130 likes | 298 Views
Defining Security Culture. Peteris Treijs, project manager, State Information Network Agency, Latvia. There are several OECD documents concerning information security and security culture:.
E N D
Defining Security Culture Peteris Treijs,project manager, State Information Network Agency, Latvia
There are several OECD documents concerning information security and security culture: • OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, adopted as a Recommendation of the OECD Council at its 1037th Session on 25 July 2002. • Implementation Plan for OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (02-Jul-2003). • The Promotion of a Culture of Security for Information Systems and Networks in OECD Countries (16-Dec-2005). • OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security,Questions and Answers
Neither of the mentioned papers contains comprehensive, clear-cut definition of the concept ‘Security Culture’. • Why authors of these papers avoided defining security culture and preferred to confide in the intuitive understanding of the term? • “Organization culture is like pornography ‑ it is hard to define, but you know it when you see it“,Ellen Wallach. • However, if we are going to create security culture in our organisations we have to make clear to ourselves: • -What the ‘security culture’ means? • -What makes the difference between applicable security legislation, regulations, standards, policies, rules or instructions and Security culture?
Quotation from article ‘Creating A Security Culture’ published by Animal Liberation Front: ‘Those who belong to a security culture also know what behavior compromises security and they are quick to educate and reprimand those people who, out of ignorance, forgetfulness, or personal weakness, partake in insecure behavior. This security consciousness becomes a "culture" when the group as a whole makes security violations socially and morally unacceptable within the group’. The last clause of the quotation is essential – actually it answers the question what makes the difference.
Safety and Security are different stuff; however there are a lot of similarities between them: - both are linked with risks and - lack of both may cause considerable, even catastrophic damage. Concept of Safety culture is more mundane and much more widely used. Safety rules and instructions are ever-present. Safety is the top priority in areas like shipping, nuclear energy industry etc.
The International Atomic Energy Agency gives the following official definition of Nuclear Safety Culture: ‘Safety Culture is that assembly of characteristics and attitudes in organisations and individuals which establishes that, as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance’. And further we read: ’…Safety culture has to be inherent in the thoughts and actions of all the individuals at every level in an organization’. Concept of ‘attitudes’ included in the definition is of crucial importance. It makes the difference.
Replacing ‘safety” by ‘security” we can get to workable statements for Security culture: Security culture is that assembly of characteristics and attitudes in organisations and individuals, which establishes that, issues of security of information systems and networks, as a high priority, receive the attention warranted by their significance. Security culture has to be inherent in the thoughts and actions of all the individuals at every level in an organization. Actually it is another wording of the above-mentioned requirement to make security violations socially and morally unacceptable. This kind of security culture definition is in reality just a statement of a goal, which, if reached, is the best guarantee for information and information systems protection .
Creating and/or changing organisation’s culture is a very difficult long-term managerial task, and security culture is no exception, it is part and parcel of the overall corporate culture. So we are confronted with the difficult task of changing corporate culture. Writing security standards, policies and instructions alone does not create culture. We are not going to discuss all aspects of establishing the desired culture in organization; we shall only emphasize those, which are of particular importance in the area of information security.
In the OECD Guidelines awareness is mentioned as the first principle. Being aware of importance of security, of the risks and available safeguards is of crucial importance. But requirement of awareness is closely linked with competence and knowledge in the area of information security at all levels in the organization. Without adequate knowledge no real awareness is possible. As ICT is fast changing industry it means that maintaining security culture has to be linked with permanent learning process.
The effect of insufficient competence at the level of individual users is quite obvious ‑ the individual himself becomes the weak point in the whole system of information and information system protection. For example, if a person did not manage the very fundamentals of public key cryptography, he or she may be unaware of situations when his or her actions (when using digital signature) may cause serious risks. It is completely unacceptable that people, whose position or occupation clearly requires competence in these matters, promote incorrect understanding, for instance, of issues around digital signature. Announcements like “digital signature is in your smart card” or “you will receive your digital signature from certification service provider” send utterly wrong messages about the very essence of digital signature.
Whatever simplifications are used (for the sake of convenience or briefness) they should not lead to wrong understanding of the subject, because those, who do not possess the respective knowledge, are learning from what the allegedly competent (official) person says. Insufficient competence at the level of political appointees in government and/or governmental organizations results into slow and inefficient process of establishing the necessary security institutions, like Public Key Infrastructure, Computer Emergency Response Teams or Computer Security Incident Response Teams.
The level of necessary competence depends on the role person performs in the Information society, but it is clear requirement of Security culture that the respective adequate competence is ensured and maintained at all levels. It is indispensable prerequisite of both the Information society and Security culture. Tank you for attention