Environmental subsystem risks and controls

In the socio-technical approach, the environmental subsystem is often related to legislation, government or customers. The requirements of these actors can influence the way the organisation operates and what it produces. Additionally, in information security approaches, there is some attention to the physical surroundings of an organisation. The environment can limit and shape the organisation’s information processing. For example, the geographical location of an organisation defines the possibility of acts of nature influencing the ability to communicate and process information. This, in turn, defines requirements for the security of the built environment and for the security of the underlying technical infrastructure. Furthermore, the environment in terms of social-geographic and demographic figures, has the ability to influence the social and technical subsystems in terms of possibility of robbery, theft, burglary and so on.

Physical and environmental security is an element of information security, which is not often discussed in depth in information security studies. The scope of physical security is to protect the physical surroundings of information processing activities. This means the people; the building and its facilities; the hardware and communications; and the environment around the building. Physical security also extends to the employee’s home. Working from home on the business network and mobile working create requirements for security controls at the remote location. The handbook of the National Institute of Standards and Technology (NIST), an agency of the U.S. Commerce Department, describes how physical controls aim to protect against interruptions in computer services, physical damage, theft, unauthorised disclosure of information and loss of control over systems (NIST, 1996). Methods to select controls to protect against these risks are often based on checklist or risk assessments. The international standard ISO/IEC 27001 suggests that physical controls include backup power supplies, fire controlling equipment, access control to the building, and clear desk policy. These controls are meant for a specific perimeter, and do not include the wider environmental and socio-geographical context. Some risks remain uncontrolled when following only this standard’s suggestions.

The social environment is an element that is not often included in information security risk analysis methods. Local crime rates in the neighbourhood could influence the risk of staff being robbed of their information carrying devices (laptops, tablets, smartphones) at the car park or whilst walking to their transportation. Cozens, Saville

and Hillier (2005) reviewed the core findings from place-based crime prevention research and found that a growing body of research supports the assertion that crime prevention through environmental design is effective. The architecture of the built environment and urban planning could have a direct relationship with crime and security and defines the security risk and the fear of crime in the community where an organisation is placed.

Moral laws and information ethics are becoming new areas of interest for information security researchers studying environmental controls. This is where academic fields such as psychology, philosophy and sociology could contribute to the understanding of the handling of secrets by persons and social groups and how people are affected by the loss of secrets (e.g. by loss of face, embarrassment, loss of trust, loss of membership of a group, stigma, loss of image and so on).

Thompson and Kaarst-Brown (2005) use examples of socio-cultural studies that studied the role of secrecy in different social groups and secret societies such as Native Americans and the Ku Klux Klan. These studies show that individuals within these societies feel that the information about the group must not be known to outsiders.

Obtaining access to secrets is a sign of trust in the individual member and the information serves as social lubricant to maintain the cohesiveness of the unit and to signal identity in the group. The betrayal of the secrets is a major offence and could lead to termination of the membership. These type of studies have not been extensively researched in relation to information security, which could be a satisfactory line of inquiry for the future as it may provide insights into compliance to policy and perception of security.

Dourish and Anderson (2006) explored the social context of privacy and security. They argue that people have constantly changing information needs, which are subject to on-going revision and re-interpretation. Information management, in their view, is a way in which social actions are achieved. Therefore, any privacy and security requirement must be grounded in an understanding of the specific social and cultural context within which the activity is taking place. Furthermore, they propose that the concerns for risk, danger, trust, secrecy, identity, morality, and power are collectively giving meaning to information activities. They state that “security and privacy are ways in which people collectively understand the world” (p.338). They are social products rather than natural facts. In their approach, they do not seek to automate security in technological artefacts, but “to support the human and social practices through which the whole complex of

phenomena –privacy, security, risk, danger, secrecy, trust, identity, morality, power, and so forth- are managed and sustained” (p. 338).

The environmental and social context of information security expands to governments and relates to topics such as information policy, diplomacy and international relations (Choucri, 2012; Choucri & Goldsmith, 2012; Gady & Austin, 2010; Mueller, Schmidt

& Kuerbis, 2013). For example, the resilience of critical infrastructures is a matter of national security. President Obama stated that: “Organizations should cooperate more with each other and with governments, and even governments should work together internationally to secure information held in computer networks and to protect critical infrastructures” (Obama, 2011). However, international cooperation on this front is still in its infancy and is mainly military funded. Particularly in countries that have experienced significant downsizing of (conventional) military forces, cyberspace has attracted a considerable interest in the new opportunities for the military to play in what has become framed as “information warfare and information operations” (Eriksson &

Giacomello, 2007, p. 178). In a way, this resembles the early days of information security when computing was mainly a military problem.

Examples of international collaboration are the NATO Cooperative Cyber Defence Centre of Excellence, an organisation that originated from military initiatives and aims to coordinate help after a major cyber attack, or Computer Emergency Response Teams (CERTs), who aim to handle incident response. The first CERT was developed by the U.S. Defence Advanced Research Project Agency in 1998 and now the system has expanded worldwide, with more than 250 organisations dealing with Internet security problems. Europe’s Convention on Cybercrime is one of the more formal initiatives to foster international cooperation by harmonising criminal laws, and investigative and prosecutorial procedures around the world. Although it has not yet managed to have all member states sign the convention, it represents a cooperation that had not previously existed. The G8 sub-group on High-Tech Crime is another large-scale international network that maintains network of contacts for high tech crime and an international Critical Information Infrastructure Protection (CIIP) directory, but this initiative does not operate within clear legal frameworks, making it difficult to cooperate (Hathaway et al., 2012; Helms, Constanza & Johnson, 2012).

Global cooperation and Internet governance is problematic, yet vital for information security. According to Beck (2007), such cooperation “must be constructed” (p. 186), as he states that it will not automatically appear. However, the emerging international

security discourse, conferences, research centres, and so on, may suggest a wide interest in cooperation, without the power struggles. Here lies a role for information security experts to act professionally, to support governments and to inform the public (von Solms, 2010). Beck calls this macro-ethics: “Social groups and firms coordinate their activities, offer competing assessments of risk and create new identities, laws and international organisations in economies, society and politics” (p. 15).

Van Dijk (2012) relates information security issues to politics and power, by discussing them in a book chapter with that name. He finds it remarkable that discussions about computer network vulnerabilities are reduced to aspects of technical security and the protection of confidentiality and privacy, as he states: “It is about the stability of the entire social system working with new ICTs” (p. 96). He argues that “the most fundamental values of society are at stake: social equality, democracy, freedom, safety, quantity and quality of social relations and the richness of the human mind” (p. 3-4).

Maybe, as a result of the slow pace at which governments are able to organise themselves in this area, or as a result of the need for knowledge or even fear, many initiatives arise from the industry, academia and public sector organisations. As many organisations struggle with the security of their data individually, although sometimes seeking help from branch organisations, institutions, consultants or international standards, the calls for more regional and national cooperation are getting more frequent, indicating that information security is an international issue in our modern society and should be researched, approached and governed as such.

Information security controls in the environment are also related to public policy on human interaction and the risks to privacy, freedom of speech, equality, fairness, dignity and other human rights. Braman (2011) sees information policy as the strategic solution to frame and understand the effects of the laws and regulations involving information.

Furthermore, according to Orna (2008), information policy also provides the essential context for organisational information policies, which cannot be understood without it.

Questions have been asked on how society will control these issues. On a national level, steering and policy are lacking (Choucri & Goldsmith, 2012; Duff, 2012), and the law is unclear on how to handle cyber crime (Hathaway et al., 2012; Helms et al., 2012).

Furthermore, discussions about information ownership and liability for fraud and confidentiality breaches are only just beginning.

Duff (2012) even argues that information policy could possibly play an important role to protect democracy and equality by ensuring equal access to information. According to Duff, the state has been allowing a free market in information, which has implications for society and the democratic rights of individuals to access information.

He proposes the implementation of certain political and moral principles to ensure a just state that prevents inequality within society (a disparity between information-rich and information-poor) and to ensure an equal access to and a justified storage of personal data. The state should represent the moral convictions of people about how they wish to have their selves and their digital selves treated.

In contrast, Castells (2011) expresses his opinion against Internet policy (p.115) and his disappointment in networks regarding the topic of global Internet governance. He observes that governments are trying to regulate control over the Internet and to enforce that control through traditional categories of law and order. Castells argues that controls over the Internet are not likely to be effective when they are not directed towards specific corporations or organisations. He argues that the liberalisation and deregulation of Internet is based on capitalism and state control, and has led to the formation of global multimedia business networks where “business interest prevails over state interest” (p.116).

Governments have to play a crucial role. Information policy is an important component in the deliberations of national governments and international public bodies, yet it is much less immediately visible than other areas of public policy (Rowlands, Eisenschitz,

& Bawden, 2002). At its highest level, information policy comprises all the laws, regulations and public policies that encourage, discourage or regulate the creation, use, storage and communication of information. Historically, information policies have evolved in direct response to the emergence of specific technologies, such as print, telephony, radio or value added and data services. For example, as was observed by Porat (1977), privacy policy is often “reduced to decisions regarding control of and access to information technologies” (p. 211). To improve this, he states that neither the policy (or ideological) perspective nor the technology perspective alone can solve privacy problems, but that the two must work together.

Related to information security, the process of international cyber security diplomacy proves to be delicate. States with a major influence on international relations such as the U.S., Russia, China and the European Union, considered in this connection as a ‘super state’, accuse each other of hacking, attacking and spying on citizens. The Internet,

which has traditionally been governed from a market principle and self-regulation, has become the centre of international power struggles. The protection of critical infrastructures depends now on global policy versus self-regulation and global hierarchy versus collaboration. The traditional laissez-faire principle now leads to discussions about state control, responsibility and information policy.

Perhaps in the future, our society and politics can evolve towards or can construct a

“global solidarity” (Beck, 2007) to protect information. A unified and adaptive global

‘management’ of states, formed by a coalition of different groups from society and businesses provides an opportunity for information security experts to gain influence and to become part of a secure digital future. If our globalizing society can manage to keep trust in its people and institutions, by changing the social, moral, reputational, and institutional pressures as well as the security systems, then, in the future, governance and compliance may be substituted by ‘trustworthiness’ and security by ‘trust’

(Schneier, 2012).

Information policy discussions are thriving at the time of writing of this thesis. The media are currently covering the alleged worldwide spying of the U.S. government on citizens through the Planning Tool for Resource Integration, Synchronization, and Management (PRISM). It is currently the centre of an international diplomatic row, and time will tell if this issue has the potential to stimulate a new wave of security discourse, information policy and citizen empowerment.