Information Security Plans: A Psychology-based Approach (part 1 of 3) - Security Risk Assessments

Protecting business data and personal employee information is the foremost duty of an organization’s information security staff. In order to be effective at this task, a security plan must be created and presented to all employees within the organization. A well-designed security plan is vital to ensuring information security; however, a crucial and often-overlooked component of the plan is the manner in which it is communicated to the staff.

This 3-part series will present a deployment methodology for management that is based on psychological models of known employee behaviors with regards to risk perceptions, motivation and errors, and describe techniques to exploit these behaviors to enhance employee compliance.

Assessing Risk/Control Perceptions

An important consideration that all organizations must be aware of when communicating a security plan to employees is the disparity between actual security risks and the perceptions of those risks. This disparity can greatly affect the likelihood of adherence to a security plan: if an employee does not view a particular risk as probable, he/she will be less aware of the actual threat and will therefore be less likely to follow established security guidelines.

Similarly, an employee must feel that he/she is able to implement the security measures he/she is being instructed to perform, and that performing a particular measure will produce a risk-reducing outcome. If the success or failure of protecting an organization’s information is viewed as something outside of their control, there will be little incentive for the employee to consider the importance of their role in the organization’s security. Gaining an understanding of employees’ risk and control perceptions should be viewed as a key factor in creating an atmosphere of policy observance.


One way to gauge these perceptions is with an informal survey of employees. The survey should be anonymous, and should question employees on their knowledge of topics such as best practices for information security, threats inherent in the hardware/software used by the organization, and the probabilities of security attacks. A follow-up meeting should then be held to discuss the results and present the correct answers, along with accurate statistical data relating to security issues within the organization itself as well as those affecting other organizations in the same industry.

Based on the findings from the survey, management may additionally wish to schedule security training and/or begin distributing a regular security bulletin to employees. A bulletin, circulated on paper or via email, can be useful on two fronts:

  • Keeping employees up-to-date on the latest security concerns, and
  • Serving as a recurring reminder of the organizational security guidelines.

In Part 2 of this series, we will discuss effective techniques for enhancing compliance intentions by understanding employee motivation. Stay tuned…

About the Author: Gary Braglia

Gary Braglia is a Security Specialist at GreyCastle Security with over 10 years of experience as an IT professional. Gary began his career as an application developer with the NYS Office of Information Technology Services (ITS), is a graduate of SUNY Albany with a Master’s degree in Information Science (M.S.I.S.) and the owner of industry-recognized certifications including Tenable Certified Network Auditor (TCNA) and CompTIA Security+.

At GreyCastle, Gary consults with clients in a wide range of security domains, including penetration testing, vulnerability assessments, security assessments, network security, application security and policy development.