Security breaches that can be traced back to the actions of one individual are not the fault of one "stupid" employee but rather a failure to educate and engage the whole workforce around the importance of good security practice, according to a leading academic.
Speaking at the Cyber Warfare 2008 event in London this week, Debi Ashenden, senior research fellow at the Defence College of Management and Technology at Cranfield University, said most companies overlook the importance of employee behaviour when it comes to securing their IT and information systems.
"Lots of organisations claim to have a culture of information security but in most cases I would say that this is not true and unfounded," she told an audience made of military and civilian IT security specialists. "We need to get end users on side. We can't ignore them anymore. We need to move away from command and control and interact with them."
IT security managers do not like the idea of empowering the end users and would prefer to be able to "lock them down" in the same way employees' PCs can be locked down, said Ashenden
Ashenden's speech made reference to several recent high-profile security breaches, including the exposure of 25 million individual's records by HM Revenue & Customs (HMRC) in November last year, and the loss of an MoD laptop containing the records of some 600,000 defence personnel.
Ashenden claimed that although breaches such as HMRC had led to a new focus on IT security, based around improving processes and technology, the incidents were down to human factors. "We need to find a way to make people streetwise and question core beliefs so they question this kind of behaviour before it's carried out," she said.
A survey from PriceWaterhouseCoopers (PwC) released this week appears to back up Ashenden's assertions. The results show the proportion of companies that have an information security policy has quadrupled over the last eight years.
However, one of the report's authors, PwC's Chris Potter, said having a security policy alone does not magically improve security awareness among staff. "What companies are realising is that increasing security awareness is only part of the answer. The critical issue is changing the behaviour of their people."
There has been a spate of high-profile security breaches dating back to mid-2007, which has led the government watchdogs to demand action be taken against organisations and individuals who fail to safeguard data and information. In a document submitted to government in January this year, information commissioner Richard Thomas called for the Data Protection Act (DPA) to be amended to include a penalty for data controllers "knowingly or recklessly failing to comply with the principles" of the DPA.
Ashenden claimed there has to be a fundamental shift in the behaviour of senior IT security professionals towards end users and the importance of understanding social interaction within companies.
"Most information security managers didn't come into the profession to get involved in cultural change and to talk to end users. They came in because they have an interest in technology," she said. "But we have to measure values, attitudes and perceptions of end users and aggregate the information to craft cultural change."
In response to those IS professionals who suggested there are no hard quantitative approaches to the analysis of attitudes and behaviour of employees, Ashenden claimed there are recognised ways to tackle this kind of analysis of end-user behaviour that are already used in social-science disciplines.
Responding to a question about the failure of software makers to build user-friendly security systems, Ashenden agreed that approaches such as pop-up warnings in operating systems were ineffective, as users eventually become conditioned to ignore them. She also referenced a quote that claims hackers often pay more attention to the human link in the security chain than security designers do.
The PwC survey is part of the 2008 Information Security Breaches Survey created on behalf of the Department for Business, Enterprise and Regulatory Reform. The final report will be launched in London at the Infosecurity show on 22-24 April.