Chapter 7 Information Security Service Branding – a question of image
7.6 Information security awareness – its role and importance
Various international information security standards and guidelines have emphasized the value of ISA to the effectiveness of information security policies and controls in the organization. According to ISO/IEC 27002:2005 (ISO/IEC 27002, 2005), if end-users are not made aware of their security responsibilities, they remain unmotivated and unreliable and can cause information security incidents leading to considerable damage to an organization.
ISO/IEC 27001:2005 (ISO/IEC 27001, 2005) states that the ISA control consists of ensuring that all end-users, whether employees or contractors or other third party end-users, receive “appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function”. According to ISO/IEC 27002:2005, the ISA activities should also include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents.
ISO/IEC 27002:2005 (ISO/IEC 27002, 2005) states that information security awareness, education and training are common practices and that this control applies to most organizations and in most environments. According to the standard, ISA, along with the marketing of information security and the dissemination of guidance on information security policy and standards within the organization are some of the critical success factors for the implementation of information security in the organization. ISO/IEC 27002:2005 (ISO/IEC 27002, 2005) underlines the importance of ISA by stating the following:
• The information security policy document should mention the security education, training, and awareness requirements;
• Management of the organization should initiate plans and programs to maintain information security awareness;
• Various functions in the organization should cooperate and coordinate their efforts to ensure effective promotion of information security education, training and awareness throughout the organization;
• It is the responsibility of the management of the organization to ensure that all end-users, whether employees, contractors or third party users are properly briefed on their information security roles and responsibilities; are provided with guidelines to state security expectations of their role within the organization; are motivated to fulfill the security policies of the organization; and achieve a level of awareness on security relevant to their roles and responsibilities within the organization.
ISO/IEC 27002:2005 (ISO/IEC 27002, 2005) also provides implementation guidance for ISA. According to this standard, ISA should begin with a formal induction process that introduces the end-users to the organization’s security policies and expectations before the end-users are granted access to information or services. This induction process should be complemented by an ongoing ISA program disseminating information regarding security requirements, legal responsibilities, business controls, and the disciplinary process as well as training in the correct use of information processing facilities.
According to another standard, GAISP V3.0 (ISSA, 2003), the purpose of ISA is to inform end-users regarding the ‘acceptable use’ principles and practices that lead to the protection of the information assets of the organization. GAISP V3.0 lists the “Awareness Principle” as one of the “Pervasive Principles”. This principle states that all end-users in an organization should have “access to applied or available principles, standards, conventions, or mechanisms for the security of information and information systems”. Furthermore, these end-users should be “informed of applicable threats to the security of information”. GAISP V3.0 underlines the importance of ISA by stating that enhanced awareness leads to improved levels of acceptance of controls; otherwise end-users may be tempted to ignore, bypass or overcome the existing controls. GAISP V3.0 also lists “Education and Training” as one of its “Broad Functional Principles”. According to this principle, the management in an organization should ensure that all end-users are educated about “standards, baselines, procedures, guidelines, responsibilities, related enforcement measures, and consequences of failure to comply”. A failure to communicate effectively can lead to unintentional and intentional breaches by end-users. Furthermore, this failure may limit the organization’s ability for enforcement, prosecution of criminal activity and the opportunity to seek legal redress.
Thomson and Von Solms (1998) stated that ISA is a program to educate, and continually remind, end-users regarding information security issues. According to the authors, the ISA program should be designed to change both the attitudes and the behaviour of the end-users to ensure that their actions are security conscious. Thomson and Von Solms (1998) highlight the issue that rapid changes in business and information technology are reducing the effectiveness of physical and technical controls and that these controls alone are not sufficient. Thus, for effective information security, it is necessary to educate end-users and change their behaviour to such an extent that security actions become part of their sub-conscious. According to Thomson and Von Solms (1998), changes in attitude are more likely to result in long-term and durable behaviour change. Consequently, the ISA methodology should first use persuasion in an attempt to change attitudes before proceeding to attempt any direct changes in behaviour. Thomson and Von Solms (1998) proceeded to state that end-user ‘acceptance’ of the message is an antecedent for attitude change; and for this ‘acceptance’ to occur, the ISA program must be tailored to the characteristics of the audience.
Siponen (2000) states that ‘information security awareness’ refers to “a state where users in an organization are aware of – ideally committed to – their security mission”. According to the author, ISA is of “crucial importance”. Siponen (2000) elaborates on the point that awareness includes education and training. Education enhances end-users’ insight into information security issues; training imparts to them the skills and competence to perform in accordance with information security policies and controls in the organization.
Du Plessis and Von Solms (2002) state that the effectiveness of information security in the organization depends to a large extent upon end-users. Consequently, end-users need to be educated on the importance of their role and how to behave in order to fulfill this role, so as to protect the information assets of their organization. According to the authors, ISA consists of “making users aware of their responsibilities in securing the information technology environment and motivating them to do so”. The content of the ISA program should include topics on the “importance of information and information security”, “threats to and vulnerabilities of computer systems”, “information security policy” and “specific procedures and how to implement them” (Du Plessis & Von Solms, 2002).
According to Wipawayangkool (2009), organizations no longer focus on writing formal policies; rather, organizations today focus on applying these policies via the building of an informal culture. This is achieved through ISA, which is a fundamental and critical factor for the effectiveness of ISM in the organization. According to the author, ISA has two key dimensions, namely, “to understand” and “to act”. Trainee progression along these two dimensions ensures that: the trainee learns all the principles of key knowledge of information security (cognitive aspect); the trainee develops optimistic attitudes towards both specific content in training sessions and generic concepts of security (affective aspect); and the trainee ultimately learns to act in a secure manner (skills aspect). Thus, ISA equips the trainee both with knowledge and the capability to act in compliance with information security policies and controls in the organization.
ISA is accorded great importance by various international standards, guidelines and academic authors. These standards, guidelines and authors also delineate the content of ISA and the ways and means by which ISA programs provide their benefits to the organization. However, several authors have also mentioned the weaknesses in present ISA approaches and have pointed out the failure of ISA to deliver its promised benefits to the organization. The next sub-section discusses this aspect of ISA.
7.6.1 Information security awareness – its weaknesses
Various authors have written about the weaknesses in present-day ISA approaches. These weaknesses stem mainly from the simplistic approach to the link between ISA and the improved information security behaviour of end-users in the organization.
According to Siponen (2000), most organizations treat ISA as consisting of “passing around security guidelines in a factual manner”. In this approach, it is futile to believe that “after a security awareness lesson people will all follow the guidelines at once”. The author further states that people may respond to ISA in a positive manner leading to “readjustment, co-operation, acceptance and internalization”; a negative response may result in “repulsiveness or hate, even leading to different kinds of resistance”. Siponen (2000) concludes that an ISA approach based on the mere dissemination of information is bound to fail.
Albrechtsen (2007) states that most organizations conduct ISA as “expert-based one-way communication directed towards many receivers”. This approach to ISA is futile and most end-users tend to remain unaffected. Sometimes, ISA programs include gifts as incentives. Such programs too tend to fail, as end-users remember only the gift while forgetting the message. Albrechtsen (2007) further cites the poverty of such communication, as it fails to motivate end-users to seek security related information even when they are aware of its availability.
Chipperfield and Furnell (2010) state that the most common approach to ISA in the organization is to provide documented security policy to end-users. The authors cite the failure of such methods of promotion. According to the authors, the SafeBoot survey (Grant, 2007) shows that nearly 80% of public sector employees ignore information security policies and exhibit insecure behaviour. The simplistic view towards ISA is that end-users simply need to be told, i.e. made aware of various facts, and, in return, end-users will simply comply. This approach has a negative impact as it leads end-users to regard policies “as an overhead in terms of being just another thing to be read and remembered”.
To tide over the weaknesses of present-day ISA approaches, various authors have proposed using a ‘promotion’ or ‘selling’ or ‘marketing’ approach to ISA (Chipperfield & Furnell, 2010; Stewart, 2009). These approaches are inspired by the principles of marketing from the business domain. According to Stewart (2009), marketing approaches promise a holistic approach to ISA. This concept is not new, and Siponen (2000) cites Perry (1985) as proposing an approach that makes information security an “in topic (fashionable and everybody-wants-to-use-it) within an organization”. Siponen (2000) also cites McLean (1992) as proposing a ‘selling’ approach in which campaigns are used to promote information security in the organization. According to Siponen (2000), such approaches need to be used with care and cannot be considered as achieving the commitment of end-users to information security in the organization.
Weaknesses in the present-day approaches to ISA have been highlighted in this section. The main weakness is the assumption of a simplistic link between end-users being told and then complying. The next sub-section takes this discussion further by indicating the lack of consideration of the image of information security in the minds of end-users in the organization.
7.6.2 Information security awareness – its lack of focus on image
The previous two sub-sections have discussed the role and importance of ISA in the organization and the inherent weaknesses in the present approaches to ISA. This sub-section takes this discussion further. This sub-section indicates the lack of focus of present ISA approaches on improving the image of information security in the minds of end-users in the organization.
As discussed earlier in previous sections, information security suffers from a negative image in the minds of end-users in the organization. Earlier sections have also discussed the importance of image as a perceptional filter that influences the effectiveness of all communication and operational efforts of the organization. Against this backdrop, it is vital to stress that communication efforts in the organization should first focus on creating, or correcting, a positive image for information security in the minds of end-users in the organization. Instead, ISA has tended to focus on educating end-users to make them capable of behaving in accordance with information security policies and controls in the organization. ISA approaches have continued to ignore the antecedent for their effectiveness, namely, the image aspect. Even the selling or marketing approaches have addressed ISA in terms of the benefits, incentives or rewards and direct one-to-one communication – such approaches have not yet addressed the image issue. Thus, the failure of ISA approaches to achieve behavioural change, and hence the criticism in the previous sub-section, is not entirely unexpected.
The role, importance and weaknesses of present ISA approaches have been discussed in this section. It is vital to recognize that while ISA is considered to have significant benefits for the organization, it continues to suffer from weaknesses that limit the benefits it delivers. This section has concluded by suggesting that the failure of present ISA approaches lies in the fact that they tend to ignore the image aspect. The discussion in this chapter has so far emphasized the critical role of image regarding information security in the organization. Hence, it can be argued that ISA efforts need to be enhanced with efforts targeted at improving the image of information security in the minds of end-users. Towards this end, branding, from the domain of marketing in business, is a useful concept. Branding is focused on creating a favourable image in the minds of customers. Likewise, in the context of information security in the organization, branding holds promise for creating a positive image of information security in the minds of end-users in the organization. These branding efforts constitute Information Security Service Branding (ISSB) and they will complement the existing ISA efforts in the organization. The concept of branding is discussed in the next section.