28 OCTOBER 2008
Strategy
Talking about a revolution
One of the most enduring threats to an organisation's security can be found in its unwitting employees. David Lacey looks at the ways we can instil new attitudes and minimise the risk posed by the human factor.
Last year, a small action by a junior HMRC employee triggered
a major crisis, prompting the resignation of its chief executive,
as well as a large drop in public confidence in government
custodianship. It astounded many that such a small, seemingly
innocent action could create so much outrage and impact.
That, however, is the nature of modern organisations. The
source of power, influence and control has shifted from the
bridge to the engine room. Flattened, networked enterprises
with large, centralised databases place enormous power in the
hands of employees.
The root cause of the HMRC incident has been well
established by numerous reviews; at the heart of the problem
is information security culture, or, rather, a lack of it. As the
recent Cabinet Office report on the incident states, we need a
culture that properly values, protects and uses data, both in the
planning and delivery of public services. The problem is not
new, though there is now a greater urgency to fix it.
The information security industry has consistently
underestimated the role and importance of people. With
hindsight, we should have learned this lesson from the breaking
of the Enigma cipher transmissions during the Second World
War. That system was considered unbreakable, but was
compromised by human operating errors.
Since the introduction of commercial computers, our
business information systems and data have been repeatedly
undermined by design flaws, weak passwords, lost media, social
engineering and numerous other bad practices. And these
risks are growing with the increasing richness, complexity and
networking of modern business systems.
People are the soft underbelly of information security.
They design, implement and operate our information systems.
They use, misuse and abuse them. They manage the physical
and logical access to our systems and data. They also create
mistakes, incidents and the weaknesses that enable criminals to
steal, corrupt and manipulate our intellectual assets.
A new awakening
People are finally waking up to the importance of the human
factor in information security. The subject is gaining ground
in research and academic circles, but out in the field, at the
sharp end of our business, it's a very different matter. Security
managers don't pay enough attention to the human factor. We
complain about the problem. But we don't invest sufficient time,
resource or money to fix it.
The question of what percentage of a security budget should
be allocated to education is often raised. The answer? Between
10 and 20%, which reflects both the minimum need for
education and the substantial return on investment that can be
achieved through a major reduction in security incidents.
There are very few companies that spend anywhere near that
amount, and most companies would not know where to start or
what to spend their money on. Human factors are simply too
vague and abstract for a technologist to get to grips with.
Staff don't read security policies and manuals; they don't
pay attention to lacklustre flyers designed by security staff with
no communications experience. To date, security policies have
served primarily as a tick-the-box compliance measure, rather
than a vehicle for inspiring real behaviour change.
The style of security education needed for today's socially
networked world is quite different from that of yesterday's
process driven world. We live and work in a Web 2.0 business
world, and that requires no less than the equivalent of a security
2.0 solution; security with a stronger focus on people and their
A new kind of security
The ISO 27001 standard was a major breakthrough in its day.
But it's a vehicle conceived more than fifteen years ago. It
epitomises information security management for a process-
driven business world. And that world is slowly dissolving. It's
time to work on a radical approach for a real-time generation
that operates in a nomadic, networked world.
New security is a paradigm shift from our traditional security
focus on processes and procedures. Risk management is no
longer the answer; it's no more than a measuring stick.
The new focus needs to be on people, relationships and
information flows. As Debi Ashenden, a senior fellow at the
UK Defence College of Management & Technology, put it a
few years ago: "The future of information security is pink and
fluffy." Security managers have to engage a lot more effectively
with management and staff in order to have any real impact on
their security behaviour. And it has to be a two-way emotional
communication, not a one-way broadcast of dogma.
A revolution in thinking
To support this new kind of security, we need a brand new
knowledge base of theories, techniques and methods, ones
that are very different from the deterministic methods we've
employed for risk management, security architecture and
vulnerability management. We need softer, smarter skills to
educate and change people. And that includes the security
The starting point is to appreciate how people think and
how modern networks work. Social networks are dissolving
traditional approaches to security. They cut through corporate
boundaries, including those between our business and personal
lifestyles. Networks provide the lever for promoting our
ideas, policies and initiatives. They are the new engine of the
information age, no less than the equivalent of the invention
of factories in the industrial age. Networks can help us to
build the new community solutions that we need to manage
the challenges of the future. We know that the future will be
a much more dangerous place than it is today. Knowledge
bases and information flows will be under greater threat from
sophisticated spies and fraudsters.
Meeting this challenge demands that we harness the
efforts of everyone in the corporation, including our customers
and business partners. We need their collective vision and
perception to understand the root causes of incidents and gain
visibility of events and their context.
We need better security and information systems that allow
a sensible margin of human error, to eliminate unnecessary
mistakes, accidents and breaches. But good security design can
only be achieved through closer engagement with our users. We
have to learn to appreciate their culture, requirements, likes,
dislikes and expectations. The difference between a design that
works and one that fails is often no more than a small detail or
Realistic risk management
And we need to improve the way we respond to risks, incidents
and crises, because we're entering a world of increasing
hazards, uncertainty and volatility. That means coming to
terms with our human limitations for managing them. Risks
are a peculiar blend of logic and gut feeling, with the latter
dominating the former. In theory, risk management is simple.
But in practice, we're all astoundingly bad at assessing and
managing risks. Our perception is shaped by our experience,
personal agenda and personal characteristics such as
personality, gender, age, culture and religion. Risks are more
emotional than scientific.
The current financial crisis also demonstrates very clearly
that even the most sophisticated risk management systems
cannot stop managers from gambling away the family silver.
Risk management is a decision-support tool, not a decision-
making process. It's a vast oversimplification of reality. Its
limitations need to be acknowledged.
It's important to accept that not everybody is honest. Many
people will cheat if they can avoid getting caught, especially if
everyone else seems to be doing it. But aiming to catch crooks
after the event is not the most sensible security strategy. It's
much better to design systems that are intrinsically secure. We
can vet staff, monitor their actions, and reduce incentives
for corruption. But people will always be easily seduced and
fooled. Besides, our identity management systems are far from
Changing security culture
Getting to grips with organisation culture is not easy, especially
if you're a part of it. An ou