Defining Security Culture

Document Sample
Defining Security Culture Powered By Docstoc
					  Defining Security Culture

                       Peteris Treijs,
project manager, State Information Network Agency, Latvia
There are several OECD documents concerning information security and

security culture:

    – OECD Guidelines for the Security of Information Systems and
      Networks: Towards a Culture of Security, adopted as a
      Recommendation of the OECD Council at its 1037th Session on
      25 July 2002.
    – Implementation Plan for OECD Guidelines for the Security of
      Information Systems and Networks: Towards a Culture of Security
    – The Promotion of a Culture of Security for Information Systems
      and Networks in OECD Countries (16-Dec-2005).
    – OECD Guidelines for the Security of Information Systems and
      Networks: Towards a Culture of Security, Questions and Answers
• Neither of the mentioned papers contains comprehensive, clear-cut
  definition of the concept ‘Security Culture’.
• Why authors of these papers avoided defining security culture and
  preferred to confide in the intuitive understanding of the term?
• “Organization culture is like pornography - it is hard to define, but you
  know it when you see it“, Ellen Wallach.
• However, if we are going to create security culture in our organisations
  we have to make clear to ourselves:
• - What the ‘security culture’ means?
• - What makes the difference between applicable security legislation,
  regulations, standards, policies, rules or instructions and Security
Quotation from article ‘Creating A Security Culture’ published by Animal
Liberation Front:

  ‘Those who belong to a security culture also know what behavior
   compromises security and they are quick to educate and reprimand
   those people who, out of ignorance, forgetfulness, or personal
   weakness, partake in insecure behavior. This security consciousness
   becomes a "culture" when the group as a whole makes security
   violations socially and morally unacceptable within the group’.

   The last clause of the quotation is essential – actually it answers the
   question what makes the difference.
 Safety and Security are different stuff; however there are a lot of
similarities between them:
- both are linked with risks and
- lack of both may cause considerable, even catastrophic damage.

Concept of Safety culture is more mundane and much more widely
 used. Safety rules and instructions are ever-present. Safety is the top
 priority in areas like shipping, nuclear energy industry etc.
 The International Atomic Energy Agency gives the following official
 definition of Nuclear Safety Culture:
‘Safety Culture is that assembly of characteristics and attitudes in
 organisations and individuals which establishes that, as an overriding
 priority, nuclear plant safety issues receive the attention warranted by
 their significance’.

And further we read: ’…Safety culture has to be inherent in the
thoughts and actions of all the individuals at every level in an

Concept of ‘attitudes’ included in the definition is of crucial
 importance. It makes the difference.
Replacing ‘safety” by ‘security” we can get to workable statements for

Security culture:

 Security culture is that assembly of characteristics and attitudes in
  organisations and individuals, which establishes that, issues of
  security of information systems and networks, as a high priority,
  receive the attention warranted by their significance.
 Security culture has to be inherent in the thoughts and actions of all the
  individuals at every level in an organization.
 Actually it is another wording of the above-mentioned requirement to
  make security violations socially and morally unacceptable.

  This kind of security culture definition is in reality just a statement of a
  goal, which, if reached, is the best guarantee for information and
  information systems protection .
Creating and/or changing organisation’s culture is a very difficult long-
 term managerial task, and security culture is no exception, it is part and
 parcel of the overall corporate culture.
So we are confronted with the difficult task of changing corporate
Writing security standards, policies and instructions alone does not
 create culture.

We are not going to discuss all aspects of establishing the desired
culture in organization; we shall only emphasize those, which are of
particular importance in the area of information security.
In the OECD Guidelines awareness is mentioned as the first principle.
Being aware of importance of security, of the risks and available
safeguards is of crucial importance.
But requirement of awareness is closely linked with competence and
knowledge in the area of information security at all levels in the
Without adequate knowledge no real awareness is possible.
As ICT is fast changing industry it means that maintaining security
culture has to be linked with permanent learning process.
The effect of insufficient competence at the level of individual users is
quite obvious - the individual himself becomes the weak point in the
whole system of information and information system protection.
For example, if a person did not manage the very fundamentals of
public key cryptography, he or she may be unaware of situations when
his or her actions (when using digital signature) may cause serious

It is completely unacceptable that people, whose position or
occupation clearly requires competence in these matters, promote
incorrect understanding, for instance, of issues around digital
 Announcements like “digital signature is in your smart card” or “you
will receive your digital signature from certification service provider”
send utterly wrong messages about the very essence of digital
Whatever simplifications are used (for the sake of convenience or
briefness) they should not lead to wrong understanding of the subject,
because those, who do not possess the respective knowledge, are
learning from what the allegedly competent (official) person says.

Insufficient competence at the level of political appointees in
government and/or governmental organizations results into slow and
inefficient process of establishing the necessary security institutions,
Public Key Infrastructure, Computer Emergency Response Teams or
Computer Security Incident Response Teams.
The level of necessary competence depends on the role person
performs in the Information society, but it is clear requirement of
Security culture that the respective adequate competence is ensured
and maintained at all levels.
It is indispensable prerequisite of both the Information society and
Security culture.

                Tank you for attention

Shared By: