1) For senior executives, information security is important for business success, but they often only have a superficial understanding which can lead to poor decisions.
2) While employees may be motivated about security, senior management lacks necessary skills and instead relies on external consultants.
3) The paper aims to show how raising senior management's awareness and sense of responsibility is key to improving organizational security. Playing a decisive role, they must assume overall responsibility for information security.
Senior Executives Commitment to Information Security - from Motivation to Responsibility

Jorma Kajava, University of Lapland, P.O. Box 122, FIN-96101 Rovaniemi, Finland, Jorma.Kajava@ulapland.fi
Juhani Anttila, Quality Integration, Rypsikuja 4, FIN-00660 Helsinki, Finland, Juhani.Anttila@telecon.fi
Rauno Varonen, University of Oulu, P.O. Box 7200, FIN-90014 University of Oulu, Finland, Rauno.Varonen@oulu.fi
Reijo Savola, VTT Technical Research Centre of Finland, P.O. Box 1100, FIN-90571 Oulu, Finland, Reijo.Savola@vtt.fi
Juha Roning, University of Oulu, P.O. Box 4500, FIN-90014 University of Oulu, Finland, Juha.Roning@ee.oulu.fi

1-4244-0605-6/06/$20.00 ©2006 IEEE. 1519

Abstract

For senior executives, information security is a basic requirement for business success. Yet, despite being well-motivated, top managers often have only a superficial understanding of information security, which may lead them to make decisions that are not conducive to raising the organization's security level. Enhancing information security awareness among all employees has been found necessary, but the key to success is raising the awareness level of senior management. Playing a decisive role, they must assume overall responsibility for information security. The question is how to achieve this in an efficient and natural way.

1. Introduction: Information Security and Safety at Odds

Attitudes toward information security vary. Everyone knows the fundamentals, but few have a deeper understanding of it. Some time ago, an extensive survey, conducted in a Finnish company, indicated that although all employees were well-motivated, senior management lacked the necessary information security management skills. This was evidenced by the fact that an external consultant managed to convince the top management to agree to a work safety study without asking experts on the company payroll, who anticipated a better information security solution. Examples such as this one can be found also in governmental offices and at universities.

Our work aims at elucidating the significance of senior management in the promotion of organizational information security. A great number of organizations boast extensive security awareness programmes, but the top management often shies away from them. Damage caused by an individual employee may have far-reaching consequences for a company, but when damage is inflicted by senior management, the effects may be devastating. Thus, it is important to get top managers to endorse the adopted information security solutions whole-heartedly, which involves not only being motivated to follow security principles, but also accepting the responsibilities that go with the highest positions.

As its starting-off point, this paper takes the new international standard ISO 17799 [1]. However, as we are dealing with a serious issue, standards are not sufficient; we must advance from a discussion on standards to a change in culture [6].

2. Day to Day Business

Business life tends to value ease-of-use more than security. A change of values occurs often only after a serious mishap, although only part of the damage may be expressed directly in terms of money.

The prevailing view seems to be that information security produces costs, not profit. Unless we change our way of thinking, we will soon find that the cost of doing nothing is even higher. As indicated by our survey, there are great deficiencies in the management of information security, particularly as regards the commitment of senior managers. To remedy this situation, we must find the means of gaining this commitment, before some hostile party forces the change.

As a rule, information security management is seen from the viewpoint of large corporations. In today's world, however, we must become cognizant of the fact that business is based on networking. Even giant corporations are not islands; they are connected with other, smaller companies through subcontracting and outsourcing, for instance. As a result, negligence in the management of information security, even when it occurs several nodes down from some large corporation, may nevertheless affect it through the network. Commitment to information security is therefore of utmost importance for the entire network. By their commitment, corporate managers help pave the way towards the information society.

3. Commitment of Senior Executives

Ultimate responsibility for managing information security is borne by corporate management, which provides the resources and sets the requirements on the basis of which the IT security manager promotes and coordinates security activities. A lively discussion has been going on for some time now on the commitment of senior management to information security.

The objects and activities of information security must be in line with the organization's business objectives and the requirements imposed by them. Senior management must take charge of this and provide visible support and show real commitment. To do this, they have to understand the seriousness of the threat that information risks pose to corporate assets. Further, they need to ensure that middle management and other staff fully grasp the importance of the issue. The organization's information security policy and objectives must be known by corporate employees as well as by external partners.

Information security policy represents the position of senior management toward information security, and sets the tone for the entire organization. It is recommended that coordinating the organization's information security policy should be the responsibility of some member of top management. Encouragement should be given to the extensive application of information security within the organization and among its stakeholder groups to make certain that problems are dealt with in an efficient and regular manner. When necessary, external professional assistance should be sought to keep abreast of advances, standards and values in the field. At the same time, this enables establishing forms of collaboration for potential security breaches.

The key component of information security work is the visible support and engagement of senior management. In practical terms, this commitment involves allocating necessary funding to information security work and responding without delay to new situations. Nevertheless, swelling the size of the information security organization is unwise, for a small organization is often more flexible and faster on the draw. A better alternative to enlarging security staff is to enhance information security skills and knowledge at all levels of the organization, because that is where the actual work processes are. Yet another way of showing management commitment is participation in a range of information security-related events, which serves to underline the importance attached to the topic.

4. Evidence Supplied by Surveys

We became aware of the sensitive nature of the topic in 2002, when several reports were published highlighting the commitment of senior management to corporate information security solutions. Of particular interest was the report stating that the commitment level among Finnish managers was slightly above 20 percent [5]. This finding provided a good starting point for a national discussion. When the result was explained to a group of Austrian researchers, they congratulated us on the high percentage rate. This was a little confusing, as the title of the original paper declared that information security does not interest corporate management. Moreover, the paper went on to point out that only two managers out of ten have realized that information security is of strategic value to their company. And yet this survey involved 50 companies among the top 500 businesses in Finland listed by business magazines. The crucial question was: how is this result to be understood and evaluated objectively?

One central issue identified by the survey was that merely 11 of the 50 largest companies had an information systems manager or a corresponding person on the management team. This is a far cry from showing commitment, and is undoubtedly reflected in corporate attitudes and practices. Thus, the sentiments implied in the title of the paper, information security does not interest corporate management, describe the situation spot on, because smaller companies display even less commitment.

At around the same time, we conducted a survey in a Northern Finnish company with 500 employees. It turned out that all members of the fairly large management team as well as key personnel were well-versed in information security and its attendant risks. Yet, although they were motivated to deepen their knowledge and hone their skills, we were left wondering whether they had internalized their own roles in the management of information security [6].

What does commitment to security work entail? A key factor is enthusiasm, "getting personally involved", believing in what you are doing. Another important factor is providing resources for the work. Everyone must also know who is responsible for taking decisions and directing activities. On this road, the first step involves motivation and gaining an understanding of information security. Obtaining funding serves to anticipate future needs and has far-reaching consequences, but training staff and winning their support are equally important.

At the management team level, the delicate issue of authority and responsibility often leads to conflict. Authority should be exercised in a manner that promotes performance even under difficult circumstances. Responsibilities stand in relief when things go wrong and a mishap occurs. Authority and responsibilities are also necessary during the following recovery period, and should be considered in advance. Most information security breaches and violations take place within the organization, by its own staff, who are involved either wittingly or unwittingly. Incidents of this type show how important it is that the person charged with coordinating information security really has the support of the senior management and acts with their authorization. Although it may be disconcerting, action must be taken to prevent insider abuse before anything serious happens.

5. Information Security Awareness Programmes

Success in information security management, as stated in the ISO/IEC 17799 standard (2005) [1], demands two things: commitment of senior management and provision of information security awareness programmes to all staff. The contents of such a programme were already outlined in earlier documents of the ISO/IEC JTC 1/SC 27/WG 1. In 2002 - 2004, we applied this information to create an intranet-based learning environment for information security [3].

An information security awareness programme may incorporate at least the following topics:
* factors that influence organizational information security policy together with such extensions to the policy, guidelines, directives and risk management strategy that enable a deeper understanding of risks and security measures,
* implementing the information security programme/plan and verifying the effects of security measures,
* basic data protection requirements,
* a classification scheme for protection of information,
* reporting procedures for information security breaches, attempts thereof and investigation of such breaches,
* significance of security extensions to end users and the entire organization,
* work procedures, responsibilities and job descriptions,
* security audits and checks,
* managing activities and organizational structures,
* explaining effects of unauthorized activities.

There are several avenues of obtaining guidelines on information security training. It may be confusing for some employees that they receive security-related information from several sources or through many different channels. In larger organizations, the implementation of information security programmes is coordinated by IT security managers. Nevertheless, these awareness programmes are invariably the responsibility of senior management, who must integrate the approach with the organization's genuine business needs.

6. Promoting a Culture of Security

An approach that considers the best interests of all participants and the characteristics of information systems, networks and associated services can be both efficient and secure [7].

The OECD approach comprises nine principles that deal with awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management and reassessment: "Security management should be based on risk assessment and should be dynamic, encompassing all levels of participants' activities and all aspects of their operations. It should include forward-looking responses to emerging threats and address prevention, detection and response to incidents, systems recovery, ongoing maintenance, review and audit. Information system and network security policies, practices, measures and procedures should be coordinated and integrated to create a coherent system of security. The requirements of security management depend upon the level of involvement, the role of the participant, the risk involved and system requirements." [7].

In addition, the OECD guidelines state that fostering a culture of security requires both leadership and extensive participation. Security design and management should be an important element in corporate management, and all participants must appreciate the value of security. The principles set up by the OECD form a foundation for promoting a culture of security across the society. All participants must assimilate and promote this culture as a way of thinking about, assessing and implementing information systems and networks.

Organizations are exhorted to adopt a proactive approach to information security. Business is likely to suffer if senior management has insufficient knowledge of security. This state of affairs poses a severe threat not only to the organization's reputation, but to its entire business and existence.

This paper seeks to emphasize the role of senior management in the creation of an organizational culture of security. A solution that is custom-tailored to a particular organization is only applicable to that organization. This raises the issue of how general principles and standards could be utilized to create an approach to information security and security management that is adaptable to different organizations with certain adjustments. This leads us to propose that the starting point for an information security awareness model designed for senior management should incorporate the following aspects: senior management
* must understand their own roles as business leaders. A better grasp of information security in fact facilitates their work, as it enables them to set policy objectives and take a leading role also in security;
* should define what the critical assets are that must be protected. For that, they need to have a basic understanding of information classification; and
* must pledge a holistic commitment to information security, manifested, for example, by active participation in business continuity planning.

7. Conclusions

We have discussed one of the most remarkable practical-level problems of information security management in organizations: the lack of senior management commitment to information security. This problem is difficult to solve because many professionals think that it is not a good idea to "teach" their managers, or "preach" to them. However, if the information security awareness of senior management of a company is at too low a level, the consequences may be very dramatic to the company's business. Products - goods and services - with poor information security solutions can be very easily driven out of the market by consumers. In addition, co-operation partners may vanish after they realize that a company is not paying enough attention to its information security management and that the key persons - senior management - are not committed.

8. References

[1] ISO/IEC 17799:2005, "Information Technology - Security Techniques - Code of Practice for Information Security Management", ISO, Geneve (2005).
[2] ISO/IEC 27001:2005, "Information Technology - Security Techniques - Information Security Management Systems - Requirements", ISO, Geneve (2005).
[3] Heikkinen, I., Ramet, T., "E-Learning as a Part of Information Security Education Development from Organisational Point of View", Oulu University, Oulu, Finland, in Finnish (2004).
[4] Kajava, J., "Critical Success Factors in Information Security Management in Organizations: The Commitment of Senior Management and the Information Security Awareness Programme", Hallinnon tutkimus - Administrative Studies, Volume 22, Number 1, Tampere (2003).
[5] Kajava, J., Varonen, R., Tuormaa, E., Nykanen, M., "Information Security Training through eLearning - Small Scale Perspective", in VIEWDET 2003, Nov. 26-28, Vienna, Austria (2003).
[6] Lempinen, H., "Security Model as a Part of the Strategy of a Private Hospital", in Finnish, University of Oulu, Finland (2002).
[7] OECD, "OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security", OECD Publications, Paris, France, 29 p. (2002).