A lot have been investigated, written and said about how to better protect companies against the unstoppable proliferation of advanced and sophisticated cyber-threats/attacks. By default, and by common sense, we tend to think that by adopting and implementing cutting-edge security technologies, companies will be on a better position to stop, prevent, and reduce security threats from cyber-criminals. This is not so far from reality. Lots of technologies have emerged and being adopted to reach that goal. Among these technologies are: Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Firewalls, Antivirus, Network Access Control (NAC), Proxies, Gateways, Advance Threat Analytics (ATA), Sandboxes, Multi-factor Authentication (MFA), Artificial Intelligence (AI), and Machine Learning (ML) solutions to mention a few. However, security and data breaches still happen and are on the news all around the world, every day.
On the other hand, security practitioners and researchers understand that by forcing the implementation of information security systems' policies (ISP’s), standards and guidelines, will also significantly help organizations against different human-targeted threat vectors. Then again, security firms and scholars still find that primary information security policies violations and user's misuse are among the top reasons why security breaches occur. We can ask ourselves, how is this still happening if there are severe sanctions against security policies violations? Sanctions should work as a deterrent against employee's un-intentionally and intentionally computer misuse, but findings report great opportunities within this security controls.
Scholars have demonstrated that employees have intention to comply with ISP’s, but there are many human and organizational factors that could negatively affect their perception and, in consequence, their best intentions. For example, risk homeostasis happens when employees place too much trust in technology, when considering information security risks. With this over-confidence, employees navigate through the Internet, open emails' attachments and submit data in fake portals, without being aware of the potential cyber-risks they may be, fully delegating security measures exclusively to their company’s technological security controls. Likewise, a lot of researchers are reporting that Information Systems Security Awareness (ISSA) and Security Education Training and Awareness (SETA) programs are one of most effective countermeasures that organizations can use to their advantage against cyber-threats.
Findings shows that if employees have a better understanding and knowledge about the tactics, techniques, and procedures (TTP’s) used by cyber-criminals, they could be in a better position to protect themselves and their company’s data and information technology assets. Likewise, if there exist threat intelligence and information sharing programs, by a collaboration between department units and organizations, companies could potentially better manage cyber-risks by proactively mitigating and/or reducing them. Nevertheless, employees are still victims of one of the oldest cyber-attacks, spear phishing and phishing campaigns, with convincing social engineering techniques. But, can we say that training and awareness are not so effective? Definitely not. Instead of merely implementing a SETA program, companies should consider stablishing a security culture that may considerer sharing employee’s values and behaviors with their organizational culture, allowing them to participate on security program's development.
To effectively implement an enterprise-wide information security risk management framework, the above mentioned organizational, technological and behavioral (human) factors should holistically be taken into consideration. Similarly, a strategical alignment should be in place between Technology and Security Officers, and the CEO to cohesively reach the organization's vision, mission, objectives, and revenues.
It is worth to mention the fact that too much security technologies, restrictive information system policies and ISSA programs tend to, in some occasions, be disruptive and against innovation, agility, productivity, and firm performance. The right balance could be utopic but taking it in consideration could potentially help decision-makers to take well-informed security decisions in order to be in compliance with regulators and law-enforcement agencies while still supporting organization's effectiveness and productiveness in competitive markets.
Author: Gilberto Crespo, MSCE, CDIA+, CIP, ITILv3
Computer Engineer & Technology Blogger
Scholars have demonstrated that employees have intention to comply with ISP’s, but there are many human and organizational factors that could negatively affect their perception and, in consequence, their best intentions. For example, risk homeostasis happens when employees place too much trust in technology, when considering information security risks. With this over-confidence, employees navigate through the Internet, open emails' attachments and submit data in fake portals, without being aware of the potential cyber-risks they may be, fully delegating security measures exclusively to their company’s technological security controls. Likewise, a lot of researchers are reporting that Information Systems Security Awareness (ISSA) and Security Education Training and Awareness (SETA) programs are one of most effective countermeasures that organizations can use to their advantage against cyber-threats.
Findings shows that if employees have a better understanding and knowledge about the tactics, techniques, and procedures (TTP’s) used by cyber-criminals, they could be in a better position to protect themselves and their company’s data and information technology assets. Likewise, if there exist threat intelligence and information sharing programs, by a collaboration between department units and organizations, companies could potentially better manage cyber-risks by proactively mitigating and/or reducing them. Nevertheless, employees are still victims of one of the oldest cyber-attacks, spear phishing and phishing campaigns, with convincing social engineering techniques. But, can we say that training and awareness are not so effective? Definitely not. Instead of merely implementing a SETA program, companies should consider stablishing a security culture that may considerer sharing employee’s values and behaviors with their organizational culture, allowing them to participate on security program's development.
To effectively implement an enterprise-wide information security risk management framework, the above mentioned organizational, technological and behavioral (human) factors should holistically be taken into consideration. Similarly, a strategical alignment should be in place between Technology and Security Officers, and the CEO to cohesively reach the organization's vision, mission, objectives, and revenues.
It is worth to mention the fact that too much security technologies, restrictive information system policies and ISSA programs tend to, in some occasions, be disruptive and against innovation, agility, productivity, and firm performance. The right balance could be utopic but taking it in consideration could potentially help decision-makers to take well-informed security decisions in order to be in compliance with regulators and law-enforcement agencies while still supporting organization's effectiveness and productiveness in competitive markets.
Author: Gilberto Crespo, MSCE, CDIA+, CIP, ITILv3
Computer Engineer & Technology Blogger
