By: Ts. Dr. Omar bin Zakaria, Professor in the Department of Computer Science, Faculty of Defence Science & Technology, UPNM
Information security is not simply a technological issue; it should be viewed holistically in its organisational context, because information security practices should be an integral part of every employee's daily work routine. This implies that the success of information security implementation within an organisation depends heavily on the way employees handle it. This short article therefore revisits the socio-technical aspect, which concerns the interaction between people (i.e. managing human aspects) and technology in the workplace (i.e. information security implementation). For instance, an inappropriate security practice is an employee failing to back up confidential data in a timely manner, which may lead to adverse consequences such as violation of confidentiality and compromise of the integrity and availability of the information.
The manner in which employees conduct their daily work routines and interact with information assets reflects how information security practices are undertaken within an organisation. Information security has evolved over time as technology and society have evolved, and many of these technological and societal changes have forced organisations to make fundamental changes to the way they manage security. Relying solely on technical employees for information security is an inappropriate perception: preserving the confidentiality, integrity and availability of information assets is the responsibility of all employees, because everyone handles them in the workplace.
Although security documents such as standards, policies and procedures may be in place, employees' failure to practise them can lead to management failures and implementation mistakes. We therefore need to understand employee behaviour vis-à-vis information security practices. It is crucial that the transformation from information security documents (i.e. official employee behaviour) into perception (i.e. actual behaviour) is exact. This can be done by managing security documents effectively through their whole life cycle: developing, disseminating, reading, comprehending, agreeing on, enforcing and maintaining them. As a result, employees can appreciate the value of these documents and practise them in workplace activities.
Moreover, humans are the weakest link in the information security chain, because the success (i.e. effectiveness and efficiency) of information security implementation is highly dependent on human factors such as security awareness (i.e. being alert to current threats) and security training (i.e. being competent in performing security tasks). Ignoring the human factors can lead to information security incidents such as unauthorised disclosure, compromising modification and denial of service. Illegitimate security behaviour among employees poses a more serious threat than external factors (i.e. hacking).
As information security threats become progressively more sophisticated, employing procedural and technical factors alone may not be adequate to bring about effective information security solutions. By revisiting the human factors, organisations can foster appropriate employee security behaviour in carrying out security activities as part of the organisation's daily work routines. If a proper information security culture is cultivated among employees, they will know how to perform those activities, and the culture will continue to be sustained within the organisation.
Unavoidably, everyone deals with information assets while performing his or her daily work routine in an organisation, so employees need to perform security tasks to ensure that those assets are secure. When everyone practises these security tasks as part of his or her job, they become a daily work routine; once this work pattern becomes dominant, everyone accepts the way of securing information assets. Over time, this creates an appropriate information security culture among the employees of the organisation.
At the initial stage, information security planning should include designing the socio-technical aspects, such as designing appropriate security practices for all employees. This planning requires the participation of all employees. Information security roles and responsibilities should not merely be left to technical employees, but should be the collective responsibility of all employees.
As a final remark, to protect and manage information assets there is a need to address both the technical and the socio-technical aspects of information security, in order to develop appropriate employee security behaviour that helps to create better security practices within an organisation. This in turn can help to increase security precautions and reduce the occurrence of internal information security incidents.