Don't blame 'stupid users' for data breaches


Security breaches that can be traced back to the actions of one individual are not the fault of one "stupid" employee but rather a failure to educate and engage the whole workforce around the importance of good security practice, according to a leading academic.

Speaking at the Cyber Warfare 2008 event in London this week, Debi Ashenden, senior research fellow at the Defence College of Management and Technology at Cranfield University, said most companies overlook the importance of employee behaviour when it comes to securing their IT and information systems.

"Lots of organisations claim to have a culture of information security but in most cases I would say that this is not true and unfounded," she told an audience made up of military and civilian IT security specialists. "We need to get end users on side. We can't ignore them anymore. We need to move away from command and control and interact with them."

IT security managers do not like the idea of empowering end users and would prefer to be able to "lock them down" in the same way employees' PCs can be locked down, said Ashenden.

Ashenden's speech made reference to several recent high-profile security breaches, including the exposure of 25 million individuals' records by HM Revenue & Customs (HMRC) in November last year, and the loss of an MoD laptop containing the records of some 600,000 defence personnel.

Ashenden claimed that although breaches such as the HMRC loss had led to a new focus on IT security, based around improving processes and technology, the incidents were down to human factors. "We need to find a way to make people streetwise and question core beliefs so they question this kind of behaviour before it's carried out," she said.

A survey from PriceWaterhouseCoopers (PwC) released this week appears to back up Ashenden's assertions. The results show the proportion of companies that have an information security policy has quadrupled over the last eight years.

However, one of the report's authors, PwC's Chris Potter, said having a security policy alone does not magically improve security awareness among staff. "What companies are realising is that increasing security awareness is only part of the answer. The critical issue is changing the behaviour of their people."

There has been a spate of high-profile security breaches dating back to mid-2007, which has led the government watchdogs to demand action be taken against organisations and individuals who fail to safeguard data and information. In a document submitted to government in January this year, information commissioner Richard Thomas called for the Data Protection Act (DPA) to be amended to include a penalty for data controllers "knowingly or recklessly failing to comply with the principles" of the DPA.

Ashenden claimed there has to be a fundamental shift in the behaviour of senior IT security professionals towards end users and the importance of understanding social interaction within companies.

"Most information security managers didn't come into the profession to get involved in cultural change and to talk to end users. They came in because they have an interest in technology," she said. "But we have to measure values, attitudes and perceptions of end users and aggregate the information to craft cultural change."

In response to those IS professionals who suggested there are no hard quantitative approaches to the analysis of attitudes and behaviour of employees, Ashenden claimed there are recognised ways to tackle this kind of analysis of end-user behaviour that are already used in social-science disciplines.

Responding to a question about the failure of software makers to build user-friendly security systems, Ashenden agreed that approaches such as pop-up warnings in operating systems were ineffective, as users eventually become conditioned to ignore them. She also referenced a quote that claims hackers often pay more attention to the human link in the security chain than security designers do.

The PwC survey is part of the 2008 Information Security Breaches Survey created on behalf of the Department for Business, Enterprise and Regulatory Reform. The final report will be launched in London at the Infosecurity show on 22-24 April.

Talkback

I agree that the "stupid users" should not be punished. Organisations with these threats and risks need to enforce the policies with security technology that removes the threat. Don't rely on a written document to protect vital information, sensitive information and business critical information. Get smart and give your IT and Security Managers the budget to invest in Gartner approved technology and save you from the embarrassment of possible breaches in the future.

Prevention is better than a cure.... Wake up and don't wait for a legal battle to make the move.

Zeebs 3 Apr 08 12:15

Hey Zeebs,

Thanks for your comments. Policies and the right tech are definitely an important part of the story but I think that what Debi was really pushing is that they are not the whole story by any means.

You can have all the rules and regs you like and robust tech but if you don't make the effort to find out how your users actually behave then your information security strategy is going to have a big fat hole in it.

The problem, as she pitched it, is that not many technical managers want to roll up their sleeves and actually analyse human behaviour - they would rather just seek a tech solution as that is where they feel most at home.

andrewdonoghue 3 Apr 08 15:43

Yeah, I think that is the case but I was just stretching the point that if you had technology in place to enforce policy then the need to monitor the human activity would be reduced. Plus with offerings from companies such as IBM ISS and the ADS function which links in to the IPS, it allows you to monitor employees' activity on the network and disable activity if anything seen as malicious is occurring. In organisations with 500+ employees it's always going to be fighting a losing battle to educate the importance of security.

Zeebs 3 Apr 08 16:08

If they had a BS7799 or ISO 27000 security audit it should prevent excessive permissions to junior staff. Implementing Role Based Accounting would help, but requires experienced and knowledgeable staff to get it working. Selling the idea should be easy NOW that senior staff will have to start listening, but some of them cannot or will not understand unless the outsourced IT company pays a penalty (BIG TIME), otherwise the incentive is lost or not remembered.

If the staff are the weak link then integrate the basic IT security into your annual Health and Safety tests done by ALL your staff. Ensure your HR department checks all staff have completed the H&S, IT security, basic policy and compliance.

The policy should prevent silly events from happening, and staff awareness of what should NOT be done. But what about the managers who break the policy and procedures and insist on the lowest cost or lowest work required? (Organ donor?)

ben channell 7 Apr 08 12:59
