Sunday, August 13, 2006

Creating an Atmosphere of Risk Management: Part I


Any security professional will tell you that the weakest link in security is always people. Even in the movies, how do the antagonists gain access to secure computer systems? By taking advantage of a person with trusted access. So any Information Security Program, in order to be successful, needs to start by building an “Atmosphere of Risk Management” within the organization.

This atmosphere of security is created through raising the awareness level of all employees and through the direction and example of senior management. We cannot emphasize enough the importance of senior management’s buy-in and involvement in establishing an atmosphere, or corporate culture, where security is second nature to all employees.

In many of the organizations for which I perform security assessments, lack of buy-in by senior management is evident through the setup of their user accounts. More often than not, the President, CEO, and other senior managers are found to have special access privileges that include never having to change their passwords. On top of that, their passwords are among the worst in complexity, making them easily cracked by simple dictionary methods.

How can employees be expected to follow security policies and practices when it is well known that the top managers do not follow those same policies and practices? Corporate culture is created through the actions and attitudes of the organization’s managers. Therefore, the first step in creating an atmosphere of security is for senior management to adhere to, and enforce, the same policies as everyone else.

Many organizations make the mistake of combining awareness and training, simply calling it security awareness training. Awareness is not training. Awareness is an ongoing process designed to focus employees’ attention on security. Awareness presentations are intended to make individuals recognize information security concerns and respond accordingly.

Effective IT security awareness presentations must be designed with the understanding that people develop a tuning-out process known as acclimation. If the same method of providing information is continually used, no matter how stimulating it is, the recipient will selectively ignore the stimulus. Therefore, awareness presentations must be ongoing, creative, and motivational. Awareness presentations should focus employees’ attention so that the information provided will be incorporated into conscious decision-making. This process where an individual incorporates new experiences into existing behavior patterns is called assimilation.

Learning attained through a single awareness activity will tend to be short-term, immediate, and specific. Repeated awareness activities spread over time improve assimilation. In other words, security awareness training performed once a year will not be assimilated into the existing behavior patterns of individuals. Information Security Officers must develop a program of ongoing security awareness in order to build an atmosphere of security.

In my next post, I will cover some steps that every organization must take to begin this process . . .

1 comment:

Anonymous said...

I strongly agree that awareness is not training, but the first step to safe computer usage is information awareness training! Because without training there will be no effect!!!