(This is part 3 of a 3-part series)
Irrespective of the time and effort expended creating and implementing a security plan, there is a universal truth that every security professional must accept: an organization consists of people, and people make mistakes. An effective plan can reduce the likelihood of many errors and limit the situations that lead to them, but errors remain an unfortunate reality for even the most successful organizations, touching every area of day-to-day business, and information security is no exception. It is therefore imperative for organizations, and particularly for managers, to understand the different types of errors and the common causes of each, so that contingencies can be put in place to handle them with the least possible damage to sensitive business information.
The three basic error types that management should be aware of are generally categorized as “skill-based”, “rule-based” and “knowledge-based”. The characteristics of each type, and suggested measures for reducing their occurrence within a security plan, are outlined below.
Moreover, an employee’s familiarity with a particular task in a security plan, and the attention paid to that task, have a measurable effect on whether it is executed successfully. Employees at every level of familiarity and attention remain vulnerable to security errors, so the ultimate responsibility for anticipating these errors, and for the associated contingency planning, falls squarely on the shoulders of management.
In addition to the steps outlined above, organizations should perform routine analyses of the security plan in order to uncover any deficiencies. Employees commonly fall victim to the same errors again and again, so identifying these recurring errors helps the organization develop targeted measures to avoid those traps. Another highly effective technique for contingency preparation is to run simulations of security incidents and monitor the employee response. This involves periodically exercising scenarios based on historical breaches or newly discovered industry threats in order to test the reliability of the established security plan before a real incident does.
One of the chief duties of management is to ensure the successful protection of organizational information. This can be accomplished only through an effective security plan, one that takes employee behavior into consideration, in order to accomplish the following objectives:
Using security plan deployment methodologies such as those described above and in the previous posts, that is, a methodology based on psychological models of known employee behaviors with regard to risk perception, motivation and errors, is the only way to truly enhance employee compliance and thereby improve your organization’s risk posture.
Gary Braglia is a Security Specialist at GreyCastle Security with over 10 years of experience as an IT professional. Gary began his career as an application developer with the NYS Office of Information Technology Services (ITS), holds a Master’s degree in Information Science (M.S.I.S.) from SUNY Albany, and holds industry-recognized certifications including Tenable Certified Network Auditor (TCNA) and CompTIA Security+.
At GreyCastle, Gary consults with clients in a wide range of security domains, including penetration testing, vulnerability assessments, security assessments, network security, application security and policy development.