Friend or foe? Information security management of employees

Abstract

Although information security traditionally has been a technological discipline, the role and function of employees is an additional important part. Users can both be a threat and a resource in information security management. On the one hand, employees can produce or ignite threats and vulnerabilities. On the other hand, they are a precondition for safe and secure operation. As a consequence, information security management of employees is an important part of the total information security management in organizations.

The general aim of this study is to explore the information security management of employees. This is approached by studying: users’ function in and view on information security; measures aiming at improving individual information security performance; and information security management practice in organizations. Findings from explorative interview studies of users and information security managers; an intervention study aiming at improved individual awareness and behaviour; and a survey on organizational security measures were used as the empirical basis in the study.

When it comes to operative work, employees’ information security performance is weak. Users perform few proactive information security actions and are indifferent to information security in their daily work. Information security managers mainly view users as a threat and a problem to the information security level, while users view themselves as an untapped resource in the information security work. Individual security performance is created by technological frameworks and formal and informal organizational aspects of information security.

Besides technological solutions framing what it is possible for individual behaviour to perform, the most used measures directed at users are documented requirements for individual behaviour. These measures are evaluated to have limited effect on individual performance. However they are the basis for several other measures, thus they have an indirect effect. Instructions for behaviour are thus necessary, but not sufficient alone.

Education, training and information have the best effect on users when employees and communicators are interacting and are in dialogue. However, information and education  tends to be more based on written and electronic information, rather than rich information with possibilities for two-way communication.

Employee participation is evaluated to be the most effective process to improve individual information security performance, but is modestly used. An intervention study based on direct participation, dialogue and collective reflection in order to improve individual information security awareness and behaviour showed significant improvements among participants. Employee participation is likely to improve the quality of technological and administrative security solutions; improve the usability of security technology; improve security professionals’ knowledge of sharp-end information security activities; close the gap in understanding and communication between security managers and users; improve individual ownership, acceptance and motivation for information security; and ensure democratic rights that influence personal working conditions.

If there is a social information security digital divide between users and information security managers, i.e. no interaction and dialogue; differences in risk judgement; and views and experience of information security practice, these will reflect the lack of participation. The information security professionals make the premises for the information security work in an organization without involving users to any extent. The differences result in management strategies based on the prejudiced view that users are more of a security threat than a resource. Consequently, the management approaches might be insufficient for dealing with users as a resource as the information security activities are based on nonrealistic understanding of actual work at the sharp-end.

Combinations of adequate measures for all parts of the socio-technical information security systems must be available in order to perform efficient defence, including the handling of employees’ function in information security. One needs to handle pragmatic, formal rulebased and technical principles. Managing the human element of information security is thus one of many activities in information security management. The thesis has identified some shortcomings in current approaches to employees. These shortcomings may not be inadequate for other information security efforts than human management, so the current approaches must not be discarded. This thesis has argued in favour of approaches that lead to greater user involvement which would be a complementary addition to traditional information security approaches.