3. LÍNEAS DE ACTUACIÓN PRIORITARIAS
3.4. Reducción de amenazas para el patrimonio natural y la biodiversidad
In the introduction to this Chapter, the vicious and virtuous circles of information security management were presented. The two circles can be combined as shown in Figure 6.4.
According to this figure, depending upon their assumption regarding the nature of end-users in the organization, information security managers create the information security management systems (ISMS) and its constituent information security policies and controls. The nature of the ISMS, and specifically its constituent policies and controls, creates a psychological and behavioural climate in the organization that can either promote commitment and compliance by end-users or drive them towards disenchantment and non-compliance. The end-users are affected by the surrounding climate and the available policies and controls. Finally, the end-users demonstrate either compliance or non-compliance and this feeds back and reinforces the assumptions that information security managers hold about their nature. As can be seen from Figure 6.4, the genesis of both circles lies in the view that information security managers in the organization hold regarding the nature of end-users in the organization.
The present-day approach to ISM has a blinkered view of end-users. In this view, present-day information security management in organizations is still focused on technology; end-users are the enemy and are treated merely as adjuncts to this technology. Furthermore, end-users can be motivated towards compliance through training, rewards and punishment. Information security is further improved and enhanced through enforcing stronger policies and controls. The information security efforts are based on the assumption that end-users behave as ‘homo economicus’. But as shown earlier in Chapter 2, this assumption is false, and consequently, information security efforts are liable to fail. Currently, efforts to motivate end-users are directed towards their rational and calculative side. However, when it comes to information security behaviours, end-users are motivated by a complex set of factors including commitment and loyalty, social norms, perceptions of control, heuristics, habits etc. Thus, an incorrect conception of end-users directs, or rather misdirects, present-day information security management in the organization which is unable to yield improved end-user compliance with information security policies and controls in the organization.
The end-user centric approach of ISSM requires information security managers to re-conceptualize the notion of end-users in the organization. In this re-conceptualization, end-users are not the enemy but an invaluable asset in securing information in the organization; end-users
Assumptions of information security managers regarding human nature in the organization
Information security management system in the organization
Psychological and behavioural climate in the organization
Information security behaviours of end-users
Appropriate Inappropriate
Various individual, social and technical factors
Figure 6.4: Influence of managerial assumptions of human nature upon the information security behaviours of end-users
are knowledgeable about their information needs and practices, and the inherent business risks in these practices. Furthermore, given the right environment and tools, end-users would rather comply than not comply with information security policies and controls in the organization; end-users can be held responsible for only a few insecure acts, most other insecure acts can be traced back to earlier decisions concerning the formulation and implementation of information security policies and controls in the organization. Thus, while the actions (or inactions) of end-users may be the immediate cause of non-compliance, the non-compliance actually originates from other organizational and systemic factors created by decisions made by other people such as information security managers, designers, developers, IT managers, business managers, etc.
In the end-user centric approach, the focus of information security managers shifts from compliance to commitment of end-users to information security policies and controls in the organization. This shift occurs with information security managers adopting the CARE principles (Figure 6.5). The CARE principles, as the name suggests, ensure that end-users are handled with due care. The remainder of this section discusses the CARE principles.
The CARE principles are as follows:
• Communicate with end-users: to win their commitment to information security policies and controls, to give them the required skills and to learn and understand their practices and needs.
• Accommodate the end-user perspective: to formulate the information security policies and controls around the practices and needs of end-users and to provide them with the tools required for doing their primary work tasks in a secure manner.
• Respond to the difficulties experienced by end-users: to provide support to end-users as they navigate through the maze of information security policies and controls.
CARE =
Communicate
Accommodate
Respond +
+
Figure 6.5: The CARE principles
Communication provides the link between end-users and information security management and enables the exchange of information between the information security management and end-users. This communication allows the concerns of management and the limitations of technology to be conveyed to the end-users while escalating their issues and needs to business, IT and information security managers. Traditionally, information security managers have used communication uni-directionally i.e. to deliver expert-driven information to end-users. This information consists of awareness and training guidance. Information security managers are the providers, while end-users are the consumers of this information. The purpose of this communication is to inform the end-users about the information security policies and controls and to give them the skills required to successfully complete their information security tasks. The CARE principles redefine the scope and purpose of communication. The communication is bi-directional and it is as much driven by experts as by the end-users. In addition to the above mentioned purpose of communication, the CARE principles enhance the purpose of communication to learn about users and to provide them with a forum to voice their concerns and needs and to share their experiences. In the CARE principles, the objectives of communication are to win the commitment of end-users to information security and to allow information security managers to learn about the practices, needs and concerns of end-users.
In the present-day approach to ISM, policies and controls are designed or formulated on the basis of risk analysis related to the information assets of the organization. End-users are expected to comply and modify their day-to-day working practices, as required. According to the
‘Accommodate’ element of the CARE principles, the traditional design approach is enhanced to ensure that information security policies and controls are built around the practices and behaviours of end-users, including the prevailing culture and social practices in the organization.
The main objective of the ‘Accommodate’ element is to minimize the conflict between the information security policies and controls and the day-to-day practices of end-users. Another objective is to ensure that information security policies and controls are easy to understand and use. However, it may not always be possible to accommodate all end-user requirements. Einstein said, “Make everything as simple as possible, but not simpler”. Likewise, end-user practices can be accommodated only to a certain point. Beyond this point, the practices take the organization into the area of unacceptable risk, where the practice needs to be curbed. In this situation, the
‘Communicate’ and ‘Respond’ elements are expected to combine to resolve the issue.
The last element of the CARE principles is the ‘Respond’ element. During their day-to-day life in the organization, end-users come across the information security policies and controls as they interact with information and information systems in the organization. The end-users’
willingness to undertake their information security tasks and their ability to complete these tasks, both are influenced by their perception of the level of difficulty of the tasks. Also, past experience of difficulty may prompt the end-users to ignore their information security tasks.
Thus, it is imperative to provide adequate support to the end-users in an on-going manner. The
‘Respond’ element of the CARE principles embodies this support. The ‘Respond’ element requires that the organization creates a support function consisting of support-employees. The support-employees interact with the end-users on a regular basis and help and advise them in the conduct of their information security tasks. End-users should find it convenient to contact the support-employees in case of any difficulty or doubt. The conduct of the support-employees should be such as to make the end-users feel comfortable in seeking help. The objective of the support function is to give comfort and confidence to end-users and to assist them in the conduct of their information security behaviours.
This section has discussed the end-user centric approach of ISSM. The basis for this approach is the re-conceptualization of the notion of end-users in information security. End-users are to be treated as partners rather than as enemies to be controlled. This view of end-users negates the bureaucratic style of present-day information security management and paves the way for a service management approach for end-user centric information security management based upon the CARE principles. The following two sections will discuss ISSM in greater detail and how the service management approach is utilized to implement the CARE principles.