The Human Side of Information Security

Published in ESTIEM · 5 min read · Oct 9, 2019

Written by Sebastian Hummel

Secure data practices may, from the outset, seem to require only complex technical skills; after all, it makes sense to protect ones and zeros with more ones and zeros, right? It is easy to forget that the people using, sharing and protecting information are not programmable, and it is exactly here that the biggest challenge in information security lies. [1] refers to this as the internal security threat, defined as “a threat area encompassing a broad range of events, incidents and attacks all connected by being caused not by external people who have no right to be using the corporate IT facilities but by the company’s own staff, its authorised IT users.” In the healthcare sector, for example, it has been found [2] that “the vast majority of data breaches affecting individuals appear to be the result of theft and loss, not hacking or IT incidents”, again indicating that IT-related factors are not the only, and may not even be the biggest, threat when it comes to your data.

Hackers figured this out long ago, employing tactics that can literally be as simple as pretending to work at a company and asking employees for their security information. This implies that significant resources have to be budgeted for creating employee compliance with, and understanding of, a company’s IT policy, covering all aspects of the business. Unfortunately, companies tend to be reluctant to do so. As an example: in 2017, national data security spending in the Netherlands was about 0.1% of GDP, whereas cybercrime caused damage worth around 1.5% of GDP, a significant difference to say the least.

Role of the employee

Let us then consider what would be wise to spend our money on. According to [3], “The consciousness aspect of users’ behaviour plays a vital role, while the reasons for many information security breaches are related to users’ ignorance, negligence, lack of awareness, mischievousness, apathy, and resistance.” Already a few themes emerge: problems will usually be caused either by an employee’s lack of interest in data security, lack of awareness of it, or lack of goodwill towards the company. Of these, the easiest to tackle is the lack of awareness. Research has shown the dramatic effect of increasing employee awareness on their attitude towards digital security [3]. To get an even better effect, one must go a step further, as is shown by [4], who were able to show that “local employee participation, collective reflection and group processes produce changes in short-term information security awareness and behaviour.” So, while it is understandable that managers might be wary of spending many office hours on this seemingly trivial topic, research shows that it can yield significant effects, while statistics on data breaches show us that this can save significant costs.

Role of the manager

This brings us to another issue in data security, namely the level of involvement of higher management. [5] lists the ten deadly sins of information security, identifying “not realising that information security is a corporate governance responsibility” as the number one deadly sin. According to a literature review [6], “information security issues should be considered as a responsibility of management, as it has an impact on the market position of a firm”. This makes sense from a business perspective, but also from a practical point of view, since policy and compliance with it are a top-down process in any company. This has recently been well established in the academic community, but it is often not how cyber security is enforced in practice, causing many mishaps.

Role of the Customer

We have argued for a human side in IT security through employees and managers, but what about consumers? Akamai, a company that specialises in digital security, provides us with interesting data on how consumers respond to their data being stolen, and how they hold the party at fault accountable. Their data suggest that, with proper management, the negative effects of a breach may be contained, “as long as companies demonstrate good faith” [7]. In this survey (shown in the figure), only seven percent of respondents gave a definite “no” when asked if they could forgive a company that lost their personal data, with almost half of respondents indicating that they could forgive said company.

While this research has its limitations (a small sample size and demographic sampling errors, for example), it still provides an argument for preparing your marketing department for faults in information security, as their effects can clearly be controlled to a large degree.

When we realise that information security depends heavily on employees, managers and consumers, it becomes obvious that proper management, and bridging the gap between IT and people, is crucial and plays a vital role in the success of a company’s strategy.

Role of the Industrial Engineer

As industrial engineers, many of us might think that we are not educated to work in cyber security; we are not programmers. However, this does not exclude us from being involved in IT security management, as a good understanding of business practices and human nature is crucial in creating a secure data environment. Information security may well be one of the best examples of where industrial engineers can be of most value to a company, especially because it requires both technical and personal skills, which is exactly where IEMers shine.

References

[1] Leach, J. (2003). Improving user security behaviour. Computers & Security, 22(8), 685–692.

[2] Wikina, S. B. (2014). What caused the breach? An examination of use of information technology and health data breaches. Perspectives in Health Information Management, 11(Fall).

[3] Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T. (2015). Information security conscious care behaviour formation in organizations. Computers & Security, 53, 65–78.

[4] Albrechtsen, E., & Hovden, J. (2010). Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Computers & Security, 29(4), 432–445.

[5] Von Solms, B., & Von Solms, R. (2004). The 10 deadly sins of information security management. Computers & Security, 23(5), 371–376.

[6] Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215–225.

[7] Akamai. Consumer attitudes toward data privacy. https://www.akamai.com/us/en/multimedia/documents/report/akamai-research-consumer-attitudes-toward-data-privacy.pdf
