Scholars have shown that employees generally intend to comply with information security policies (ISPs), but many human and organizational factors can negatively affect their perception of risk and, in consequence, undermine even their best intentions. One example is risk homeostasis: when employees place too much trust in technology, they compensate by behaving less carefully, because they believe the technical controls will catch whatever they miss. With this over-confidence, employees browse the Internet, open email attachments and submit data to fake portals without being aware of the cyber-risks they are exposed to, delegating security entirely to their company's technological controls. At the same time, many researchers report that Information Systems Security Awareness (ISSA) and Security Education, Training and Awareness (SETA) programs are among the most effective countermeasures an organization can use against cyber-threats.
Findings show that if employees have a better understanding of the tactics, techniques, and procedures (TTPs) used by cyber-criminals, they are in a better position to protect themselves and their company's data and information technology assets. Likewise, where threat intelligence and information sharing programs exist, built on collaboration between departments and between organizations, companies can manage cyber-risks more proactively by mitigating or reducing them before they materialize. Nevertheless, employees still fall victim to one of the oldest cyber-attacks, phishing and spear phishing campaigns that use convincing social engineering techniques. Does that mean training and awareness are not effective? Definitely not. Rather than merely implementing a SETA program, companies should consider establishing a security culture that aligns employees' values and behaviors with the organizational culture and lets them participate in the development of the security program itself.
To effectively implement an enterprise-wide information security risk management framework, the organizational, technological and behavioral (human) factors mentioned above should be considered holistically. Similarly, there should be strategic alignment between the Technology and Security Officers and the CEO, so that the organization's vision, mission, objectives, and revenue targets are pursued cohesively.
It is worth mentioning that too many security technologies, overly restrictive information system policies and ISSA programs can, on occasion, be disruptive and work against innovation, agility, productivity, and firm performance. The right balance may be utopian, but keeping it in mind can help decision-makers take well-informed security decisions that keep the organization in compliance with regulators and law-enforcement agencies while still supporting its effectiveness and productivity in competitive markets.
Author: Gilberto Crespo, MSCE, CDIA+, CIP, ITILv3
Computer Engineer & Technology Blogger