Orientation to work, task and co-workers

Improving your Security Culture.

The fifth dimension of our Ruighaver/Maynard security culture model is Orientation to work, task and co-workers. This dimension deals with the balance between work as a production activity and as a social activity. Some individuals view work as an end in itself with a task focus, concerned fundamentally with work accomplishment and productivity. Other individuals see work as a means to other ends, such as having a comfortable life and developing social relationships.

Individuals with a strong task focus are likely to find that traditional security controls are too restrictive. It is an important principle in information security that there is a trade-off between the use of an organisation's assets and their security. Limiting access to an asset can significantly improve its security. However, limiting access will often result in a serious impediment to the daily operations of employees. All too often organisations will therefore lift all restrictions. We believe that continiously fine-tuning the balance between security and how constrained employees feel in their work is an important aspect of a good security culture. Of course, staff will feel less restricted if they are motivated and feel responsible for security, but that alone will not be enough.

Responsibility and ownership.

While it is obvious that a ggod security culture depends on making employees feeling responsible for security in the organisation, it is just as important that those employees responsible for a particular security area have a strong sense of ownership. This will be positively influenced by social participation, but can just as easily be negated when staff feel that management do not take any suggestions for the improvement of security very seriously. Hence, a positive response of management and a continuous adaptation of security practices by incorporating at least a few of the suggestions is a must to improve the orientation of staff towards security.

Orientation to work is improved by education. Regular education of employees on their roles and responsibilities related to security is crucial. Too many organisations only give employees an overview of security during induction, and even then they mostly cover aspects of what is considered acceptable use. While such user education can ?eliminate inadvertent disclosures, education can also be an important tool in increasing the feeling of responsibility and ownership of those involved in decisions about security and employees involved in implementing those decisions. But for education to have a significant impact on the employees? orientation to work, it will need to be reinforced continuously and respond to any unsatisfactory behaviour that has become widespread enough for users to consider it normal behaviour.