Revista LAN & WAN - Computer networks, networking and telecommunications, LAN, WAN. Information security, auditing and certification. Courses and seminars, consulting.

IT Information Security vs. Information Security? 1
© Ing. Carlos Ormella Meyer

The diversity of security environments, which have accumulated experience especially since the beginning of the last decade, reveals differing and partly contrasting views on matters of great importance for a company.

IT Information Security
One of the most significant points is that most "security experts" base their knowledge and expertise only on the traditional technical aspect of security, i.e. they focus on the IT area, although some of them also consider issues arising from the "new" communications aspect, so that it is usual today to talk about ICT.

But beyond the essentially technical approach, these specialists generally deal only with vulnerabilities and with threats in the form of attacks, which is not enough to talk about the risks involved.

For a risk analysis or even a risk assessment (RA), even one restricted to technical matters, asset valuations and an identification of the threats that take advantage of and exploit asset vulnerabilities are also needed. Only then can risks be determined from the three factors (assets, vulnerabilities and threats), each measured on an appropriate range of levels (typically 3 for vulnerabilities, 3 to 5 for threats, and 5 to 8 or even more for assets) in a qualitative approach.

Then, when deciding what to do with the risks, in most cases they have to be mitigated to an acceptable level, for which certain security measures have to be implemented.

The most efficient approach for risks with technical features is to perform a gap analysis against technical standards to determine which controls, and at what level, should be implemented to reduce risks to an acceptable level. The NIST 800 series, or a standard with a wider corporate approach such as ISO 27002 (formerly ISO 17799), can help with this.

Up to this point we can talk about issues closer to something like "computer / network / communication security" or simply "IT information security".

Information Security
There has lately been a change with respect to the information security concept. In spite of this, many specialists still keep to the purely technical approach discussed above.

In reality, information security is much more extensive than IT information security, since it is not simply a technical matter but a responsibility of the senior management and senior executives of an organization.

In this regard it should be noted that the ICT environment tends to be service-oriented and to play an enabling role for business processes. This is different from the central processes of an organization that constitute the core business of an enterprise.

In fact, without the active involvement of business units and leaders, executives, directors and steering-committee, there can be no sustainable information security plan to take care of risks identified. And all of this within the guidance and control system of an appropriate corporate governance, as is defined by the OECD (Organization for Economic Cooperation and Development).

Now the matter also involves, among other things, considering people, processes and business functions, and the protection of all the assets / resources of an organization. This way the whole company is the promoter, owner and beneficiary of information security within a framework of shared responsibilities.

The last paragraph implies that the information security framework requires considering not only the technical risks of ICT, but also the security risks that are spread throughout the company, namely organizational, operational and physical risks.

Furthermore, operational risks, of particular importance for example in the context of the New Basel II Capital Accord for banks, are increasingly crucial in information security scenarios. And the vulnerabilities affecting these risks, as opposed to ICT vulnerabilities, which rather follow a black-and-white scheme, spread over a wide range of grey, closely related to human behavior and the subjective views of people, business culture, the way of communicating, resistance to change, etc.

The determination of organizational vulnerabilities follows a very different procedure from measurements or readings taken on computers, servers, routers, switches, etc. As often there is not sufficient historical data available, an accurate analysis becomes impossible. Therefore the analysis is supplemented with subjective information arising out of opinions (usually from experts, or at least from specific personnel with knowledge of the area being analyzed). These opinions can be identified and analyzed by using a prospective research method such as Delphi, followed by personal interviews to weigh the value of the opinions.

Moreover, the asset assessment is in most cases not within the reach of technicians. The value or level of an asset is a business value, for the company's business. This indicates that business process owners are the ones who can establish the proper values, from which we can derive the values of the assets / resources that support the various functions that make up each process.

At this point we have to determine how to reduce risks to acceptable levels. The appropriate way to do this is the implementation of the ISO 27002 standard (which covers all aspects, i.e. organizational, operational, technical or ICT, and physical), selecting for such risks the standard controls necessary for risk reduction. These controls are implemented in conformance with ISO 27001 to set up an ISMS, i.e. an Information Security Management System. An ISMS, in addition to being certifiable, keeps alignment and harmonization with other management systems such as those for Quality and Environment, among others.

Information Security and IT Information Security
The extension of the usual concept of IT information security to information security involves a shift to a broader framework of business risk compared to the traditional view of technical security, based mainly on vulnerabilities. According to the aspects previously discussed, such an extension occurs in two ways.

On one hand, in the information security context the business risks include not only some aspects of vulnerabilities and threats, but all the factors that determine these risks: assets, vulnerabilities and threats.

Moreover, business risks to be considered include organizational, operational, physical and ICT risks.

An illustrative view of these concepts can be viewed in the accompanying figure.

In this scenario, especially in relation to organizational and operational risk, there is a factor generally neglected and even unknown in the implementation of security measures. It is the people factor [1], because such measures require changes in behavior and attitudes that may conflict with most people's patterns, owing to their natural resistance to change and the defense mechanisms that are triggered.

Change management at the individual, group and organizational level, including social networks and internal corporate culture, confronts us with challenges that are not at all technical in nature. We need to build effective participation and commitment to succeed in implementing security measures. This implies that we must communicate to supervisors the knowledge and the appropriate behavior, as well as facilitate the development of resilience, and then that this approach be transferred in a similar manner to their staff.

Finally, it also emerges that a comprehensive approach to information security starts by considering that the resources necessary to mitigate risks, within a security plan, are not a cost but an investment. As such, it requires the analysis and quantifiable determination of the return on investment in security, particularly through the determination of ROSI (Return On Security Investment) as an extension of the well-known financial concept of ROI (Return on Investment).

[1] The People Factor and Information Security, Carlos Ormella Meyer.

1 The original article in Spanish is based on the conceptual differences arising in practice between two different but correct translations of "information security". Either way, papers originally written in English show that many authors speak of information security as if it were exclusive to the IT area. Others, however, recognize the difference in scope between information security and IT information security.

Copyright © 2011. Carlos Ormella Meyer.

Impact Analysis or Risk Assessment?
© Ing. Carlos Ormella Meyer

Sometimes a dilemma has been raised about which mechanism is best or most appropriate to initiate an information security plan. In this sense BIA (Business Impact Analysis) and RA (Risk Assessment) are compared.

The truth is that the words behind both acronyms show that BIA and RA are distinct things, so that they cannot be compared directly.

BIA, Business Impact Analysis
The business impact analysis is a key step in the process of a BCP (Business Continuity Plan) as part of a BCM (Business Continuity Management).

This is because BIA is primarily related to undesirable events causing an interruption or degradation in a company's operations, i.e. affecting the availability of the critical resources that keep business processes operating properly. Even in this context, the causes and / or likelihood of such events are not needed to determine the impact of a failure in such processes.

The BIA definition refers to impacts, a concept used for the determination of risk focused on incidents, even measured quantitatively as ALE (Annual Loss Expectancy). Either way, the impact is one of two risk factors, the other being the annual frequency of occurrence of undesirable events; together they determine the loss expectation over one year.

Moreover, BIA allows assessing the impact over time of a business process that is not available or performs below expectations, and prioritizing the functions of the process that relate to other processes.

BIA allows identifying the timescale and extent of the impact of a disruption in the critical operations of an organization, providing the data to determine strategies to deal with it. In this way it is closely related to availability. Timescales are related to indicators like RTO, RPO and MTPD. These indicators establish the critical, "in-the-past" recovery, and "fatal" windows respectively. In all cases, process components, i.e. the business functions and resources / assets that support each business process, inherit the corresponding timescales.

RA, Risk Assessment
On the other hand, risk assessment refers to risks as an entity, i.e. those resulting from the various factors involved: impact and annual probability of occurrence when working with ALE or a similar approach, or assets, vulnerabilities and threats for the determination of risk focused on assets.

Moreover, RA is the appropriate mechanism to determine how to mitigate the impact of these events, whether they have occurred or are merely expected to occur, by working on the risk factors through security safeguards or countermeasures.

RA and BIA
From the foregoing arguments it could be said that RA is more complete than BIA, but RA actually does not include all the BIA features, such as the time parameters mentioned.

In fact, the two mechanisms compared arise from different methodologies, but in any case with some aspects in common. These methodologies are the BCP/BCM and the ISMS (Information Security Management System) as established by ISO 27002 and ISO 27001 information security standards.

In a BCP/BCM project, RA comes after the BIA. A Business Impact Analysis should be completed before performing Risk Assessment in order to first identify the critical functions upon which the risk assessment must focus on.

As a result, this form of RA only relates to processes critical to business continuity identified by the BIA, under the approach of the availability needed to ensure business continuity.

Moreover, in any case we can say that the criticality / importance rating of processes established by the BIA can be used in the RA, so that, for processes with the same level of risk, treatment should be more immediate for processes with a higher criticality rating and less immediate for the rest.

But things are not so simple in some situations. One situation in which we have worked occurs when companies had already implemented a BCP and were then planning to establish a security plan under an ISMS.

Indeed, risk assessment involves the valuation of all the risks (not just the critical ones), ICT as well as organizational, operational and physical risks, in the context of the value of the organization's assets. In this sense, valuing risks in a comprehensive manner requires identifying the vulnerabilities of the organization's assets that the threats could exploit.

In addition, RA does not refer only to the availability aspect of BIA, but also to other factors affecting information security, such as confidentiality and integrity, plus accountability, authenticity and reliability. As we can see, the RA in an ISMS scenario is broader than in the case of a BCP, so if there is a BCP / BCM prior to implementing the ISO 27001 ISMS, the RA should be expanded accordingly.

The situation is different when there is no BCP / BCM implementation prior to implementing the ISMS. In this situation the RA is performed before the BIA, which is obtained by applying ISO 27002 Chapter 14, Business Continuity Management. We then find that this form of RA is sufficiently broad to allow extracting a subset of the RA in order to treat the Business Continuity portion of an information security project.

Copyright ©2011. Carlos Ormella Meyer.

© Ing. Carlos Ormella Meyer

There are two issues in information security which, despite their limited dissemination, span all areas of corporate data protection and acquire a significance that must be considered.

One such issue is the rationale for investment in security. The other is how to measure the performance of security measures and, from there, how to manage them in the search for better results.

The first issue was analyzed several years ago, giving rise to ROSI (see the ROSI box) as an application in information security of the financial indicator ROI, i.e. the Return on Investment.


The Return On Security Investment works with the ALE mechanism, i.e. the Annualized Loss Expectancy, based on the impact of each security incident and its likelihood of occurrence over a year.

This mechanism works well when you have enough historical data on such incidents. Otherwise you may resort to data from external sources, but generally they are not complete and may refer to different business environments.

It is also not certain that an incident that happened before will repeat in the same way, as there are incidents whose occurrence declines through the action of safeguards or through changes in the threats themselves, as well as new incidents that had not appeared before.

In this uncertain scenario you can use a Bayesian approach that combines historical data with qualitative data from the opinions of the key staff involved. Or, better yet, you can apply Monte Carlo simulation based on appropriate statistical distributions. This way results are bounded, so that they, and the corresponding investments, become more acceptable to administrative managers and other executives who may know ROI applications from their own activities.
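An added example (not from the original article) of the two modes the ROSI box describes: the point estimate from ALE figures, and the Monte Carlo variant that replaces each uncertain input with a distribution elicited from staff opinions. It assumes the usual definitions ALE = impact x annual frequency and ROSI = (ALE reduction - safeguard cost) / safeguard cost; all figures and distributions are constructed sample values.

```python
import random
import statistics


def ale(impact: float, annual_frequency: float) -> float:
    """Annualized Loss Expectancy: impact of one incident times incidents per year."""
    return impact * annual_frequency


def rosi(ale_before: float, ale_after: float, safeguard_cost: float) -> float:
    """Return On Security Investment (assumed common definition):
    ALE reduction minus the annual safeguard cost, as a ratio of that cost."""
    if safeguard_cost <= 0:
        raise ValueError("safeguard cost must be positive")
    return (ale_before - ale_after - safeguard_cost) / safeguard_cost


def point_estimate() -> float:
    """ROSI from single 'best guess' inputs, as used when historical data exist.
    Constructed scenario: 12 incidents/year at 5,000 each; a 20,000/year
    safeguard is expected to cut the frequency by 60 %."""
    before = ale(impact=5_000, annual_frequency=12)
    after = ale(impact=5_000, annual_frequency=12 * (1 - 0.60))
    return rosi(before, after, safeguard_cost=20_000)  # 0.8, i.e. 80 %


def monte_carlo_rosi(runs: int = 10_000, seed: int = 1) -> dict:
    """Same scenario, but each input is a triangular (low, high, mode)
    distribution elicited from key staff instead of a single number.
    Returns percentiles of the simulated ROSI and the share of runs in
    which the investment pays for itself."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    samples = []
    for _ in range(runs):
        impact = rng.triangular(2_000, 12_000, 5_000)
        frequency = rng.triangular(6, 20, 12)
        reduction = rng.triangular(0.30, 0.80, 0.60)
        cost = rng.triangular(15_000, 30_000, 20_000)
        before = ale(impact, frequency)
        after = ale(impact, frequency * (1 - reduction))
        samples.append(rosi(before, after, cost))
    # 19 cut points at 5 % steps: index 0 = p5, 9 = p50, 18 = p95
    q = statistics.quantiles(samples, n=20)
    return {
        "p5": q[0],
        "p50": q[9],
        "p95": q[18],
        "prob_positive": sum(s > 0 for s in samples) / runs,
    }


if __name__ == "__main__":
    print(f"point estimate ROSI: {point_estimate():.2f}")
    mc = monte_carlo_rosi()
    print("Monte Carlo ROSI p5/p50/p95: "
          f"{mc['p5']:.2f} / {mc['p50']:.2f} / {mc['p95']:.2f}")
    print(f"probability ROSI > 0: {mc['prob_positive']:.1%}")
```

The p5/p95 band is the bounded result the text refers to: it is what an executive can compare with the ROI ranges of other investments.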

Until recently the second question posed above was more difficult to deal with. For several years the NIST metrics [1], although with a greater focus on the technical side, have been the most complete information available. We have been working by mapping NIST controls to ISO 27002 controls [2] in order to determine appropriate metrics, plus some other metrics derived from an analysis of the ISO 27002 controls applying GQM (Goal Question Metric).

Additionally, the effectiveness of awareness plans concerning the policies worked on needs to be checked. Compliance with such policies by individuals can be verified against different criteria.

As you may have a number of policies with different importance or priority (such that the sum of these priorities is equal to one), the situation can be analyzed using the Value Function, the main method of MCDA (Multiple Criteria Decision Analysis). The criteria against which policies are considered also have some relative importance or priority among them, so the corresponding Value Function can be applied to them as well.

Let us see the analysis of different policies for compliance with each of the criteria by applying the Value Function.

First, the Value Function of any policy with respect to a certain criterion is given by the verified compliance level of the policy against that criterion multiplied by the importance / priority factor or Relative Weight (0 to 1) of the same criterion.

In turn, the particular Value Function of a certain policy with respect to all criteria is the sum of the results for each criterion obtained by multiplying the Compliance Level of that policy in respect of a particular criterion and the Relative Weight of the same criterion.

Finally, the total Value Function of all policies reviewed will be equal to the sum of the particular Value Function of each policy multiplied by the Relative Weight (0 to 1) of the policy considered in each case.

A similar analysis can be done with the different criteria simply by swapping "policy/policies" with "criterion/criteria" and vice versa on the concepts of the four above paragraphs.

To carry out the process mentioned above it is required to establish the policies, the criteria used to analyze each policy's performance, and the relative weights of each policy and each criterion.

First, policies respond to the issues addressed in the awareness plan, such as the attention level to policies, handling and management of passwords, use of mobile equipment, handling paper documents, email use and care, response to incidents, etc.

Now, to establish the compliance level of these policies you can use techniques from Social Psychology such as closed questionnaires with two or three possible answers, focusing separately on the criteria contributing to such compliance, for example the knowledge, attitude and behavior [3] of employees.

And finally, the relative weights of each policy and each criterion can be established through the application of AHP (Analytic Hierarchy Process), including pair-wise comparisons.
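An added example (not the author's own tool) that carries the procedure just described through in code: AHP pair-wise comparisons yield the relative weights of the criteria and of the policies, and the Value Functions defined in the paragraphs above are then computed from questionnaire compliance levels. The row-geometric-mean approximation of the AHP priority vector and the consistency ratio check are standard AHP practice assumed here, not from the article; the policies, criteria, compliance levels and judgements are constructed sample data.

```python
import math

CRITERIA = ["knowledge", "attitude", "behavior"]
POLICIES = ["passwords", "clean desk", "email use"]

# Constructed compliance levels (fraction 0..1) of each policy against each
# criterion, as would come out of the closed questionnaires.
COMPLIANCE = {
    "passwords":  {"knowledge": 0.9, "attitude": 0.7, "behavior": 0.5},
    "clean desk": {"knowledge": 0.8, "attitude": 0.6, "behavior": 0.4},
    "email use":  {"knowledge": 0.7, "attitude": 0.8, "behavior": 0.6},
}

# Constructed pair-wise judgements on Saaty's 1..9 scale: (a, b): v means
# "a is v times as important as b"; the reciprocal is filled in automatically.
CRITERION_JUDGEMENTS = {("behavior", "knowledge"): 5, ("behavior", "attitude"): 3,
                        ("attitude", "knowledge"): 2}
POLICY_JUDGEMENTS = {("passwords", "clean desk"): 3, ("passwords", "email use"): 2,
                     ("email use", "clean desk"): 2}

# Saaty's random index for the consistency ratio (n up to 5 is enough here)
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}


def ahp_weights(labels, judgements):
    """Relative weights (summing to 1) from a pair-wise comparison matrix.
    The priority vector is approximated by the normalised row geometric
    mean; the consistency ratio CR (< 0.10 is acceptable) is returned too."""
    n = len(labels)
    m = [[1.0] * n for _ in range(n)]
    for (a, b), v in judgements.items():
        i, j = labels.index(a), labels.index(b)
        m[i][j], m[j][i] = float(v), 1.0 / v
    geo = [math.prod(row) ** (1.0 / n) for row in m]
    weights = [g / sum(geo) for g in geo]
    # lambda_max estimate: average of (A w)_i / w_i
    aw = [sum(m[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0
    return dict(zip(labels, weights)), cr


def policy_value(policy, criterion_weights):
    """Particular Value Function of one policy over all criteria."""
    return sum(COMPLIANCE[policy][c] * criterion_weights[c] for c in CRITERIA)


def total_value(policy_weights, criterion_weights):
    """Total Value Function of all policies reviewed."""
    return sum(policy_value(p, criterion_weights) * policy_weights[p]
               for p in POLICIES)


def criterion_value(criterion, policy_weights):
    """The swapped analysis: Value Function of one criterion across all policies."""
    return sum(COMPLIANCE[p][criterion] * policy_weights[p] for p in POLICIES)


def analyse():
    """Full run: AHP weights first, then the Value Functions from the text."""
    cw, cr_c = ahp_weights(CRITERIA, CRITERION_JUDGEMENTS)
    pw, cr_p = ahp_weights(POLICIES, POLICY_JUDGEMENTS)
    return {
        "criterion_weights": cw, "criterion_cr": cr_c,
        "policy_weights": pw, "policy_cr": cr_p,
        "policy_values": {p: policy_value(p, cw) for p in POLICIES},
        "criterion_values": {c: criterion_value(c, pw) for c in CRITERIA},
        "total": total_value(pw, cw),
    }


if __name__ == "__main__":
    for key, val in analyse().items():
        print(f"{key}: {val}")
```

A CR above 0.10 means the pair-wise judgements contradict each other and should be revisited before the weights are used.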

Beyond all the control and awareness metrics mentioned above, the regulatory landscape was expanded with the appearance in December 2009 of ISO 27004, Security Metrics. This standard establishes a framework for measuring the efficiency of the ISMS and the effectiveness of the security controls implemented under ISO 27001, as well as a measurement model covering what to measure and how, so that appropriate results are provided to analyze and improve the treatment of risks.

However, no good mechanism has arisen so far to serve as a means of effective control and management of the security measures implemented, and even to facilitate decision-making for appropriate improvements. In this case, as with ROSI, a tool from another business discipline could be of help.

This is the Balanced Scorecard (BSC) which, although introduced almost 20 years ago as a tool to measure the performance of processes, has its main application today in the implementation of a company's strategic objectives.

The latter point is important for security because it allows direct communication with the business areas of the company, with benefits that will emerge in what follows.

To apply the BSC to information security some basic concepts at the enterprise level should be clarified. They are mainly the Mission, Vision, Strategy, Strategic Objectives and Assets.

Briefly but concretely these concepts mean:
• The Mission focuses on the present of a company.
• The Vision expresses what the company aspires to be in the future, the overall goals to be achieved.
• The Strategy consists in establishing strategic objectives to be achieved from the conditions defined in the Mission, making real the goals expressed in the Vision.
• Assets are the property available to a company. There are two types of assets: Financial and Intangible.
a) Financial Assets are the only ones that have traditionally been considered, because they express the physical and accounting values available to a company.
b) Intangible Assets, a modern paradigm, include knowledge, information, corporate culture, leadership, and other assets of the kind.

The BSC incorporates Intangible Assets besides Financial Assets, thereby gaining much more emphasis thanks to its comprehensive approach to an organization's issues. On these bases the BSC translates the Strategy into action and monitors its completion, facilitating decision-making to meet the goals and objectives.

The BSC approach is based on four perspectives: Financial, Customer, Internal Processes and Learning and Growth. The latter is often also referred to as Research and Development.

In a few words such perspectives can be described as follows:
• Financial: Partner view.
• Customers: Customer viewpoint.
• Internal Processes: What is related to the management of overall operations.
• Learning and Growth: It defines how the company learns to grow and to support the strategy through its processes, and to deliver the appropriate response to customers.

The BSC has two parts: the Strategy Map and the Dashboard, both applying to the four perspectives.

The Strategy Map (Figure 1) is a graphic image that represents the assumptions on which the strategy is based. It arises from the Strategic Objectives identified in the Strategy and from the four perspectives from which the business is viewed.

The result is a dependency between objectives expressed by a chain of cause-effect relationships between them in both the same and different perspectives.

These relationships are important because, from the results obtained later in the Dashboard, changes or improvements in one or more objectives may be needed, which involves making decisions regarding the objectives on which they depend.

For its part, the Dashboard is built with four elements (Figure 2): Objectives, Indicators, Targets and Initiatives.

These four elements apply to each perspective and can be described briefly as follows:
• Objectives: What we want to achieve. From 3 to 5 objectives are usually suggested for each perspective.
• Indicators: Parameters for monitoring progress towards achieving each objective. There are usually between 1 and 5 for each objective. It is convenient to differentiate the concepts of indicators, metrics and measures: measures are the measurements taken, metrics are relationships between measures, and indicators are evaluations of metrics.
• Targets or highlights: What you want to attain over time, as measured by the indicators.
• Initiatives: Action plans or programs to achieve the objectives and the corresponding targets.

Up to this point the analysis refers to purely strategic issues in a company. But the strategies established always lead to operational processes, so Strategic Objectives determine Operational Objectives that apply to different areas and / or functions of an organization.

In our case, these Strategic Objectives give rise to Operational Objectives related to information security. Each operational objective of this type leads, as before, to Indicators to verify compliance, Targets to meet and Initiatives to take in order to achieve such compliance.

This process of "mapping" strategic business objectives onto security objectives is very important because in this way security metrics are put into a context that is understandable and meaningful for executives and managers, as a result of quantifying the ISMS efficiency in its outreach to enterprise-wide activities, as in fact ISO 27004 calls for.

In this way the BSC concretely allows a dialogue with executives on the basis of the security aspects that are relevant to senior management, making it easier to break the false paradigm that security is a technical problem, i.e. an IT area concern [4], so common in many areas of a company, even at middle and upper management levels.

Moreover, under these conditions the BSC plays a strategic role in relation to information security. Indeed, by creating value within the development of the business, the BSC acts as a bridge between the business and information security areas.

Now, a question that arises is how to define Indicators and Initiatives for Operational Security Objectives. Well, Security Objectives can in practice be nothing less than the Control Objectives of ISO 27001/27002. And, similarly, Security Initiatives can be precisely the Controls from these standards.

This is not to say that it is an unavoidable condition that all Dashboard Objectives be security Control Objectives and / or all Dashboard Initiatives be security Controls. In fact, the Dashboard is not intended to be a complete picture of information security at the regulatory level, but rather to correlate the most critical aspects of security with the company's business processes.

In Figure 3 you can see a piece of a Dashboard prepared in Excel using its conditional formatting, which allows for an automatic traffic light with up to three levels (commercial products offer more options). For these levels you can use different criteria. In this example the thresholds were set as follows:
• Green: 75% or more.
• Yellow: From 45% to less than 75%.
• Red: Less than 45%.

As an example let us consider the case of the Objective "To ensure secure operation", for which losses due to vulnerabilities should be reduced by 30% as the target for 2010. However, measurements indicate they were reduced by only 8%, which implies a 27% achievement of the target. As a compliance level of 27% is below 45%, the cell color becomes red.

From the analysis of a dashboard the need will arise to make appropriate decisions in order to strengthen the Initiatives (controls) related to the targets in red and yellow, in that order of priority, or even to add new initiatives in order to meet the desired targets.

The data feeding values into a Dashboard can be obtained through the interfaces that commercial BSC products offer to other programs, or simply by entering the data by hand.

[1] NIST 800-55 - Performance Measurement Guide for Information Security.
[2] NIST 800-53 - Recommended Security Controls for Federal Information Systems.
[3] The People Factor and Information Security, Carlos Ormella Meyer.
[4] IT Information Security vs. Information Security? Ing. Carlos Ormella Meyer.

Copyright © 2011. Carlos Ormella Meyer.

© Ing. Carlos Ormella Meyer

Abstract - The importance of "information security" standards has been extended to the corporate level as a business component, beyond the concept of "IT security" limited to the technology area. Indeed, both the Principles of Corporate Governance and the Security Guidelines of the OECD (Organization for Economic Cooperation and Development) also lead us to consider organizational and operational risks. Here is where the "people factor", individuals and groups, comes in, often neglected and / or unknown, even by management, when implementing security measures. As these measures generally pose changes in behavior, they may conflict with people's patterns, because of their natural resistance to change and the defense mechanisms that are triggered. This tells us that we need not only awareness but appropriate behavior, all of which requires extensive discussion at all levels and the contribution of subjects such as Social Psychology.

Key words - belief, knowledge, attitude, behavior, communication, participation, commitment, responsibility, corporate culture, awareness, people, resistance to change, information security, IT security, security.

It is generally said that viruses and hackers are those who put information at risk. But often the opposite is true: the neglect and misuse by legitimate users cause far greater damage than those.

This is reflected in a corporate scenario when, in analyzing the organizational and operational risks [1], an issue arises that is generally neglected and sometimes even unknown, concerning people and groups; something we call the "people factor" 1.

For example, many of the mistakes and failures commonly found in security plans are due to some technical staff not having sufficient knowledge of non-technical risks, and hence neither of the questions and management of people's behavior, with all that this implies for the implementation of security measures.

Partly because of these reasons, it sometimes happens that a company has a thick manual of Information Security Policies, in some cases finely bound and bearing the stamp of major consulting firms, but ... that very few people have read, and even fewer have put into practice!

This type of experience, our own and that of third parties, shows that information security depends on people, individuals and groups, rather than on the technology itself, since people are the weakest link in implementing security measures. This is because human nature and social interactions are often more easily manipulated than technological protections are breached.

Indeed, the exploitation of the weaknesses of human behavior can often circumvent technical controls and procedures. This is the case with Social Engineering, i.e. persuading people to provide confidential information.

Consequently, the effective implementation of a security plan is not achieved from a purely technical standpoint, but taking into account human behavior and the social context in which people are involved.

The above comments indicate that security measures require changes in attitudes and behavior, which naturally generates negative feelings in most people, because of their natural resistance to change and the defense mechanisms that are triggered.

The management of behavioral changes at the personal, group and even organizational levels, including social networks and internal corporate culture, confronts us with certain challenges of a non-technical nature, ranging from a better understanding of people to the ability to lead these changes.

The picture outlined is quite complex and, with few exceptions [2] [3] [4], is very little or only partially covered in information security best practices. This is not the only case; something similar happens in other activities in different disciplines and other areas facing organizational changes.

To narrow down the situation we appeal to heuristic reasoning, considering not only cause-effect relationships but also, through lateral thinking, those characteristics that, even being dissimilar, are able to contribute to resolving the issues raised. Additionally, we seek professional support in terms of knowledge and people management, as discussed below. Here are some of the most important aspects that have facilitated the management and achievement of the required targets.

The negative feelings mentioned arise almost naturally upon implementing security measures, since in many cases these measures may conflict with people's schemata, the schemata that respond to the complex picture of reality on which we base our judgments and how we consider our social interactions.

This reaction is manifested by the behavior of a person tending to delay, discredit, dismiss or prevent any change.

Resistance to change can respond to logical factors, e.g. the possible extra time and effort the new situation may demand, or to the psychological environment of a person's emotions, feelings and attitudes, or to the sociological characteristics of social values based on group criteria and / or interests.

This resistance is not uniform at all. Psychologists tell us that these differences correspond to the transfer of scenarios that each person brings unconsciously from the past. Also, that the display of such scenarios is a personal collection that can generate in some cases a strong resistance to change.

All this indicates that to obtain adequate results from the proposals made, we have to get to the roots of the problem, which requires careful analysis, study and consideration.

The analysis begins with four basic concepts: what a person thinks, knows, feels and does, in our case when facing security measures.

A belief is a mindset that holds some specific information to be true. Beliefs are the subjective personal bases of individual behavior.

According to epistemologists, something is "known" only when it is a belief whose truth can be justified; the truth condition is an objective state independent of the individual. We therefore need the beliefs we transmit to become accurate knowledge.

Attitude refers to an evaluation of, or emotional response to, objects or events. A person's attitudes can be influenced by a number of internal and external conditions that several scholars have investigated.

According to Herzberg there are two types of factors acting separately on people's attitudes: hygiene factors, which produce satisfaction or dissatisfaction with the work environment, and motivating factors, given by the stimuli received.

For his part, Maslow states that people's attitudes are shaped by personal needs: not only the basic survival and safety needs but also, in an environment of participatory management as discussed below, the social needs of acceptance and appreciation by others, and the needs for recognition and self-actualization.

Studies show that even seemingly minor stimuli can influence attitudes; small rewards reinforce actions towards the desired end. For example, something as simple as a candy left on the desk of people who, on leaving at the end of the day, had logged off from their machines and/or left no papers on the desk, and had locked the file cabinets or drawers containing documents.

Beliefs, knowledge and attitudes may be inconsistent with each other. It can be clear and justified (knowledge) that material protected by intellectual property must not be downloaded from the Web, and yet a person does it thinking (belief) that no one will notice, and unconcerned (attitude) about it.

A person's behavior is related mainly to his personal style, i.e. his personality. People are classified into different personality types, as Carl Jung originally suggested with indicators based on dichotomies or opposites.

Later, Myers-Briggs extended this to four indicators: extraverted or introverted, sensing or intuitive, thinking or feeling, and judging or perceiving, resulting in 16 personality types. Since behavior is framed by these categorizations, we can expect something similar with regard to risks and the respective personal responses.

Moreover, behavior does not always go together with attitude. Let us consider two cases.

One occurs when a person's behavior does not actually respond to his own attitudes but adapts to the dominant behavior of a group.

Another arises from personal interviews with people who have previously answered questionnaires based on the Delphi Method of prospective research. Such interviews seek to establish the credibility of these people and to see whether their attitudes and behaviors correspond.

These interviews, like other personal and group interactions, can lead to incorrect interpretations known as attribution errors. This happens when the context of the facts is not considered and/or there is prejudice about personal characteristics or traits, which may derive from a first impression or from partial views that do not really identify who people are.

At the opposite extreme, where the gap is bridged deliberately, is phishing, a type of social engineering in which an e-mail appears to come from a legitimate institution such as a bank, warning of undesired actions against the recipient, who is usually asked to click through to a Web site, apparently also legitimate and similar to the real one, where people are asked to enter private data such as passwords.

In behavioral change there is a very important aspect to consider in addition to understanding clearly what is being sought: recognizing the so-called enablers and blockers that act on human behavior.

Enablers are positive thought patterns that make success possible. They show when people ask questions that reveal interest and display positive body language. Their mainstay is belief in one's own abilities and capacities, self-esteem, seeing new things as opportunities, and accepting responsibilities that can enhance personal and professional opportunities.

Blockers, on the other hand, are negative thought patterns. Here we can recall the resistance to change already discussed, as well as personal characteristics that are not action-oriented: leaving things for later and outright passivity, making rational excuses for irrational behavior and, above all, simply not feeling comfortable enough with something.

Communication blockers show, for example, in the various ways of interrupting a conversation, in the tendency to see failures or problems as other people's and never one's own, and in repeated absolute expressions such as "always" or "never" about one's own behavior. They also show passively, through body language: moving away from the speaker, or certain facial expressions.

In summary, achieving a change of behavior, not only in others but in oneself, is the greatest challenge to face. It is necessary to be clear about the desired behavior, to recognize the enablers and blockers, and to identify appropriate motivators to strengthen the former and compensate for the latter.

To produce behavioral changes we have to work on attitudes. And to influence attitudes it is necessary to persuade people to develop beliefs that come to constitute true knowledge.

Persuasion, i.e. changing the attitudes of a person or group and thereby influencing their behavior, is described in terms of communication. Pichon-Rivière says that communication is the track along which learning becomes possible and exists, which highlights the importance of personal interactions in producing change.

Here we can introduce concepts based on who communicates, what is communicated and how: who should communicate security measures, what to say and how to say it.

First, whoever communicates must have communication skills, be didactic, know what others think, what their attitudes and beliefs are, and understand their behavior, avoiding attribution errors.

What is said depends on who receives the communication: an operations user, a technician or an executive.

How one communicates is something of an art; the communicator must be persuasive and avoid being either purely professorial or giving peremptory instructions. Roughness in words and gestures creates resentment.

The way we communicate changes between addressing a group and addressing an individual. Structured communication with a group can take place through formal and informal meetings. The unstructured variant is direct interaction with another person.

In individual conversations the style of our interlocutor must be considered. Some people are more open, while others are closed or reserved. In a dialectical context some go straight to the point, while others are more reflective.

Regarding communication, especially in personal meetings, an approach similar to the one mentioned for the different personalities should be considered. For example, a "sensing" person has a strong preference for details compared with an "intuitive" person.

In addition, when speaking, the gestures that convey attitude may matter more than the content of what is said. And communication is more than just talking; it is a two-way street, and we must also listen to what others say.

We know that implementing security measures may cause negative reactions, whether through a perceived loss of freedom of action by part of the staff, a supposed invasion of the technical area, or indifference or disinterest, even among executives.

At times the effects of such circumstances may be deeper but more passive; effects so adverse that it costs some people to react positively to the situation.

These situations correspond to the concept of resilience, i.e. the capacity to resist and overcome adverse effects, reacting positively to difficulties and even using them as building blocks.

The pillars of resilience are consistent self-esteem, introspection, independent thought, the ability to relate to others, and taking initiative.

Greater or lesser resilience is one aspect of Emotional Intelligence, which includes the control and handling of one's own perceptions and reactions.

Another aspect of Emotional Intelligence is interpersonal handling, which comes into play when people interact. Here we can mention empathy, the ability to influence, communication (including leadership) and other skills that allow the members of a group to work together profitably.

The balance and positive outlook of Emotional Intelligence turn into actions based on the capacity for participation, commitment and responsibility.

Participation is the process that allows people to exert greater influence over their working conditions. It is a widely recognized and discussed concept, being in fact one of the cornerstones of Participatory Management and Management by Objectives.

The importance of facilitating staff participation in a company rests on factors such as:
a) The staff knows the tasks performed better than anyone.
b) Proper motivation leads to consistent training and education.
c) A high level of commitment is generated between management and operational staff.

Participation is critical to the success of a project. Experience shows that the best way to carry out a change, such as the implementation and enforcement of security measures, is to encourage staff to participate in the process itself, thereby gaining mutual trust and credibility. Typically, the higher the participation, the lower the resistance to change, and the more stable the changes over time.

To establish such participation it is first necessary to know what motivates people, in terms of the personal needs already discussed. In fact, participation proves to be an important motivating mechanism that satisfies the needs for recognition and self-realization, strengthening staff skills and broadening their perspectives. Here the work of McGregor stands out: he postulated human and social values, treating the worker as a person rather than a resource and emphasizing individual initiative.

That people get involved in something has its basic reason in the psychology of those needs and in the motivating factors that shape their attitudes, so the motivation and behavior of people are essential elements of a successful project.

In addition, for adequate participation, staff need to be provided with the information relevant to the case. A good strategy here is to begin by giving staff adequate knowledge and letting them know the expected behavior, taking into account people's different attitudes. In the case of supervisory personnel, the same approach can then be transferred in a similar manner to the staff in their charge.

A significant example of participation is the well-known concept of "buy-in", which in our case means that people "will buy" a security plan if they participate actively in the project.

Commitment responds to the involvement of people in the goals of a project. It is often said that commitment is concomitant with participation. It is probably more accurate to say that proper direct participation leads to stronger commitment in forming the respective responsibility, including the establishment of roles, which makes it easier to audit the application of these concepts.

Commitment can be seen in terms of situational and organizational factors as well as each person's own predisposition. It can also be seen as a multidimensional construct involving the individuals in the group and the reasons for each person's membership of the group.

In our case, commitment can be achieved on the basis of a clear definition of goals and objectives, so that staff get involved and engaged in a project such as a security project: in the first place the company's chief executives, as a focus for dissemination, and then especially the members of the Management Forum (see the Management Forum box), which we usually set up in our security projects.

Applying the concept of "buy-in" may not be enough for some members of the Management Forum: those who, besides discussing the drafting and implementation of security controls, subsequently have to coordinate their respective operating groups, assuming the responsibility of managing their own staff in the same way. An appropriate level of leadership must therefore also be sought.

Management Forum

The purpose of the Management Forum in an information security project is the participation, within a dialectical framework, of the people concerned by the policies and controls to be implemented. In this way it seeks the widest possible consensus in drafting the measures, thereby facilitating their entry into force.

The Management Forum is a collective participation mechanism of dynamic composition: not a single group, but for each topic a different group made up of people with related activities.

For that reason we work with ad hoc mixed groups, i.e. people from different areas and hierarchical levels of the company, selecting coordinators and supervisors with some decision-making capacity, technical staff from Systems and Technology, and operations users whose activities relate to the topic under consideration.

Operations users are important because they do the day-to-day work and can easily recognize faults, mistakes, failures, downtime and other features that may need to be addressed. They are the ones who can say how easy or difficult it is to carry out a control, making a policy actually applicable, and they even ease the measurement of its effectiveness, which today can be based on ISO 27004, enhanced by the use of the Balanced Scorecard (BSC).

Technicians, on the other hand, often have area-specific issues with security measures, and can also clarify interactions with other controls.

Finally, decision makers, through their behavior and participation, are the ones who must give definitive support to the adoption of appropriate measures.

For the Management Forum to be productive and effective it must meet these objectives:
a) Provide an environment of collaboration and mutual support among its members, enabling people to express themselves and offer suggestions.
b) Motivate and create awareness of the work to be done.
c) Facilitate better communication between staff in general and the executives involved.

The participation, commitment and responsibility of Management Forum members simplify the transfer to third parties of the scope of each control, reducing the natural resistance to security measures and facilitating their acceptance.

Coordinators and supervisors can become the most influential people in motivating the necessary change, and can help staff through the corresponding transition. They should therefore receive special attention, starting with convincing them of the need for change.

Their work will also include building value in the management of their staff, taking responsibility for acting on them to transform behavior with regard to the changes involved in a security plan.

One of the most effective ways to achieve this is through individual meetings in addition to those of the Management Forum, supplemented with group meetings of coordinators and supervisors in which ideas and experiences are shared while the principal trainer steps away from center stage, with the advantages that implies. These are also a good place to discuss innovations that improve the change processes for implementing security measures.

Although engagement and participation are generally promoted together, and it is even said that without participation there is no commitment, there may be acceptable exceptions. One is the case of executives who, although not actively involved in a project, still provide commitment and take responsibility by giving the support needed to promote and sustain the project.

Corporate culture views the organization as a grid. It arises from the values established in the company's mission, where values are the beliefs, habits and practices shared by those who manage the organization.

An organization's corporate culture has different components that can be categorized as follows: functional forms based on hierarchy and work structure; forms that respond to the adaptation of work processes to market demands; and forms that seek to maximize the return on the organization's own resources.

Different proportions of these manifestations of culture coexist within an organization. The functional form is usually the most resistant to change.

Improving security, and specifically the acceptance of measures, requires a change of beliefs, attitudes, and individual and group behavior. At this point, as discussed above, interpreting people's behavior is critical to understanding the scenario of a corporate culture change.

To achieve the desired changes one has to work, through successive presentations to management levels, for these people to come to regard information security as part of the corporate strategies themselves and therefore of business and risk management [5]. This is the vision that goes beyond the strictly technical one, which has long left the deeper features of information security in the background.

For their part, awareness and education lectures and talks at personal and group level, spread throughout the organization, are a fundamental pillar, especially with regard to operational risks. These discussions promote the integration of information security into the corporate culture, and are enhanced by techniques drawn e.g. from Social Psychology.

Sometimes it is not easy to get a full hearing in order to produce better results. Some opportunities have arisen when companies were already working with Kaizen as a strategy to promote staff participation in problem solving and continuous process improvement. Kaizen, incidentally, also focuses strongly on the participation and commitment discussed earlier.

Integrating general security discussions into Kaizen meetings can then be beneficial, since these usually rank first in interest and dedication, besides being specifically promoted by senior management in most cases.

Social Psychology, mentioned above, deals mainly with groups of people and with behavior in interactions between people. It offers an appropriate contribution in terms of communication and learning, coordination of task forces and, in general, the issues that help to understand how best to work with people's preferences and biases. Social Psychology has proved to be our main support.

Additionally, Behavioral Psychology can provide a view of the interaction between an individual and other people, although it may otherwise leave out some features of people in relation to social phenomena.

NLP, or Neuro-Linguistic Programming, can also help, especially in the field of communication. NLP focuses on the individual and on verbal and nonverbal communication (gestures, posture, tone of voice, etc.) arising from interpersonal relationships, in terms of their contribution to the changes sought. NLP helps us understand how people organize their thoughts, feelings, language and behavior in their actions and in producing results.

Coaching is also worth highlighting because, even with a different structure and context, it has points in common with NLP, such as change and the ways to achieve it, but it also seeks to improve performance and guide towards leadership. Coaching is a very suitable tool for the attention required by the coordinators and supervisors mentioned above, especially in the analysis of commitment and responsibility.

Like any program of change, it requires careful planning: identifying requirements and key issues, analyzing the nature of the situations that arise, and identifying and developing the actions to perform.

Based on the evidence gathered and discussed so far, a typical program can be structured as follows.

First, we have worked with questionnaires to identify the knowledge, attitudes and behavior of the personnel involved in the security project.

These questionnaires are prepared always keeping in mind the people who will answer them, and are based on three different groups: general users, technicians and managerial staff. In the first case we have worked with closed questions, i.e. those that lead to short and concrete answers. In contrast, questions for technical and management personnel are written as open questions, so as to elicit more detail.

In turn, each questionnaire is built in three parts: one to establish what people know (knowledge) about security policies and standards; another to see how they feel (attitude) about security and how they regard it; and a third to detect how they act (behavior) with respect to responsibilities such as the choice of passwords, the care of papers and documents with sensitive information on their desks, etc.
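The following is an added worked example, not code from the original article, showing how the questionnaire structure described above (three groups, closed items for general users and open items for technicians and managers, each questionnaire split into knowledge, attitude and behavior parts) can be scored so that the results point to the weak link for each respondent: the "does not know" case calls for awareness and education, the "knows but does not care" case for persuasion and work on enablers and blockers, and the "knows and agrees but does not do" case for reinforcement and supervisor follow-up. The item texts, the 0-2 reviewer rubric used for open questions, the 0.4 threshold and the sample answers are all constructed for the illustration.

```python
"""Scoring a knowledge / attitude / behavior security questionnaire.

Added example; the items, the scoring conventions and the sample answers
below are constructed for illustration and are not taken from the article.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional

PARTS = ("knowledge", "attitude", "behavior")


@dataclass(frozen=True)
class Item:
    item_id: str
    part: str                        # one of PARTS
    closed: bool                     # closed question (general users) or open question (technicians, managers)
    text: str
    expected: Optional[bool] = None  # closed knowledge/behavior items: the correct or desired answer


# Constructed questionnaire: closed items for users, open items for the other two groups.
ITEMS = {
    "users": [
        Item("u-k1", "knowledge", True, "Does the policy require locking the screen when you leave your desk?", True),
        Item("u-k2", "knowledge", True, "May you share your password with a colleague who covers for you?", False),
        Item("u-a1", "attitude", True, "Locking the screen when I leave is worth the effort (1 = disagree, 5 = agree)"),
        Item("u-b1", "behavior", True, "Did you lock your screen the last time you left your desk?", True),
        Item("u-b2", "behavior", True, "Were papers with sensitive data locked away when you left yesterday?", True),
    ],
    "technicians": [
        Item("t-k1", "knowledge", False, "Describe the approval steps for changing a firewall rule."),
        Item("t-a1", "attitude", False, "How do the security controls affect your daily work?"),
        Item("t-b1", "behavior", False, "What did you do the last time someone asked to use a shared admin account?"),
    ],
    "managers": [
        Item("m-k1", "knowledge", False, "Which security policies apply to the information your area handles?"),
        Item("m-a1", "attitude", False, "How does information security relate to your area's objectives?"),
        Item("m-b1", "behavior", False, "How did you follow up the last security incident reported in your area?"),
    ],
}


def score_answer(item: Item, answer) -> float:
    """Normalize one raw answer to the range [0, 1].

    Closed yes/no items score 1.0 when the answer matches `expected`;
    closed attitude items are a 1-5 agreement scale;
    open items carry a reviewer's rubric score of 0-2 (constructed convention).
    """
    if item.closed:
        if item.part == "attitude":
            return (int(answer) - 1) / 4
        return 1.0 if bool(answer) == item.expected else 0.0
    return int(answer) / 2


def score_respondent(group: str, answers: dict) -> dict:
    """Mean normalized score per part for one respondent (None for an unanswered part)."""
    by_part = {p: [] for p in PARTS}
    for item in ITEMS[group]:
        if item.item_id in answers:
            by_part[item.part].append(score_answer(item, answers[item.item_id]))
    return {p: (mean(v) if v else None) for p, v in by_part.items()}


def classify(scores: dict, low: float = 0.4) -> str:
    """Locate the first weak link in the knowledge -> attitude -> behavior chain."""
    k, a, b = (scores[p] for p in PARTS)
    if None in (k, a, b):
        return "incomplete"
    if k < low:
        return "knowledge gap"   # does not know the rule: awareness and education session
    if a < low:
        return "attitude gap"    # knows but does not care: persuasion, enablers/blockers, motivators
    if b < low:
        return "behavior gap"    # knows and agrees, yet does not do it: reinforcement, supervisor follow-up
    return "consistent"


def group_report(responses) -> dict:
    """Aggregate (group, answers) pairs into per-group means and gap counts."""
    report = {}
    for group, answers in responses:
        scores = score_respondent(group, answers)
        entry = report.setdefault(group, {"n": 0, "scores": {p: [] for p in PARTS}, "classes": {}})
        entry["n"] += 1
        for p in PARTS:
            if scores[p] is not None:
                entry["scores"][p].append(scores[p])
        label = classify(scores)
        entry["classes"][label] = entry["classes"].get(label, 0) + 1
    for entry in report.values():
        entry["means"] = {p: (mean(v) if v else None) for p, v in entry.pop("scores").items()}
    return report


# Constructed sample answers: each tuple is (group, {item_id: raw answer}).
SAMPLE_RESPONSES = [
    ("users", {"u-k1": True, "u-k2": False, "u-a1": 5, "u-b1": True, "u-b2": True}),
    ("users", {"u-k1": True, "u-k2": False, "u-a1": 2, "u-b1": False, "u-b2": False}),
    ("users", {"u-k1": True, "u-k2": False, "u-a1": 4, "u-b1": False, "u-b2": False}),
    ("users", {"u-k1": False, "u-k2": True, "u-a1": 4, "u-b1": True, "u-b2": False}),
    ("technicians", {"t-k1": 2, "t-a1": 2, "t-b1": 2}),
    ("technicians", {"t-k1": 2, "t-a1": 1, "t-b1": 0}),
    ("managers", {"m-k1": 1, "m-a1": 0, "m-b1": 1}),
]

if __name__ == "__main__":
    for group, entry in group_report(SAMPLE_RESPONSES).items():
        print(group, entry["n"], entry["means"], entry["classes"])
```

The classification deliberately checks knowledge before attitude and attitude before behavior: a low behavior score is only labeled a behavior gap when the respondent already knows the rule and rates it positively, which is the case where small reinforcements and supervisor follow-up apply; otherwise the earlier link in the chain is the one to work on first.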

As for communication, it involves taking into account the issues discussed, especially in terms of resistance to change, attitudes and behaviors, and the considerations made in the Management Forum box.

The communication process is based on general discussions and individual meetings with executives and some technicians. In the first talks, and whenever deemed necessary, we try to open the sessions by encouraging participation through comments unrelated to security, seeking to overcome the skepticism and defensive positions some people may hold.

Especially in individual conversations the personality of the other party must be considered, as discussed above, so that our interlocutor can feel comfortable. It is very important to consider the enablers and blockers of the people interviewed, identifying, as already stated, the motivators that can leverage the enablers and help overcome the blockers. Although it can be very frustrating at first, the resistance to change in some people can be reduced and even produce good results, especially if genuine dialogue and understanding of their concerns are turned into a vehicle for constructive feedback.

The People Factor is a concept little known, researched or considered by IT (technical) security experts, which merits its inclusion in an Information Security graduate degree focused especially on organizational and operational risks, besides the well-known ICT risks.

The experience we have gained over time has enriched our initial assumptions about how to resolve the original uncertainty in scenarios of this and similar types that bring about change.

A pilot test, almost three years ago, was to include the People Factor topic in a hands-on practice exercise of a seminar on Information Security Management and Audit; we were surprised by the interest and dedication observed in the audiences of the various presentations of this seminar.

All this expanded greatly when the topic was included in specific security projects. One momentous step was the decision to incorporate a Social Psychology professional to accompany the Management Forum and the individual and group meetings as a facilitator, an agent who instills dynamism in the tasks to be undertaken. Such a person also mobilizes, through his or her intervention, the objections and obstacles encountered in order to produce appropriate solutions, tending to establish a framework of linking relations that maintain bidirectional links.

We hope the material presented may serve as an introductory guide to improving the management of various aspects of human behavior, and also be useful for recognizing the characteristics of the people we work with and, by extension, for them to transfer to their staff appropriate behaviors with regard to information security.

Thanks to Norma Robledo, BA in Social Psychology, for the comments, observations and material she supplied to us, and for sparking the special interest in these issues that contributed to our main objectives.

[1] Ormella Meyer, C.A., "Seguridad Informática vs. Seguridad de la Información", CEyTIC web page (Committee of Electronics and Information Technology and Communications of the Argentine Center of Engineers), tabs Dto. Técnico / Comisiones Técnicas / Electrónica y TIC / Publicaciones.
[2] Kabay, M.E., "Using Social Psychology to Implement Security Policies", Chapter 35 of "Computer Security Handbook", John Wiley & Sons, 2002.
[3] Lacey, David, "Managing the Human Factor in Information Security", John Wiley & Sons, 2009.
[4] Gupta, Manish and Sharman, Raj (eds.), "Social and Human Elements of Information Security: Emerging Trends and Countermeasures", IGI Global, 2008.
[5] Ormella Meyer, C.A., "Estrategias Corporativas y Seguridad de la Información", CEyTIC web page, cited in [1].

1 We say "people factor" rather than "human factor" because "people" covers both the individual and the collective.

Copyright © 2010. Carlos Ormella Meyer
