All of us have commiserated with colleagues about the difficulty of getting people to pay attention to security policies - to comply with what seems like good common sense. We shake our heads in disbelief as we recount tales of employees who hold the door open for their workmates, thereby rendering million-dollar card-access systems useless.
One problem is that although information systems security and network management personnel have a wide variety of backgrounds, many of us lack any formal training in social psychology.
Security policies and procedures affect not only what people do but also how they see themselves, their colleagues and their world. Despite these psychosocial issues, security personnel pay little or no attention to what is known about social psychology. Yet the established principles of human social behavior have much to teach us in our attempts to improve corporate and institutional information security.
Information security specialists concur that security depends on people more than on technology. Another commonplace is that employees are a far greater threat to information security than outsiders.
It follows from these observations that improving security depends on changing beliefs, attitudes and behavior - of individuals and of groups. The following are some ways that social psychology can help us understand how best to work with human predilections and predispositions to achieve our goals of improving security:
Research on social cognition looks at how people form impressions about reality (knowing these principles, we can better teach our colleagues and clients about effective security).
Understanding attitude formation and beliefs helps us present information effectively and so convince employees and others to cooperate in improving security.
Scientists studying persuasion and attitude change have learned how best to change people's minds about unpopular views, such as those of the security community.
Studies of factors enhancing pro-social behavior provide insights on how to foster an environment where corporate information is willingly protected.
Knowledge of the phenomena underlying conformity, compliance and obedience can help us enhance security by encouraging compliance and by protecting staff against social pressure to breach security.
Group psychology research provides warnings about group pathology and hints for working better with groups in establishing and maintaining information security in the face of ingrained resistance.
In upcoming issues of this newsletter, I will discuss well-established principles of social psychology that will help security and network management personnel implement security policies more effectively. Any recent introductory college textbook in this field will provide references to the research that has led to the principles which are applied to security policy implementation.
M. E. Kabay, Ph.D., CISSP, is Security Leader, INFOSEC Group, at Adario, Inc. He can be reached at mkabay@compuserve.com. Adario specializes in all aspects of information security consulting and training, including e-commerce, enterprise security policies and communications security.
Check out the new "Computer Security Handbook, 4th Edition" edited by Seymour Bosworth and Michel E. Kabay; Wiley (New York), ISBN 0-4714-1258-9. Available now at your technical bookstore or visit Amazon.
M. E. Kabay, Ph.D., CISSP is Associate Professor of Information Assurance in the Department of Computer Information Systems at Norwich University in Northfield, Vt. Mich can be reached by e-mail. He invites inquiries about his information security and operations management courses and consulting services. Visit his Web site for papers and course materials on information technology, security and management.
The number one security tool? Policy!
Network World, 11/22/99.
Sniffing for harassing corporate e-mail
Network World, 06/21/99.
Writing a security policy
Network World, 03/10/99.