Integrating Security Into The Corporate Culture by Steve Purser on 13/12/04

At a major security conference several years ago, I asked a group of security professionals to define risk in such a way that it could be understood by non-specialists and then to suggest different ways of reacting to risks once they had been identified. Interestingly enough, many of those present were able to come up with good examples of risks, but defining risk in practical terms as a concept turned out to be a difficult exercise, even for security professionals. Equally interesting was the fact that although everyone realized that risks could be managed by some kind of mitigation exercise, very few people identified the option of transferring the risk to a third party (e.g. by insurance or contractual means) and even fewer suggested that it might make sense to simply accept certain risks. The important point here is that thinking about risk is not necessarily simple and even the experts can have difficulties when they are put on the spot.

Nevertheless, the notion of risk is at the heart of information security. Implementing real security involves understanding security-related risk and reacting to it appropriately; in general, the better employees are at doing this, the more secure the enterprise will be. Put another way, even well-designed technical controls and procedures will be of limited value if the staff involved do not understand why they have been implemented, what they are accomplishing and what their limitations are. As the previous paragraph illustrates, however, achieving this level of understanding represents a major challenge and normally involves a great deal more than an annual awareness initiative. Indeed, for many organizations this will involve a cultural change requiring the integration of security concepts into the working culture.

Recent surveys in the area of information security confirm that there is still a lot of progress to be made in this area. For example, one of the key findings of the 2004 CSI/FBI Computer Crime and Security Survey is that although organizations view security awareness training as important, they do not on average believe that their organization invests enough in this area [1]. This conclusion is supported by the Ernst & Young 2003 Global Information Survey, which reports that only 29% of organizations list employee awareness and training as a top area of information security spending [2]. Much along the same lines, the Australian Computer Crime and Security Survey 2004 notes that “the most common challenges and difficulties respondent organizations faced were changing user attitudes and behavior (reported by 65% of respondents) and keeping up to date with information about the latest computer threats and vulnerabilities (reported by 61% of respondents)” [3]. Finally, the DTI Information Security Breaches Survey 2004 points out that the relatively low priority businesses give to educating their own staff is surprising, given that a significant proportion of businesses recognize a need for more information security advice from third parties [4]. These results are largely in line with previous surveys in this area [5].

This short paper analyzes why organizations should consider spending more time on developing a culture that is both aware and capable of responding to security-related risk and goes on to suggest ways in which this could be achieved.

The full paper is available in PDF format.

