Here at the Gartner Security & Risk Management Summit, I sat in on a session regarding human behavior and it’s connection to information security. Tom Scholtz, an analyst with Gartner, started off with a statement many of us know to be true, but often forget.
“The single weakest link in the information security chain still remains the human being,” he said.
In Scholtz’s view we are increasingly coming to the realization that by focusing on individuals’ human behavior and how we can influence it, we can learn how to create a more secure environment. “By 2015, one out of four enterprises will use social and behavioral sciences techniques to drive cultural and behavioral change in their information security programs. Maybe understanding how individuals react differently will give us an understanding in improving our security measures.”
He advises that security professionals should start focusing on human behavior as a root cause rather than a symptom. “We need to understand how individuals react differently to risks and the controls to mitigate risks.”
The key issues regarding behavior and information security:
- How is the information security and risk management discipline evolving and what are the consequences?
- What are the parallels and overlaps with social and behavioral sciences?
- What strategies and tactics should information security and risk leaders adopt to exploit this evolution?
It is vitally important for organizations to consider these questions. But it may be better to seek answers from an outside source, in order to prevent group think. “Group think tends to polarize views,” said Scholtz. “If you have the same group of individuals who sit in the same office eight hours a day, they’re going to have similar attitudes towards things. We need to understand how those working environments pressurize people into beliefs which they might not have if it was a one-on-one basis or under a different work environment.”
So what kind of insights do we get from the social sciences? People react differently. To understand this is to become a pioneer in understanding human behavior and its importance in developing an ever-evolving information security program.
So many companies loosely refer to “risk Culture” in their annual reports and it seems like not much thinking go into this! #in
Executives assume that if they have a risk department and produce a risk report, they have a “risk culture” I have not seen an annual report that actually states what kind of “risk culture” they have or what the level of maturity of their risk culture is. Here are a few guidelines to consider before claiming you have a “risk culture” Check how you are doing?
• In a bad risk culture, people will NOT do the right things regardless of risk policies and controls
• In a typical risk culture, people will do the right things when risk policies and controls are in place
• In a good risk culture, people will do the right things even when risk policies and controls are not in place
• In an effective risk culture every person will do something about the risks associated with his/her job on a daily basis
• In the ultimate risk culture every person is a risk manager and will evaluate, control and optimise risks to build sustainable competitive advantage for the organisation
Great advice. Thanks!
“By 2015, one out of four enterprises will use social and behavioral sciences techniques”
An issue that I have often seen arise is the question of just how good is the “science” that is being used. Quite often I seen so-called scientific methods that are poorly transferred from the literature, applied in a suspect manner and in general not well understood. To be blunt, often the people discussing these methodologies may not have the academic or intellectual background to truly understand what they are trying to apply. Given this, it is no wonder that is difficult to fit the results into an overall risk management framework.
In some cases the function of the”outside source” seems only to provide some form of authoritative voice for a decision that has already been made.
In the end, if an organization is truly going to try to use a scientific approach, it should take the time to do it right with a lot of background reading and the development of real alternative solutions with a serious discussion about the risks and rewards.
More on “risk culture”
http://www.riskmanagementmonitor.com/what-we-talk-about-when-we-talk-about-risk-culture/
Does anyone have risk policies and procedures they could share? Or maybe a template for a risk manual?
What we fail to realize is that the greatest strength in any security program CAN be a human being.
If we are serious about moving from traditional results based management to a behavior reinforcement model that is driven by coaching incremental change in behavior rather than metric achievement we need to focus beyond the ” Asset Protection Function ‘ or even the broader area of “Risk Control”.
An organizations commitment to managing behavior requires a transformation that encompasses the entire organization.
Can it start in a specific discipline , yes, but the vision needs to be clear that the methods can and should be applied everywhere.
The tenets of the science are simple, the application is very difficult.