Information technology (IT) security managers face many problems in protecting their organizations' information infrastructures. The list of threats is always growing—worries about the stereotypical hacker have evolved into dealing with sophisticated fraudsters, organized criminals, identity thieves and spammers, as well as the inappropriate use of network and system resources, theft of intellectual property by disgruntled workers, and rising pressure to meet ever-increasing governance and regulatory requirements. ISACA's recent survey on risky business practices shows that security managers must continue to deal with users' lack of awareness of the risks their online activities pose to themselves and their organizations.
The telephone survey of 301 white-collar workers in the US who work for businesses with 100 or more employees was conducted for ISACA by MARC Research in August 2007. The results show some surprising contrasts between risk perceptions and behaviors.
Users Perceive Themselves as Low Risk Takers
The survey shows that most white-collar workers do not consider themselves big risk takers: 34 percent indicated that they have a low to very low tolerance for risk, and only 16 percent stated that they consider themselves moderate or high risk takers. Approximately 50 percent of the survey respondents have at least some concern for the privacy and security of information at their place of work, and more than 75 percent have at least some concern about privacy and security on their home systems.
Ninety-two percent of respondents said that security is at least a consideration when purchasing a mobile device and/or consumer electronics, with 50 percent saying that security features were "extremely important" in their purchase decisions.
Engaging in Risky Behaviors
When questioned on particular risky online behaviors, the respondents showed a significant lack of awareness and a propensity to engage in activities that put themselves or their organizations at risk. For example, 35 percent admitted that they have violated their organization's IT policies at least once.
Additionally, 15 percent of respondents said they have used peer-to-peer file sharing at work. While this may seem low, it represents 15 instances in a company with 100 employees and corresponds to up to 7,500 instances of exposure in a company with 50,000 employees. Seventeen percent of respondents said that they had used a personal, noncompany mobile device to send business information at least once.
Eleven percent of respondents said that they had e-mailed a sensitive company document to the wrong recipient (representing 5,500 incidents in a company with 50,000 employees).
According to the survey, the respondents also engage in other risky activities:
- 49 percent say they have clicked on URLs sent to them in external e-mails.
- 42 percent have e-mailed company documents to their home system.
- 33 percent have received software or files from a personal friend or family member at work.
- 23 percent have transferred sensitive information using a USB device.
A False Sense of Security
The survey showed that the two most common reasons for the discrepancy between white-collar workers' perception of risk and the risky activities they engaged in are lack of awareness and a false sense of security.
When asked how risky they believe peer-to-peer file-sharing software is, 62 percent of respondents said they believe there is little or no risk. An even more startling 74 percent think there is little to no risk associated with downloading personal software onto work systems, and 50 percent feel there is little or no risk involved when using a mobile device to connect to files or e-mail at work without the knowledge of the IT department.
Other activities respondents believe to be low or no risk are:
- E-mailing a confidential document to the wrong recipient (41 percent)
- Using a USB key to transport sensitive information (56 percent)
- Using work computers to open e-mail messages from unknown sources (56 percent)
- Losing equipment with company information stored on it (e.g., a BlackBerry or laptop) (59 percent)
Additionally, it appears that most white-collar workers have a false sense of security, as most (94 percent) believe that their IT work environment is secure, very secure or totally secure (see figure 1).
This false sense of security is also reflected in results showing that most white-collar workers are not very concerned about their privacy (65 percent) or the security of their information (63 percent) when using a computer at work.
Conclusion
Too often, IT security practitioners focus on the selection of tools and technical controls to manage risks while ignoring or minimizing the other critical elements of risk management, such as people, policies and processes. More often than not, people are the weak link in protecting organizations and critical information. Whether it is management override of controls through excessive exceptions, poorly trained IT professionals or users who are unaware of the risks that their activities create, the human element of security cannot be neglected.
The results of the ISACA survey show the continued need to educate users on risks and their responsibilities, as security is everyone's job.
Kent Anderson, CISM
is a leading authority on information security, with more than 21 years of experience in the field. He serves on ISACA's Security Management Committee and is the founder and managing director of Network Risk Management LLC. Anderson has held positions as senior vice president of IT security and investigations with an international business risk consultancy, as director in the Dispute & Analysis Investigations group of PricewaterhouseCoopers LLP, and as the European information security manager for Digital Equipment Corp. Anderson can be reached at kea@aracnet.com.
Editor's Note
Questions about the ISACA survey referenced in this article may be directed to the ISACA communications department at news@isaca.org.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.