The era of automation brought with it the need to own sophisticated information technology (IT) hardware and software. These IT tools have facilitated communication, research and data gathering, creating a network of information systems to the benefit of organizations worldwide. Hence, for any business to remain competitive in today's global market, it must adopt a results-oriented approach to the use of its available information systems. Examples of IT hardware include personal computers, mobile phones, servers, storage devices and routers. Unfortunately, advances in IT hardware and software have been matched by an escalation of cybercrime. The growing dependency on sophisticated information systems makes organizations vulnerable to cyber attacks. A report released by Symantec (developer of Norton Antivirus) in 2014 emphasized that cyber-espionage, threats to privacy and the acts of malicious insiders have increased over the years, with 2013 recording the most, and the largest, mega breaches. In view of this, the need to educate and protect users against cyber attacks cannot be overstated.
Earlier information security interventions were skewed towards using tools such as firewalls and antivirus software to protect users from attacks. Current approaches to fighting cyber attacks, however, have been broadened to include educating the users of information systems. The underlying belief is that the everyday activities of users make them easy targets for attack: visiting malware-infected websites, connecting to public wireless networks and installing malicious software, among others. The sections that follow discuss three strategies that have dominated discussions on a human resource approach to tackling information security.
Proponents of the fear factor approach argue that informing users of the consequences of not complying with security procedures will persuade them to adopt best practices fervently. The consequences are presented as twofold: first, the potential damage to the affected device; second, the potential damage to the information stored on it. The setback with this strategy is that in some cultures (whether geographic or organizational), potential threats may be regarded as catalysts for adventure rather than as deterrents. Where the approach relies on demonstration, there is a further risk: pointing users at live harmful content exposes them to material they would not otherwise have encountered.
Security professionals who favour the management-led approach argue that decision-makers should be made custodians of organizational security policies. The general thinking is that employees are less likely to oppose security policies passed by management or woven into the culture of the organization. Again, this strategy may only be effective in certain environments. With the growing trend towards virtual work environments, physical contact between employees and management continues to decrease, and monitoring employees' compliance with security policies may prove to be a daunting task. Management may only discover that an employee has violated a security policy during or after an attack.
The reward systems strategy suggests that employees should be rewarded for good information security practices. Managers would be rewarded for their team's or department's commitment to adhering to organizational security policies, and employees for their individual efforts in conforming to security practices or in discovering weaknesses that could be exploited in a breach. Like the two strategies already discussed, the reward systems strategy has its own setbacks. Managers and employees may be tempted to hide attacks that do occur, since an incident counts against them. False discoveries of weaknesses may be concocted to increase the chances of receiving rewards or gaining favour. The cost of such a scheme is also enough to deter some organizations from adopting it.
The approaches discussed above may be combined, depending on the security culture of the organization, to build a sound and secure working environment. These human resource strategies do not, however, propose abandoning the earlier, tool-based information security interventions; rather, they propose a multi-method approach that combines tools with human resource processes.
By: Kofi Arhin
Head, Product Development,