Ken H. Guo, CMA
The human factor is a well-recognized issue in organizational information security management; however, there is a tendency to equate the human factor with insider threat of end users. It is critical to take a holistic view, examining the roles of three groups of people: end users, information security professionals and top executives. Each group plays an important role in organizational information security management. Top executives should take the leadership role in envisioning an optimal security strategy, security professionals should be able to execute the security strategy and end users must participate in security management processes. All three groups are accountable for information security.
Employees play an important role in organizational information security management. How they use IT to perform daily business activities has an impact—negative or positive—on the overall security of the organization’s information systems. The role of employees is often referred to as the human factor in information security management; however, the definition of human factor in academia and practice is “end users.”1 End users are often referred to as insider threats to organizational information security. To address this type of insider threat, organizations are urged by scholars and practitioners to implement and enforce security policies that aim to deter end users’ undesirable behaviors. The deterrent effect of security policies has recently been examined in many studies that generally focus on those factors that may lead to end users’ violation of or compliance with security policies. An underlying assumption is that violation of organizational policies causes damage to security and must be prevented.
There has been less discussion, however, on the behavior of information security professionals—probably because they are the ones who manage security in organizations. They are supposed to be aware of the importance of security and the importance of proper use of IT. Thus, the role of information security professionals appears to be implied by their job descriptions: They are security protectors and should behave better than end users in terms of using IT. The role of top executives is often narrowly referred to as “top management support” in information security literature.2
There appears to be an assumption that:
Based on such a narrow assumption, security problems are largely, and maybe unfairly, attributed to end users rather than information security professionals and top executives. Perhaps more important, the unbalanced focus on one group of people, i.e., end users, may hinder the theoretical and practical advancement of the information security field. To some extent, the end-user-focused assumption gives organizations the wrong impression that security problems will not exist if end users are contained. The tendency to treat end users as the enemy leads to a lack of user-centered design in security mechanisms that may look secure on paper but will fail in practice.3 The police-violator focus may also widen the so-called digital divide between information security professionals and end users and result in questionable management strategies.4 These issues call for a balanced examination of the human factor in information security management.
The human factor is not limited to end users. Information security professionals who implement and manage security measures, end users who use IT solutions to carry out their business tasks, and top executives who make decisions about security strategy play an important role (figure 1). Top executives must take a leadership role in defining an optimal security strategy for the organization, information security professionals are in charge of the execution of the strategy and end users should participate in security management processes. Each of the three groups also requires different skills and knowledge.
Information Security Professionals
Information security professionals initiate, implement and monitor security measures. Undoubtedly, they are the foundation of any organization’s information security strategy. As such, their role is focused on security execution. To execute the organization’s security strategy, information security professionals must have the necessary skills and knowledge in technical and business areas. Thus, the most important trait that information security professionals should have is security competence.
One of the key factors in information security is technology; information security professionals must have sufficient technical skills. They need to know specific technologies and, more important, how to put different technologies together to make information secure. It is equally important, however, that information security professionals have solid business skills and knowledge. Such business skills and knowledge are vital for them to effectively manage information security. To convince top executives to invest in security, security professionals need to use a language that top executives understand. In this regard, information security professionals should have sufficient communication skills. Another aspect of business skills is the understanding of business. Information security professionals should understand business problems and needs and must be able to link security and IT with business objectives.
In terms of the relationship between IT and business, IT should play a supporting role in organizational business activities, i.e., help achieve business objectives. This suggests that information security professionals should be business-oriented rather than close-mindedly security-oriented. More specifically, this supporting role can be reflected in the following two aspects: IT as business facilitator and IT projects as business projects.
From a means-end perspective, business is the end, while information systems are just one of the means. Security should protect business from risk. The hindrance caused by security measures should be kept at a minimal level. This principle should guide what security measures are implemented and how. Unless end users and top executives see the value of IT measures for achieving their business goals, they are less likely to wholeheartedly embrace the measures.
Given the supporting role in organizations, IT projects do not stand alone. Instead, they should be an integral part of business projects and should be led by business managers rather than IT managers. The job of security managers is to make business managers understand risk and how risk can be mitigated.
End Users
End users rely on information systems to carry out their business tasks. An important factor that may influence the effectiveness of security measures is end-user awareness. Due to their limited security knowledge and skills, end users may have a false sense of security and, thus, may engage in some security-threatening behaviors, such as downloading and installing unknown software from the Internet. For example, end users may not know how to use a certain technology, the value of the data they handle or the possible consequences of their use of IT. End users may also ignore security measures because those measures often require various degrees of change to their day-to-day business tasks. As a result, their interactions with systems may inadvertently cause damage to information security.
To deal with problems caused by end users, organizations often take an authoritative approach by implementing and enforcing security policies. The logic behind security policies is that sanctions can help prevent end users from engaging in those undesirable behaviors that may damage security. However, many studies in information security literature have found that sanctions may not work as expected.5, 6 End users’ focus on business tasks is one of the key reasons why they fail to follow security policies.7, 8 Most do not have any malicious intent to cause damage; thus, treating end users as the enemy of information security may not be an effective strategy.9
What role should end users play?
Instead of the passive role of security rule followers, end users can play a more active role in participating in organizational information security management. End users are not the enemy within, but are the partner of information security professionals in protecting an organization’s information.10 End users can be an important resource that contributes to effective security measures.11, 12 End-user participation in the design and implementation of security measures can ensure that measures are situated in the business processes for which the end users are responsible. As a result, the best fit between security measures and business processes can be accomplished. Any measures that can secure organizational information without interfering with end users’ business tasks can better win their acceptance.
To participate in security management, end users must understand the security implications of their actions in dealing with organizational information and, perhaps more important, the impact of security problems on their business tasks. Thus, awareness is an important factor that influences how end users participate and whether they fully embrace those security measures implemented by information security personnel. It is generally accepted that end users must receive sufficient training and education in information security. It remains a challenge, however, as to what exactly end users should know in terms of security.
Top Executives
Top executives of an organization make decisions on the overall IT strategy and the amount of resources that the organization invests in IT. Their decisions ultimately influence how secure the organization’s information systems are. The priority executives give IT in general and security in particular likely determines the resources allocated to this area.
One problematic trend is that the role of top executives is often reduced to a supporting part, sometimes termed “top management support.” By playing a supporting role, top executives turn security management into an IT problem rather than a business problem. The drawback of this approach is that top executives are taking a passive, reactive approach to security issues—trying to do something only after security breaches occur. Another problem is that information security professionals often lack the ultimate authority to push security measures across functional boundaries.
Thus, instead of merely supporting, top executives must lead security management. Strong leadership helps foster a proactive approach to information security that emphasizes proactive prevention rather than reactive correction after security problems occur. It also helps facilitate dialog among information security professionals and end users and, as a result, ensures that security measures are effective and supportive of business needs. As discussed earlier, higher levels of acceptance by end users can be expected if security measures fit end-user needs for carrying out business tasks.
To truly lead security management, top executives must understand the impact of security issues on business. Top executive awareness is an important factor in security management. As mentioned earlier, end users’ awareness is also an important factor that influences how they deal with security measures. Due to the differences of their job scopes, there is an important difference between the awareness of these two groups of people. For top executives, the focus is business risk—how security issues impact overall business strategy. For end users, on the other hand, the focus is on the risk related to processes and tasks—how security issues impact their daily work and how their behavior impacts security.
While each group of employees (information security professionals, end users and top executives) plays an important role, how they interact with each other also has an impact on organizational information security management. They should not act in an isolated manner.
Information Security Professionals and End Users
To ensure that end users take a participative role in managing information security, information security professionals must engage and encourage them to do so. This requires information security professionals to treat end users as partners—not as the enemy within—in the endeavor to secure an organization’s systems.13 Such partnerships have two important implications.
First, information security professionals need to make a shift from passive responses to proactive engagement. Traditionally, the IT department (including information security professionals) of an enterprise is organized as a silo. Physically, IT staff are located in a self-enclosed environment that makes interaction with end users difficult; functionally, the IT department often acts as an external vendor charging out services provided to end users, and a help desk is often the only interaction point between IT professionals and end users. The key problem with the help-desk approach is that it is passive; information security professionals are waiting for end users to ask for help. This is particularly problematic in terms of security. End users may not be able to identify security issues due to their non-IT background and low awareness.
Second, information security professionals need to make an effort to understand the end users’ point of view and get feedback from them. This includes an understanding of how security measures impact their business tasks and what measures can best meet the requirements of business and security objectives. From a value-focused thinking perspective,14 this requires information security professionals to examine the values of end users—the fundamental objectives for information security and business performance and the means to achieve them. It is important to identify and reconcile areas of conflict between security procedures and legitimate professional work values.15
Information Security Professionals and Top Executives
While top executives must truly lead any security endeavor, information security professionals are not merely followers. Information security professionals, who are in charge of the implementation of security strategy, must be able to give top executives proper advice on security matters, and they must be able to convince top executives to pay more attention to and make sufficient investment in security. To do that, information security professionals must see a big picture beyond security by situating security in the bigger context of the business strategy and building the link between security and business.
As discussed earlier, information security professionals need to have technical skills as well as business skills and orientation to foster the advisor-leader relationship with top executives. Perhaps more important, information security professionals need to have good communication skills to discuss security issues in a nontechnical manner. They must be able to answer the “so what?” questions in terms of the impact of security issues on business. In addition, information security professionals must proactively engage in dialog with top executives rather than passively wait for questions to come.
End Users and Top Executives
In addition to providing leadership in terms of overall security management, top executives play an important role in influencing end users’ dealings with security. First, top executives must lead by example in terms of complying with security policies and rules; their actions and attitudes have an impact on the end users’ attitudes toward security and ultimately how end users use technology and deal with security issues.
Second, top executives are in a better position to motivate end users to follow security policies and rules and participate in security management. When faced with a conflict between business tasks and information security, end users are likely to sacrifice security for their tasks on hand. It would be up to top executives to balance business performance requirements and security mandates. A balanced performance evaluation on business tasks and security matters helps motivate end users to be mindful of security issues when they use technology.
Human factors are well-recognized issues in organizational security management; however, there is a tendency to equate the human factor with end users who are typically referred to as insider threats. The risk of such a narrow definition is that the roles of information security professionals and top executives, which are no less critical than end users, may be inadvertently neglected.
Each of the three groups plays an important role in information security management. Top executives should take the leadership role, information security professionals should be able to execute security strategies and end users must participate in security management processes. An organization can be resilient in preventing, detecting and recovering from security problems only if all three groups take their share of responsibility. Each group is accountable for security in different capacities.
Endnotes
1 Adams, A.; M. A. Sasse; “Users Are Not the Enemy,” Communications of the ACM, vol. 42, 1999, p. 41-46
2 Kankanhalli, A., et al.; “An Integrative Study of Information Systems Security Effectiveness,” International Journal of Information Management, vol. 23, 2003, p. 139-154
3 Op cit, Adams
4 Albrechtsen, E.; J. Hovden; “The Information Security Digital Divide Between Information Security Managers and Users,” Computers & Security, vol. 28, 2009, p. 476-490
5 Siponen, M. T.; A. Vance; “Neutralization: New Insight Into the Problem of Employee Information Systems Security Policy Violation,” MIS Quarterly, vol. 34, 2010, p. 487-502
6 Guo, K. H., et al.; “Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model,” Journal of Management Information Systems, vol. 28, 2011, p. 203-236
7 Ibid.
8 Besnard, D.; B. Arief; “Computer Security Impaired by Legitimate Users,” Computers & Security, vol. 23, 2004, p. 253-264
9 Op cit, Adams
10 Ibid.
11 Spears, J. L.; H. Barki; “User Participation in Information Systems Security Risk Management,” MIS Quarterly, vol. 34, 2010, p. 503-522
12 Albrechtsen, E.; J. Hovden; “Improving Information Security Awareness and Behaviour Through Dialogue, Participation and Collective Reflection: An Intervention Study,” Computers & Security, vol. 29, 2010, p. 432-445
13 Op cit, Adams
14 Dhillon, G.; G. Torkzadeh; “Value-focused Assessment of Information System Security in Organizations,” Information Systems Journal, vol. 16, 2006, p. 293-314
15 Hedstrom, K., et al.; “Value Conflicts of Information Security Management,” Journal of Strategic Information Systems, vol. 20, 2011, p. 373-384
Ken H. Guo, CMA, is an assistant professor of accounting at the College of Business at Western New England University (Springfield, Massachusetts, USA). His research interests include information systems security, auditing, behavioral accounting, forensic accounting and accounting information systems. He has been published in numerous journals and coauthored a research monograph on identity theft and fraud.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2013 ISACA. All rights reserved.