Information security awareness: educating your users effectively

M.E. Thomson, Port Elizabeth Technikon, Port Elizabeth, South Africa
R. von Solms, Port Elizabeth Technikon, Port Elizabeth, South Africa

This article investigates the evolution of computing, with specific reference to the security issues involved. These issues are then taken further to determine the need for education in the workplace through an information security awareness program. Techniques borrowed from the field of social psychology, which have been largely ignored in current awareness programs, are highlighted in order to show how they could be utilized to improve the effectiveness of the awareness program.

Introduction
The use of information technology has changed dramatically over the years. The user profile has also changed accordingly, from a situation where all users were computer or information technology specialists to a situation where most users today are barely computer literate. This article will attempt to highlight the reasons why an information security awareness program should enjoy more attention in all organisations. It will also spell out the objectives of such a program and the potential for utilising psychological principles to make the program more effective. These are principles that have been refined over many years of research in the social psychology arena, but which have been largely ignored by IT professionals when developing information security awareness programs (Kabay, 1994, p. 1).

Technological advances
The technical development of the computer and associated disciplines has played a large role in the profile and involvement of the user. A description of some of these advances and their influence on the end-user will help to understand the current situation. These advances will be divided into three stages of development to highlight the situation of the typical IT user in an organisation.
Information Management & Computer Security 6/4 [1998] 167–173 © MCB University Press [ISSN 0968-5227]

Standalone mainframe computing
This form of computing was used when computers were first introduced in business. The machinery was extremely large and susceptible to environmental conditions. The result was that it had to be housed in a completely separate building; hence the term standalone computing (Schaeffer, 1987, p. 113). When this form of computing was used, the security considerations were relatively easy to satisfy, as the following will indicate:
• The computer centre was housed in a completely separate building. Anyone needing to use the computer had to be in the computer centre building; hence physical access control was the major security consideration.
• Generally, the type of systems in use were single user, i.e. only one person at a time could work on the machine. Anyone entering the building would have been screened by the access control device at the entrance to the building, thereby eliminating the need for any form of user authentication.
• The major threats to the computer were of an environmental nature, i.e. floods, earthquakes, fires, and civil disorders. It was relatively easy to take precautions to minimise these threats. The building could be situated in an area safe from flooding and free of any seismological activity. Fire detection and extinguishing equipment were also very effective.
As can be seen, the threats to this form of computing were of a physical nature and very effective precautions could be taken to minimise them to an acceptable level. All computer programs were processed in a secure physical environment. Electronically, it was difficult for any party to gain unauthorised access to any data. The users of information posed no security threat to the information, because no user had any access to any data electronically.
Unfortunately (from a security viewpoint), the use of computers evolved further, rendering these security precautions obsolete, and further security measures were needed.

Multi-user computing environment
This form of computing brought with it new threats which needed to be countered, specifically the following (Shelley et al., 1992, p. 7.16):
• more people were able to work on the machine at the same time, and not always within the confines of the computer centre;
• access control to the computer centre was no longer adequate to determine the validity of users, since workstations were now situated in the user’s work environment;
• users were allowed access to computer systems electronically;
• many components were shared, e.g. memory, databases, printers, etc.
These security considerations were largely eliminated by the implementation of a user authentication system on the machine. All users were allocated a user identification (userid) and a password. This userid and password were used to identify and authenticate a user successfully. Based on this successful authentication, the operating system provided authorisation to the user to utilize system objects. The workstations in use at this time were dumb terminals (all intelligence resided on the central computer) and it was relatively easy to restrict users to work in certain areas. This type of security was termed technical, since the operating system on the machine was enforcing the security. At this phase of computer evolution, physical and technical security measures were adequate to ensure effective information security.
Personal computers and networks
The advent of the personal computer, as well as the increasing complexity and reliability of networks, has brought about a great challenge in the area of information security:
• the decreasing price and increasing capabilities of personal computers resulted in many people in the organisation acquiring these machines;
• the ever increasing number of software development packages available made it possible for these people to start developing their own systems;
• the knowledge gained from developing these systems could often give them the capability to circumvent security measures built into the current systems;
• the ever increasing use of the Internet meant that there were potential threats from outside the organisation.
The above issues, combined with the fact that information systems are becoming more and more crucial to the successful daily operations of many organisations, have brought about the next major advance in information security, namely that the profile of the end-user is changing. The profile of the user has changed substantially in that previously the user was very often a person lower down in the organisational structure whose main purpose was to enter data that would be used at a later stage by someone higher up than themselves. This situation has gradually evolved to the current situation where the managerial people often need access to information on a “must have now” basis because of the competitiveness of business. They also often develop their own small systems to interpret data acquired from one of the mission critical systems. The data entry party is also often more computer knowledgeable than previously. This situation could have the result that these people could gain access to or modify data that they were not supposed to, whether it be intentional or accidental.
This increasing sophistication of the user, combined with the need to grant them access to the information that they require, means that it is no longer possible to maintain effective information security with physical and technical controls alone. It is now necessary to educate the users in the discipline of information security. Their behaviour has to be modified to such a degree that they carry out their day-to-day activities in a security supporting manner. It is important that this behaviour be subconscious, i.e. they must carry it out without having to think about what they are doing: for example, signing off whenever they leave their office, ensuring that their password is not accessible to other employees, ensuring that information on the screen is not visible to anyone that should not see it, making regular backups of important data, etc.

In order to achieve this, an information security awareness program needs to be undertaken in every organisation. This program will educate users in information security issues, and will also continually remind users of the issues and any new issues which may have become relevant. The objectives of this security awareness program will be to change the ideas and behaviour of the user; therefore the awareness program must be structured in such a way that the user’s behaviour and attitudes are modified to ensure that their actions are security conscious.

The above clearly shows that information security has now become very reliant on operational measures (the user’s behaviour) as well as the technical and physical measures highlighted earlier. The discipline of social psychology has, over many years, conducted research into the area of successfully changing the attitude and behaviour of people, and the results of this research should help to make any security awareness program more effective. In the next section some of these techniques developed in the social psychology area are introduced.
These techniques could prove useful when applied to an information security awareness program.

The application of social psychology
Figure 1 represents the typical attitude system which all people have. This attitude system will help to explain the different aspects involved in determining the way a person will behave in a given situation (Zimbardo and Leippe, 1991, p. 32).

Figure 1. An attitude system (attitude at the centre, interrelated with: behaviour intentions, the plan to act in a certain way prior to doing so; behaviour, the actual behaviour exhibited in a given situation; cognitions, ideas, beliefs and knowledge on how one should behave in a given situation; affective responses, emotions or “gut feelings”; attitude, the overall evaluation, which includes all other components)

Central to everything is the actual attitude itself, but interrelated to it are a number of other factors:
• Behaviour intentions: this refers to the person’s intention to behave in a certain manner under certain conditions;
• Behaviour: this is the actual behaviour exhibited by the person in a given situation, not necessarily the same as they intended to behave in that situation;
• Cognitions: this refers to a person’s knowledge and beliefs of how one should behave in a given situation;
• Affective responses: these are the emotional or “gut feel” reactions shown in any given situation.
Figure 1 clearly shows that all the areas highlighted are interrelated and as a result a change in any one of them can have the effect of changing any one of the others. This could ultimately result in a complete change of attitude, which is what one ultimately requires from a user as far as information security is concerned. Research conducted in social psychology has shown that there are a number of very effective methods that can be applied to affect a person’s behaviour.

This section will focus on three of these methods, namely:
1 directly changing their behaviour (ignoring attitudes and knowledge);
2 using a change in behaviour to influence a person’s attitude; and
3 changing a person’s attitude through persuasion.

Directly changing behaviour
It has been proven that there are techniques which can be used that will persuade a person to behave in a certain way, regardless of their attitude to the subject, or their knowledge on the subject, or their emotional feeling on the subject. The following fall into this category.

Instrumental learning
There are two techniques which fall into this section, operant learning and shaping. Operant learning refers to a situation where there is a relationship between a response and its consequence. If a person’s behaviour is correct, then they are praised, and if their behaviour is not correct, then they are reprimanded (Haber and Runyon, 1986, p. 73). Shaping refers to a situation where initially low standards are applied, and as the person’s abilities improve, the standards are gradually increased as well. Initially behaviour which is only remotely like the desired behaviour is rewarded, but as time goes on, the rewards become more difficult to earn as more and more appropriate behaviour is required (Haber and Runyon, 1986, p. 79).

Example: In an awareness training program these techniques could be applied by awarding small tokens as rewards to those employees showing the desired behaviour. These tokens should not be of any great monetary value, but they must be earned and not merely given out as a matter of course. They should also be visible to other employees so that they can act as motivation for those that have not yet earned one.

Social learning
This refers to people’s behaviour being influenced even though they are not part of the whole process. They see how their colleagues’ behaviour is rewarded and tend to behave in the same way so that they could be rewarded similarly (Zimbardo and Leippe, 1991, p. 45).

Example: Other employees will see their fellow workers performing tasks which help to ensure information security, e.g. ensuring that their password remains confidential, or keeping backups of their data. This behaviour will help to instil similar behaviour in themselves. Employees who are not computer users could also benefit, since they would become aware of the importance of information security, and a culture of information security would be fostered within the organisation.

Reciprocity
Reciprocity refers to the fact that people will want to return a favour, whether it be real or perceived. If one does something for someone else, and then asks them to do something for you at a later stage, it is more likely that they will do it than if you had done nothing for them beforehand. This holds true even if the initial favour was not requested by them, but was merely used as a ploy to gain their help at a later stage (Greenberg and Baron, 1993, p. 360).

Example: A typical way in which this could be used in the awareness program would be to ask the attendees at one of the education sessions to do a great number of tasks when they leave and then to reduce the number substantially. In this way they feel that you are doing them a favour by reducing their workload, and will therefore be more likely to carry out your requests.

Conformity
Conformity relates directly to group pressure. Everybody seeks the approval of others for their behaviour or beliefs.
If someone is in a group situation, and there is no support at all for their point of view, then it is very likely that they will adapt their ideas to conform with the group’s. If, however, there is some support (perhaps only one other person), then it is unlikely that they will conform to the group viewpoint (Greenberg and Baron, 1993, p. 559).

Example: This can be utilised effectively in the education sessions. If there are some people who are very disruptive, or who are very opposed to the views being put across, then it would be beneficial to isolate them in groups of people who are very agreeable to the views being expressed. In this way additional pressure is brought to bear on these individuals to change their viewpoints to those desired by the awareness campaign.

Obedience
Obedience to authority is a rule of society that is ingrained since childhood. Research has proven that the lengths to which some people will go in order to obey an authority figure are often incomprehensible. This is especially true if the person giving the orders is seen to be an expert in the specific field. The situation in which the orders are given also plays a big role. If the possibility of saying no is not even mentioned, many people assume that they are not allowed to refuse the request – even though they really could (Baron and Byrne, 1991, p. 340).

Example: This could be used in the awareness program by ensuring that the presenter is an expert in information security. The possibility of not carrying out the procedures outlined should also not be mentioned, to try to increase the obedience of the audience.

Commitment
Another rule of society that is ingrained at an early age is the fact that one must stand by one’s word. If you commit to do something, then you do your utmost to ensure that it is carried out (Zimbardo and Leippe, 1991, p. 80).
Example: This can be utilised in the awareness program by ensuring that the presenter gets each attendee’s commitment to try to apply the knowledge gained in the session. The commitment could be as a verbal promise or as a written commitment.

By effectively utilising the above techniques within the information security awareness program, the presenter should be able to ensure that the program is far more effective in realising its ultimate goal, that of changing employee attitudes and behaviour to be more security conscious.

Changing attitudes through a change in behaviour
The previous section highlighted ways of influencing a person’s behaviour, regardless of their attitudes. This section will attempt to indicate the ways in which using a change in behaviour can lead ultimately to a change in attitudes. A change in attitude is also much more likely to result in a long-term modification of behaviour. The following techniques can achieve this change in attitude:

Attribution
Attribution refers to the need by a person to attribute some sort of reason for a particular form of behaviour. Self attribution is the need for a person to find a reason why he/she is behaving in a particular way in a given situation. It is important that the only reason that can be attributed is a change in attitude (Baron and Byrne, 1991, p. 80).

The previous section discussed instrumental learning and the awarding of a small token for correct behaviour. If this token is too valuable, then the person concerned uses it as the reason for the change in behaviour. If it is of little monetary value, then it will not make any sense to use it as a reason for a change in behaviour. This results in the individual having little option but to assume that it is a change of attitude that has caused the change in behaviour.
Self-persuasion
This refers primarily to the use of role playing exercises in the awareness program. Making someone play a role which supports a viewpoint different from their own forces that person to find reasons to support the role that they are playing. The reasons that they arrive at will ultimately be far more effective than any that the presenter could put forward to convince that person. It is a widely recognised fact that individuals know themselves much better than anyone else knows them, and they therefore also are able to come up with the best possible reasons to change their own behaviour. A role playing exercise forces this to happen (Zimbardo and Leippe, 1991, p. 102).

Dissonance
Dissonance refers to inconsistencies between a person’s beliefs or attitudes and the actual behaviour being exhibited. This dissonance causes tension, and in order to reduce this tension either a change of behaviour or a change of attitude has to take place. Once again, it is essential that the individual is not able to justify the behaviour change due to a large inducement (money, threats, etc.) (Greenberg and Baron, 1993, p. 161).

The above has highlighted a very important fact about attitude and behaviour change. It is possible that a large inducement will result in a change of behaviour, but the chances are that it will not be a permanent change, nor is it likely to result in a change of attitude. A change of attitude is ultimately what is wanted from this program, since it will then ensure a change in behaviour.

Changing attitudes through persuasion
The previous two sections dealt with methods of changing a person’s behaviour, and ultimately their attitudes. They used techniques which almost “tricked” the individual to change their behaviour, which then in turn resulted in a change of attitude. The preferred method to use, however, is first to persuade the individual to change their attitude, which will then result in a permanent change of behaviour.
In order to persuade someone, the following need to be achieved first:

Exposure
In order to persuade someone of something, it is necessary for them to listen to the message. It is also unfortunately true that people tend to “tune out” any messages which do not agree with their beliefs. This is known as selective exposure (Zimbardo and Leippe, 1991, p. 138).

Example: In an information security awareness program, the mere fact that employees are being forced to attend an education session ensures that they are exposed to the necessary information.

Attention
This is similar to “exposure” above, in that an individual will pay closer attention to a message that supports their attitude. This also refers back to dissonance theory, in that a person who pays attention to a message that does not agree with their beliefs will be increasing the dissonance within themselves; hence the tendency to pay more attention to messages that agree with their beliefs.

Example: In order to hold the audience’s attention during a presentation, it would help to regularly remind them of the following (Zimbardo and Leippe, 1991, p. 147):
• the information is useful and new; and
• if they think about it carefully, the information may not be as different from their beliefs as they had thought.

Comprehension
It is useless to have the audience’s attention if they cannot understand what is being presented to them. The medium used to transmit the information is also crucial at this stage. The more complex the message, the more likely that printed media will be more effective, since they could then go over the subject matter repeatedly and in their own time to ensure that it was properly understood. Conversely, the less complex the message, the more likely that broadcast media (spoken) will be more effective (Greenberg and Baron, 1993, p. 159).

Acceptance
Gaining someone’s attention and ensuring that they have understood the message is not the end of the battle.
It is necessary for the individual to accept the message, i.e. to achieve the sought-after change in attitude. There are a number of factors to consider at this point (Greenberg and Baron, 1993, p. 159):
• The quality of the message or argument being put forward must be able to withstand any scrutiny from the audience. If they cannot discredit the message, then they will be more likely to accept it;
• Since the audience will use their own knowledge and attitudes as a comparison for the presenter’s arguments, it is important for the presenter to know something about the audience so that his/her arguments can be structured in such a way that there is more likelihood of them being accepted;
• If an audience’s attention lags, as is likely to happen at some stage, it tends to take a more heuristic route to accepting or rejecting the message being put forward. This entails using “rules of thumb” to make a decision. In this situation the presenter’s status becomes more important than the quality of argument. If the presenter is seen to be an expert, then the audience will be more likely to accept the arguments being put forward (Baron and Byrne, 1991, p. 151).

Retention
Retention deals with ensuring that the attitudes are retained for a significant length of time. There are a number of techniques which could help to ensure this (Zimbardo and Leippe, 1991, p. 181):
• repetition of important facts during the presentation will help to ensure that they are more likely to be remembered;
• ensuring that the attitude was arrived at through systematic, methodical analysis means that it will be well-connected to the interrelated attitude systems of the individual, and will therefore also be well retained;
• if two opposing arguments are presented one after another, and a decision must be made, then the second argument tends to be more persuasive, since it is fresher in the mind.

In this section a number of psychological issues were identified that can effectively change the attitude and/or behaviour of people. Seeing that in most cases this is precisely what one would like to accomplish in a security awareness program, these issues should be integrated into such a program to make it more effective.

Social psychology in security awareness
The previous section highlighted some of the social psychological techniques that could be pertinent to an information security awareness program. This section will focus more on the awareness program itself, and will attempt to show specifically where certain techniques would be of value.

As was highlighted earlier, the profile of the user has changed significantly over the years, and an end-user today could be anyone from the CEO of the organisation to the lowest clerk. Previously, the use of role playing exercises and the use of examples related to the employee’s own work situation were suggested as good techniques to achieve the desired outcome. Since the end-user could vary to include all levels of the hierarchy within the organisation, it makes sense to ensure that the groupings include people from a similar level in the organisation. This would make it easier to have a role playing exercise, as well as using examples, that were relevant to the work situation with which they were familiar.

The awareness program should be divided into a number of short education sessions.
This would help to ensure the employee’s full participation and attention. Some of the advantages of short sessions are:
• participants are more relaxed, since they are not removed from the workplace for too long. They are not going to get far behind with their normal workload;
• previously it was highlighted that people tend to “tune out” if something does not grab their attention or if it is too long. This is eliminated because the presentations can be short and to the point, thereby having a far greater impact.

There would be some form of commitment required at the end of each session, i.e. participants would have to give a preferably written undertaking to implement whatever they learned in that specific session. This would satisfy the commitment technique highlighted earlier.

An evaluation of the participant’s adherence to the material covered would be necessary. This could take the form of direct observation by the course presenter or by a colleague of the participant. This observation should preferably occur without the participant’s knowledge. Alternatively, each participant could give a report-back on what they have done since the previous education session to ensure that they implemented the topics covered previously. Those who successfully implemented the techniques would receive a small token as an indication of their adherence. These tokens, as mentioned earlier, should be visible but of no great monetary value. The type of token envisaged is one of the following: mouse pad, coffee mug, paper weight, note paper pad, etc. These tokens would each bear a message relating to the topic covered in that particular education session. This would refer directly to the techniques “shaping” and “instrumental learning” highlighted earlier.

Each of the education sessions should cover more topics than actually required. This would make it possible for the presenter to make use of the “reciprocity” technique by getting a commitment from the participants to implement all the techniques covered, and then reducing it at the end. This would give the participants the impression that the presenter had given them something, which would then make them more determined to carry out the other tasks that they had to.

It is also of crucial importance that the presenter of these sessions be an expert in information security as well as being well presented. This is crucial since, if a person is not convinced after all the efforts of the presenter, they very often resort to heuristic judgement, whereby they use a “rule of thumb” to decide whether or not to accept the presenter’s arguments. These could come down to whether they see the presenter as an expert, or whether they like them or the way they are dressed. Heuristic decision making may sound unlikely, but it is something that should not be taken lightly.

This section has attempted to show the structure of the awareness program as well as where some of the psychological techniques could be implemented effectively. Some of the techniques highlighted earlier have not been included directly in the section on the awareness program. These are techniques which do not relate to a specific area of the program, but can be applied wherever the presenter deems relevant. It is merely necessary that they are made aware of them so that they can be applied in the right situation.

Conclusion
This article has highlighted the need for an effective information security awareness and training program within most organisations. In order to be more effective, these programs need to be tailored to address specific groupings of employees within the organisation, namely top management, IT personnel, and the end-user. Most programs in existence today focus almost entirely on the end-user.
The methods of presentation, however, result in them not being as effective as possible. The introduction of some of the techniques developed over many years of research in the social psychology field can have a significant impact in making this part of the program more effective. In conclusion, security awareness programs need to be implemented in organisations, those already in existence need to be expanded, and social psychological principles need to be introduced to improve the effectiveness of the program.

References
Baron, R.A. and Byrne, D. (1991), Social Psychology – Understanding Human Interaction, Allyn and Bacon, Boston, MA.
Greenberg, J. and Baron, R.A. (1993), Behavior in Organisations, Allyn and Bacon, Boston, MA.
Haber, A. and Runyon, R.P. (1986), Fundamentals of Psychology, 4th ed., Random House, New York, NY.
Kabay, M. (1994), “Psychological factors in the implementation of information security policy”, EDPACS, The EDP Audit, Control, and Security Newsletter, Vol. XXI No. 10, pp. 110.
Schaeffer, H. (1987), Data Center Operations, 2nd ed., Prentice-Hall, Englewood Cliffs, NJ.
Shelley, G.B., Cashman, T.J., Waggoner, G.A. and Waggoner, W.C. (1992), Complete Computer Concepts, Boyd and Fraser, Danvers.
Zimbardo, P.G. and Leippe, M.R. (1991), The Psychology of Attitude Change and Social Influence, McGraw-Hill, New York, NY.