A Prescription for an Information Security Risk Management Program

4/21/2018

A lot has been investigated, written and said about how to better protect companies against the unstoppable proliferation of advanced and sophisticated cyber-threats and attacks. By default, and by common sense, we tend to think that by adopting and implementing cutting-edge security technologies, companies will be in a better position to stop, prevent, and reduce security threats from cyber-criminals. This is not far from reality. Many technologies have emerged and been adopted to reach that goal, among them Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls, antivirus, Network Access Control (NAC), proxies, gateways, Advanced Threat Analytics (ATA), sandboxes, Multi-factor Authentication (MFA), Artificial Intelligence (AI), and Machine Learning (ML) solutions, to mention a few. However, security and data breaches still happen and are in the news all around the world, every day.
On the other hand, security practitioners and researchers understand that enforcing information security policies (ISPs), standards and guidelines also significantly helps organizations against human-targeted threat vectors. Then again, security firms and scholars still find that information security policy violations and user misuse are among the top reasons why security breaches occur. We can ask ourselves: how is this still happening if there are severe sanctions for security policy violations? Sanctions should work as a deterrent against both unintentional and intentional computer misuse by employees, but findings report that these controls still leave great room for improvement.

Scholars have demonstrated that employees intend to comply with ISPs, but there are many human and organizational factors that can negatively affect their perception and, in consequence, their best intentions. For example, risk homeostasis happens when employees place too much trust in technology when weighing information security risks. With this over-confidence, employees browse the Internet, open email attachments and submit data to fake portals without being aware of the cyber-risks they may be exposed to, fully delegating security to their company's technological controls. Likewise, many researchers report that Information Systems Security Awareness (ISSA) and Security Education, Training and Awareness (SETA) programs are among the most effective countermeasures that organizations can use to their advantage against cyber-threats.

Findings show that if employees have a better understanding of the tactics, techniques, and procedures (TTPs) used by cyber-criminals, they are in a better position to protect themselves and their company's data and information technology assets. Likewise, where threat intelligence and information sharing programs exist, built on collaboration between departments and between organizations, companies could better manage cyber-risks by proactively mitigating or reducing them. Nevertheless, employees are still victims of one of the oldest cyber-attacks, phishing and spear phishing campaigns backed by convincing social engineering techniques. Can we then say that training and awareness are not effective? Definitely not. Instead of merely implementing a SETA program, companies should consider establishing a security culture that aligns employees' values and behaviors with the organizational culture and allows them to participate in the security program's development.

To effectively implement an enterprise-wide information security risk management framework, the organizational, technological and behavioral (human) factors mentioned above should be taken into consideration holistically. Similarly, strategic alignment should be in place between the Technology and Security Officers and the CEO, so that the organization's vision, mission, objectives, and revenue targets are pursued cohesively.

It is worth mentioning that too much security technology, overly restrictive information system policies and ISSA programs can, on some occasions, be disruptive and work against innovation, agility, productivity, and firm performance. The right balance may be utopian, but keeping it in mind can help decision-makers make well-informed security decisions that keep the organization in compliance with regulators and law-enforcement agencies while still supporting its effectiveness and productivity in competitive markets.

Author: Gilberto Crespo, MSCE, CDIA+, CIP, ITILv3
Computer Engineer & Technology Blogger
Dr. Gilberto Crespo is an information security researcher and technology expert.

He has been working for more than 20 years in the information technology, cybersecurity, financial, higher education, and life coaching industries. He is also a motivational and leadership speaker.