Information Systems Security Planning. Dr. Gurpreet Dhillon, Virginia Commonwealth University


Page 1: Information Systems Security Planning Dr. Gurpreet Dhillon Virginia Commonwealth University

Information Systems Security Planning

Dr. Gurpreet Dhillon, Virginia Commonwealth University

Page 2

© G. Dhillon. All Rights Reserved

Security Plan, what is it?

In most companies there ain’t one.

Common problems:
• It’s someone else’s problem
• The “we told the developers” dilemma
• It’s a business issue. No, it’s an IT issue. No, the auditors are responsible.
• Emergence of developmental duality

Page 3

Why bother?

The PentaSafe survey, Security Awareness Index (SAI), reported that:
• One out of ten employees had never read any of their company's security policies
• A quarter had not read them in over two years
• 70 percent of companies admitted not tracking or following up cases where staff had not signed a statement to say they had read and understood the security policy

Page 4

Yes, there is a problem?

Yes, indeed. Gartner estimates that by 2006, one in five enterprises will experience a serious attack that results in a material loss for the company.

Gartner says: Executives must get employees on board and establish a corporate culture that endorses security… Culture is probably the single biggest influence in an enterprise… We need to start thinking about security as a business enabler.

Page 5

Single and Double Loops

[Diagram: two feedback loops. Single loop: Real World → Information Feedback → Decisions → Real World. Double loop: Information Feedback also revises Mental Models of the Real World, which shape Strategy, Structure and Decision Rules, which in turn drive Decisions.]

Page 6

Impediments

[Diagram: the same single- and double-loop structure (Real World, Information Feedback, Decisions, Mental Models of Real World, Strategy, Structure, Decision Rules), annotated with the compounding factors that impede learning.]

Compounding factors:
• Delays
• Conflicting untested attributions
• Imperfect, ambiguous information
• Implementation failure
• Erroneous assumptions

Page 7

Argument

IS security problems occur when an organization’s ‘espoused theory’ and its ‘theory-in-use’ (what it actually does) are contradictory.

Page 8

Our research project (2003 – 2008)

Phase 1: Identify the Espoused theories for IS Security

Phase 2: Identify the Theories-in-Use for IS Security

Phase 3: Comment on congruence

Page 9

Why are we doing this? The Iceberg

[Diagram: three levels, with leverage increasing from top to bottom]

EVENTS: React. Question asked: What happened?
PATTERNS: Anticipate, Forecast. Question asked: What’s been happening over time?
STRUCTURE: Understand, Improve. Question asked: Why is this happening? What are the root causes?
(Increased leverage as one moves from events to structure)

• Events: a snapshot, a picture of a single moment in time
• Patterns: trends or changes in events over time
• Structure: answers the question, “what are the underlying structures and root causes of these events and patterns?”

Page 10

Conceptual territory

IS Security is the protection of organizational data and information - technically, formally and informally

Page 11

[Diagram: the technical information system sits inside the formal information system, which sits inside the informal information system; each layer has its own security concerns.]

• Informal information system. Informal IS Security: Trustworthiness, Ethicality
• Formal information systems. Formal IS Security: Structures of Responsibility, Authority, Integrity of roles
• Technical information systems (Data Communication, Networking). Technical IS Security: Confidentiality, Integrity, Availability, Non-repudiation

Page 12

Phase 1 Overall Objective

To develop value-based objectives for IS security in organizations

Page 13

Value-focused thinking

Values are ‘principles used for evaluation’, which are essential to assess ‘actual or potential consequences of action or inaction’.

A value proposition focuses on benefits that end users anticipate receiving. The value of IS security is therefore the net benefit and cost associated with maintaining the security and integrity of the computer-based IS and the organization.

People choose among various alternatives since the consequences of alternatives may be different enough in terms of our values. Hence the relative desirability of a consequence is a concept based on values, and alternatives are a means to achieve the more fundamental values.

Page 14

Embedded value frames

[Diagram: overlapping and nested value frames, showing different alternatives to achieve the fundamental objective “Maximize IS security”.]

• Fundamental objective of improving data integrity
  E.g. information ownership; legal and procedural compliance; empowerment
• Fundamental objective of maximizing privacy
• Fundamental objective of maximizing awareness

Page 15

Procedure (framing)

1. Develop a list of user values
2. Structuring values: express each value in a common form
3. Organizing objectives

Page 16

Develop a list of values

Techniques used: wish list, posing alternatives, identifying problems and shortcomings, to name a few.

Values are latent, which makes them difficult to elicit directly; to overcome this, multiple probing techniques were used to identify the latent values.

Examples of probes:
• “If you did not have any constraints, what would your objectives be?”
• “What needs to be changed from the status quo?”
• “How do you evaluate whether IS security is being maintained?”
• “How do you tell if IS security is being compromised?”

Average duration of interview: 40 minutes.

Goal: to identify factors that influence individual and group behavior towards IS security and the values they hold with respect to managing IS security.

Page 17

Structuring values

Convert each value statement into an objective statement expressed in a common form.

An objective is constituted of the decision context, an object and a direction of preference.

In our study the “decision context” is adequate management of IS security, and values such as “personal integrity of employees is important” and “maximize employee integrity” become “emphasize importance of confidentiality”.

Page 18

Organizing objectives

• Categorize, using the “Why is this important?” test (WITI): 9 fundamental and 16 means objectives were identified
• Relate categories:
  – by establishing a Means-End Network
  – by establishing an Issue Hierarchy

Page 19

Page 20

Page 21

WITI Test

“Establish ownership of information”. This objective helps to “Ensure legal and procedural compliance”. This objective in turn is important to “Increase trust”. Increasing trust further helps “Maximize organizational integrity”.

When the application of the WITI test suggests that a given objective is important to achieve something more fundamental, such an objective is a means objective. However, when the response to the WITI test suggests that the objective is simply important in our decision context, it is a fundamental objective.
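The WITI rule above is a classification over a directed graph: each answer “A is important because it helps achieve B” is an edge from A to B, objectives with an outgoing edge are means objectives, and objectives with none are fundamental. The Python below, an added example rather than any code or tool from the study, builds that means-end network, classifies objectives, enumerates the WITI chains from a means objective down to the fundamental objectives it serves, and lists which means objectives give leverage on a given fundamental objective. It also rejects circular WITI answers, which would mean the chain never bottoms out. The first three links are the chain quoted on the slide; the two links touching “Maximize access control” and “Maximize data integrity” are assumptions added here for illustration, not findings of the study.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# WITI ("Why is this important?") links, each read as
# "<objective> is important because it helps achieve <more fundamental objective>".
# The first three links are the chain quoted on the slide; the last two are
# assumed links added here for illustration, not findings of the study.
WITI_LINKS: List[Tuple[str, str]] = [
    ("Establish ownership of information", "Ensure legal and procedural compliance"),
    ("Ensure legal and procedural compliance", "Increase trust"),
    ("Increase trust", "Maximize organizational integrity"),
    ("Maximize access control", "Maximize data integrity"),  # assumed link
    ("Increase trust", "Maximize data integrity"),           # assumed link
]


class MeansEndNetwork:
    """Directed graph of objectives; an edge A -> B is the WITI answer 'A matters because of B'."""

    def __init__(self, links: List[Tuple[str, str]]) -> None:
        self.succ: Dict[str, Set[str]] = defaultdict(set)  # A -> objectives that A serves
        self.pred: Dict[str, Set[str]] = defaultdict(set)  # B -> objectives that serve B
        self.nodes: Set[str] = set()
        for means, end in links:
            self.succ[means].add(end)
            self.pred[end].add(means)
            self.nodes.update((means, end))
        self._reject_cycles()

    def _reject_cycles(self) -> None:
        # "A matters because of B, B matters because of A" never reaches an objective
        # valued for its own sake, so the WITI answers are inconsistent; DFS colouring finds it.
        WHITE, GREY, BLACK = 0, 1, 2
        colour = {n: WHITE for n in self.nodes}

        def visit(node: str, path: List[str]) -> None:
            colour[node] = GREY
            path.append(node)
            for nxt in self.succ[node]:
                if colour[nxt] == GREY:
                    cycle = path[path.index(nxt):] + [nxt]
                    raise ValueError("WITI cycle: " + " -> ".join(cycle))
                if colour[nxt] == WHITE:
                    visit(nxt, path)
            path.pop()
            colour[node] = BLACK

        for n in self.nodes:
            if colour[n] == WHITE:
                visit(n, [])

    def classify(self, objective: str) -> str:
        """'means' if the objective serves a more fundamental one, otherwise 'fundamental'."""
        if objective not in self.nodes:
            raise KeyError(objective)
        return "means" if self.succ[objective] else "fundamental"

    def fundamental_objectives(self) -> List[str]:
        return sorted(n for n in self.nodes if self.classify(n) == "fundamental")

    def means_objectives(self) -> List[str]:
        return sorted(n for n in self.nodes if self.classify(n) == "means")

    def chains(self, start: str) -> List[List[str]]:
        """Every WITI chain from `start` down to a fundamental objective."""
        if self.classify(start) == "fundamental":
            return [[start]]
        return [[start] + tail for nxt in sorted(self.succ[start]) for tail in self.chains(nxt)]

    def supporting_means(self, fundamental: str) -> List[str]:
        """All means objectives that directly or indirectly serve `fundamental`: the leverage points."""
        seen: Set[str] = set()
        stack = list(self.pred[fundamental])
        while stack:
            m = stack.pop()
            if m not in seen:
                seen.add(m)
                stack.extend(self.pred[m])
        return sorted(seen)


if __name__ == "__main__":
    net = MeansEndNetwork(WITI_LINKS)
    print("Fundamental:", net.fundamental_objectives())
    print("Means:", net.means_objectives())
    for chain in net.chains("Establish ownership of information"):
        print(" -> ".join(chain))
    print("Leverage on data integrity:", net.supporting_means("Maximize data integrity"))
```

With the study's full set of 25 objectives, the same `supporting_means` call answers the planning question the iceberg slide raises: which means objectives, if acted on, reach a given fundamental objective through the network.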

Page 22

Summary

Interview goal: to identify factors that influence individual and group behavior towards IS security and the values they hold with respect to managing IS security.

Part 1: 73 interviews of 40 minutes each
• 312 values identified, consolidated into 246 values
• 246 values resulted in 83 objectives (there is a many-to-one relationship between values and objectives)

Part 2: 30 interviews of 40 minutes each
• 120 values identified, consolidated into 76 values
• 42 values were repeats from part 1, hence only 27 additional values were added
• 27 values resulted in 4 new objectives and in modification of another 4

Synthesis of parts 1 and 2: in all, 273 values resulted in 87 objectives.

Categorize: 87 objectives organized into 25 clusters. Using the “Why is this important?” test (WITI), 9 fundamental and 16 means objectives were identified.

Page 23

The 25 objectives

Means Objectives
• Improve authority structures
• Increase communication
• Promote responsibility and accountability
• Establish ownership of information
• Increase trust
• Understand work situation
• Optimize work allocation practices
• Maximize access control
• Ensure empowerment
• Maximize fulfillment of personal needs
• Enhance understanding of personal financial situation
• Understand individual characteristics
• Ensure legal and procedural compliance
• Understand personal beliefs
• Maximize availability of information
• Ensure censure

Fundamental Objectives
• Maximize awareness
• Adequate human resource management practices
• Developing and sustaining an ethical environment
• Enhance integrity of business processes
• Enhanced management development practices
• Maximize data integrity
• Maximize organizational integrity
• Maximize privacy
• Promote individual work ethics

Page 24

Means objectives

Improve authority structures
• Clarify delegation of authority
• Minimize the need for one to gain control
• Link information access to an individual’s position

Increase communication
• Minimize curiosity by open communication
• Create open-door environment at all levels
• Stress IT department interactiveness
• Develop open communication with IT department
• Limit “arm’s length” management

Promote responsibility and accountability
• Clarify delegation of responsibilities
• Distribute workload evenly
• Maximize level of commitment to organization
• Create an environment that promotes accountability

Establish ownership of information
• Promote ownership in the organization
• Emphasize importance of confidentiality
• Decrease information sharing for shock value
• Emphasize the understanding of the value of information
• Create a contract of confidentiality

Increase trust
• Display employer trust in employees
• Develop environment that promotes a sense of responsibility
• Maximize loyalty

Understand work situation
• Minimize need to have leverage on others
• Minimize desire to seek revenge on others
• Minimize creation of disgruntled employees

Optimize work allocation practices
• Distribute workload evenly
• Distribute workload aggressively
• Do not allow for much unoccupied time
• Minimize temptation to use information for personal benefit
• Develop understanding of procedures

Maximize access control
• Create user passwords
• Provide several levels of user access
• Control accessibility to information

Ensure empowerment
• Promote empowerment in the organization

Maximize fulfillment of personal needs
• Appreciate personal needs for job enhancement
• Facilitate attainment of self-actualization needs

Enhance understanding of personal financial situation
• Understand the needs of different levels of financial status
• Eliminate motivation to share information with competitors
• Minimize the desire to steal from others

Understand individual characteristics
• Understand demographics with potential to subvert controls
• Interpret individual lifestyles

Ensure legal and procedural compliance
• Minimize the disregard for laws
• Decrease level of employer’s tolerance for information misuse
• Develop understanding of legalities
• Develop understanding of regulations/rules

Understand personal beliefs
• Understand effect of religious beliefs on security
• Celebrate and understand one’s upbringing
• Minimize the need for greed in the organization
• Create desire to not jeopardize company position

Maximize availability of information
• Ensure adequate procedures for availability of information

Ensure censure
• Introduce a fear of being exposed or ridiculed
• Instill a fear of consequences
• Instill a fear of losing your job
• Minimize the fear of information
• Minimize the fear of accessibility

Page 25

Fundamental objectives

Overall Objective: Maximize IS security

Maximize awareness
• Create an environment that promotes awareness
• Understand impact of varying education levels

Adequate human resource management practices
• Provide necessary job resources
• Create an environment that promotes contribution
• Encourage high levels of group morale
• Create sense of pride in organization
• Create an environment of employee motivation
• Create an organizational code of ethics

Developing and sustaining an ethical environment
• Develop an understood value system in the organization
• Develop co-worker and organizational relationships
• Instill value-based work ethics
• Instill professional work ethics
• Minimize temptation to use information for personal benefit

Enhance integrity of business processes
• Understand the expected use of all available information
• Develop understanding of procedures

Enhanced management development practices
• Develop a management team that leads by example
• Create growth opportunities within company
• Maximize individual comfort level with computers/software
• Minimize insecurity with computer systems
• Create legitimate possibilities for financial gain
• Provide employees with adequate IT training
• Maximize capability level of IT staff

Maximize data integrity
• Minimize unauthorized changes

Maximize organizational integrity
• Create an environment of managerial support
• Create environment of positive management interaction
• Promote positive self-image among employees
• Create an environment that promotes respect
• Create an environment that promotes reliability
• Create environment of positive peer interaction
• Develop an environment that promotes a sense of responsibility

Maximize privacy
• Emphasize importance of privacy
• Decrease information sharing for gossip purposes

Promote individual work ethics
• Create an environment that promotes customer loyalty
• Create an environment that promotes organizational loyalty
• Emphasize the importance of integrity
• Maximize employee integrity in the company
• Minimize temptation to steal information
• Minimize need for self-promotion
• Minimize urgency of personal gain
• Minimize desire to seek revenge on others
• Create a desire to not jeopardize the position of the company
• Minimize the desire to steal from others
• Create an environment that promotes company profitability
• Instill moral values
• Stress individuals treating others as they would like to be treated

Page 26

[Diagram: means-end network linking the means objectives (left) to the fundamental objectives (right) and the overall objective.]

Means Objectives: Personal financial situation; Censure; Empowerment; Legal & procedural compliance; Information ownership; Authority structures; Trust; Communication; Access control; Information availability; Personal needs fulfillment; Work allocation practices; Responsibility & accountability; Individual characteristics; Personal beliefs; Work situation

Fundamental Objectives: Maximize awareness; Human resource practices; Ethical environment; Integral business processes; Management development practices; Data integrity; Organizational integrity; Privacy; Individual ethics

Overall objective: Maximize IS Security

Page 27

Making Sense

[Diagram: a grid of end-user security behaviours. Horizontal axis, Intentions: Benevolent … Malicious, with the middle column labelled Unintentional (In)security. Vertical axis, Expertise: Expert (top) … Novice (bottom).]

Expert: Aware Assurance | Dangerous Tinkering | Intentional Destruction
Novice: Basic Hygiene | Naïve Mistakes | Detrimental Vexation

Page 28

Cornerstone of good planning

Cooperation. Managers can use a variety of carrots and sticks to encourage people to work together for a common purpose. Their ability to get results depends on selecting objectives and tools that match the circumstances they face.

Page 29

Security agreement matrix

[Diagram: a 2×2 matrix. Rows: extent to which people know what they want (Broad Consensus at the top, No Consensus at the bottom). Columns: extent to which people agree on cause and effect (No Consensus on the left, Broad Consensus on the right).]

Broad consensus on what they want: Hope of what they will gain | Maintain status quo
No consensus on what they want: Disagreement on everything | Willing to follow prescribed procedures

Page 30

Cooperation tools

[Diagram: the same 2×2 matrix as the security agreement matrix (rows: extent to which people know what they want; columns: extent to which people agree on cause and effect), with each quadrant naming a family of tools.]

Leadership tools (broad consensus on what people want, no consensus on cause and effect): Charisma; Salesmanship; Role Modeling; Vision

Culture tools (broad consensus on both): Folklore; Rituals; Tradition; Religion; Democracy

Power tools (no consensus on either): Coercion; Fiat (sanction); Threats; Role Definition; Negotiation

Management tools (no consensus on what people want, broad consensus on cause and effect): Measurement System; St. Op. Procedures; Training; Apprenticeship; Strategic Planning; Financial Initiatives; Transfer Pricing; Control Systems; Hiring & Promotion

Page 31

Challenge

One of the rarest managerial skills is the ability to understand which tools will work in a given situation.

Although training and making users aware is an important planning issue, it is even more important to build competencies for managing security.