The chapter gives an overview of business practices and how people and human relations influence situational awareness and information security in an organization. There is still a long way to go in training employees in information security and improving employees’ information security awareness. Motivated and trained employees have the ability to detect and report security weaknesses and breaches, including near-miss incidents, and in this way, they may provide a valuable defense-in-depth-capability that is often lacking. The chapter discusses two approaches to overcome the barriers to building situational awareness promulgated in the general deterrence theory and socio-technical theory.
TopIntroduction
While the internet exposes our computer networks to threats from all over the world, it is still insiders that are considered to be the greatest threat to information security, either alone or in combination with people outside the organization. Insiders can be trusted people like employees, hired consultants and sub-contractors. These persons and trusted people have much easier access to computers and IT systems than outsiders. Both US reports about insider threats (e.g. Keeney, Kowaski, Capelli, Moore, Shimeall and Rogers, 2005) and the Norwegian Computer Crime Surveys (NCCS, 2006; Hagen, 2007) document a significant threat to an organization’s IT systems from insiders like employees that should not be neglected. Insider threats are likely to increase in the coming years as the number of people using social networks is expanding. Personal preferences, interests and relations are published; this facilitates more than ever social engineering attacks, including automated social engineering attacks (Huber, Kowalski, Nohlberg and Tjoa, 2009).
The question is what can be done in order to detect and mitigate the threats from inside? There are two ways to deal with the insider threat: By searching research databases and scientific articles we find that the most common approach is to regard insiders as malicious or unintentional threats and by technical and administrative means restrict their access rights in accordance with the-need-to-know principle. They are given just as much access as needed, and nothing more than this. Their actions are also supervised and logged. This regime will restrict their freedom and their opportunities to commit illicit actions without detection, and subsequently reduce the risk of failures and vulnerability to malicious actions. If an insider should commit an illegal action, then that breach will be reported to the police. This approach is in line with the general deterrence theory, which is a well established social theory explaining activities that deviate from accepted norms and emphasizes disincentives. According to this theory, potential offenders will refrain from illicit actions if the risk of being subjected to disciplinary action is high and the punishment severe (Straub, Carlson and Jones, 1992). The effectiveness of the disincentives depends on the applied sanctions and punishment. The other approach focuses on employees and regards them as a resource as opposed to a threat. Here, employees are considered to be loyal to the company and constitute a defense capability against malicious attacks and illegal actions. While the first approach has strong relations with the general deterrence theory, the latter approach is linked to the social-technical theory which is more common in Scandinavia. The socio-technical theory emphasizes: the development of humane working conditions, employee participation, and democracy. The roots go back to the 1950s and the close link between technical aspects and the social systems in British coal mines (Trist and Bambort, 1951). The social-technical theory takes a positive view of humans and their contributions, in stark contrast to the negative view taken by Taylor with respect to a more scientific form of management (Taylor, 1911). It is the socio-technical view that influenced the development of industrial democracy that is widespread in the Scandinavian countries.
How these two theories relate to information security becomes clearer if we study roles of human beings within the context of information security. Human beings as insiders can adopt different roles in organizations, spanning from good to unfortunate and malicious. The two theoretical approaches offer advice on mitigating measures and how to influence security awareness and behaviour, and as this chapter will show, the socio-technical theory approach has a broader application than the general deterrence theory.