
Friday 29 September 2017

A Security Industry Honour – Receiving the Australian Security Medal



It was with honour and pride that I attended the 2017 Australian Security Medals Foundation Dinner at the Glasshouse in Melbourne where I was presented with the Australian Security Medal, witnessed by my peers and also my son, who indicated his pride in my accomplishment and his appreciation of the level of security industry professionals at the event.

The Australian Security Medal is awarded to recognise the outstanding career and character of the recipient. ASM recipients will be those who have demonstrated a consistent, high-level contribution to the wider community, possibly via innovative non-core business activities and projects, or via extraordinary performance in their professional role(s).

My thanks go out to Don Williams and Jason Brown, who championed my nomination.

The Foundation video produced for my award is located at https://youtu.be/NAFqoLiSLwg


Tuesday 15 August 2017

CiiSCM Security & Crisis Conference - Malaysia 7 August 2017




I was most impressed with Muhammad Saiful Alan Shah, who spoke at the CiiSCM Security & Crisis Management conference. Muhammad Saiful Alan Shah was an articulate and knowledgeable speaker who provided insightful advice on improvements to our current de-radicalization strategies. He provided many take-away points that increased my knowledge of the difficulties in putting in place a truly effective de-radicalization program in western countries.

Along with Muhammad, Professor Jolene Jerard, Dr Graham Ong-Webb, Mr Hamoon Khelghat-Doost and Mr Rodolphe Elégoēt provided an insightful series of presentations that promoted discussion and enhanced knowledge of the current state of terrorism beyond borders.

My gracious thanks to the organizers from CiiSCM and Global E2C.

Sunday 6 August 2017

Developing a security culture

It is said that "The destination is not always as important as the journey." It is important to ensure that, while moving towards your destination, each step of the way is planned and taken so that the journey can be completed successfully, and that in the end the result, like reaching a holiday resort, will be enjoyable, with all involved able to enjoy this new and exciting place. Developing a security culture within an organisation is much like this.

To achieve a sound security culture, you must ensure that all of the elements are in place and working before you start your journey. However, as in real life, not everything will work right the first time. When you are developing a security culture you will be experimenting and changing things on your journey, trying to find your way through the myriad of policies and standards that appear to be restricting your progress. Keep in mind, though, that there is nothing wrong with learning. Test and confirm is as relevant in the development of a security culture as it is in research; however, the key is to use your employees to help you with this journey.

Ensure that there is no perception that this is just the "program of the month." This is usually the perception that everyone in the organisation will have if you start down one path and decide to move in another direction without proper communication. Again, this is where the employee participation comes into play, as all employees must be part of every change that occurs.  Good communication ensures employees are comfortable with changes as they see the benefit and are part of the process. 

An ideal security culture should be seen to be “the ‘engine’ that drives the system towards the goal of sustaining effective security within an organisation”. This goal should be achieved irrespective of the organisation’s leader or current commercial concerns.
What drives the system is a constant level of awareness for anything that may bypass organisational security systems. In other words, it is important to remember what can go wrong.

You must maintain an awareness of evolving threats and risks to your business. It is very dangerous to think that an organisation is safe because no information says otherwise. In periods of good security performance, the best way to stay cautious is “to gather the right kind of information”, which means creating an informed culture.

An informed culture requires security management to be aware of the numerous factors that have an impact on the security systems (i.e. human, technical, organisational, and environmental). In this sense, “an informed culture can be seen to be a security culture”.
An organisation’s security culture is ultimately reflected in the way in which security is managed in the workplace, although it is important to note that an organisation’s security management system does not just consist of a set of policies and procedures on a bookshelf.

The security management system is the manner in which security is handled in the workplace and how those policies and procedures are implemented into the workplace.  The nature by which security is managed in the workplace (i.e. resources, policies, practices and procedures, monitoring, etc.) will be influenced by the security culture/climate of the organisation.

Security management should be integrated into the organisational system and management practice. Certainly in high-risk industries such as Defence, and in multi-national corporations, security, like safety, should be considered the number one priority.

It is argued “a ‘good’ security culture might both reflect and be promoted by at least four factors”. These four factors include:
  • Senior management commitment to security.
  • Shared care and concern for security and the impact on people, information, assets and the security of the nation. 
  • Realistic and flexible norms and rules about security threats, and
  • Continual reflection upon practice through monitoring, analysis and feedback systems (organisational learning)”.

It has also been argued by academics that fundamentally, good leadership is the key to promoting an effective security culture.

It is also important to remember that an organisation’s culture develops over a period of time and cannot be created instantly. “Organisations, like organisms, adapt”. The security culture of an organisation is developed as a result of history, work environment, the workforce, security practices, and management leadership.

Let’s move on to the nuts and bolts of developing a security culture.

The University of Melbourne undertook research into developing security cultures within the IT field.  They utilised the Ruighaver / Maynard security culture model.  This model looks at eight dimensions in developing a security culture.  My presentation is heavily based on this research.

The basis of truth and rationality

The basis of truth and rationality is the first dimension of the Ruighaver/Maynard security culture model that I will discuss.

According to the authors of the original organisational model, this dimension of culture is about what the employees in an organisation believe is real or not real and, in particular, how what is true is ultimately discovered.

The most obvious aspect of this dimension is that it is about beliefs. Beliefs influence the attitude of employees and their attitudes influence their behaviour. Research has shown that the basis of truth and rationality is critical in decision making within Security. I will discuss some of these aspects.

How important is security for your organisation?

Literature on security culture recognises that the most crucial belief influencing the security in an organisation is the belief that security is important.

If the employees of an organisation do not believe that security is important, they will not support any security measures that restrict their behaviour. The belief that no threat exists is the critical factor in a security culture failing to develop.

Academic research has found that many organisations continuously undermine the belief that security is important by reporting to their staff that no money is available for their security initiatives. Obviously, different organisations need different levels of security, but never use such negative messages. Instead report on the issues that you are currently concentrating on in your security efforts, and indicate that new initiatives will be considered in due time.

Although the security requirements for one company or organisation may not be as high as the security requirements of another, achieving optimal security for that organisation’s particular situation will still be important, as is the need to ensure that their employees believe that security is important.

So, why not implement campaigns similar to occupational health campaigns to stress that security is important for your organisation?

How reliable is the information used in decision making?

While security managers and other decision makers in the security field generally believe that security is important, they often have personal beliefs about which areas of security are important for their organisation that are not based on truth and rationality.

Studies have found that management beliefs and trust in the quality of security, and about the quality of the different processes used to manage security, may be misplaced.

Many of the organisations investigated in a number of academic studies do, for instance, believe that their security is good, but most of these organisations did not really make an attempt to evaluate the quality of their security.

Even larger problems exist with organisations’ beliefs about the quality of their risk analysis and security audits. If your asset identification and risk analysis are not based on a systematic application of your chosen methodology, you will have missed assets that need protection and you will have missed risks or threats that those assets need to be protected against.

Ad-hoc shortcuts seriously undermine the quality of your risk assessment. Hence, without feedback loops where the organisation continuously updates its risk assessment based on a thorough investigation of incidents and near misses, your risk data will be of low quality.


Nature of Time and Time Horizon

The Nature of Time and Time Horizon is the second dimension of the Ruighaver/Maynard security culture model. The time horizon that an organisation takes affects whether or not security managers and other organisational members involved in security adopt long term planning and goal setting, or focus primarily on the here-and-now.

Unfortunately, few organisations have long-term goals for security, and those that have seldom look beyond a time frame of one or two years. Furthermore, these goals are in most cases only aimed at the building of a solid security infrastructure in line with National or International Security Standards. To be fair to those organisations, there is very little published security literature on possible long-term strategies, and security standards also offer little assistance.

To develop a high-quality security culture, organisations will need to place more emphasis on long-term commitment and strategic management. All too often the security focus of an organisation is on things demanding immediate attention, not on the things that may prove more important in the long run. And when they finally run into problems because their current security approach is no longer adequate and becomes too expensive to maintain, such organisations often will initiate a complete overhaul of their existing security infrastructure and decision making processes, throwing away the good with the bad.

Long Term planning

Any organisation that would like to start increasing its investment in Security, by initiating a restructuring of their security management and governance structures, should first consider what long-term strategies and plans can or should be developed and by whom.

For instance, without a long-term strategy aimed at building up appropriate skill-sets related to security, any restructuring will eventually fail. An example taken from the IT security field: the environment in which the organisation's information systems are operating is simply changing too rapidly for an organisation's information security to survive if the necessary skill sets are missing. Similar strategies are needed for knowledge management, as the complexity of the Information Systems and other IT infrastructure is continuously increasing as well.

We need to align the security of an organisation with its organisational culture. Hence it will not come as a surprise that the most important long term strategy to be developed by an organisation that wants to improve its security should be aimed at aligning the organisation's security practices and procedures with its organisational culture.

An obvious example is that traditional security is still based on the implementation of restrictive practices and procedures that minimise risks.

Organisational culture is often the opposite: In their normal work environment employees are given specific goals and targets they need to achieve and are often allowed, or even actively encouraged, to bypass standard procedures and guidelines when necessary to reach those targets. If your organisational culture encourages such behaviour, why do you think these employees will not behave the same when they are restricted by your organisation's security procedures and guidelines? Hence, if this is your organisation's culture, your organisation will need to develop long term strategies aimed at increasing the involvement of employees in security and at finding, introducing and fine-tuning targeted security related objectives and goals for each of your employees.

These security related goals and targets are necessary to encourage employees to improve their behaviour and reduce security risks.

Motivation

Motivation is the third and easiest to understand dimension of our security culture model. There is lots of information in organisational culture literature about what motivates humans and whether people are motivated from within or by external forces. There is also extensive literature on whether people are inherently good or bad, whether people should be rewarded or punished, and whether manipulating someone's motivation can change effort or output.
Security is one of the only areas of organisational motivation where punishment is still the major motivational tool.

As there is no evidence that employees are intrinsically motivated to adopt secure practices, organisations will need to have appropriate processes in place to ensure employees are motivated in relation to security.

However, organisational literature also clearly indicates that punishment does not work in motivation. In a good security culture we would therefore expect positive motivation to be dominant.

Intrinsic motivation versus extrinsic motivation


Organisational behaviour literature suggests that provision of extrinsic rewards to employees for performing particular tasks, such as direct financial rewards, may actually reduce their intrinsic motivation.

However, organisations should consider both tangible rewards (e.g. money) and intrinsic motivation to adopt new behaviours (e.g. recognition and social participation) when employees are expected to meet modified performance standards or change their behaviour.

While it is essential that employees are made aware that security controls are necessary and useful in order to discourage them from attempting to bypass these controls, motivation in security should not only be aimed at preventing employees from compromising existing security measures and guidelines. A good security culture will encourage employees to be motivated to reflect on their behaviour at all times, to assess how their behaviour influences security and what they can do to improve security.

Although it is important that a degree of trust is involved and that responsibility to act in an appropriate manner is delegated to employees themselves, this does not mean that an organisation should not monitor their behaviour. It is essential that organisations have monitoring processes in place to identify security breaches, and that they investigate those breaches to ensure that unacceptable behaviour is corrected. Of course, the organisation should also reward exemplary behaviour, and should publicise those examples to increase both awareness and motivation.

For example, Defence has initiated an awards program for excellence in security within the Department and Defence Industry that is supported at the highest level of Defence and will be promoted through media reports throughout Defence. 

Horizontal versus vertical Social Participation


Social participation is a well-known aspect of organisational culture. Research has found that some organisations do encourage social participation in line with the organisation's governance structures, such as encouraging staff affected by a decision to participate in the decision making process. This is called vertical social participation. Research suggests that such social participation has only a limited effect on improving the security culture, and that to improve motivation organisations should encourage more widespread social participation. It should be obvious that employees at the same level within different areas of an organisation often come across the same security issues and may not know that others in the organisation are covering the same ground.

Organisations that have horizontal social participation where, for instance, all security practitioners, system and security administrators across the business units are involved in a regular exchange of information to improve decision making, may find that motivation will increase significantly as well.

Stability versus Change 

The Stability versus Change dimension is the fourth dimension of our Ruighaver/Maynard security culture model. While some individuals are open to change (risk-takers), other individuals have a high need for stability (risk-averse). The same is true for organisations. Risk-taking organisations are said to be innovative with a push for constant, continuous improvement. Risk-averse organisations focus on not rocking the boat. Hence, an important aspect of an organisation's security culture is its tolerance for change and innovation.

Organisations that have a high requirement for security often favour stability over change. Change is often seen as bad for security, as it can result in the introduction of new risks or in the invalidation or bypass of controls to existing risks. If this aspect of security culture is in line with the general organisational culture, there will be few problems. However, when change is carefully managed such organisations will need to ensure that their security posture is not static. Security is never 100% and in today’s complex environment tight centralised control over decision making can result in a lack of flexibility.

Facilitating change.


Most organisations have an organisational culture based on decentralised decision making and a tolerance of change. Often periodic cycles of change are purposefully built into the culture and processes to facilitate the introduction of new products and services. If such an organisation has a culture where individual risk taking behaviour within acceptable boundaries may be tolerated or even encouraged, a security culture which is restrictive is doomed to fail.

Most organisations that have a low requirement for security are tolerant to change, but they often fail to realise that the organisation will still need to constantly adapt its security to the inevitable changes in the organisation's environment. The organisation's existing security procedures and practices will need to improve, and this will need to be carefully facilitated. While organisations that have adopted a security policy life-cycle methodology will have a culture of continuous change in that area of security, this may not necessarily extend to other areas such as security strategy development and security governance processes, or even the implementation of security measures.

Finally, research has found that almost all organisations were lacking in the development of new and innovative approaches to security. Most organisations just use the same old traditional security technologies and controls, often based on existing security standards that are more than a decade old.

Orientation to work, task and co-workers 

The fifth dimension of the Ruighaver/Maynard security culture model is Orientation to work, task and co-workers. This dimension deals with the balance between work as a production activity and as a social activity. Some individuals view work as an end in itself with a task focus, concerned fundamentally with work accomplishment and productivity. Other individuals see work as a means to other ends, such as having a comfortable life and developing social relationships.

Individuals with a strong task focus are likely to find that traditional security controls are too restrictive. For example, it is an important principle in information security that there is a trade-off between the use of an organisation's assets and their security. Limiting access to an asset such as email and the internet can significantly improve its security. However, limiting access will result in a serious impediment to the daily operations of employees. There may be a temptation for organisations to lift all restrictions.

Security managers must be continuously fine-tuning the balance between security and how constrained employees feel in their work.  This is an important aspect of a good security culture. Of course, staff will feel less restricted if they are motivated and feel responsible for security, but that alone will not be enough. 

Responsibility and ownership.


While it is obvious that a good security culture depends on making employees feel responsible for security in the organisation, it is just as important that those employees responsible for a particular security area have a strong sense of ownership.

This will be positively influenced by social participation, but can just as easily be negated when staff feel that management do not take any suggestions for the improvement of security very seriously. Hence, a positive response of management and a continuous adaptation of security practices by incorporating at least a few of the suggestions is a must to improve the orientation of staff towards security.

Orientation to work is improved by education and security awareness. Regular education of employees on their roles and responsibilities related to security is crucial.

Too many organisations only give employees an overview of security during induction, and even then they mostly cover aspects of what is considered a legal requirement under governance/compliance rules, missing critical awareness information that necessitates other means of passing information out to all staff.  Security education can also be an important tool in increasing the feeling of responsibility and ownership of those involved in decisions about security. But for education to have a significant impact on the employee’s orientation to work, it will need to be reinforced continuously and must include a response to any unsatisfactory behaviour that has become widespread enough for users to consider it normal behaviour.

Isolation versus Collaboration/Co-operation 

Isolation versus Collaboration/Co-operation is the sixth dimension of the Ruighaver/Maynard security culture model. This dimension addresses underlying beliefs about the nature of human relationships and about how work is most effectively and efficiently accomplished, either by individuals or collaboratively.

It is common knowledge in software engineering that, without user involvement in the design process, acceptance of the resulting information system by the organisation will be minimal. The same is undoubtedly true for security procedures and policies. While organisations often realise that security policies should be created collaboratively using the input of people from various areas of the organisation to ensure their comprehensiveness and acceptance, the cost of this approach seems to be a major obstacle.

It is surprising how often we find that an organisation's security planning and implementation is handled by only a small group of specialists and managers. As a result, the efforts of the security management team are often negated by other decisions taken by managers in the business units and on the work floor.

Control, Coordination and Responsibility 

The seventh dimension of the Ruighaver/Maynard security culture model is Control, Coordination and Responsibility. This dimension of an organisation's security culture is clearly related to the security governance in that organisation.

Where control is tight, there will often be formalised rules and procedures that are set by a few, to guide the behaviour of the majority. The need for governance is limited. Where control is loose, we expect flexibility and autonomy of workers, with fewer rules or formal procedures and shared decision-making. It is that shared decision making that depends on high quality security strategies and a well developed security strategic context.

An organisation with centralised decision making tends to have a tight control. Tight control allows for efficient security management but reduces the flexibility of the organisation to respond to the current dynamic security environment. Literature suggests that even where there are mechanisms of control and formalisation within a centralised organisation, a culture of fear and uncertainty that loose control may result in these control mechanisms such as policies, rules and procedures becoming dysfunctional. This may not in fact be true.

Loose control in security needs better governance.


To cope with the current dynamic business environment, most organisations have opted for a more flexible decentralised decision making structure. While those organisations are likely to have a loose control, change management processes may still influence how loose the control actually is.

It should be obvious by now how important it is that an organisation's security culture is aligned with organisational culture. So a tight control of security in an otherwise loosely controlled organisation is not likely to work very well. It is, therefore, surprising that most often organisations still attempt to keep a tight control on their security.

This is a direct result of the current lack of guidelines for adequate security governance at the middle management level in both literature and current security standards. If an organisation does not develop a proper security strategic context, loose control of security will simply not work.

Loose control also increases the importance of coordination. As discussed under motivation, improving the horizontal social participation in an organisation can be an important tool in improving coordination.

Responsibility needs accountability.


Independent of whether there is a tight control or a loose control, clear guidelines on who has decision rights in the different areas of security are essential. This aspect is often called responsibility, and ensuring that all responsibilities have been assigned is a required feature in any strategic security policy. Top management support for security is a significant predictor of both the direction of an organisation's security culture and the level to which its security policies are enforced. Therefore, whereas operational responsibility and accountability may lie with middle management and end-users, top management has a clear responsibility to:
  • Visibly demonstrate a prioritization of security,
  • Provide strong and consistent support to the overall security program, and
  • Take security issues into account in planning organisational strategies.

Orientation and Focus 

The Orientation and Focus dimension is the eighth and last dimension of the Ruighaver/Maynard security culture model. The nature of the relationship between an organisation and its environment and whether or not an organisation assumes that it controls, or is controlled by, its external environment is an important aspect of both organisational culture as well as of security culture. An organisation may have an internal orientation (focusing on people and processes within the organisation) or external orientation (focusing on external constituents, customers, competitors and the environment), or have a combination of both.

The orientation and focus of an organisation's security will clearly depend on the environment in which the organisation operates. Unfortunately, if an organisation is forced to conform to external audit and government requirements it will be likely that the emphasis of its risk management processes is only on meeting these requirements, and no longer on improving its security. The organisation often believes that meeting these requirements guarantees good security. Similarly, it has been found that many other organisations only aim to bring their protective and ICT security in line with international industry standards. Again the emphasis is often geared towards passing an audit to prove that they have achieved this goal, rather than on achieving the best security for the organisation within the obvious limitations of resources and budget.

As security in an organisation is influenced by both external factors and internal needs, I believe that an ideal security culture has a balance between an internal and external focus. External requirements and industry standards can obviously not be ignored, but the external focus should at least also include an awareness of the organisation's external security environment and how this changes over time.

This will allow the organisation to pro-actively meet any new threats. More important, however, is that the organisation builds up an awareness of its internal security environment. If the organisation is not trying to identify what security breaches occur and why they occur, it will never know if its security strategies are working and how it can improve the implementation of these strategies.

Conclusion

There are challenges for both corporate and government security professionals in creating and maintaining a security culture within their organisation.

Financial constraints within corporations or government agencies provide an environment where risk management strategies must be robust and effective in order to provide an environment where security is valued as a capability enabler rather than a cost burden.

There is no simple solution, nor does one solution fit all. Each business unit has its own dynamics that require analysing to ensure solutions fit the culture and provide an environment where a security culture can thrive.

This is the challenge for corporate and government security advisers in the current and future security environment.

Security Culture Bibliography
Improving your Security Culture.
  1. Chia, P. Maynard, S., and Ruighaver, A.B. (2002) ‘Exploring Organisational Security Culture’ Sixth Pacific Asia Conference on Information Systems, Tokyo, Japan, 2-3 September 2002.
  2. Chia, P. Maynard, S., and Ruighaver, A.B. (2003) 'Understanding Organisational Security Culture' in Information Systems: The Challenges of Theory and Practice, Hunter, M. G. and Dhanda, K. K. (eds), Information Institute, Las Vegas, USA, pages 335 - 365.
  3. Dojkovski, S., Lichtenstein, S. and Warren, M. (2006) Challenges in Fostering an Information Security Culture in Australian Small and Medium Sized Enterprises, Proceedings of the 5th European Conference on Information Warfare and Security, Academic Conference Limited, United Kingdom.
  4. Dojkovski, S., Lichtenstein, S and Warren, M. (2005) Information Security Culture in Small and Medium Sized Enterprises: A Socio-Cultural Framework, Proceedings of 6th Australian Information Warfare & Security Conference, School of Information Systems, Deakin University, Geelong, Australia.
  5. Martins, A. and Eloff, J. (2002) ‘Information Security Culture’ IFIP TC11 International Conference on Information Security, Cairo, Egypt, 7-9 May 2002.
  6. Ngo, L., Zhou, W. and Warren, M. (2005) Understanding transition towards organisational culture change. Proceedings of the 3rd Australian Information Security Management Conference, Perth, Australia.
  7. Ruighaver, A.B., Maynard, S. and Chang, S. (2006) Organisational Security Culture: Extending the End-User Perspective. Computers & Security, Volume 26, Issue 1, February 2007, Pages 56-62.
  8. Ruighaver, A.B. & Maynard, S. (2006) Organisational Security Culture: More Than Just an End-User Phenomenon. Proceedings of the 21st IFIP TC-11 International Information Security Conference (IFIP/SEC 2006). May 22, 2006, Karlstad, Sweden, pages 425-430.
  9. Schlienger, T. and S. Teufel (2002) ‘Information Security Culture - The Socio-Cultural Dimension in Information Security Management.’ IFIP TC11 International Conference on Information Security, Cairo, Egypt, 7-9 May 2002.
  10. Schlienger, T. and S. Teufel (2003) ‘Information Security Culture - From Analysis to Change.’ Proceedings of ISSA 2003, Johannesburg, South Africa, 9-11 July 2003.
  11. Schlienger, T. and S. Teufel (2003) ‘Analysing Information Security Culture: Increased Trust by an Appropriate Information Security Culture’ 14th International Conference on Database and Expert Systems Applications (DEXA 2003), Prague, Czech Republic, September 2003.




Tuesday 30 May 2017

Crime & Security Awareness: some thoughts by Raymond V. Andersson


Media reports over many years now have highlighted the threat of criminal activities to individuals, properties and businesses in Darwin, Palmerston, Alice Springs and other areas within the NT and of course, other states in Australia.  
We live in a society where many criminals operate within their own system of ethical and moral standards, having no respect for the law, age, disabilities or common standards that conform to the general population’s own standards of citizenship.  

The ethical standards and moral positions that we may treasure as being the cornerstone of our communities are regarded as a weakness to be exploited.    This is often supported by arguments regarding the rights of the individual overriding the rights of the many, thus exploiting our own belief system to the criminal’s advantage.   After all, we as a community also believe in the rights of the individual, however we temper this right with our citizenship responsibilities as members of a community.

Much of this crime is blamed on our youth; however, it must be realised that for every juvenile delinquent there are always one or more adult delinquents – people of mature years who either do not know their duty to their community and nation, or who, knowing it, fail. It is a fundamental fact of life that children emulate adults and adopt the adults’ ethical and moral beliefs in most instances.

What then can the average person do to minimise the threat of crime?

First of all, you have to ACCEPT THAT THE THREAT EXISTS. Human nature is a funny thing. We don't like living with threats. Crime is a subject of conversation nearly every day, or night, in homes, bars and workplaces. You read about it in the papers every day, and the TV and radio tell you about it constantly. But as soon as we've finished lamenting the problem, we stick it in the recesses of memory; we forget about it.

You cannot allow yourself to forget that the criminal is out there. They steal for a living.  They assault so they can steal.  They will attack to create an environment of fear and intimidation, so they simply aren't going to forget about you.

Next you have to consciously accept that YOU ARE A TARGET. Now this is quite difficult for the average person, because the average person is a nice person and it doesn't figure that someone you've never seen before in your life wants to harm you. The bottom line is simply that you have something he or she wants. This goes for every crook or assailant on earth. The criminal assault may be purely an act of theft, or low-level terrorism conducted to gain personal satisfaction in the fear or pain created, or just for the individual's or group's self-gratification in stamping their control over ‘their turf’. You have to accept that they do not see the world the way that you do. To them you are simply an anonymous target; a bit like those legs dangling in the ocean in front of a shark.

The main problem is that very strong human belief that 'it will never happen to me'.  Every single crime victim is a 'Me'.

There are a few easy steps that anyone can adopt that can reduce or remove the risk.

a. ENVIRONMENTAL CONTROL: Control your environment by being aware of your immediate and proximate surroundings and being able to react to any apparent potential threat. If the criminal wants to mug you, steal from you, pick your pocket, sell your kids some drugs, they have to take control of the environment in which they are to operate. They might do this by stealth or by force.   By controlling your environment, you take the initiative away from them.

b. ENVIRONMENTAL AWARENESS: Think about it like this: if I am aware of my environment I will be able to react to anomalies. Get to know what is happening around you. Be aware of the normal pattern of life in your neighborhood so that unusual patterns or people will stand out. Harden the security on your home or business, then look outside of this perimeter at the environment that you live and work in.

c. CONSCIOUS SELF-INTERROGATION: This is self-explanatory. As you drive your car or walk along the street where you live, on your route to work, wherever, consciously ask yourself: what is going on around you? Who else is driving or walking within your local environment? Are those persons standing on the corner legitimate pedestrians, or are they watching the behaviour of residents or businesses? Police patrols and well-trained Security Officers carry out self-interrogation at all times whilst working as a matter of street survival.

Make sure you do it consciously, just to make sure that you are keeping up the habit, and after a while your subconscious will take over. Healthy suspicion may help you avoid placing yourself in a position of risk.

d. CORRIDORS AND PATTERNS: Ever heard the saying that 'we're slaves to habit'? It's absolutely true. We oscillate between known points (home, work, the bank, schools) and we go to them at given times and along favourite routes. This plays into the hands of criminals. Vary your routine. Watch for corridors that afford the criminal any advantage. This includes intersection stop signs, traffic control lights etc. They all afford criminals and also terrorists the advantage of time whilst the target has their attention elsewhere. Many thefts, car-jackings and assassinations have occurred at intersections and traffic lights. Be aware of your environment and what is occurring around you.

e. LEAVING AND APPROACHING YOUR CAR: This is particularly important in parking lots. Imagine you are at a shopping centre and you are driving into the parking area.    This is an area where many people develop patterns or create corridors of opportunity for criminals.

Get into your well-lit parking place as quickly as possible and then get out of your car and stand up as quickly as possible, gaining control of your environment once more. Remember that if you are bending down peering at the lock you are surrendering environmental control. After locking up, walk briskly away from your car, observing who is watching you. You don't have rear view mirrors, so consciously turn around and look at your sides and behind you. An observer with ill intent will note that you are alert and, in most cases, will look for an easier target, but don't let this make you 'cocky'; they will still have a go if they don't find easier pickings.

Inevitably you're going to come back to your car, so as you walk out of the supermarket, the hairdresser or the restaurant, you must once more interrogate the area around your car. Do not walk directly to your car; go away from it at an angle so that you can keep it in view and watch for any reactions in the people around. Once you are happy that the area is clear, walk back to your car from a different direction.

Walk to your car as quickly as possible, unlock it while standing upright, get in the car, lock it and get out of there. If you are carrying goods, stay upright as much as possible and put things in the car from a standing position. Do not lean into the car and thus make yourself vulnerable. Having two people can assist here, as one can always remain alert whilst the other packs the car. If you have a remote electronic central locking system, make sure that locking and unlocking is accompanied by a minimum of flashing lights and certainly make sure that your car does not make any bleeping sounds. That will alert anyone in the parking lot that someone with the means to open the car and drive it away is approaching a specific vehicle, and that makes you vulnerable to the opportunist.

f. ON FOOT: We previously looked at controlling your environment when out of your car. Using this principle should also enable you to identify areas you should stay out of: alleys, bushy areas, unlit areas, and shanty areas where environmental clutter makes it hard to control the environment. You just don't go there without adequate protection. Ask any expert self-defence exponent what they would do if four men attacked them whilst alone in a dark alley. Their response would most likely be that they wouldn't be alone in a dark alley. That's the best possible rule of thumb; if you can't control it, don't go there.

Studies and practical implementation overseas have revealed that street and other overhead lighting has dramatically reduced the level of crime in those areas that have adopted this strategy. It also dramatically reduced the fear factor of people going out at night in those same areas. Lighting is a primary tool in Crime Prevention Through Environmental Design and should be considered as a matter of priority by Councils responsible for areas of high crime risk. Lighting assists in bringing control of the night away from criminals and back to the community, and as ratepayers you have a right to live in a safe environment.

When crossing the street in a built-up part of town in a reasonably developed part of the world, you can use shop windows as mirrors if the lighting is right, but it still pays to have the odd look behind you, just so they know you are alert.

Maintaining control of your environment is particularly important at ATMs, which are constantly observed by opportunist thieves. Don't fixate on the screen. Examine the screen before you start and look for any tampering with the machine, but at all times look around you every couple of seconds. In this instance, as in all other situations, you must have your escape route planned. If you don’t feel safe, simply walk away. Trust your intuition when you feel you may be in danger. Intuition or gut feelings can be more often right than they are wrong.

When using mobile phones, it's best to stand with your back to a flat high wall. A shop window is good. Now you only have to sweep your vision through 180 degrees. But remember when you walk off, your environment is 360 degrees again, because some interested party has just seen you use that phone…


Crime will not go away. We must therefore attempt to control it by reducing the opportunity, increasing the risk of detection and capture, and making the criminal act less desirable to all bar the most desperate offenders. This can be achieved by being crime & security aware and taking control of your environment.

Monday 27 March 2017

The Public and Business Image of Security - It's Time to Step Up.

In our Australian media, NSW has recently identified the risk posed by untrained or poorly trained security guards in the industry. Our own licensing people in Darwin appear to be ignoring the issue hoping it will go away.

Despite guards wearing flash uniforms or paramilitary uniforms, this is not an indicator of a well-trained guard force.  Poorly trained guards are a danger to the community and themselves.

I'd love to set a quick test of guard knowledge to see how many Territory guards can read, write and speak English to a standard that meets current AQTF standards and pass a simple test of security law and operational techniques.

Adverse media reports of crowd controllers and security guards devalue the work done by well trained and skilled security practitioners working at the coal face in the industry.  Criminals working in the industry, scam qualifications issued by unscrupulous training providers and crowd controllers who are more hotel employees than security that have exceeded their powers on many occasions bring the security industry into disrepute. 

Crowd controllers, in the main, use the power of force whilst well trained security officers use the power of psychology, well-tuned interpersonal relationship skills, security technology, rules of engagement for security, the force continuum and the law to carry out their role.

The security industry is not well understood in Australia by all levels of society, even our political leaders. This has to change. The industry has been constantly evolving over time and Australia has reached the stage of having security professional status for those that meet stringent criteria similar to other professional groups in Australia, yet it operates in the dark when it comes to public or political awareness. ASIAL have accredited trades personnel certified in security technology, yet the general awareness in Australia is severely limited.

Security is a profession, having a body of knowledge, education and training standards and a code of ethics. Our guards are at the first stage of their career that can evolve into being recognised as being a professional within the industry, after gaining the experience and educational qualifications.  Even our own Australian police are moving towards attaining that goal but have not reached it as yet.

It's up to our security officers, guards and other practitioners in the industry to excel in their role, choose ongoing learning as part of developing their skills and knowledge and perform their duties in a professional manner. We don't all have to reach Registered Professional status but we should all strive to be the best at what we do.

We may not get rid of the cowboys and bullies that seem to gravitate to security guard or crowd controller jobs but each individual has the potential to change the attitude of their client employer and the general public through exceeding client expectations.

Yes I am a Registered Security Professional having done my time as a guard in a range of different contracts, been involved at the middle and senior roles in national security in government agencies and have been accepted as a professional in the US, UK, Malaysia, Singapore, Indonesia and China (not to mention Canberra and other capitals around Australia). I have trained Australian and Chinese in security and crime prevention, have been active in international working groups developing international standards affecting security so trust me; this is not bull shit. We either raise the standard of our industry or be prepared to be relegated to the status of the lowest end of employment in Australia.

It's up to each and every one of us in the security industry to drive change and enshrine professionalism as a byword of security. There are more security guards out at the coal face than specialists working in the field but it will take the will and personal drive of all to make the necessary changes.

Monday 6 February 2017

Providing security training in China – the challenges and gains




The partnership between security providers and training companies supporting the professionalization of the security industry in Asia and the Asia Pacific region is evolving at an increasing rate, with increasing training and professional development opportunities now available that will make the region internationally competitive in providing high quality security services and technology to clients.

At a recent training program in Beijing, where Chinese security operatives completed class work to achieve the Australian qualification of Certificate IV in Security & Risk Management, the overarching theme of improving the status of security through education, training and professionalization was most evident, through questions from students and their attitude towards the training.

Conversations with senior officials of the China Security Association and Beijing Security Association reflected a move in China towards increasing both security management and security officers' skills and knowledge for the benefit of the individuals, their companies and China. This, of course, creates a challenge for non-Chinese national security professionals, who engage with Chinese companies to train up their management and security officers.

My time in Beijing, conducting a three-week Certificate course of class work to be followed by individual project work that would be assessed was a challenging and most professionally enjoyable experience. Training students who have all come from military and police backgrounds in subjects that related to business management, security and risk management required an adaptable training style, working closely with my translator (who was also an educator) to ensure that students were able to take in the knowledge required to meet the course requirements.

Course training involved subjects such as:
  • Coordinate business resources.
  • Promote innovation in a team environment.
  • Lead effective workplace relationships.
  • Establish effective workplace relationships.
  • Lead team effectiveness.
  • Implement continuous improvement.
  • Develop work priorities.
  • Manage a safe workplace in the security industry.
  • Implement effective communication techniques.
  • Advise on security needs.
  • Monitor and review security operations.
  • Facilitate workplace briefing and debriefing processes.
  • Assess risks.
  • Assess threat.
  • Identify and assess security of assets.

I found Chinese students to be receptive to new ideas and, at the course closing ceremony, took great pride in watching them conduct presentations of their new found knowledge to officials of the China and Beijing Security Associations and local security companies, in the presence of their Company, Group Chairman, where they exceeded the expectations of Directors and officials in providing security risk assessment analysis and reports on three projects covering VIP protection, anti-piracy security and critical infrastructure security.

Some lessons learnt during my stay in China.


Conducting training in China requires a transition of mindset for those coming from western orientated countries. The business culture in China has idiosyncrasies that, if not well understood, can create a barrier to undertaking business in the nation. It cannot be assumed that all students have equal levels of education and can understand what are, in many cases, western concepts in business and security education. Students can come from backgrounds ranging from being well educated to not being literate in reading Chinese.

Trainers must spend preparation time, prior to commencing any course, understanding their audience and becoming well acquainted with their translator (if needed). Any Chinese translation of study material or overhead slides must be done in the language of the target audience. 

Although educated Chinese who may have regular dealings with Hong Kong or Taiwan may be able to read Cantonese or Mandarin, it cannot be assumed that all students can do so. It should be recognised that China has 297 living languages; however, mainland China now relies on standard (or simplified) Chinese for its written work. All material for mainland China students should be written in simplified Chinese to avoid misunderstandings.

Unless students can fully understand the written Chinese on an overhead slide, a translator that translates word for word what is said or may be stated on a presentation slide may lead to mis-translations and errors that create confusion in students' minds and can lead to them not caring to listen any further. We must be critical in ensuring technical terms and western concepts are translated properly or can be explained and understood through having a translator that can go that extra mile to ensure he, or she, understands the term sufficiently to explain it to students.

The educator and translator must be as one in being able to explain the context and provide examples that reinforce the message being imparted, to ensure that students understand what is being stated and can relate it to their own situation or prior experiences. This requires a sound inter-personal relationship being built up between the trainer/educator and translator.

Training styles must be adaptable to ensure students clearly understand the material being provided. Some testing adjustments may be required and desk-top exercises may provide enhancements to the learning that question and answer style testing cannot replace.

Using western academic models on slides will cause students to hold back as they attempt to interpret the multitude of information that is often included in such models. The use of straightforward slides that provide the information necessary is recommended to allow easy interpretation by students.

As China is becoming more engaged in protecting Chinese interests internationally, trainers/educators must be well informed on a wide range of international laws and protocols that impact on the operations undertaken by many Chinese companies outside of mainland China. Compliance with international law and United Nations protocols and agreements is critical in ensuring security companies are seen as ethical and credible entities in the countries in which they operate.

The success of training to date has reinforced Chinese companies' desire to source training and knowledge from countries that are honourable partners. My recent trip allowed me to introduce the International Business Director of our client to the Chinese security industry becoming involved in raising the profile of the security industry in China through the ‘Outstanding Security Performance Awards’.

The Outstanding Security Performance Awards (OSPAs) is an international initiative to recognise and reward companies and individuals across the security sector. The OSPAs are designed to be both independent and inclusive, providing an opportunity for outstanding performers, whether buyers or suppliers, to be recognised and their success to be celebrated. Current countries involved are Australia, Germany, Norway, Poland, Romania, the UK, the USA and Nigeria.

With the support of the China Security Association, China may soon join this international initiative.

China, like other nations in the Asia, South East and Asia Pacific region, is open for business and there are opportunities for partnerships that can be mutually beneficial, if managed properly and respectfully.

I found the experience of conducting training in China to be positive and professionally enlightening. Coming from Darwin, Australia, which is the Australian gateway to Asia, I see future cooperation and partnerships with the many countries in our region as being the bedrock for a great future for our region. Our industry in the region has much to gain and little to lose through our inclusive society of security professionals and practitioners.