We finally got what we wished for: executive managers are aware of the need to protect their organizational data. However, we still have problems; for example, database breaches, stolen passwords and identity theft continue to be major issues. Aside from usability problems, the central difficulty is that management usually treats information security governance as the jurisdiction of the information technology department, separate from corporate governance. They do not realize that security cannot be treated as an "add-on"; security must be made a priority and become integral to the organizational culture. This integration of security must be done from the top down and include everyone in the organization. I propose that the best and easiest way to accomplish this is by focusing on the everyday security issues that employees confront. Management should not initially try to force employee buy-in to the entire security policy. Instead, management should initially limit the policies with which all personnel must comply, in order to shape behavior that will ultimately become second nature. As employees learn and comply with these policies, management can gradually introduce the additional policies, so that eventually the entire policy becomes integral to the organizational culture.