FRONTIERS OF E-BUSINESS RESEARCH 2003

INFORMATION SECURITY CULTURE IN SMALL AND MEDIUM SIZE ENTERPRISES

Tuija Kuusisto
Tampere University of Technology, Institute of Business Information Management
tuija.kuusisto@tut.fi

Ilona Ilvonen
Tampere University of Technology, Institute of Business Information Management
ilona.ilvonen@tut.fi

Abstract

Interest in the security of information and knowledge management systems has been increasing together with the developments in information and communication technology. Besides information management, an organization has to enable knowledge creation. From the security point of view this means that an organization has to secure both information and knowledge. Attempts to cover both information and knowledge security have often been discussed under the title of “information security awareness” and more recently under the title of “information security culture”. The aim of this paper is to study the concept of information security culture and apply this concept to small and medium size enterprises (SMEs). The paper takes a broad view of information security culture and regards it as a complex system consisting of interacting framework and content categories of information security awareness. The development of a common information security culture for an organization is a huge task, because it must be based on mutually agreed visible signs, practices and images, values and basic assumptions.

Keywords: Information security, information system security, complex systems

INTRODUCTION

The aim of this paper is to study the concept of information security culture and apply this concept to small and medium size enterprises (SMEs). An increasing amount of effective information and knowledge is currently available due to developments in information and communication technology services. Information and especially knowledge are considered to be the critical success factors of business activities.
Interest in the security of information and knowledge management systems has been increasing together with these developments. Current approaches to securing information and knowledge in an organization include information security management, information system security management, information risk management and security evaluation. Typically, these approaches emphasise information security and pay less attention to knowledge security. Information has a meaning, purpose and relevance, and it is about understanding relations, e.g. (Awad & Ghaziri 2003). Knowledge is the ability to turn information and data, i.e. known facts, into effective action (Applehans et al. 1999). Besides information management, an organization has to enable knowledge creation, e.g. (Krogh et al. 2000). From the security point of view this means that an organization has to secure both information and knowledge.

Attempts to cover both information and knowledge security have often been discussed under the title of “information security awareness” and more recently under the title of “information security culture”. Siponen (2000) describes “information security awareness” as a state where users in an organization are aware of their security mission. He outlines two categories of security awareness: framework and content. Framework contains formalized information and activities such as standardization, certification and measurement of information security. Content includes people's attitude, motivation and knowledge, including mental models about information security. (Siponen 2000) It is the content category that especially addresses the security of human knowledge. Siponen (2000) stresses the importance of the content category and notes that even though almost all measures aimed at increasing security awareness have focused on the framework category, it is the shortcomings in the content of information security that usually invalidate the measures.
However, framework category efforts have to be planned and implemented too, to keep a balance between the two categories. This balance is needed to be able to formalize security efforts at the organizational level. Virtanen (2002) describes the results of an information security survey made by Huomo et al. (2002) in Finland. Information security was divided into eight areas in the survey. The areas are: legislation and norms, effectiveness, security administration, implementation of protection, risk analysis, countermeasures, values of community, ethics, responsibility and information security awareness. It was found in the survey that especially in SMEs the information security level is not good enough. Information security awareness was one of the low performance areas. (Virtanen 2002) So, there is a need to develop information security awareness, and especially the content category of information security awareness, in SMEs in Finland.

Von Solms (2000) included content category issues of information security awareness in the third wave of information security, i.e. in the institutionalisation wave. The aim of the institutionalisation wave is to build an information security culture in such a way that information security becomes a natural aspect of the daily activities of all employees of the organization. It covers standardisation, certification, measurement and concern for the human aspect of information security. (Von Solms 2000) The standardisation, certification and measurement activities of the institutionalisation wave are included in the framework category of information security awareness. The human aspect forms the content category. Developments in the area of the institutionalisation wave are currently ongoing in parallel with the activities in the first and second waves of information security. The first wave was the technical wave.
It addresses information security by using the facilities of information and communication technology based systems such as authentication and access control services. The second wave, i.e. the management wave, started when organizations got involved in networking activities at the technical level with the introduction of the Internet and web browsers, as well as at the business level with emerging e-business activities. The management wave contains the preparation of information security policies, procedures and methods as well as the nomination of information security personnel. (Von Solms 2000) Von Solms' waves are an attempt to combine narrow technical and more comprehensive socio-organizational aspects of information security. They follow Dhillon's (1997) view of information and knowledge security. Dhillon (1997) states that information system security concerns not only the security of the information and communication technology based information systems but also that of the formal and informal information systems within an organization. This paper pays attention to these broad organizational aspects of information system security in SMEs. In particular, the paper focuses on the meaning of information security culture and the current state of information security culture in SMEs in Finland.

INFORMATION SECURITY CULTURE

Dhillon (1997) takes a broad view of the term “security culture”. He defines security culture as the behaviour in an organization that contributes to the protection of data, information and knowledge (Dhillon 1997). Most of the recent papers approach information security culture from theories and models of organizational culture, e.g. (Nosworthy 2000), (Chia et al. 2002), (Martins and Eloff 2002), (Schlienger and Teufel 2002), (Zakaria and Gani 2003) and (Zakaria et al. 2003).
Nosworthy (2000) emphasises that organizational culture plays a major role in information security, as it may resist change or direct what types of changes will take place. Chia et al. (2002) based their work on a general framework of organizational culture. This framework, developed by Detert et al. (2000), contains eight dimensions. Chia et al. (2002) applied these eight dimensions to the information security area and identified the main information security topics of each dimension. They performed case studies to show that the identified topics can be used for assessing and developing the information security culture of an organization. Martins and Eloff (2002) define information security culture as the assumption about acceptable information security behaviour, and it can be regarded as a set of information security characteristics such as integrity and availability of information. They outlined an information security culture model consisting of organisational, group and individual levels to evaluate information security culture in an organization (Martins and Eloff 2002). Schlienger and Teufel (2002) emphasise that a corporate culture, including an information security culture, is a collective phenomenon that changes over time and can be designed by the management of an organization. They, as well as Zakaria and Gani (2003) and Zakaria et al. (2003), adopted Schein's (1992) organizational culture model. Schlienger and Teufel (2002) and Zakaria and Gani (2003) give examples of information security issues related to each of the elements of the model. Zakaria et al. (2003) take a management perspective on studying organizational culture and applying it to information security management. They regard information security culture as a subculture in an organization. A culture is often defined to consist of visible signs, practices and images, shared values and basic assumptions (Schein 1992).
Values are the commonsense beliefs about right and wrong that guide us in our daily lives (Fisher & Lovell 2003). Straub et al. (2002) argue that information systems (IS) research nearly always assumes that an individual belongs to a single culture. They proposed social identity theory to be used as a grounding for cultural research in IS. Social identity theory suggests that each individual is influenced by a plethora of cultures. (Straub et al. 2002) When applied to information security culture research, this means that an individual must be considered to be influenced by several ethical, national, organizational and information security cultures. These cultures have an effect on the way the individual interprets the meaning and importance of information security. The development of a common information security culture for an organization is a huge task, because it must be based on mutually agreed visible signs, practices and images, values and basic assumptions.

This paper takes a broad view of information security culture and regards it as a complex system. It is a system consisting of interacting framework and content categories of information security awareness (Figure 1) (Helokunnas et al. 2003).

[Figure 1: “Information security culture” drawn along a time axis; the framework component (standardization, certification, measurement) and the content component (attitude, motivation, knowledge) interact.]
Figure 1. Information security culture consists of interacting framework and content components.

Information security culture is developed over time by changing the behavior in an organization in the desired direction. This takes place both by formalizing the framework of information security and by influencing the mental models, attitude, motivation and explicit and especially tacit knowledge of personnel.

FINDINGS FROM CASE ORGANIZATIONS

Empirical data about the state of information system security in SMEs was collected in the Tampere region in Finland in spring 2003.
The data consist of key observations and improvement proposals. The data were collected from information security assessments performed in 11 SMEs. The assessed SMEs act in the field of information intensive business, so their business is highly dependent on technology. The assessments were performed by groups of students as an exercise in the Information Security Management course of Tampere University of Technology in Finland. The assessments were implemented as semi-structured interviews based on guidelines given to the students. The guidelines were derived by applying the information security standards ISO/IEC 17799:2000 and BS7799-2:2002.

The emphasis of information security in the assessed companies was in the technical wave of information security. The technical aspects of information security were implemented well and the technical threats to business had been thoroughly analysed. For example, backup policies, virus detection and data communications security were subject to nearly no complaints in the assessment reports. In addition, the management wave of information security was partially covered. Even in the smallest firm information security had been considered when planning the functions of the firm. However, a documented information security policy was found in only three SMEs. Some SMEs had some documents that were related to information security issues, but there was no coordination of these documents, and they had not been collected to form a whole. Figure 2 illustrates the situation of documentation related to information security.

[Figure 2: documented information security policy, 3 firms; partial documentation, 3 firms; no documentation, 5 firms.]
Figure 2. Documentation of information security policy in the assessed SMEs.

Very small SMEs that employ 1 or 2 persons can manage without a written information security policy. With so few employees it is still easy to coordinate company practices and procedures, and to agree on them just orally.
However, when the number of staff increases, oral agreements are not sufficient. They can lead to a situation where everyone has their own practices, even in quite a small SME. In addition, a clearly documented information security policy helps the training of new employees and thus supports the mature growth of the company. Even a company of 5-6 employees should already have a collection of documents that includes an information security policy and some detailed instructions on company procedures. The assessments revealed an alarming attitude among the companies; even a company of 30 employees stated that a documented information security policy is not needed due to the small size of the company.

Information classification procedures in the assessed SMEs were remarkably variable. In addition, due to the size variation among the assessed SMEs, a selection of ways to organize information security responsibilities was found in the assessments, and the responsibilities were not clearly defined in all firms. The most common arrangement was that the person responsible for the information systems was responsible for the technical part of information security. Other areas of information security were either taken care of by that person too or, as in bigger SMEs, were the responsibility of middle managers or the information manager. Figure 3 illustrates the information security organization of two of the assessed companies. The companies have 9 and 20 employees.

[Figure 3: two organization charts. A: a company of 9 employees with no documented information security policy. B: a company of 20 employees with a documented information security policy. Chart labels include CEO, primary responsibility of information security, information security procedures, technical security, technical manager, computer support, executive, project responsibles, training, responsibility of information security in everyday work, information security within projects, and supervising.]
Figure 3. Information security management organization in two of the assessed companies.

Information security is not just technical systems, which is well realized in companies A and B. Both of them have arranged matters so that computer support is not the only party responsible for information security procedures and documentation. In company A the CEO is responsible for supervising information security, since a separate position for this purpose would not be worth the cost. In company B the organization chart is a little wider, and the company has a position for an information manager. Supervising information security fits well into the profile of this person, as a separate position for an information security supervisor would still be too expensive. Even in such small organizations as companies A and B, not all areas of information security are the responsibility of one person. In both companies there is, besides the primary responsible person, another person who takes care of the technical information security. In companies that have computer support, technical security naturally belongs to that person's area of responsibility. In smaller companies technical security is the responsibility of the person responsible for computer system maintenance.

Some of the companies had documented who would substitute for a person if he was not able to come to work. This substitute system had also been tested due to sickness absences. In one company these documents had been made, but they were not up to date. Most of the companies handled substitution simply by relying on employees sharing information about their work. Almost no one had really documented their work procedures. Most companies admitted that if a key person were absent for a long period of time, it would cause major problems to their business. Even having noticed this, the companies had not begun documenting key work tasks, not to mention training substitutes.

Generally there was no information security training arranged in the assessed SMEs.
The primary reason for the lack of training was the low number of employees, and the small amount of training overall. In some of the SMEs information security issues were acknowledged in the training of a new employee, and if a company had documented information security procedures, the documents were included in the training material for new employees. Regular training on information security issues was not arranged. In two of the SMEs information security issues were addressed in other training situations, which were also irregularly arranged.

RECOMMENDATIONS TO SMES

The most obvious and essential thing that the assessed companies should do is to begin information security documentation. By documenting an information security policy they can begin a process of developing information security as a whole. Although the companies did not seem to have any major deficiencies in company procedures and no obvious holes in information security, documenting an information security policy should be started in order to reach the standardization phase of the information security waves. Documentation would have the following benefits:

• A unified understanding of information security procedures
• Easier training for new employees
• A tool for information security improvement
• Clear instructions for crisis situations

The documentation process can be done in either order: first create an information security policy, and based on that policy document instructions for secure procedures; or vice versa, first document instructions and based on those instructions formulate an information security policy. When building information security inside a company, documents are the first step. Then the personnel have to be trained to use the documents and to update them regularly.
A key factor influencing the need for information classification procedures is the size of the company, but some kind of documented instructions on how information is classified and thus handled is needed in every SME. The instructions should include definitions of the different information classes: public, company confidential and classified. In addition, they should contain guidelines on how to share, store and dispose of information within each class. Personnel should be aware that there is a lot of information in the company that should stay inside the company, and that it should not be stored on desktops where it can be accidentally, or on purpose, viewed by visitors.

Some attention had been paid to the substitute problem in most of the assessed companies. However, almost no documentation on this matter had been made. By documenting a substitute system the company can ensure that employees are aware of their responsibilities. Training on this subject makes sure that people take action on updating the documentation, and also independently train their substitutes. In many cases documentation is not enough; the substitute also needs some hands-on experience of the tasks he is required to do if substitution is needed. Training needs to be regular in order to keep things fresh in mind, and regular training encourages regular updating of the documents. A substitute system could be organized, for example, by taking the following steps:

1. In a meeting a group of people consider how substitutions should be arranged. The size of the group depends on the size of the company. At least the key positions should have a substitute plan.
2. A chart illustrating the substitution arrangements is documented.
3. The person responsible for information security has the duty of updating the chart in case of changes in personnel or organizational structure.
4.
5. Personnel are responsible for the substitute documentation.
The documentation for each position is created by the person holding the position and his substitute. The documentation process is also a part of the training for the substitute. When changes in the tasks take place, the documentation is updated. This is also done in co-operation.

Training in information security issues was rarely arranged in the assessed companies. The biggest reason for this was that the assessed companies are small and training in general was rare. Another reason for the lack of training can be differences in defining training. One person can consider instructing an employee in the use of the paper shredder as training, whereas another person thinks training only happens when somebody from outside the company is lecturing to the employees. Information security training does not have to be lecturing. Shared coffee breaks where information security issues are discussed can be considered training. The main thing is that information security issues are documented and these documents are used in the company.

CONCLUSIONS

Security culture is the behaviour in an organization that contributes to the protection of data, information and knowledge (Dhillon 1997). Each individual working for an organization is influenced by several ethical, national and organizational cultures. These cultures have an effect on the way the individual interprets the meaning and importance of information security. The development of a common information security culture for an organization is a huge task, because it must be based on mutually agreed visible signs, practices and images, values and basic assumptions.

The paper presented key findings of information security assessments performed in SMEs in the Tampere region in Finland. The emphasis of information security in the assessed companies was in the technical wave of information security. The technical aspects of information security were implemented well and the technical threats to business had been thoroughly analysed.
For example, backup policies, virus detection and data communications security were subject to nearly no complaints in the assessment reports. In addition, the management wave of information security was partially covered. Even in the smallest firm information security had been considered when planning the functions of the firm. However, most of the assessed companies had not prepared a documented information security policy, procedures or methods. In addition, the information security responsibilities were not clearly defined in all firms, substitutes for the responsible persons were not nominated in all firms, and generally there was no information security training arranged. The key improvement proposal presented to the firms was the development of information security documentation and information classification procedures. None of the firms had reached the institutionalisation wave of information security.

So, there is a need to develop instructions for SMEs on developing and measuring information security culture. This is the topic of future research. This research will be based on a broad view of information security culture. Information security culture will be regarded as a complex system. It is developed over time by changing the behavior in an organization in the desired direction. This takes place both by formalizing the framework of information security and by influencing the mental models, attitude, motivation and explicit and especially tacit knowledge of personnel.

REFERENCES

Applehans, W., Globe, A., Laugero, G. 1999. Managing Knowledge. Boston, MA: Addison-Wesley.
Awad, E., Ghaziri, H. 2003. Knowledge Management. Prentice Hall.
Chia, P. A., Ruighaver, A. B., Maynard, S. B. 2002. Understanding Organizational Security Culture. Proc. of PACIS 2002, Japan.
Detert, J., Schroeder, R., Mauriel, J. 2000. A Framework for Linking Culture and Improvement Initiatives in Organisations. The Academy of Management Review 25(4): 850-863.
Dhillon, G. 1997. Managing Information System Security. MacMillan Press Ltd, Great Britain. 210 p.
Fisher, C., Lovell, A. 2003. Business Ethics and Values. Prentice Hall. 332 p.
Helokunnas, T., Kuusisto, R. 2003. Information Security Culture in a Value Net. Proc. of the 2003 IEEE International Engineering Management Conference, USA, pp. 190-194.
Huomo, Sundquist, Muhonen, Soini 2002. Kansalliseen tietoturvastrategiaan liittyvä tietoturvakatsaus. HM & V Research Oy, Finland.
Krogh, G., Ichijo, K., Nonaka, I. 2000. Enabling Knowledge Creation: How to Unlock the Mystery of Tacit Knowledge and Release the Power of Innovation. Oxford University Press.
Martins, A., Eloff, J. 2003. Information Security Culture. Proc. of IFIP TC11 17th International Conference on Information Security (SEC2002), Cairo, Egypt. IFIP Conference Proceedings 214, pp. 203-214.
Nosworthy, J. 2000. Implementing Information Security in the 21st Century - Do You Have the Balancing Factors. Computers and Security 19(4): 337-347.
Schein, E. H. 1992. Organizational Culture and Leadership. 2nd ed. Jossey-Bass, San Francisco, USA.
Schlienger, T., Teufel, S. 2002. Information Security Culture: The Socio-Cultural Dimension in Information Security Management. Proc. of IFIP TC11 17th International Conference on Information Security (SEC2002), Cairo, Egypt. IFIP Conference Proceedings 214, pp. 191-202.
Siponen, T. 2000. A conceptual foundation for organizational information security awareness. Information Management & Computer Security 8(1): 31-41.
Straub, D., Loch, K., Evaristo, R., Karahanna, E., Strite, M. 2002. Toward a Theory-Based Measurement of Culture. Journal of Global Information Management 10(1): 13-23, Jan-March 2002.
Virtanen, T. 2002. Four Views on Security. Publications in Telecommunications Software and Multimedia, Espoo, Finland.
Von Solms, B. 2000. Information Security - The Third Wave? Computers and Security 19(7): 615-620.
Zakaria, O., Gani, A. 2003. A Conceptual Checklist of Information Security Culture. Proc. of the 2nd European Conference on Information Warfare and Security, Reading, UK.
Zakaria, O., Jarupunphol, P., Gani, A. 2003. Paradigm Mapping for Information Security Culture Approach. Proc. of the 4th Australian Conference on Information Warfare and IT Security, Adelaide, Australia.
