The first article in this series provided an introduction to our research analyzing human factors and their influence on an effective information security management system, and the second installment explored some of the background knowledge on the subject, including Force Field Analysis (FFA) and the GOAL-Driven Risk Management Model.
This last part of the series will look at modelling human factors in information security management systems.
The proposed work analyzes human factors proactively, with the aim of supporting an effective information security management system. We adopt a combination of the force field analysis method and the goal-driven risk management model to support modelling of the human factors. The aim is to understand what the ideal situation should be for an organization that takes human issues into account across its overall IS matters.
Figure 3 above shows the concepts used for modelling human factors. This model consists of three levels. Human factors comprise the first level and represent the important factors identified in our earlier study of IS incidents. This level can be recognized directly as part of the outcome of the interviews we conducted. The second level comprises the driving and restraining forces.
These are derived from the outcome of the SWOT analysis and from the employees' prioritization in the questionnaires. The third level of the model is defined by the goal-driven approach, in which driving forces support the goals of the ISMS and restraining forces act as obstacles to fulfilling the ISMS objectives.
Driving Factors as Goals
The driving forces, which promote changes in the way human factors are managed and dealt with, are varied and extremely difficult to identify. Goals in this paper are the objectives and requirements that must be addressed in order to deal effectively with human factors such as errors and apathy. In this article we used the outcome of the SWOT analysis to identify the driving and restraining forces for the achievement of ISMS goals.
In that respect, Awareness, Management Support, Budget and Security Culture have been identified as driving forces. Based on the IS incidents discussed, these factors were found to promote ISMS goals (Alavi et al, 2013).
Some of both the direct and the indirect human factors can be categorized as driving forces. Whilst their natures differ, they can advocate alteration in the process of designing, implementing and evaluating an ISMS so that it is effective and efficient. These forces, however, must be validated and prioritized, and the state of their criticality must be determined.
Restraining Forces as Obstacles
Obstacles in this study are the restraining forces, which prevent changes and consequently create risks and render the system unable to fulfill its goals. For example, human stress prevents people from adopting the changes that ensure the ISMS performs effectively. People in organizations are skeptical of ISMS measures and guidelines and may resist learning to use new principles and procedures that would enhance the efficiency of the ISMS.
Identifying their reluctance and planning strategies to work through these obstacles is the key to implementing an effective ISMS in an organization. As change becomes an increasingly common occurrence in the way information is managed by technology, understanding human factors offers a view of the dynamic interaction between individuals and the ISMS, and so of the forces resisting change.
Based on the SWOT analysis, some direct and indirect factors were weaknesses of the system, which can be translated into restraining forces opposing change in the way the ISMS is handled. The resisting forces are therefore Errors, lack of Experience, Apathy, Negligence, Stress, lack of Communication, and lack of Security Policy Enforcement.
Understanding Organizational ISMS Situation
The force field analysis methodology requires an understanding of the current and the ideal situation of the ISMS, which enables the identification of driving and restraining forces. This section comprises the current and the ideal general state of the ISMS, linking up the goals and obstacles in an effective ISMS process. The goal of the ISMS is to reach a situation in which risks are minimized by encouraging constant positive changes to the system. This goal is the ideal situation.
Obstacles or restraining forces, however, work to keep the status quo and prevent any changes to the ISMS. This is the current situation. The current situation therefore fosters risks, as the resisting forces build up information security vulnerabilities. Understanding the ideal situation enables organizations to identify the driving forces needed to attain the right control measures to meet ISMS goals. Without an understanding of these two situations, organizations are unable to make any improvements in control measures, either for known risks or for new risks arising from weak countermeasures within the ISMS.
Ideal Situation for ISMS
In contrast to the current state of the ISMS in organizations, the ideal situation is the desirable situation of an organization with respect to its ISMS. The ideal situation may take different forms in different organizations, depending on their IS culture, practices and guidelines.
Information security standards, however, provide an overview of an ideal situation. For example, ISO/IEC 27001, one of the well-known standards released by the International Organization for Standardization in October 2005, specifies certain requirements of an ideal ISMS situation, as follows:
- A consistent framework of IS controls, ISMS policy, appropriate risk management procedures concerning risks that are considered unacceptable.
- A routine scrutiny of an organization’s risks, with consideration of threats, vulnerabilities, and impacts of those risks.
- A constant review of ISMS policies and controls to ensure the corrective and preventive actions are in place.
The ISMS is expected to take care of IS leadership and of the organizational frameworks and processes that protect information. In the reality of organizational activity, however, this ideal role is challenged regularly. Despite this clear direction and these guidelines, organizations do fail to fulfil the requirements. This ideal situation is clearly the goal of the ISMS, and the driving forces promote this goal by introducing constant positive changes.
Current Situation in ISMS
Defining the current situation helps to determine how an organization currently deals with ISMS goals. The current situation resists change and prevents any effective changes that would help the ISMS achieve its goals. Restraining forces are promoted in the current situation, and risks accumulate.
Consequences of the Continuation of Current Situation
Information security incidents are rising. These incidents have impacts on organizations in various ways. The most common types of impact that must be considered in an organization's information security profile are: financial cost, legal liabilities, business status (reputation), theft, vandalism, damaged intellectual property, and the morale and confidence of employees and customers.
These impacts hamper the system when resisting forces create obstacles to change in order to keep the current status of the ISMS untouched. This happens whilst the driving forces push for changes that promote a better, ideal situation in which risks are downgraded and decreased.
To explain the situation, we use force field analysis, which defines the interaction of two conflicting groups of forces: those endeavoring to promote change, the driving forces, and those seeking to maintain the status quo, called the restraining forces (Lewin, 1947).
The equilibrium, or current situation, must be disrupted for change to happen, which can be achieved by supporting conditions favorable to the change and eliminating resisting forces. According to the FFA model, whenever the driving forces are stronger than the restraining forces, the status quo or equilibrium will change and the organization moves from its current status to a better place, closer to the ideal situation of the system.
Outcome of the Force Field Analysis
The analysis of all the forces shows that the driving forces need to be supported and that the information security senior management team must make decisions to eliminate the restraining forces. The status quo, or current ISMS situation, will stand unchanged as long as the resisting forces are stronger than the driving forces for change. This clearly averts organizations' efforts from moving towards the goals of the ISMS, that is, a better and safer situation.
If an organization stalls in the same situation, it will face risks that increase vulnerabilities and accumulate further risks. Senior managers must address the very important individual concerns that act as resisting forces, such as apathy, negligence and stress, whilst providing better facilities to enhance communication and security policy enforcement, and minimizing errors by introducing training programs.
The important aspect of the outcome is its emphasis on the individual characteristics of human factors as the resisting forces of change. Factors such as apathy, error and stress have received high scores.
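The force field rule stated above (the equilibrium shifts only when the driving forces outweigh the restraining forces) and the prioritization of resisting forces that follows from it can be written down as a small scoring model. The example below is an added illustration, not code from the article or from the author's research. The force names are the ones the article lists; the 1-to-5 strength ratings are constructed placeholders standing in for questionnaire results, and the `adjust` interventions are hypothetical.

```python
"""Force field analysis (FFA) scoring model for ISMS human factors.

Added illustration, not code from the article or the author's study.
Force names come from the article; strengths (1 = weak, 5 = strong) are
constructed placeholders, not measured values.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Force:
    name: str
    strength: int   # 1..5, constructed rating (stands in for questionnaire scores)
    driving: bool   # True: supports ISMS goals; False: restrains change


# Driving forces identified by the article's SWOT analysis (scores constructed).
DRIVING = [
    Force("Awareness", 3, True),
    Force("Management Support", 3, True),
    Force("Budget", 2, True),
    Force("Security Culture", 2, True),
]

# Restraining forces identified by the article's SWOT analysis (scores constructed).
RESTRAINING = [
    Force("Errors", 4, False),
    Force("Lack of Experience", 2, False),
    Force("Apathy", 5, False),
    Force("Negligence", 3, False),
    Force("Stress", 4, False),
    Force("Lack of Communication", 2, False),
    Force("Lack of Security Policy Enforcement", 3, False),
]


def total(forces):
    """Sum of strengths, rejecting ratings outside the 1..5 scale."""
    for f in forces:
        if not 1 <= f.strength <= 5:
            raise ValueError(f"{f.name}: strength {f.strength} outside 1..5")
    return sum(f.strength for f in forces)


def net_force(driving, restraining):
    """Driving minus restraining strength. Positive means the equilibrium
    moves toward the ideal situation; zero or negative means the status quo holds."""
    return total(driving) - total(restraining)


def status_quo_holds(driving, restraining):
    return net_force(driving, restraining) <= 0


def prioritize(restraining, top=3):
    """Restraining forces ranked by strength (ties broken by name): the
    obstacles senior management should address first."""
    ranked = sorted(restraining, key=lambda f: (-f.strength, f.name))
    return [f.name for f in ranked[:top]]


def minimum_shift(driving, restraining):
    """Total strength that must be removed from restraining forces (or added to
    driving forces) before the driving side is strictly stronger."""
    net = net_force(driving, restraining)
    return 0 if net > 0 else 1 - net


def adjust(forces, deltas):
    """Apply hypothetical interventions: deltas maps force name -> change in
    strength. Results are clamped to the 1..5 scale; unknown names are rejected."""
    known = {f.name for f in forces}
    unknown = set(deltas) - known
    if unknown:
        raise KeyError(f"unknown forces: {sorted(unknown)}")
    return [
        replace(f, strength=max(1, min(5, f.strength + deltas.get(f.name, 0))))
        for f in forces
    ]


if __name__ == "__main__":
    print("net force:", net_force(DRIVING, RESTRAINING))
    print("status quo holds:", status_quo_holds(DRIVING, RESTRAINING))
    print("address first:", prioritize(RESTRAINING))
    print("strength to shift:", minimum_shift(DRIVING, RESTRAINING))
    # Hypothetical interventions: training and engagement reduce the top three
    # restraining forces; management backing and budget raise the driving side.
    eased = adjust(RESTRAINING, {"Apathy": -3, "Errors": -2, "Stress": -2})
    boosted = adjust(DRIVING, {"Awareness": 2, "Management Support": 2,
                               "Budget": 2, "Security Culture": 1})
    print("after restraining cuts only, status quo holds:", status_quo_holds(DRIVING, eased))
    print("after both sides adjusted, status quo holds:", status_quo_holds(boosted, eased))
```

With these constructed scores the three highest-ranked obstacles are apathy, errors and stress, matching the article's finding, and reducing them alone does not tip the balance: the driving side has to be strengthened at the same time, which is the point the article makes about supporting driving forces while eliminating restraining ones.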
This article provides a summary of research that underlines the importance of understanding the driving and restraining forces for positive change in effective ISMS practice. The proposed human factors model employs a combination of force field analysis and a goal-driven approach. The human factors are categorized into two distinct kinds of force: driving and restraining. Driving forces support ISMS goals by promoting change.
Restraining forces, on the other hand, constitute barriers that stop positive change. The outcome demonstrates the relationship between the security of an organization and the potential impact that people can have when it comes to very individual issues such as stress and apathy. We believe restraining factors create a situation in which information system vulnerability increases and risk factors escalate. These risks put organizations in an extremely difficult legal and financial situation.
We are convinced that this research can provide a constructive, quantified insight into the roles of human factors in information security change management. However, we need to validate the approach. We are currently working to deploy the model within an organizational context as a case study, to understand the applicability of the approach.
About the Author: Reza Alavi (@SecurityVPeople) is currently conducting his research in the School of Architecture, Computing and Engineering (ACE) in the University of East London. His research topic is: “Modeling a Human-Centric Approach For An Effective Information Security Management System (ISMS) – British Financial Institutions Perspective”. His research interests are the role of people and organizations in Information Security Management System (ISMS) with special interest in Information Assurance (IA). Reza has been working in various IT and business management positions such as Networking, IT Audit, and Sales and Marketing Management for the last 23 years.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.