IT Security Culture Transition Process
Leanne Ngo, Deakin University, Australia
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
INTRODUCTION
The information superhighway is here and stretches further than the eye can see. Our working environment is becoming ever more hectic and demanding, computers and information technology are more pervasive, and old limitations are falling away. The once single dimension of information and technology is now multifaceted and convoluted (Ngo & Zhou, 2005). As a result, organizations need to be more vigilant than ever in actively responding to new information and technology security challenges and in ensuring their survivability in this new age.
Over the years many information technology (IT) security approaches (technical, managerial, and institutional) have surfaced. Safeguards and countermeasures have also been developed, practiced, and learned within organizations. Despite all these attempts to reduce and/or eradicate IT security threats and vulnerabilities, the issue continues to be problematic for organizations. Solutions are needed that reach the core of the problem: safeguarding and controlling humans, the human aspect of IT security.
Humans are a pervasive element in our businesses and critical infrastructures, the element which interacts with systems, services, information, and information technology. Furthermore, humans are responsible for the design, development, operation, administration, and maintenance of our information systems and resources. Therefore the ultimate success of any effort to secure information resources depends largely on the behavior and attitudes of the humans involved. While technological solutions can solve some information security problems, even the finest technology cannot succeed without the cooperation of humans. IT security is not just a technical problem that can be solved with technical solutions, but also a human problem that requires human solutions.
This article reviews the current literature on the human aspect of IT security within an organizational context. Human-related IT security concerns are summarized, and current human-related IT security solutions are examined and discussed. In this article, we consider IT security culture as a plausible solution to improving the IT security-related behavior and attitudes of humans. We present our IT security culture transition model, which is currently being trialed in three organizations to assist with increasing IT security awareness and hence improve the IT security culture of the individuals (managers and employees) and of the overall organization. Further, we discuss the potential individual psychological experiences of managers and employees during the transitional change towards IT security culture change.
BACKGROUND
Human-related IT security problems concern how people relate to and interact with security. Here, human-related IT security problems are presented, together with current human-related solutions for controlling and managing the human side of IT security.
Human-Related IT Security Problems
Human factors impeding IT security within an organizational context, with examples, include:
1. How humans perceive risk: People do not know how to analyze risk properly, and this leads to improper actions.
2. Ability to make security decisions: Organizations cannot expect general employees to be IT security experts on top of their daily work.
3. Human memory limitations: We are unable to remember numerous and complex passwords.
4. Trust: We must have faith and confidence in the security of our computers.
5. Usability: Individuals trade off security against practicality.
6. Social engineering: Being manipulated into doing things we would not normally do.
These human factors stem from natural human tendencies. Natural human tendencies suggest that humans are emotional, manipulative, and fallible. For example, humans want to get their job done and want to be helpful. Because people are helpful, they are easily deceived, as the success of social engineering attacks shows (Mitnick & Simon, 2002). Furthermore, humans are irrational and unpredictable. Unlike computers, which can be programmed to process instructions in a logical order, humans are irrational and complex and do unpredictable things. Barrett (2003) states that for all the cleverness organizations put into formulating creative, innovative, and secure efforts, all of them can be breached if users are reckless, implying that recklessness and carelessness are common natural human tendencies. Natural human tendencies put an organization at risk of many security-related threats.
A better understanding of these predispositions will provide organizations and the greater community with a better chance of protecting and securing the human aspect of information security.
Current Human-Related IT Security Solutions
Current human-related IT solutions encompass understanding the human aspects and enforcing compliant behaviors and attitudes towards IT security. These current solutions include:
• Behavioral Auditing for Compliance: Current (security) auditing methods do not effectively cover the behavior of employees. Vroom and von-Solms (2004) propose the concept of behavioral auditing for compliance as a way of understanding, identifying, and resolving IT security-related human behavior concerns. However, it is very difficult to obtain reliable and valid results when auditing human behavior, because humans are unpredictable by nature.
• IT Security Policy: IT security policy has the potential to enforce compliant security behavior and attitudes among employees (Wood, 2004). IT security policies are a set of rules that outline how information and technology are to be protected to achieve the organization’s security goals. This lets people understand what is expected of them and be accountable for their actions. Simply telling people to behave in a certain way is one option, but managers should not expect humans always to act as prescribed. As Dekker (2003) argues, procedures do not rule human behavior; he suggests that procedures should be seen as resources for action rather than as an expectation about human behavior.
• Security Training and Education Programs: A good security training program improves users’ decision-making skills by giving them the necessary knowledge about security threats and the consequences of their actions (Leach, 2003). With the growing number of mobile employees, enterprises face greater risk from employees who have an inadequate understanding of the current security threats and risks to their computers. This illustrates the need for better security education on current security threats and best practices.
• Ethical Standards of Behavior: Eloff and Eloff (2003) and Jones (2004) researched ethical standards of behavior related to security and asserted that, in order to change a user’s behavior, there need to be guidelines on which to base such behavior. The authors maintained that following established guides such as the IEEE professional code can promote good behavior and influence others to do the same.
• Leveraging Technology to Reduce Human Error: IT systems have become increasingly complex. Consequently, human errors resulting from operating these systems have increased. Experts have highlighted how IT has now gone beyond legitimate users’ ability to use information systems honestly and appropriately without causing a security breach. Legitimate users such as employees are more likely to prioritize getting their work tasks completed over ‘thinking’ about security (Besnard & Arief, 2004). These authors suggest better software design with security built in, that is, invisible to the user.
Any approach to human information security should aim to achieve transparent security, that is, security built into the technology or diffused into the daily lives of humans, so that security is not seen as an afterthought. It should be easy to understand, that is, it should consider usability issues and facilitate security decision making. It should be least-effort, that is, ask humans to do as little as possible, since humans do not act or behave as prescribed. It should be continuous and constant, that is, whatever the effort, it needs to be persistent so as to act as a recurring reminder of the importance of security. And it must aim to be personal, that is, security must be taken on board by humans on a private and individual basis in order for them to take it seriously.
IT Security Culture
Culture relates to the way in which things are done in an organization, and thus to the behavior and attitude of its members. An ethical culture of security is one in which organizational members hold strong ethical values that are exhibited in their security attitudes and behaviors within the organization’s operational security environment. An organization whose members hold such values and beliefs towards its operational security environment has better prospects of successful security culture change.
Creating a security culture means to change the current culture to a more security-conscious one. This requires an examination of the current culture. An examination of the current culture will allow an organization to highlight areas that require greatest attention for change. Fostering a culture of security means to instill security as a way of life. This means integrating security into the behavior and attitudes of people towards a security-conscious state.
The main limitations of creating a security culture are that it requires understanding and communication, it is slow and uncertain, and it is difficult to measure whether culture change has taken place (Vroom & von-Solms, 2003). Security training, awareness, and education programs are critical in fostering security culture within individuals and organizations. These programs help employees understand, be responsive to, and appreciate the need to act in a responsible, security-mindful way. Education may not solve all problems, but it will at least let users know the consequences of their actions. Humans should see security as a personal gain and a benefit to themselves and to the overall organization.
There are several methods by which an organization can foster a strong security culture. Vroom and von-Solms (2004) argue that three cultures within an organization require change: (1) the organization as a whole, (2) groups or departments, and (3) individuals. The authors articulate that once group behavior begins to alter, this influences the individual employees and likewise has an eventual effect on the formal organization (Vroom & von-Solms, 2003). This suggests that any organization attempting to change its culture should do so in small incremental steps (Kabay, 1993), and hence gradually and voluntarily (Vroom & von-Solms, 2003).
In a short amount of time, the security and management literature has produced several key ideas regarding how organizations can foster and instill a culture of security. However, very little has been done to address the transition towards IT security culture improvement from both an organizational and an individual point of view. Noting the key points suggested by the literature, we propose our IT security culture transition model.
IT Security Culture Transition (ITSeCT) Model
The ITSeCT model proposed by Ngo, Zhou, and Warren (2005) aims to assist the organizations participating in their research to better meet the organization’s desired level of IT security awareness and culture. Employees need to understand their roles and responsibilities in order to make informed and morally correct judgments and actions. Our IT security transition model details the roles and responsibilities of managers and employees in the transition process towards improved IT security culture in the workplace. The model places importance on raising awareness of IT security threats and risks, and of the consequences of IT security-related behavior and actions in interactions with IT and information systems in the workplace.
Our ITSeCT model proposes a culture in which individuals behave in an expected manner when faced with new security challenges. We know that technology will always advance. Therefore, giving individuals knowledge of IT security basics such as threats, risks, and the consequences of their actions will allow them to gradually adapt to constant change, and hence allow us to predict expected behavior.
The transition model is intended to assist organizations in transitioning towards IT security culture improvement. The model consists of two main players: leaders (managers) and followers (general employees). The model is shown in Figure 1. It highlights the respective roles and responsibilities of managers and employees. The former have the role of overseeing and managing the process, and the latter adapt to and accept the transition.
There are three phases within the model. Phase 1, Ending, requires an understanding of letting something go. In this article’s case, it is letting go of the current behavior and apathetic attitude towards IT security. Management communicates this change, and employees understand and recognize the reasons for change. Phase 2, Neutral Zone, is the fertile ground opened for new requirements and actions to flourish, steered by management, and adjusted to and learned by employees. Phase 3, New Beginning, looks towards the improved IT security culture. Management reinforces and commits to the new status quo, and employees accept and embrace it. The transition process needs the commitment and support of management and the understanding and acceptance of employees to have any chance of success. Furthermore, any new venture in any organization requires planning and dedication.
Transition is the adjustment, development, and change experienced by people within organizations when progressing towards achieving a particular change (Bridges, 2003). Understanding the transition process is crucial for successful organizational information security culture change. Furthermore, identifying the key roles of management and employees in the transition process will allow for a better understanding of their respective responsibilities. For more explanation and discussion of the model, please refer to Ngo et al. (2005).
The ITSeCT model is easy to follow as a step-by-step process. Only two major parties are involved: managers and employees. There is no need for technology spending, as it focuses solely on improving the attitudes and behavior of individuals.
IT Security Culture Transition Model: Individual Context
Bridges (2003) asserts that there are two transition processes running concurrently. The first has been discussed; the second is the individual psychological transition process. When changes are happening within an organization, the people affected by them are also going through their own psychological transitions (Iacovini, 1993; St-Amour, 2001; Harvard Business School, 2003). Ngo et al. (2005) show in Figure 2 an adaptation of an individual transition process and the psychological experiences suggested by St-Amour (2001) during each transition phase.
Figure 1. IT security culture transition model (horizontal axis: time)
Management, ‘Leaders’:
• Phase 1: Ending. Communicate what has to be changed and the reasons for change.
• Phase 2: Neutral Zone. Define and steer new requirements and what to do.
• Phase 3: New Beginning. Reinforce and commit to the new status quo.
Employees, ‘Followers’:
• Phase 1: Ending. Understand and recognize what has to be changed and the reasons for change.
• Phase 2: Neutral Zone. Adjust to new requirements and take action.
• Phase 3: New Beginning. Accept and embrace the new status quo.
In Table 1 we present the personal experiences that managers and employees may have during each phase of the transition process towards IT security culture change. Our example is based on applying Bridges’ (2003) framework of transition and St-Amour’s (2001) individual transition process. Table 1 shows this example.
FUTURE TRENDS
Human IT security research will give us a better understanding of the human factors associated with IT security, which is fundamental to understanding how humans interact and behave towards IT security. This knowledge can provide the basis for proposing possible approaches and measures to manage the human aspect of IT security. Human IT security research will also help to raise awareness among those who are unacquainted with the potentially detrimental threats and risks that humans can cause. Therefore, it is anticipated that this research will generate a great deal of interest, not only from corporations and governments but also from the general public.
Our future research project will focus on this research gap to promote IT security awareness and establish an IT security culture within organizations. Furthermore, an IT security awareness and culture assessment tool will be a direct outcome of this research, which will be made available to participating Australian organizations.
Table 1. Individual transitions: Managers vs. employees
Managers
Endings:
• No longer ignoring the potential impact of IT security threats
• No longer taking a reactive approach to security
• No longer having a false sense of security
Neutral Zone:
• How, when, and what information should I communicate to my employees?
• Will my employees care enough to participate?
• Do I trust my employees enough with extra responsibility?
Beginnings:
• Proactive approach to security
• Supporting and commitment to IT security culture
• Understanding of potential IT security threats and risk
Employees
Endings:
• No longer ignoring the potential impact of IT security threats
• No longer not caring about security
• No longer seeing security as solely the IT team’s and manager’s responsibility
Neutral Zone:
• Responsible for organizational security
• Realizing that I am part of the security team
• How will I change my behavior and attitude to be IT security conscious?
• How do I adjust to the new requirements?
Beginnings:
• I am part of the organizational security strategy
• I am a security-conscious employee
• My interactions with IT and security conform to the organization’s security policies and procedures
CONCLUSION
Human-related security problems should be addressed with human solutions. Technical solutions, although important, cannot be the only means of solving human problems, and any approach should focus on solutions tailored to solving the human problem.
Understanding and having a well-planned transition process is crucial for successful organizational informa-tion security culture change. Furthermore, identifying the key roles of management and employees in the transition process will allow for better understanding of their respective responsibilities.
This article addressed the key roles and responsibilities of managers and general staff in improving the IT security culture in an organization’s operational environment. The model highlighted the importance of understanding the transition process required for IT security culture change. We reviewed the key developments in IT security culture research. Our model was developed based on key IT security culture research and Bridges’ (2003) transition process framework.
Furthermore, we highlighted that individuals such as employees and managers go through their own psychological transition concurrently with the organization. We provided an example of the psychological transition process that managers and employees may go through when transitioning towards IT security culture improvement. We based our example on Bridges’ (2003) transition process and St-Amour’s (2001) individual transition framework.
REFERENCES
Barrett, N. (2003). Penetration testing and social engineering: Hacking the weakest link. Information Security Technical Report, 8(4), 56-64.
Besnard, D., & Arief, B. (2004). Computer security impaired by legitimate users. Computers & Security, 23, 253-264.
Bridges, W. (2003). Managing transitions: Making the most of change. New York: Perseus.
Dekker, S. (2003). Failure to adapt or adaptations that fail: Contrasting models on procedures and safety. Applied Ergonomics, 34, 233-238.
Eloff, J., & Eloff, M. (2003). Information security management: A new paradigm. Proceedings of the 2003 South African Institute for Computer Scientists and Information Technologists Conference, South Africa.
Harvard Business School. (2003). Managing change and transition. Boston: Harvard Business School Press.
Iacovini, J. (1993). The human side of organization change. Training & Development, 47(1), 65-68.
Jones, A. (2004). Technology: Illegal, immoral, or fattening? Proceedings of the 32nd Annual ACM SIGUCCS Conference on User Services, Baltimore, MD.
Kabay, M.E. (1993). Social psychology and infosec: Psycho-social factors in the implementation of information security policy. Proceedings of the 16th U.S. National Computer Security Conference.
Leach, J. (2003). Improving user security behavior. Computers & Security, 22(8), 685-692.
Mitnick, K.D., & Simon, W.L. (2002). The art of deception: Controlling the human element of security. Indianapolis: Wiley.
Ngo, L., & Zhou, W. (2005). The multifaceted and ever-changing directions of information security: Australia get ready! Proceedings of the 3rd International Conference on Information Technology and Applications (ICITA 2005), Sydney, Australia.
Ngo, L., Zhou, W., & Warren, M. (2005). Understanding transition towards information security culture change. Proceedings of the 3rd Australian Information Security Management Conference, Perth, Australia.
St-Amour, D. (2001). Successful organizational change. Canadian Manager, 26(2), 20-22.
Vroom, C., & von-Solms, R. (2004). Towards infor-mation security behavioral compliance. Computers & Security, 23, 191-198.
Wood, C.C. (2004). Developing a policy your company can adhere to. Retrieved February 6, 2006, from http://www.searchsecurity.com
KEY TERMS
Individual Transition Process: The transitional and psychological process individuals go through when transitioning towards change.
IT Security Awareness: Familiarity with IT security literacy concepts by either an individual or the organization as a whole.
IT Security Culture: Relates to the way in which things are done in an organization, thus relating to the IT security behavior and attitude of its members.
IT Security Management: Refers to the policies, processes, procedures, and guidelines regarding how to manage and control information and technology for achieving security goals.
IT Security Policy: Formally written IT security statements similar to that of laws aimed at representing IT security rules within an organization context.
ITSeCT (IT Security Culture Transition) Model: A role- and process-based model aimed at assisting individuals and organizations in increasing IT security awareness and in transitioning towards IT security culture improvement.
Transition: The adjustment, development, and change experienced by people within organizations when progressing towards achieving a particular change.