culture. Hence it
will not come as a surprise that the most important long term strategy to be
developed by an organisation that wants to improve its security should be aimed
at aligning the organisation's security practices and procedure with its organisational
culture.
An obvious
example is that traditional security is still based on the implementation of
restrictive practices and procedures that minimise risks.
Organisational
culture is often the opposite: In their normal work environment employees are
given specific goals and targets they need to achieve and are often allowed, or
even actively encouraged, to bypass standard procedures and guidelines when
necessary to reach those targets. If your organisational culture encourages
such behaviour, why do you think these employees will not behave the same when
they are restricted by your organisation's security procedures and guidelines?
Hence, if this is your organisation's culture, your organisation will need to
develop long term strategies aimed at increasing the involvement of employees
in security and at finding, introducing and fine-tuning targeted security
related objectives and goals for each of your employees.
These security
related goals and targets are necessary to encourage employees to improve their
behaviour and reduce security risks.
Motivation
Motivation is the third, and the easiest to understand, dimension of our
security culture model. There is a lot of information in the organisational
culture literature about what motivates humans and whether people are motivated
from within or by external forces. There is also extensive literature on
whether people are inherently good or bad, whether people should be rewarded or
punished, and whether manipulating someone's motivation can change effort or
output.
Security is
one of the only areas of organisational motivation where punishment is still
the major motivational tool.
As there is no
evidence that employees are intrinsically motivated to adopt secure practices,
organisations will need to have appropriate processes in place to ensure
employees are motivated in relation to security.
However, the organisational literature also clearly indicates that punishment
does not work as a motivator. In a good security culture we would therefore
expect positive motivation to be dominant.
Intrinsic
motivation versus extrinsic motivation
Organisational
behaviour literature suggests that provision of extrinsic rewards to employees
for performing particular tasks, such as direct financial rewards, may actually
reduce their intrinsic motivation.
However,
organisations should consider both tangible rewards (e.g. money) and intrinsic
motivation to adopt new behaviours (e.g. recognition and social participation)
when employees are expected to meet modified performance standards or change
their behaviour.
While it is
essential that employees are made aware that security controls are necessary
and useful in order to discourage them from attempting to bypass these
controls, motivation in security should not only be aimed at preventing
employees from compromising existing security measures and guidelines. A good
security culture will encourage employees to be motivated to reflect on their
behaviour at all times, to assess how their behaviour influences security and
what they can do to improve security.
Although it is important that a degree of trust is involved and that the
responsibility to act in an appropriate manner is delegated to employees
themselves, this does not mean that an organisation should not monitor their
behaviour. It is essential that organisations have monitoring processes in place
to identify security breaches, and that they investigate those breaches to
ensure that unacceptable behaviour is corrected. Of course, the organisation
should also reward exemplary behaviour, and should publicise those examples to
increase both awareness and motivation.
For example, Defence
has initiated an awards program for excellence in security within the
Department and Defence Industry that is supported at the highest level of
Defence and will be promoted through media reports throughout Defence.
Horizontal
versus vertical Social Participation
Social participation is a well known aspect of organisational culture. Research
has found that some organisations do encourage social participation in line
with the organisation's governance structures, for example by encouraging staff
influenced by a decision to participate in the decision making process. This is
called vertical social participation. Research suggests that such social
participation has only a limited effect on improving the security culture, and
that to improve motivation organisations should encourage more widespread
social participation. It should be obvious that employees at the same level
within different areas of an organisation often come across the same security
issues and may not know that others in the organisation are covering the same
ground.
Organisations
that have horizontal social participation where, for instance, all security
practitioners, system and security administrators across the business units are
involved in a regular exchange of information to improve decision making, may
find that motivation will increase significantly as well.
Stability
versus Change
The Stability
versus Change dimension is the fourth dimension of our Ruighaver/Maynard
security culture model. While some individuals are open to change
(risk-takers), other individuals have a high need for stability (risk-averse).
The same is true for organisations. Risk-taking organisations are said to be
innovative with a push for constant, continuous improvement. Risk-averse organisations
focus on not rocking the boat. Hence, an important aspect of an organisation's
security culture is its tolerance for change and innovation.
Organisations that have a high requirement for security often favour stability
over change. Change is often seen as bad for security, as it can result in the
introduction of new risks or in the invalidation or bypass of controls for
existing risks. If this aspect of security culture is in line with the general
organisational culture, there will be few problems. However, even when change is
carefully managed, such organisations will need to ensure that their security
posture is not static. Security is never 100%, and in today’s complex
environment tight centralised control over decision making can result in a lack
of flexibility.
Facilitating
change.
Most organisations
have an organisational culture based on decentralised decision making and a
tolerance of change. Often periodic cycles of change are purposefully built
into the culture and processes to facilitate the introduction of new products
and services. If such an organisation has a culture where individual risk
taking behaviour within acceptable boundaries may be tolerated or even
encouraged, a security culture which is restrictive is doomed to fail.
Most organisations that have a low requirement for security are tolerant of
change, but they often fail to realise that the organisation will still need to
constantly adapt its security to the inevitable changes in the organisation's
environment. The organisation's existing security procedures and practices will
need to improve as well, and that improvement will need to be carefully
facilitated. While organisations that have adopted a security policy life-cycle
methodology will have a culture of continuous change in that area of security,
this may not necessarily extend to other areas such as security strategy
development and security governance processes, or even the implementation of
security measures.
Finally, research
has found that almost all organisations were lacking in the development of new
and innovative approaches to security. Most organisations just use the same old
traditional security technologies and controls, often based on existing
security standards that are more than a decade old.
Orientation
to work, task and co-workers
The fifth
dimension of the Ruighaver/Maynard security culture model is Orientation to
work, task and co-workers. This dimension deals with the balance between work
as a production activity and as a social activity. Some individuals view work
as an end in itself with a task focus, concerned fundamentally with work
accomplishment and productivity. Other individuals see work as a means to other
ends, such as having a comfortable life and developing social relationships.
Individuals with a strong task focus are likely to find that traditional
security controls are too restrictive. For example, it is an important principle
in information security that there is a trade-off between the use of an
organisation's assets and their security. Limiting access to an asset such as
email or the internet can significantly improve its security. However, limiting
access will result in a serious impediment to the daily operations of
employees. There may therefore be a temptation for organisations to lift all
restrictions.
Security
managers must be continuously fine-tuning the balance between security and how
constrained employees feel in their work.
This is an important aspect of a good security culture. Of course, staff
will feel less restricted if they are motivated and feel responsible for
security, but that alone will not be enough.
Responsibility
and ownership.
While it is
obvious that a good security culture depends on making employees feel
responsible for security in the organisation, it is just as important that
those employees responsible for a particular security area have a strong sense
of ownership.
This will be
positively influenced by social participation, but can just as easily be
negated when staff feel that management do not take any suggestions for the
improvement of security very seriously. Hence, a positive response of
management and a continuous adaptation of security practices by incorporating
at least a few of the suggestions is a must to improve the orientation of staff
towards security.
Orientation to
work is improved by education and security awareness. Regular education of
employees on their roles and responsibilities related to security is crucial.
Too many organisations only give employees an overview of security during
induction, and even then they mostly cover what is considered a legal
requirement under governance/compliance rules, missing the critical awareness
information that then has to be passed out to all staff by other means.
Security education can also be an important tool in increasing the feeling of
responsibility and ownership of those involved in decisions about security. But
for education to have a significant impact on the employee’s orientation to
work, it will need to be reinforced continuously and must include a response to
any unsatisfactory behaviour that has become widespread enough for users to
consider it normal behaviour.
Isolation
versus Collaboration/Co-operation
Isolation
versus Collaboration/Co-operation is the sixth dimension of the
Ruighaver/Maynard security culture model. This dimension addresses underlying
beliefs about the nature of human relationships and about how work is most
effectively and efficiently accomplished, either by individuals or
collaboratively.
It is common knowledge in software engineering that, without user involvement in
the design process, acceptance of the resulting information system by the
organisation will be minimal. The same is undoubtedly true for security
procedures and policies. While organisations often realise that security
policies should be created collaboratively, using the input of people from
various areas of the organisation to ensure comprehensiveness and acceptance,
the cost of this approach seems to be a major obstacle.
It is surprising
how often we find that an organisation's security planning and implementation
is handled by only a small group of specialists and managers. As a result, the
efforts of the security management team are often negated by other decisions
taken by managers in the business units and on the work floor.
Control,
Coordination and Responsibility
The seventh
dimension of the Ruighaver/Maynard security culture model is Control,
Coordination and Responsibility. This dimension of an organisation's security
culture is clearly related to the security governance in that organisation.
Where control
is tight, there will often be formalised rules and procedures that are set by a
few, to guide the behaviour of the majority. The need for governance is
limited. Where control is loose, we expect flexibility and autonomy of workers,
with fewer rules or formal procedures and shared decision-making. It is that
shared decision making that depends on high quality security strategies and a
well developed security strategic context.
An organisation with centralised decision making tends to have tight control.
Tight control allows for efficient security management but reduces the
flexibility of the organisation to respond to the current dynamic security
environment. The literature suggests that even where there are mechanisms of
control and formalisation within a centralised organisation, a culture of fear,
and uncertainty about what loose control may result in, can cause these control
mechanisms, such as policies, rules and procedures, to become dysfunctional.
This may not in fact be true.
Loose control
in security needs better governance.
To cope with
the current dynamic business environment, most organisations have opted for a
more flexible decentralised decision making structure. While those organisations
are likely to have a loose control, change management processes may still
influence how loose the control actually is.
It should be
obvious by now how important it is that an organisation's security culture is aligned
with organisational culture. So a tight control of security in an otherwise
loosely controlled organisation is not likely to work very well. It is,
therefore, surprising that most often organisations still attempt to keep a
tight control on their security.
This is a
direct result of the current lack of guidelines for adequate security
governance at the middle management level in both literature and current
security standards. If an organisation does not develop a proper security
strategic context, loose control of security will simply not work.
Loose control
also increases the importance of coordination. As discussed under motivation,
improving the horizontal social participation in an organisation can be an
important tool in improving coordination.
Responsibility
needs accountability.
Independent of whether there is tight control or loose control, clear guidelines
on who has decision rights in the different areas of security are essential.
This aspect is often called responsibility, and ensuring that all
responsibilities have been assigned is a required feature of any strategic
security policy. Top management support for security is a significant predictor
of both the direction of an organisation's security culture and the level to
which its security policies are enforced. Therefore, whereas operational
responsibility and accountability may lie with middle management and end-users,
top management has a clear responsibility to:
- Visibly
demonstrate a prioritization of security,
- Provide
strong and consistent support to the overall security program, and
- Take
security issues into account in planning organisational strategies.
Orientation
and Focus
The
Orientation and Focus dimension is the eighth and last dimension of the
Ruighaver/Maynard security culture model. The nature of the relationship
between an organisation and its environment and whether or not an organisation
assumes that it controls, or is controlled by, its external environment is an
important aspect of both organisational culture as well as of security culture.
An organisation may have an internal orientation (focusing on people and
processes within the organisation) or external orientation (focusing on
external constituents, customers, competitors and the environment), or have a
combination of both.
The orientation and focus of an organisation's security will clearly depend on
the environment in which the organisation operates. Unfortunately, if an
organisation is forced to conform to external audit and government requirements,
it is likely that the emphasis of its risk management processes will be only on
meeting these requirements, and no longer on improving its security. Such
organisations often believe that meeting these requirements guarantees good
security. Similarly, it has been found that many other organisations only aim
to bring their protective and ICT security in line with international industry
standards. Again the emphasis is often geared towards passing an audit to prove
that they have achieved this goal, rather than on achieving the best security
for the organisation within the obvious limitations of resources and budget.
As security in
an organisation is influenced by both external factors and internal needs, I
believe that an ideal security culture has a balance between an internal and
external focus. External requirements and industry standards can obviously not
be ignored, but the external focus should at least also include an awareness of
the organisation's external security environment and how this changes over
time.
This will
allow the organisation to pro-actively meet any new threats. More important,
however, is that the organisation builds up an awareness of its internal
security environment. If the organisation is not trying to identify what
security breaches occur and why they occur, it will never know if its security
strategies are working and how it can improve the implementation of these
strategies.
Conclusion
There
are challenges for both corporate and government security professionals in
creating and maintaining a security culture within their organisation.
Financial
constraints within corporations or government agencies provide an environment
where risk management strategies must be robust and effective in order to
provide an environment where security is valued as a capability enabler rather
than a cost burden.
There is no simple solution, nor one solution that fits all. Each business unit
has its own dynamics that require analysis to ensure solutions fit the culture
and provide an environment where a security culture can thrive.
This
is the challenge for corporate and government security advisers in the current and future security environment.
Security Culture Bibliography
Improving your Security Culture.
- Chia, P., Maynard, S. and Ruighaver, A.B. (2002) ‘Exploring Organisational
Security Culture’, Sixth Pacific Asia Conference on Information Systems, Tokyo,
Japan, 2-3 September 2002.
- Chia, P., Maynard, S. and Ruighaver, A.B. (2003) ‘Understanding Organisational
Security Culture’, in Information Systems: The Challenges of Theory and
Practice, Hunter, M.G. and Dhanda, K.K. (eds), Information Institute, Las Vegas,
USA, pages 335-365.
- Dojkovski, S., Lichtenstein, S. and Warren, M. (2006) ‘Challenges in Fostering
an Information Security Culture in Australian Small and Medium Sized
Enterprises’, Proceedings of the 5th European Conference on Information Warfare
and Security, Academic Conference Limited, United Kingdom.
- Dojkovski, S., Lichtenstein, S. and Warren, M. (2005) ‘Information Security
Culture in Small and Medium Sized Enterprises: A Socio-Cultural Framework’,
Proceedings of the 6th Australian Information Warfare & Security Conference,
School of Information Systems, Deakin University, Geelong, Australia.
- Martins, A. and Eloff, J. (2002) ‘Information Security Culture’, IFIP TC11
International Conference on Information Security, Cairo, Egypt, 7-9 May 2002.
- Ngo, L., Zhou, W. and Warren, M. (2005) ‘Understanding Transition Towards
Organisational Culture Change’, Proceedings of the 3rd Australian Information
Security Management Conference, Perth, Australia.
- Ruighaver, A.B., Maynard, S. and Chang, S. (2007) ‘Organisational Security
Culture: Extending the End-User Perspective’, Computers & Security, Volume 26,
Issue 1, February 2007, pages 56-62.
- Ruighaver, A.B. and Maynard, S. (2006) ‘Organisational Security Culture: More
Than Just an End-User Phenomenon’, Proceedings of the 21st IFIP TC-11
International Information Security Conference (IFIP/SEC 2006), 22 May 2006,
Karlstad, Sweden, pages 425-430.
- Schlienger, T. and Teufel, S. (2002) ‘Information Security Culture - The
Socio-Cultural Dimension in Information Security Management’, IFIP TC11
International Conference on Information Security, Cairo, Egypt, 7-9 May 2002.
- Schlienger, T. and Teufel, S. (2003) ‘Information Security Culture - From
Analysis to Change’, Proceedings of ISSA 2003, Johannesburg, South Africa,
9-11 July 2003.
- Schlienger, T. and Teufel, S. (2003) ‘Analysing Information Security Culture:
Increased Trust by an Appropriate Information Security Culture’, 14th
International Conference on Database and Expert Systems Applications (DEXA
2003), Prague, Czech Republic, September 2003.