Information Security : Of Human(e) Vulnerability
End users are one of the weakest links in the information security chain, which makes securing them a daunting task for security teams
Saturday, June 20, 2009

With the US National Vulnerability Database (nvd.nist.gov) publishing almost sixteen vulnerabilities per day, and with recent worms such as Win32/Conficker (also known as Downadup) spreading across the Internet, information security is no longer a peripheral issue for businesses. While information security experts scout for the latest security appliances, firewalls, anti-virus software and intrusion prevention systems, the human side of it all is often neglected. Getting users, who are often the weakest link in the security chain, to make good decisions about information security is a daunting task for the information security team in any organization. Hence, methods that organizations can use to actively involve users in information security management become extremely important.

  • Campaigns: Safety is an abstract concept. When people weigh alternatives while making a decision, abstract outcomes tend to be less persuasive than concrete ones. Hence, information security awareness is of crucial importance. Campaigns can be very useful for security education and provide a positive impetus for information security. They can take the form of monthly newsletters, posters at conspicuous locations listing the dos and don'ts, and quizzes that actively involve employees.
  • Ease of Use: Users are not stupid; they are unmotivated. Because of their limited capacity for processing information (people are cognitive misers), users tend to favor quick decisions based on learned rules and heuristics. This explains why users stick their passwords on whiteboards, do not read all the text in a dialog, or fail to consider all the consequences of their action when a security warning is displayed. One way to work around this is to deploy a standard set of secure default settings and push security patches through automatic updates, so that user involvement in software and hardware configuration is kept to a minimum.
  • Rewards: Security seldom offers an immediate reward or instant gratification, even though these are powerful reinforcers in shaping user behavior. To incentivize good security behavior, employees should be rewarded periodically for reporting security incidents, spreading awareness, and demonstrating their knowledge of information security.
  • Catch Violators: Having a corporate security policy that is not monitored or enforced is tantamount to having laws without police. Although a continuous auditing system that catches users every time they make a poor security decision is not recommended, incident reporting systems can be used to send general warning messages to security violators.
  • RITEs: Apart from the widely used principles of information security, the Responsibility, Integrity, Trust and Ethicality (RITE) principles hold the key to successfully managing security in the future. In large and physically dispersed organizations, it is even more important for members of the organization to understand what their respective roles and responsibilities should be. A clear understanding of roles and responsibilities is required of each employee to practice information security management effectively. As witnessed in many of the data breaches perpetrated by insiders, protected information can leak out even with exhaustive controls, causing irreparable damage to organizations. Hence the important human element of security, the integrity of the organization's members, is of paramount importance. The organization needs to consider how to maintain and uphold the integrity of its members so that it can minimize internal breaches. Innovative organizations place less emphasis on external control and supervision, and more on self-control and responsibility. In such a situation, mutual systems of trust are important. Since close supervision is less viable, trust must act as the cohesive element in organizations. Lastly, the ethics of fellow members of the organization are important in upholding security principles. These are not a matter of formalized company rules but of the ethical content of informal norms and behavior.
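As an added example of the "Ease of Use" point above (this is not code from the article or its author), the following PowerShell pushes a standard automatic-update policy to a Windows host and then reads it back to detect drift, so that patching happens without any decision from the user. The registry path and value names are the documented Windows Update policy keys; the particular schedule chosen (install automatically every day at 03:00, no forced reboot under a logged-on user) and the function names are assumptions made for illustration. It is meant to run as an administrator, for instance from a startup script or a central management tool.

```powershell
# Added example, not from the original article: enforce a standard automatic
# update policy so the user is never asked to decide about patching.
# Registry path and value names are the documented Windows Update policy keys;
# the chosen values below are an assumed standard for illustration.

$auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

$desired = @{
    NoAutoUpdate                  = 0   # 0 = automatic updates enabled
    AUOptions                     = 4   # 4 = auto download and schedule install
    ScheduledInstallDay           = 0   # 0 = every day
    ScheduledInstallTime          = 3   # hour of day, 24h clock (assumed)
    NoAutoRebootWithLoggedOnUsers = 1   # 1 = do not force a reboot on a logged-on user
}

function Set-AutoUpdatePolicy {
    # Create the policy key if needed and write every desired DWORD value.
    param([string]$Path, [hashtable]$Values)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $Path -Name $name -Value $Values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-AutoUpdatePolicy {
    # Read the key back and return a list of values that differ from the standard.
    param([string]$Path, [hashtable]$Values)
    $drift = @()
    if (-not (Test-Path $Path)) { return ,@('policy key missing') }
    $actual = Get-ItemProperty -Path $Path
    foreach ($name in $Values.Keys) {
        $got = $actual.$name
        if ($null -eq $got -or $got -ne $Values[$name]) {
            $drift += "$name is '$got', expected $($Values[$name])"
        }
    }
    return ,$drift
}

Set-AutoUpdatePolicy -Path $auPath -Values $desired
$drift = Test-AutoUpdatePolicy -Path $auPath -Values $desired
if ($drift.Count -eq 0) {
    Write-Output "Automatic update policy is in place on $env:COMPUTERNAME"
} else {
    Write-Warning ("Policy drift on {0}:`n{1}" -f $env:COMPUTERNAME, ($drift -join "`n"))
}
```

The read-back step matters as much as the write: a setting that a user or a local administrator has quietly changed is exactly the kind of silent security decision the bullet warns about, and a periodic drift report gives the security team something concrete to act on without involving the user.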

When all is said and done, information security begins and ends with the users.

Dr V Sridhar
The author is research fellow at Sasken Communication Technologies, Bengaluru
maildqindia@cybermedia.co.in
