Basis of truth and rationality

Improving your Security Culture.

The basis of truth and rationality is the first dimension of our Ruighaver/Maynard security culture model that we will discuss. According to Detert et al., the authors of the original organisational model, this dimension of culture is about what the employees in an organisation believe is real or not real and, in particular, about how what is true is ultimately discovered.

The most obvious aspect of this dimension is that it is about beliefs. Beliefs influence the attitudes of employees, and their attitudes influence their behaviour. But further research has shown that the basis of truth and rationality is even more important in decision making within information security. In the next paragraphs we will discuss some of these aspects.

How important is security for your organisation?

Literature on security culture recognises that the most crucial belief influencing security in an organisation is the belief that security is important. If the employees of an organisation do not believe that security is important, they will not support any security measures that restrict their behaviour. We found that many organisations continuously undermine the belief that security is important by telling their staff that no money is available for their security initiatives. Obviously, different organisations need different levels of security, but never use such negative messages. Instead, report on the issues that you are currently concentrating on in your security efforts, and indicate that new initiatives will be considered in due time.

Although the security requirements of one company may not be as high as those of another, achieving optimal security for that organisation's particular situation will still be important, as is the need to ensure that its employees believe that security is important. So, why not implement campaigns, similar to occupational health campaigns, to stress that security is important for your organisation?

How reliable is the information used in decision making?

While security managers and other decision makers in information security generally believe that security is important, they often hold personal beliefs about which areas of information security are important for their organisation that are not based on truth and rationality. We also found that their beliefs about the quality of their security, and about the quality of the different processes used to manage security, are even more important. Many of the organisations we investigated believe, for instance, that their security is good, but most of these organisations never really made an attempt to evaluate the quality of their security.

Even larger problems exist with organisations' beliefs about the quality of their risk analysis and security audits. If your asset identification and risk analysis are not based on a systematic application of your chosen methodology, you will have missed assets that need protection and you will have missed risks that those assets need to be protected against. Having taught risk analysis to experienced people in industry for several years, I believe that this problem is so severe that I no longer believe in risk assessment as a major tool for security. The current IT environment has become so complex that any risk assessment will need to use shortcuts to remain viable. These ad-hoc shortcuts seriously undermine the quality of your risk assessment. Hence, without feedback loops in which the organisation continuously updates its risk assessment based on a thorough investigation of incidents and near misses, your risk data will be of low quality.

How critical is your organisation about its beliefs?

In the previous paragraphs we have given you some examples of how your beliefs can negatively influence your security. However, the quality of this security culture dimension in your organisation is not solely determined by the beliefs that you find. As we discuss in the security management section of this web site, the complexity of current information security mandates that organisations concentrate on their failures instead of on their successes. Hence, you should also take into account how the organisation evaluates and manages the basis of truth and rationality behind the various beliefs about security within the organisation. When employees become critical of their own beliefs, and when an organisation has processes in place to challenge the quality of the beliefs of its employees, the security culture of that organisation will not only improve in this aspect of the basis of truth and rationality, but will also improve in the other dimensions discussed in this section.
