Basis of truth and rationality
Improving your Security Culture.
The basis of truth and rationality is the first dimension of the Ruighaver/Maynard security culture model that we will discuss. According to Detert et al., the authors of the original organizational model, this dimension of culture is about what the employees in an organization believe is real or not real and, in particular, how what is true is ultimately discovered.
The most obvious aspect of this dimension is that it is about beliefs. Beliefs influence the attitudes of employees, and their attitudes influence their behavior. But further research has shown that the basis of truth and rationality is even more important in decision making within information security. In the next paragraphs we will discuss some of these aspects.
How important is security for your organization?
Literature on security culture recognizes that the most crucial belief influencing security in an organization is the belief that security is important. If the employees of an organization do not believe that security is important, they will not support any security measures that restrict their behavior. We found that many organizations continuously undermine the belief that security is important by reporting to their staff that no money is available for their security initiatives. Obviously, different organizations need different levels of security, but never use such negative messages. Instead, report on the issues that you are currently concentrating on in your security efforts, and indicate that new initiatives will be considered in due time.
Although the security requirements of one company may not be as high as those of another, achieving optimal security for that organization's particular situation will still be important, as is the need to ensure that its employees believe that security is important. So, why not implement campaigns similar to occupational health campaigns to stress that security is important for your organization?
How reliable is the information used in decision making?
While security managers and other decision makers in information security generally believe that security is important, they often hold personal beliefs about which areas of information security are important for their organization that are not based on truth and rationality. We also found that their beliefs about the quality of their security, and about the quality of the different processes used to manage security, are even more important. Many of the organizations we investigated believe, for instance, that their security is good, but most of these organizations had not really made an attempt to evaluate the quality of their security.
Even larger problems exist with organizations' beliefs about the quality of their risk analysis and security audits. If your asset identification and risk analysis are not based on a systematic application of your chosen methodology, you will have missed assets that need protection, and you will have missed risks that those assets need to be protected against. Having taught risk analysis to experienced people in industry for several years, I believe that this problem is so severe that I no longer believe in risk assessment as a major tool for security. The current IT environment has become so complex that any risk assessment will need to use shortcuts to remain viable. These ad-hoc shortcuts seriously undermine the quality of your risk assessment. Hence, without feedback loops in which the organization continuously updates its risk assessment based on a thorough investigation of incidents and near misses, your risk data will be of low quality.