Senior Executives Commitment to Information Security - from Motivation to
Responsibility
Jorma Kajava
University of Lapland
P. 0. Box 122, FIN- 96101 Rovaniemi,
Finland
Jorma.Kajava(ulapland.fi
Rauno Varonen
University of Oulu
P. 0. Box 7200, FIN- 90014 University of
Oulu, Finland
Rauno.Varonen@oulu.fi
Juha Roning
University of Oulu
P. 0. Box 4500, FIN- 90014 University of Oulu, Finland
Juha.Roning(ee.oulu.fi
Abstract
For senior executives, information security is a
basic requirement for business success. Yet, despite
being well-motivated, top managers often have only a
superficial understanding of information security,
which may lead them to make decisions that are not
conducive to raising the organization's security level.
Enhancing information security awareness among all
employees has been found necessary, but the key to
success is raising the awareness level of senior
management. Playing a decisive role, they must
assume overall responsibility for information security.
The question is how to achieve this in an efficient and
natural way.
1. Introduction: Information Security and
Safety at Odds
Attitudes toward information security vary.
Everyone knows the fundamentals, but few have a
deeper understanding of it. Some time ago, an
extensive survey, conducted in a Finnish company,
indicated that although all employees were well-
1-4244-0605-6/06/$20.00 C2006 IEEE.
Juhani Anttila
Quality Integration
Rypsikuja 4, FIN-00660 Helsinki,
Finland
Juhani.Anttila@telecon.fi
Reijo Savola
VTT Technical Research Centre of Finland
P. 0. Box 1100, FIN-90571 Oulu,
Finland
Reijo.Savola@vtt.fi
motivated, senior management lacked the necessary
information security management skills. This was
evidenced by the fact that an external consultant
managed to convince the top management to agree to a
work safety study without asking experts on the
company payroll, who anticipated a better information
security solution. Examples such as this one can be
found also in governmental offices and at univiersities.
Our work aims at elucidating the significance of
senior management in the promotion of organizational
information security. A great number of organizations
boast extensive security awareness programmes, but
the top management often shies away from them.
Damage caused by an individual employee may have
far-reaching consequences for a company, but when
damage is inflicted by senior management, the effects
may be devastating. Thus, it is important to get top
managers to endorse the adopted information security
solutions whole-heartedly, which involves not only
being motivated to follow security principles, but also
accepting the responsibilities that go with the highest
positions.
As its starting-off point, this paper takes the new
international standard ISO 17799 [1] However, as we
are dealing with a serious issue, standards are not
1519
sufficient, we must advance from a discussion on
standards to a change in culture [6].
2. Day to Day Business
Business life tends to value ease-of-use more than
security. A change of values occurs often only after a
serious mishap, although only part of the damage may
be expressed directly in terms of money.
The prevailing view seems to be that information
security produces costs, not profit. Unless we change
our way of thinking, we will soon find that the cost of
doing nothing is even higher. As indicated by our
survey, there are great deficiences in the management
of information security, particularly as regards the
commitment of senior managers. To remedy this
situation, we must find the means of gaining this
commitment, before some hostile party forces the
change.
As a rule, information security management is seen
from the viewpoint of large corporations. In today's
world, however, we must become cognizant of the fact
that business is based on networking. Even giant
corporations are not islands, they are connected with
other, smaller companies through subcontracting and
outsourcing, for instance. As a result, negligence in the
management of information security, even when it
occurs several nodes down from some large
corporation, may nevertheless affect it through the
network. Commitment to information security is
therefore of utmost importance for the entire network.
By their commitment, corporate managers help pave
the way towards the information society.
3. Commitment of Senior Executives
Ultimate responsibility for managing information
security is borne by corporate management, which
provides the resources and sets the requirements on the
basis of which the IT security manager promotes and
coordinates security activities. A lively discussion has
been going on for some time now on the commitment
of senior management to information security.
The objects and activities of information security
must be in line with the organization's business
objectives and the requirements imposed by them.
Senior management must take charge of this and
provide visible support and show real commitment. To
do this, they have to understand the seriousness of the
threat that information risks pose to corporate assets.
Further, they need to ensure that middle management
and other staff fully grasp the importance of the issue.
The organization's information security policy and
1-4244-0605-6/06/$20.00 c2006 IEEE.
objectives must be known by corporate employees as
well as by external partners.
Information security policy represents the position
of senior management toward information security,
and sets the tone for the entire organization. It is
recommended that coordinating the organization's
information security policy should be the responsibility
of some member of top management.
Encouragement should be given to the extensive
application of information security within the
organization and among its stakeholder groups to make
certain that problems are dealt with in an efficient and
regular manner. When necessary, external
professional assistance should be sought to keep
abreast of advances, standards and values in the field.
At the same time, this enables establishing forms of
collaboration for potential security breaches.
The key component of information security work is
the visible support and engagement of senior
management. In practical terms, this commitment
involves allocating necessary funding to information
security work and responding without delay to new
situations. Nevertheless, swelling the size of the
information security organization is unwise, for a small
organization is often more flexible and faster on the
draw. A better alternative to enlarging security staff is
to enhance information security skills and knowledge
at all levels of the organization, because that is where
the actual work processes are. Yet another way of
showing management commitment is participation in a
range of information security-related events, which
serves to underline the importance attached to the
topic.
4. Evidence Supplied by Surveys
We became aware of the sensitive nature of the
topic in 2002, when several reports were published
highlighting the commitment of senior management to
corporate information security solutions. Of particular
interest was the report stating that the commitment
level among Finnish managers was slightly above 20
percent [5]. This finding provided a good starting point
for a national discussion. When the result was
explained to a group of Austrian researchers, they
congratulated us on the high percentage rate. This was
a little confusing, as the title of the original paper
declared that information security does not interest
corporate management. Moreover, the paper went on
to point out that only two managers out of ten have
realized that information security is of strategic value
to their company. And yet this survey involved 50
companies among the top 500 businesses in Finland
1 520
listed by business magazines. The crucial question
was: how is this result to be understood and evaluated
objectively.
One central issue identified by the survey was that
merely 11 of the 50 largest companies had an
information systems manager or a corresponding
person on the management team. This is a far cry from
showing commitment, and is undoubtedly reflected in
corporate attitudes and practices. Thus, the sentiments
implied in the title of the paper, information security
does not interest corporate management, describe the
situation spot on, because smaller companies display
even less commitment.
At around the same time, we conducted a survey in
a Northern Finnish company with 500 employees. It
turned out that all members of the fairly large
management team as well as key personnel were well-
versed in information security and its attendant risks.
Yet, although they were motivated to deepen their
knowledge and hone their skills, we were left
wondering, whether they had internalized their own
roles in the management of information security [6].
What does commitment to security work entail? A
key factor is enthusiasm, "getting personally
involved", believing in what you are doing. Another
important factor is providing resources for the work.
Everyone must also know who is responsible for
taking decisions and directing activities. On this road,
the first step involves motivation and gaining an
understanding of information security. Obtaining
funding serves to anticipate future needs and has far-
reaching consequences, but training staff and winning
their support are equally important.
At the management team level, the delicate issue of
authority and responsibility often leads to conflict.
Authority should be exercised in a manner that
promotes performance even under difficult
circumstances. Responsibilities stand in relief when
things go wrong and a mishap occurs. Authority and
responsibilities are also necessary during the following
recovery period, and should be considered in advance.
Most information security breaches and violations take
place within the organization, by its own staff, who are
involved either wittingly or unwittingly. Incidents of
this type show how important it is that the person
charged with coordinating information security really
has the support of the senior management and acts
with their authorization. Although it may be
disconcerting, action must be taken to prevent insider
abuse before anything serious happens.
1-4244-0605-6/06/$20.00 C)2006 IEEE.
5. Information Security Awareness
Programmes
Success in information security management, as
stated in the ISO/IEC 17799 standard (2005) [1],
demands two things: commitment of senior
management and provision of information security
awareness programmes to all staff. The contents of
such a programme were already outlined in earlier
documents of the ISO/IEC JTC 1/SC 27/WG 1. In
2002 - 2004, we applied this information to create an
intranet-based learning environment for information
security [3].
An information security awareness programme may
incorporate at least the following topics:
* factors that influence organizational information
security policy together with such extensions to
the policy, guidelines, directives and risk
management strategy that enable a deeper
understanding of risks and security measures,
* implementing the information security
programme/plan and verifying the effects of
security measures,
* basic data protection requirements,
* a classification scheme for protection of
information,
* reporting procedures for information security
breaches, attempts thereof and investigation of
such breaches,
* significance of security extensions to end users
and the entire organization,
* work procedures, responsibilities and job
descriptions,
* security audits and checks,
* managing activities and organizational structures,
* explaining effects of unauthorized activities.
There are several avenues of obtaining guidelines
on information security training. It may be confusing
for some employees that they receive security-related
information from several sources or through many
different channels. In larger organizations, the
implementation of information security programmes is
coordinated by IT security managers. Nevertheless,
these awareness programmes are invariably the
responsibility of senior management who must
integrate the approach with the organization's genuine
business needs.
6. Promoting a Culture of Security
An approach that considers the best interests of all
participants and the characteristics of information
1521
systems, networks and associated services can be both
efficient and secure [7].
The OECD approach comprises nine principles that
deal with awareness, responsibility, response, ethics,
democracy, risk assessment, security design and
implementation, security management and
reassesment: "Security management should be based
on risk assessment and should be dynamic,
encompassing all levels of participants' activities and
all aspects of their operations. It should include
forward-looking responses to emerging threats and
address prevention, detection and response to
incidents, systems recovery, ongoing maintenance,
review and audit. Information system and network
security policies, practices, measures and procedures
should be coordinated and integrated to create a
coherent system of security. The requirements of
security management depend upon the level of
involvement, the role of the participant, the risk
involved and system requirements." [7].
In addition, the OECD guidelines state that
fostering a culture of security requires both leadership
and extensive participation. Security design and
management should be an important element in
corporate management, and all participants must
appreciate the value of security. The principles set up
by the OECD form a foundation for promoting a
culture of security across the society. All participants
must assimilate and promote this culture as a way of
thinking about, assessing and implementing
information systems and networks.
Organizations are exhorted to adopt a proactive
approach to information security. Business is likely to
suffer if senior management has insufficient
knowledge of security. This state of affairs poses a
severe threat not only to the organization's reputation,
but to its entire business and existence.
This paper seeks to emphasize the role of senior
management in the creation of an organizational
culture of security. A solution that is custom-tailored to
a particular organization is only applicable to that
organization. This raises the issue of how general
principles and standards could be utilized to create an
approach to information security and security
management that is adaptable to different
organizations with certain adjustments. This leads us to
propose that the starting point for an information
security awareness model designed for senior
management should incorporate the following aspects:
senior management
* must understand their own roles as business
leaders. A better grasp of information security in
fact facilitates their work, as it enables them to set
1-4244-0605-6/06/$20.00 C 2006 IEEE.
policy objectives and take a leading role also in
security;
* should define what the critical assets are that must
be protected. For that, they need to have a basic
understanding of information classification; and
* must pledge a holistic commitment to information
security, manifested, for example, by active
participation in business continuity planning.
7. Conclusions
We have discussed one of the most remarkable
practical-level problems of information security
management in organizations: the lack of senior
management commitment to information security.
This problem is difficult to solve because many
professionals think that it is not a good idea to "teach"
their managers, or "preach" to them. However, if the
information security awareness of senior management
of a company is at too low a level, the consequences
may be very dramatic to the company's business.
Products - goods and services - with poor information
security solutions can be very easily driven out of the
market by consumers. In addition, co-operation
partners may vanish after they realize that a company
is not paying enough attention to its information
security management and that the key persons - senior
management- are not committed.
8. References
[1] ISO/IEC 17799:2005. "Information Technology
Security Techniques - Code of Practice for Information
Security Management", ISO, Geneve. (2005).
[2] ISO/IEC 27001:2005. "Information Technology -
Security Techniques - Information Security Management
Systems - Requirements", ISO, Geneve. (2005).
[3] Heikkinen, I., Ramet, T., "E-Learning as a Part of
Information Security Education Development from
Organisational Point of View". Oulu University, Oulu,
Finland., In Finnish (2004).
[4] Kajava, J., "Critical Success Factors in Information
Security Management in Organizations: The Commitment of
Senior Management and the Information Security Awareness
Programme". Hallinnon tutkimus - Administrative Studies,
Volume 22, Number 1, Tampere. (2003).
[5] Kajava, J., Varonen, R., Tuormaa, E. Nykanen, M.,
"Information Security Training through eLearming - Small
Scale Perspective". In VIEWDET 2003. Nov. 26-28. Vienna,
Austria. (2003).
[6] Lempinen H., "Security Model as a Part of the Strategy
of a Private Hospital" (In Finnish), University of Oulu,
Finland. (2002).
[7] OECD, "OECD Guidelines for the Security of
Information Systems and Networks - Towards a Culture of
Security", OECD Publications, Paris, France, 29 p. (2002).
1522