We all know about the importance of the human factor in our information security processes. However, there is no common recipe on how to switch on information security awareness in a given company or organization.
Education and training are only part of the solution - Non-privileged IT users are often referred to as the weakest link in the security chain. Typical security issues are:
- opening malicious attachments
- getting caught by phishing
- using weak passwords
- transferring confidential data over insecure channels
- saving company data on a medium without backup
- installing unapproved software
- losing mobile devices
The situation can be improved to some extent by repeatedly teaching the users a list of relevant Do's and Don'ts. But for the rest we need a better understanding of the psychological aspects.
Trying to understand human nature - While technology is in permanent development and progress, some components of human character have never changed:
- We rely on long-term experience.
- We estimate risks based on our intuition.
- We feel safe if potential enemies are far away.
- We are used to allowing exceptions.
These properties are obviously not in line with today's requirements for an effective risk-based security framework. We have to accept that human beings don't always think and act in a logical and reliable way. Soft factors play a role in the behavior of users as well as of IT specialists; sometimes they even affect management decisions. So what are the good arguments for a better understanding of security?
Business-focused security awareness - Some of the most effective triggers of human awareness are money, the law and personal responsibility. In our awareness-raising activities we should try to focus on these values. The security goal to be communicated is not to reach a high security level or to reduce IT-related risks as such, but to ensure business success within a legal framework.
Information security culture - An isolated awareness campaign will usually not induce long-lasting changes in the attitude and behavior of the target groups. Security has to become an integrated part of the business processes. In order to establish and maintain a general culture of security, contributions from different roles are needed:
- Senior management officially recognizes the importance of security.
- Superiors respect the security policy without any V.I.P. exceptions.
- The helpdesk supports users with reliable and helpful services.
- IT architects take account of security throughout their projects.
- Developers consider usability aspects, e.g. by compiling comprehensive configuration menus, security warnings and help texts.
- Users who know what they are doing cause fewer incidents.
Secure processing of information and data should be made as easy and normal as possible.
Conclusion - Instead of complaining about human error we should try to understand the reasons for insecure behavior. Information security is only given the appropriate attention if its business impact is visible. Rules and guidelines should always be based on the company strategy and supported by the management. Keep in mind that security awareness doesn't develop very quickly, so never give up!