BreachExchange mailing list archives

What Drives People to Maintain Information Security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 2 Oct 2013 01:05:18 -0600

http://www.datacenterjournal.com/it/drives-people-protect-information-security/

We’ve all heard statistics about how the information being created and
stored is growing at an exponential rate. Many now regularly measure
database sizes in petabytes—and the growth is not slowing. In a recent
article, Gartner analysts predict that enterprise data will grow by 800
percent over the next five years and that 80 percent or more of that new
data will be unstructured. Unstructured data is the most difficult to
protect as it can take many forms, such as documents, videos, spreadsheets
and other content that workers create.

Organizations are centralizing information storage to promote better
collaboration, but for many the concept of having all their data “eggs” in
one basket raises new security concerns. We also know that much of the
information organizations create, gather and use is considered sensitive.
Yet despite being bombarded with messages from governments, NGOs,
consumers, vendors and the media that sensitive information must be
properly governed, many of the individuals who have access to and
responsibility for this information usually treat its security as an
afterthought.

Why is that?

With all the statistics and talk about the amount of information we’re
generating, the increased security risk of pooling all this information in
a central repository and the serious damage a data leak can cause, why is
its security not top of mind?

On the basis of my experience in the security industry working with many
large organizations around the world and with many individuals who own
content (or are responsible for content), I have developed a theory.

People only feel compelled to secure information when all of the following
apply:

- They have a personal connection to it
- They truly understand the risk that exposure of the information poses
- The impact of such an exposure affects them directly

Data users rarely secure information because it’s the right thing to do.
Although there are exceptions, in general people choose to treat data
securely because it protects them, rather than doing it for the good of the
organization. This isn’t a pessimistic view; it’s just natural human
behavior…at least it is today.

Successful security requires that the end user is properly motivated. To
that end, we need to examine why organizations are securing data and how to
make sure the people in the organization understand why it is to their
benefit to ensure that security measures are followed.

So what drives people to secure information?

Reducing Liability and Protecting Investment

In many industries, the exposure of sensitive corporate information can
have very negative business impacts. Risks can include:

- Compliance violations that result in heavy fines
- Sanctions and legally imposed restrictions on business
- Loss of business reputation (bad PR can lead to lost stock value, lost
  customers, lost market share and so on)
- Loss or theft of intellectual property

Since a business owner or a C-level executive looks at the business as a
whole and is tasked (and financially rewarded) with ensuring its success,
senior managers are better positioned to understand the risks. They are
also more invested in the consequences of a breach, as it is they who must
face the fines, lawsuits and an angry board of directors. They are also the
staff with the most to gain since performance bonuses are often tied to
profits.

Yet, corporate security measures often fail because the average employee is
not as concerned about—or even aware of—these risks to the business.
Many employees very likely don’t even know what information is sensitive
or understand how its loss can affect the organization. Unless you both
provide a clear way to identify
what information is sensitive and effectively motivate employees to secure
the data they manage, their ability (and desire) to help protect against
data loss will be limited.

Exceptions and the Seeds of Change

In recent years there has been an overall increase in attention paid to
security. In industries where the public good is at risk, we find that
average workers are beginning to connect to the data they handle. In
government agencies, for example, public safety and mission success can be
greatly affected if data is leaked. For national-defense departments,
internal security agencies (such as the U.S. Department of Homeland
Security) and other government departments, the personnel that deal with
the data involved are typically well trained in how to handle this type of
sensitive information. Additionally, people often go into these areas of
work because they have a desire to serve the public or protect the public’s
safety.

Another area where you find the average worker making a strong connection
to their data is in health care. Unlike organizations that must protect
personal identifying or financial information, workers at hospitals,
insurance companies and government agencies are finding motivation to
protect data beyond just bad press, fines or profit loss. A stolen health
identity can have tremendously negative impact on an individual’s safety.

Consider a health identity that is used by an impostor who otherwise has
no health insurance. Although this situation can be categorized as a
kind of financial theft, more seriously the person illegally using the
health identity can cause data in the victim’s health record to be
modified. For example, if the impostor is blood type A, then that data
could be applied to the original health record. If the actual insured
individual needs an emergency blood transfusion but is type B-negative, his
or her health is at risk. In these cases, typically both the senior
administrators and the employees are aware of the very serious consequences
a data breach can have.

So What Can Be Done to Ensure Information Is Secure?

In most organizations, average individuals tend to feel a true need to
secure information when they have a personal connection to it, when they
truly understand the consequences of exposure or when the impact of such an
exposure can affect them directly. The ideal situation in any organization
would be to have each and every individual truly care about securely
handling sensitive information.

The best way to create a security mindset is to overtly involve all
employees in the organization’s security strategy. This approach starts
with education to convey what information is sensitive and how it should be
handled. Employees also must be aware of the very real and very negative
impacts of information exposure, both to the business and to them
personally. In addition, openly discussing security policy and asking for
best-practice feedback from employees will help foster feelings of
ownership and responsibility.

Once employees have been educated and become involved in the security
process, organizations need to overtly foster accountability. This
accountability can be in the form of check-out procedures for highly
sensitive documents or by stamping the employees’ names on all documents
they access so if it is handled carelessly, it can easily be tracked back
to them.
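The check-out and name-stamping accountability measures described above can be made concrete in code. The following is an added example written for this archive page, not tooling from the article or its author: a hypothetical check-out register that hands each employee a copy stamped with their name and time of access, records every check-out and check-in in a hash-chained audit log (so an edited or removed entry is detectable), and can trace a carelessly handled copy back to the person who held it. The document identifiers, employee names and document content are constructed sample values.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Hypothetical check-out register (constructed for this example, not the
# article's own tooling): every access is appended to a hash-chained audit
# log, and the copy handed to the employee carries a visible name stamp.

GENESIS = "0" * 64  # previous-hash value for the first log entry


def _digest(entry):
    """Stable SHA-256 over a log entry's fields (excluding its own hash)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CheckoutRegister:
    def __init__(self, documents):
        self._documents = dict(documents)  # doc_id -> content
        self._log = []                     # append-only, hash-chained entries
        self._out = {}                     # doc_id -> employee currently holding it

    def _append(self, action, doc_id, employee, when):
        prev = self._log[-1]["hash"] if self._log else GENESIS
        entry = {"action": action, "doc": doc_id, "employee": employee,
                 "when": when, "prev": prev}
        entry["hash"] = _digest(entry)
        self._log.append(entry)

    def check_out(self, doc_id, employee, when=None):
        """Record the access and return a copy stamped with the employee's name."""
        if doc_id not in self._documents:
            raise KeyError("unknown document %s" % doc_id)
        if doc_id in self._out:
            raise RuntimeError("%s already checked out by %s" % (doc_id, self._out[doc_id]))
        when = when or datetime.now(timezone.utc).isoformat()
        self._append("check_out", doc_id, employee, when)
        self._out[doc_id] = employee
        # The stamp is what lets a carelessly handled copy be traced back.
        return "[%s] accessed by %s at %s\n%s" % (doc_id, employee, when,
                                                  self._documents[doc_id])

    def check_in(self, doc_id, employee, when=None):
        """Only the employee who holds the document may return it."""
        if self._out.get(doc_id) != employee:
            raise RuntimeError("%s is not checked out by %s" % (doc_id, employee))
        when = when or datetime.now(timezone.utc).isoformat()
        self._append("check_in", doc_id, employee, when)
        del self._out[doc_id]

    def who_accessed(self, doc_id):
        """Every employee who has ever checked the document out, in order."""
        return [e["employee"] for e in self._log
                if e["doc"] == doc_id and e["action"] == "check_out"]

    def verify_log(self):
        """Recompute the chain; an edited entry or one removed from the middle breaks it."""
        prev = GENESIS
        for e in self._log:
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


STAMP = re.compile(r"^\[(?P<doc>[^\]]+)\] accessed by (?P<who>\S+) at (?P<when>\S+)$")


def trace_stamp(stamped_copy):
    """Recover (doc_id, employee, timestamp) from a stamped copy, or None if unstamped."""
    m = STAMP.match(stamped_copy.split("\n", 1)[0])
    return (m.group("doc"), m.group("who"), m.group("when")) if m else None


if __name__ == "__main__":
    reg = CheckoutRegister({"HR-0042": "Salary review notes (constructed sample)"})
    copy = reg.check_out("HR-0042", "alice", when="2013-10-02T07:05:18+00:00")
    print(copy)
    reg.check_in("HR-0042", "alice", when="2013-10-02T09:00:00+00:00")
    print("accessed by:", reg.who_accessed("HR-0042"))
    print("log intact:", reg.verify_log())
```

The stamp is deliberately visible rather than hidden: its purpose here is the deterrent the article describes, so the employee knows the copy carries their name. The hash chain protects the register itself, so that an employee (or anyone with write access to the log) cannot quietly rewrite who held a document; the chain does not detect truncation of the newest entries, which is why the log would in practice be written to append-only storage.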

Despite all the tremendous effort and work that has gone into developing
some excellent security technologies, they unfortunately are not 100%
effective in keeping data secure. Employees’ willingness and ability to
enforce secure-information governance procedures are vital to helping
organizations defend against both inadvertent and malicious exposure of
sensitive information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/