seniorexecutives commitment to information security … · 2007-08-03 · level among finnish...



Senior Executives Commitment to Information Security - from Motivation to Responsibility

Jorma Kajava, University of Lapland

P. O. Box 122, FIN-96101 Rovaniemi, Finland

Jorma.Kajava@ulapland.fi

Rauno Varonen, University of Oulu

P. O. Box 7200, FIN-90014 University of Oulu, Finland

[email protected]

Juhani Anttila, Quality Integration

Rypsikuja 4, FIN-00660 Helsinki, Finland

[email protected]

Reijo Savola, VTT Technical Research Centre of Finland

P. O. Box 1100, FIN-90571 Oulu, Finland

[email protected]

Juha Roning, University of Oulu

P. O. Box 4500, FIN-90014 University of Oulu, Finland

Juha.Roning@ee.oulu.fi

Abstract

For senior executives, information security is a basic requirement for business success. Yet, despite being well-motivated, top managers often have only a superficial understanding of information security, which may lead them to make decisions that are not conducive to raising the organization's security level. Enhancing information security awareness among all employees has been found necessary, but the key to success is raising the awareness level of senior management. Playing a decisive role, they must assume overall responsibility for information security. The question is how to achieve this in an efficient and natural way.

1. Introduction: Information Security and Safety at Odds

Attitudes toward information security vary. Everyone knows the fundamentals, but few have a deeper understanding of it. Some time ago, an extensive survey, conducted in a Finnish company, indicated that although all employees were well-motivated, senior management lacked the necessary information security management skills. This was evidenced by the fact that an external consultant managed to convince the top management to agree to a work safety study without asking experts on the company payroll, who anticipated a better information security solution. Examples such as this one can be found also in governmental offices and at universities.

Our work aims at elucidating the significance of senior management in the promotion of organizational information security. A great number of organizations boast extensive security awareness programmes, but the top management often shies away from them. Damage caused by an individual employee may have far-reaching consequences for a company, but when damage is inflicted by senior management, the effects may be devastating. Thus, it is important to get top managers to endorse the adopted information security solutions whole-heartedly, which involves not only being motivated to follow security principles, but also accepting the responsibilities that go with the highest positions.

As its starting-off point, this paper takes the new international standard ISO 17799 [1]. However, as we are dealing with a serious issue, standards are not sufficient; we must advance from a discussion on standards to a change in culture [6].

1-4244-0605-6/06/$20.00 ©2006 IEEE. 1519

2. Day to Day Business

Business life tends to value ease-of-use more than security. A change of values occurs often only after a serious mishap, although only part of the damage may be expressed directly in terms of money.

The prevailing view seems to be that information security produces costs, not profit. Unless we change our way of thinking, we will soon find that the cost of doing nothing is even higher. As indicated by our survey, there are great deficiencies in the management of information security, particularly as regards the commitment of senior managers. To remedy this situation, we must find the means of gaining this commitment, before some hostile party forces the change.

As a rule, information security management is seen from the viewpoint of large corporations. In today's world, however, we must become cognizant of the fact that business is based on networking. Even giant corporations are not islands; they are connected with other, smaller companies through subcontracting and outsourcing, for instance. As a result, negligence in the management of information security, even when it occurs several nodes down from some large corporation, may nevertheless affect it through the network. Commitment to information security is therefore of utmost importance for the entire network. By their commitment, corporate managers help pave the way towards the information society.

3. Commitment of Senior Executives

Ultimate responsibility for managing information security is borne by corporate management, which provides the resources and sets the requirements on the basis of which the IT security manager promotes and coordinates security activities. A lively discussion has been going on for some time now on the commitment of senior management to information security.

The objects and activities of information security must be in line with the organization's business objectives and the requirements imposed by them. Senior management must take charge of this and provide visible support and show real commitment. To do this, they have to understand the seriousness of the threat that information risks pose to corporate assets. Further, they need to ensure that middle management and other staff fully grasp the importance of the issue. The organization's information security policy and objectives must be known by corporate employees as well as by external partners.

Information security policy represents the position of senior management toward information security, and sets the tone for the entire organization. It is recommended that coordinating the organization's information security policy should be the responsibility of some member of top management.

Encouragement should be given to the extensive application of information security within the organization and among its stakeholder groups to make certain that problems are dealt with in an efficient and regular manner. When necessary, external professional assistance should be sought to keep abreast of advances, standards and values in the field. At the same time, this enables establishing forms of collaboration for potential security breaches.

The key component of information security work is the visible support and engagement of senior management. In practical terms, this commitment involves allocating necessary funding to information security work and responding without delay to new situations. Nevertheless, swelling the size of the information security organization is unwise, for a small organization is often more flexible and faster on the draw. A better alternative to enlarging security staff is to enhance information security skills and knowledge at all levels of the organization, because that is where the actual work processes are. Yet another way of showing management commitment is participation in a range of information security-related events, which serves to underline the importance attached to the topic.

4. Evidence Supplied by Surveys

We became aware of the sensitive nature of the topic in 2002, when several reports were published highlighting the commitment of senior management to corporate information security solutions. Of particular interest was the report stating that the commitment level among Finnish managers was slightly above 20 percent [5]. This finding provided a good starting point for a national discussion. When the result was explained to a group of Austrian researchers, they congratulated us on the high percentage rate. This was a little confusing, as the title of the original paper declared that information security does not interest corporate management. Moreover, the paper went on to point out that only two managers out of ten have realized that information security is of strategic value to their company. And yet this survey involved 50 companies among the top 500 businesses in Finland listed by business magazines. The crucial question was: how is this result to be understood and evaluated objectively?

One central issue identified by the survey was that merely 11 of the 50 largest companies had an information systems manager or a corresponding person on the management team. This is a far cry from showing commitment, and is undoubtedly reflected in corporate attitudes and practices. Thus, the sentiments implied in the title of the paper, information security does not interest corporate management, describe the situation spot on, because smaller companies display even less commitment.

At around the same time, we conducted a survey in a Northern Finnish company with 500 employees. It turned out that all members of the fairly large management team as well as key personnel were well-versed in information security and its attendant risks. Yet, although they were motivated to deepen their knowledge and hone their skills, we were left wondering whether they had internalized their own roles in the management of information security [6].

What does commitment to security work entail? A key factor is enthusiasm, "getting personally involved", believing in what you are doing. Another important factor is providing resources for the work. Everyone must also know who is responsible for taking decisions and directing activities. On this road, the first step involves motivation and gaining an understanding of information security. Obtaining funding serves to anticipate future needs and has far-reaching consequences, but training staff and winning their support are equally important.

At the management team level, the delicate issue of authority and responsibility often leads to conflict. Authority should be exercised in a manner that promotes performance even under difficult circumstances. Responsibilities stand in relief when things go wrong and a mishap occurs. Authority and responsibilities are also necessary during the following recovery period, and should be considered in advance. Most information security breaches and violations take place within the organization, by its own staff, who are involved either wittingly or unwittingly. Incidents of this type show how important it is that the person charged with coordinating information security really has the support of the senior management and acts with their authorization. Although it may be disconcerting, action must be taken to prevent insider abuse before anything serious happens.

5. Information Security Awareness Programmes

Success in information security management, as stated in the ISO/IEC 17799 standard (2005) [1], demands two things: commitment of senior management and provision of information security awareness programmes to all staff. The contents of such a programme were already outlined in earlier documents of the ISO/IEC JTC 1/SC 27/WG 1. In 2002 - 2004, we applied this information to create an intranet-based learning environment for information security [3]. An information security awareness programme may incorporate at least the following topics:

* factors that influence organizational information security policy together with such extensions to the policy, guidelines, directives and risk management strategy that enable a deeper understanding of risks and security measures,

* implementing the information security programme/plan and verifying the effects of security measures,

* basic data protection requirements,

* a classification scheme for protection of information,

* reporting procedures for information security breaches, attempts thereof and investigation of such breaches,

* significance of security extensions to end users and the entire organization,

* work procedures, responsibilities and job descriptions,

* security audits and checks,

* managing activities and organizational structures,

* explaining effects of unauthorized activities.

There are several avenues of obtaining guidelines on information security training. It may be confusing for some employees that they receive security-related information from several sources or through many different channels. In larger organizations, the implementation of information security programmes is coordinated by IT security managers. Nevertheless, these awareness programmes are invariably the responsibility of senior management, who must integrate the approach with the organization's genuine business needs.

6. Promoting a Culture of Security

An approach that considers the best interests of all participants and the characteristics of information systems, networks and associated services can be both efficient and secure [7].

The OECD approach comprises nine principles that deal with awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management and reassessment: "Security management should be based on risk assessment and should be dynamic, encompassing all levels of participants' activities and all aspects of their operations. It should include forward-looking responses to emerging threats and address prevention, detection and response to incidents, systems recovery, ongoing maintenance, review and audit. Information system and network security policies, practices, measures and procedures should be coordinated and integrated to create a coherent system of security. The requirements of security management depend upon the level of involvement, the role of the participant, the risk involved and system requirements." [7].

In addition, the OECD guidelines state that fostering a culture of security requires both leadership and extensive participation. Security design and management should be an important element in corporate management, and all participants must appreciate the value of security. The principles set up by the OECD form a foundation for promoting a culture of security across the society. All participants must assimilate and promote this culture as a way of thinking about, assessing and implementing information systems and networks.

Organizations are exhorted to adopt a proactive approach to information security. Business is likely to suffer if senior management has insufficient knowledge of security. This state of affairs poses a severe threat not only to the organization's reputation, but to its entire business and existence.

This paper seeks to emphasize the role of senior management in the creation of an organizational culture of security. A solution that is custom-tailored to a particular organization is only applicable to that organization. This raises the issue of how general principles and standards could be utilized to create an approach to information security and security management that is adaptable to different organizations with certain adjustments. This leads us to propose that the starting point for an information security awareness model designed for senior management should incorporate the following aspects: senior management

* must understand their own roles as business leaders. A better grasp of information security in fact facilitates their work, as it enables them to set policy objectives and take a leading role also in security;

* should define what the critical assets are that must be protected. For that, they need to have a basic understanding of information classification; and

* must pledge a holistic commitment to information security, manifested, for example, by active participation in business continuity planning.

7. Conclusions

We have discussed one of the most remarkable practical-level problems of information security management in organizations: the lack of senior management commitment to information security.

This problem is difficult to solve because many professionals think that it is not a good idea to "teach" their managers, or "preach" to them. However, if the information security awareness of senior management of a company is at too low a level, the consequences may be very dramatic to the company's business. Products - goods and services - with poor information security solutions can be very easily driven out of the market by consumers. In addition, co-operation partners may vanish after they realize that a company is not paying enough attention to its information security management and that the key persons - senior management - are not committed.

8. References

[1] ISO/IEC 17799:2005. "Information Technology - Security Techniques - Code of Practice for Information Security Management", ISO, Geneve. (2005).

[2] ISO/IEC 27001:2005. "Information Technology - Security Techniques - Information Security Management Systems - Requirements", ISO, Geneve. (2005).

[3] Heikkinen, I., Ramet, T., "E-Learning as a Part of Information Security Education Development from Organisational Point of View". Oulu University, Oulu, Finland. In Finnish (2004).

[4] Kajava, J., "Critical Success Factors in Information Security Management in Organizations: The Commitment of Senior Management and the Information Security Awareness Programme". Hallinnon tutkimus - Administrative Studies, Volume 22, Number 1, Tampere. (2003).

[5] Kajava, J., Varonen, R., Tuormaa, E., Nykanen, M., "Information Security Training through eLearning - Small Scale Perspective". In VIEWDET 2003. Nov. 26-28. Vienna, Austria. (2003).

[6] Lempinen, H., "Security Model as a Part of the Strategy of a Private Hospital" (In Finnish), University of Oulu, Finland. (2002).

[7] OECD, "OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security", OECD Publications, Paris, France, 29 p. (2002).