Publication


Featured research published by Kerry-Lynn Thomson.


Computer Fraud & Security | 2006

Cultivating an organizational information security culture

Kerry-Lynn Thomson; Rossouw von Solms; Lynette Louw

An information security solution should be a fundamental component in any organization. One of the major difficulties in achieving the assimilation of information into an organization is the actions and behaviour of employees. To ensure the integration of information security into the corporate culture of an organization, the protection of information should be part of the daily activities and second-nature behaviour of the employees.


Computers & Security | 2005

Information security obedience: a definition

Kerry-Lynn Thomson; Rossouw von Solms

Information is a fundamental asset within any organisation and the protection of this asset, through a process of information security, is of equal importance. This paper examines the relationships that exist between the fields of corporate governance, information security and corporate culture. It highlights the role that senior management should play in cultivating an information security conscious culture in their organisation, for the benefit of the organisation, senior management and the users of information.


Computer Fraud & Security | 2009

From culture to disobedience: Recognising the varying user acceptance of IT security

Steven Furnell; Kerry-Lynn Thomson

It is often observed that addressing security can be as much about people as it is technology. One of the key aspects here is establishing the correct mindset, and ensuring that people are working for (or at least with) security rather than against it. Unfortunately, people are very often perceived as an obstacle rather than an asset in this regard. Indeed, to quote an Information Security magazine survey from a few years ago, one of the biggest hurdles for organisations to overcome in their attempts to address security is the problem of “unalert, uninterested, lax, ignorant, uncaring end users”. One of the most prevalent problems when protecting information assets is the apathetic attitude, and resulting actions and behaviour, of employees. Given that the corporate culture of an organisation shapes the beliefs and values of those within it, it becomes essential to address the mindsets of employees and ensure that relevant security knowledge and skills are communicated to them. However, organisations cannot assume a uniform starting point; employees will have varying degrees of compliance that may evolve to become more compliant or more disobedient depending on the guidance provided by management. This article examines the levels of security acceptance that can exist amongst employees within an organisation, and how these levels relate to three recognised levels of corporate culture. It then proceeds to identify several factors that could be relevant to the development of culture, from traditional awareness-raising techniques through to context-aware promotion of security.


Computer Fraud & Security | 2006

Towards an Information Security Competence Maturity Model

Kerry-Lynn Thomson; Rossouw von Solms

The corporate culture of an organization influences the behaviour of employees and ultimately contributes to the effectiveness of an organization. Information is a vital asset for most organizations. Therefore, ideally, a corporate culture should incorporate information security controls into the daily routines and implicit behaviour of employees. This paper introduces the Information Security Competence Maturity Model as a possible method to evaluate to what extent information security is embedded in the overall current corporate culture of an organization.


Information Management & Computer Security | 2012

Combating information security apathy by encouraging prosocial organisational behaviour

Kerry-Lynn Thomson; J. van Niekerk

Purpose – The protection of organisational information assets is a human problem. It is widely acknowledged that an organisation's employees are the weakest link in the protection of the organisation's information assets. Most current approaches towards addressing this human problem focus on awareness and educational activities and do not necessarily view the problem from a holistic viewpoint. Combating employee apathy and motivating employees to see information security as their problem is often not adequately addressed by “isolated” awareness activities. The purpose of this paper is to show how employee apathy towards information security can be addressed through the use of existing theory from the social sciences. Design/methodology/approach – By means of a literature study, three key organizational environments that could exist are identified and explored. Goal‐setting theory is then investigated. Finally, arguments are presented to show how goal‐setting theory could be used to actively foster an organ...


Computer Fraud & Security | 2009

Recognising and addressing ‘security fatigue’

Steven Furnell; Kerry-Lynn Thomson

Despite widespread recognition as a crucial issue for both organisations and individuals in IT contexts, there remain numerous cases in which we fail to follow good security practice. While some will be down to lack of awareness, skill or investment, other situations will witness security failings in spite of all the necessary pieces being in place. In these cases, the reason often comes down to how people perceive and feel about security, and the way that the need for compliance is promoted to them.


Information Security for South Africa | 2011

Information Security Governance control through comprehensive policy architectures

Rossouw von Solms; Kerry-Lynn Thomson; Prosecutor Mvikeli Maninjwa

Information Security Governance has become one of the key focus areas of strategic management due to its importance in the overall protection of the organization's information assets. A properly implemented Information Security Governance framework should ideally facilitate the implementation of (directing), and compliance to (control), Strategic level management directives. These Strategic level management directives are normally interpreted, disseminated and implemented by means of a series of information security related policies. These policies should ideally be disseminated and implemented from the Strategic management level, through the Tactical level to the Operational level where eventual execution takes place. Control is normally exercised by capturing data at the lowest levels of execution and measuring compliance against the Operational level policies. Through statistical and summarized analyses of the Operational level data into higher levels of extraction, compliance at the Tactical and Strategic levels can be facilitated. This scenario of directing and controlling defines the basis of sound Information Security Governance. Unfortunately, information security policies are normally not disseminated onto the Operational level. As a result, proper controlling is difficult and therefore compliance measurement against all information security policies might be problematic. The objective of this paper is to argue towards a more complete information security policy architecture that will facilitate complete control, and therefore compliance, to ensure sound Information Security Governance.


IFIP International Conference on Key Competencies in the Knowledge Society | 2010

Evaluating the Cisco Networking Academy Program’s Instructional Model against Bloom’s Taxonomy for the Purpose of Information Security Education for Organizational End-Users

Johan Van Niekerk; Kerry-Lynn Thomson

Organizational end-user information security education is becoming increasingly important in the current information society. Without the active co-operation of knowledgeable employees, organizations cannot effectively protect their valuable information resources. Most current information security educational programs lack a theoretical basis. This paper briefly examines the use of Bloom’s learning taxonomy to help address this lack of theoretical basis. The paper further investigates the applicability of the Cisco Networking Academy Program’s (CNAP) instructional model for the delivery of end-user information security instructional content, planned with the assistance of Bloom’s taxonomy.


Computer Fraud & Security | 2009

Scare tactics – A viable weapon in the security war?

Steven Furnell; Maria Papadaki; Kerry-Lynn Thomson

End users are frequently criticised as the sources of bad security practice, and it is suggested they might take the issue more seriously if they experienced a breach. An option for enabling this would be for security administrators to deliberately create conditions and situations that provide first-hand demonstrations to targeted users. Such approaches are referred to as scare tactics. It is widely accepted that securing information technology requires much more than just technology-based protection. We can hone the technology as much as we like but not get any benefit if people fail to use it properly. It might seem harsh, but security would be much easier to maintain if users could be taken out of the equation altogether. Feelings sometimes run so high that those working in the field say that security would be much easier to push, and more readily accepted, if you could teach users a lesson every once in a while.


Information Security Conference | 2003

Integrating Information Security into Corporate Governance

Kerry-Lynn Thomson; Rossouw von Solms

Information is an important asset of any organisation and the protection of this asset, through information security, is equally important. This paper examines the relationship between corporate governance and information security and the fact that top management is responsible for high-quality information security.

Collaboration


Dive into Kerry-Lynn Thomson's collaboration.

Top Co-Authors

Johan Van Niekerk

Nelson Mandela Metropolitan University

Rossouw von Solms

Nelson Mandela Metropolitan University

Lynn Futcher

Nelson Mandela Metropolitan University

Rayne Reid

Nelson Mandela Metropolitan University

Thandolwethu Mabece

Nelson Mandela Metropolitan University

Tian Gerber

Nelson Mandela Metropolitan University

E. Swanepoel

Nelson Mandela Metropolitan University

J. van Niekerk

Nelson Mandela Metropolitan University

J.F. Van Niekerk

Nelson Mandela Metropolitan University
