
Chapter 4 A Model of IS/IT Security Governance: The Role of the Boards and Senior Management within

4.2 The Three Components of IS/IT Security Governance

4.2.3 Informal component

The third component of IS/IT security governance, the Informal component, deals with the people and human-aspect issues in the implementation of IS/IT security. As introduced briefly in Chapter 2, Dhillon et al (2000) pointed out that contemporary processes of protecting IS/IT in organisations involve not only maintaining the confidentiality, integrity and availability of IS/IT but also engaging human aspects, including the responsibility of employees, the integrity of people, trust and ethicality (Dhillon et al, 2000). The human-aspect terms are defined as follows: integrity is a “part of the requirement of membership of an organisation” (Dhillon, 2000, pp. 127-128). Trust is “self-control and responsibility and less emphasis on external supervision” (Dhillon, 2000, pp. 127-128). Ethicality involves compliance with the company code of ethics and “the ethical content of informal norms and behaviour” (Dhillon et al, 2000, p. 128).

Responsibility is knowledge of roles and separation of duties; employees are expected to exhibit “their own practices on a basis of clear understanding of their responsibilities” and to be accountable both for what has gone on in the past and for the development of events in the future (Dhillon et al, 2000, p. 127). The definition of the Informal component of this conceptual framework therefore covers the structure of responsibility, integrity, trust and ethicality.

As clearly stated in Chapter 2, the Informal component of this conceptual framework is also related to security culture, the norms of employees, employee beliefs and personal values (Mishra et al, 2007). As noted by Mishra et al (2006), a lack of security culture results in problems in maintaining the integrity of the whole organisation and indirectly threatens the protection of technical systems. The importance of security culture in an organisation has also been emphasised in the literature: for example, greater involvement of the Board and senior management improves the security culture of an organisation (Knapp et al, 2006). Knapp et al’s research methods and findings are presented in Chapter 2.

Moreover, Mishra et al (2007) have stressed the important role of human factors in solving IS/IT security problems and have suggested establishing normative controls. Normative controls are a by-product of a dominant security culture, which is the totality of behaviour in an organisation that contributes to protection of all kinds (Mishra et al, 2007). Cultural norms are behaviours and practices that already exist within the corporation, perhaps arising from the environment at the physical location of the organisation.

Figure 4.4 shows that the Informal component of this conceptual framework involves culture, norms and beliefs. In this framework, the culture, norms and beliefs of an organisation are influenced by two elements: employee values and organisational values.

Figure 4.4. Informal component of IS/IT security governance conceptual framework

The behavioural research issues identified by Mishra et al., such as values, attitudes and norms, are important for the development of personal and organisational values. The behavioural aspect of information systems security governance relates to conformity with the policies and procedures of the organisation and to the management of people (Mishra et al, 2007).

Furthermore, the model of IS/IT security governance in this study has drawn upon Dhillon’s (2007) model, in which employee values are considered to relate to people’s integrity, trust and ethicality, while organisational values are concerned with structures of responsibility. Dhillon et al (2007) found that two determinants, structures of responsibility and the integrity of people, were the most important factors for behavioural security.

The two specific elements of the Informal component are now discussed.

a) Employee values

Employee values relate to the personal and ethical values of individuals within the organisation (Gaunt, 2000; Wood, 2002; Stanton, 2004). Attitude of staff, commitment, user behaviour and high levels of trust and integrity are examples of the personal values of employees. The ethicality of employees involves compliance with the corporation’s code of ethics and the external standards of work practices (Dhillon et al, 2007). The employee values held in an organisation may or may not be appropriate for effective IS/IT security implementation, depending on those values and beliefs. For example, the organisation sets a policy for the use of security software to protect IS/IT assets and business data from viruses, worms, malicious attacks and other possible forms of attack. One of the procedures stated in the policy is to conduct virus scans periodically over desktop computer drives and folders. Those who do not follow and comply with the procedures in the policy are considered to lack integrity and trustworthiness. Employees with low integrity and trustworthiness bring risk to the company’s IS/IT implementation, as failure to perform the virus scan procedure exposes the systems to threats and vulnerabilities.

Putting a policy in place is an example of a deterrent control, which is used to discourage deliberate or unintended human actions in a passive way. The example of a deterrent control was discussed in an earlier section; the use of four security controls and countermeasures for coping with IS/IT security risks from the informal aspect is now discussed: deterrent, preventive, detective and remedy controls. If the deterrent control is not effective in controlling human actions, the preventive control line takes over. The organisation needs strong access controls, such as passwords, fingerprints or face recognition, in order to actively control and protect the IT system from modifications and data manipulation. Automatic IS/IT security systems such as an Intrusion Detection System are software applications that monitor system and network activity for malicious activities or policy violations and produce reports to a management station (in this case, the IT Department). The Intrusion Detection System may attempt to stop (actively), or alert and notify about (passively), intrusion attempts arising from suspicious and abnormal activities of employees in the organisation in real time.
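To make the detective-control step concrete, the following is an added example (not from the thesis) in Python: it audits a constructed scan log against the periodic virus-scan procedure described in the employee-values section and produces the findings a management station would report to the IT Department, naming the responsible user for each host. The log format, the seven-day scan interval and the host and user names are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Assumed policy interval (not stated in the thesis): a completed scan at least every 7 days.
SCAN_INTERVAL = timedelta(days=7)

# Constructed scan-log lines: "<ISO timestamp> host=<name> user=<id> result=<ok|skipped|error>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 host=desk-01 user=u101 result=ok
2024-03-08T09:05:00 host=desk-01 user=u101 result=ok
2024-03-01T10:00:00 host=desk-02 user=u102 result=ok
2024-03-09T10:00:00 host=desk-02 user=u102 result=skipped
2024-02-20T08:30:00 host=desk-03 user=u103 result=ok
2024-03-05T11:00:00 host=desk-04 user=u104 result=error
"""


def parse_log(text):
    """Turn the log into (timestamp, host, user, result) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        records.append((datetime.fromisoformat(ts), kv["host"], kv["user"], kv["result"]))
    return records


def last_completed_scan(records):
    """Latest successful scan per host; skipped or failed runs do not satisfy the procedure."""
    latest = {}
    for ts, host, user, result in records:
        if result == "ok" and (host not in latest or ts > latest[host][0]):
            latest[host] = (ts, user)
    return latest


def audit(records, now, interval=SCAN_INTERVAL):
    """Detective control: report hosts whose last completed scan is older than the interval."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    latest = last_completed_scan(records)
    users = {host: user for _, host, user, _ in records}  # responsible user per host
    findings = []
    for host in sorted(users):
        if host not in latest:
            findings.append({"host": host, "user": users[host], "days_overdue": None, "reason": "no completed scan"})
            continue
        ts, user = latest[host]
        overdue = now - ts - interval
        if overdue > timedelta(0):
            findings.append({"host": host, "user": user, "days_overdue": overdue.days, "reason": "scan overdue"})
    return findings
```

Each finding carries the user as well as the host, so the report can be passed up the structure of responsibility rather than only triggering a technical fix.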

b) Organisational values

The Informal component of the IS/IT security governance framework is also concerned with the organisational values which may influence the business processes. Organisational values are the Board’s expectations of the ways in which employees should work and interact with each other in achieving IS/IT security governance and other duties. This includes the establishment of structures of responsibility and authority for the success of IS/IT security, involving the identification of agents (e.g., individual, group, department) and of their roles and associated actions (Backhouse et al., 1996). Furthermore, Dhillon et al. (2007) added that structures of responsibility also involve the establishment of supervisory roles, the separation of duties and the establishment of start and finish times of the authority (e.g., when she/he retires or a contract ends). The structures of responsibility, if practically and consistently implemented, become part of the cultural norms in a corporation (Solms et al, 2004). As Solms et al note, the structure of responsibility is derived from the policies, and if the employees show conformity with the policies, the security culture is automatically formed and cultivated. In the previous section on employee values, the policy was used for deterring human actions; in this section the policy is used for structuring the responsibility of security roles.

In summary, ineffective and inefficient control of IT risks from the Informal component will lead to corporate failure. Employee values and organisational values are part of the Informal dimension, and effective implementation of the Informal dimension still requires interaction between the Informal, Formal and Technical dimensions.

In order to align these relationships, management must provide managerial reports on employee values and organisational values from lower levels. If problems at lower levels cannot be resolved, the supervisor holding the responsibility should assess and report the problems to upper levels for decisions and actions. This is because not only does the supervisor have the responsibility, but the holder of the responsibility is also responsible for discharging his/her obligations in IS/IT security, such as reporting.