This article can also be found in the Premium Editorial Download "Information Security magazine: Compliance and risk modeling."
It’s a recurring theme. Security is the IT department’s problem. We see it time after time. When asked about security, middle and senior management defer to IT managers and associated staff for answers.
Delegating the technical aspects of security to IT departments, especially to staff who specialize in security, makes sense. However, middle and senior management should have input into decisions that affect everyday business operations. Do business managers possess enough IT security literacy to ensure that IT practices and policies aren’t adversely affecting business productivity? Unfortunately, many times they can’t even ask the right questions to determine whether their input is needed.
When a user’s account gets compromised at one organization that we know of, the user is locked out for 24 hours. The account is literally turned off. The person comes to work, but they can’t log into a single system to get anything done. This “24-hour lockout” policy was determined by the IT specialists who set up the authentication hardware. The policy wasn’t created by the business managers, who are responsible for getting work done.
If this were a production line, in which each person’s function along the line is essential, the loss of that individual could cause a slowdown or a major work stoppage. Although we don’t think of our employees as line workers, each person has an essential role to play each day, and when they can’t complete their job because the IT staff has locked their account, productivity declines and work stops.
Further, this scenario could set the stage for a denial-of-service attack. Compromise a whole department’s accounts and you shut down their work for an entire day. Make it a rolling compromise of the accounts in the department and you could stop work for at least a week, maybe more.
Active role in IT security and policy decisions
IT staff is made up of specialists—developers, database administrators, IT managers and architects—some of whom concentrate on technical security applications and theory. Should these folks make policies for the entire company based upon the technical aspects of the technology? When it comes to security policies and personnel matters, an organization’s mid-level and senior managers need to take an active role in developing policies and procedures.
We don’t believe every manager or business student needs to understand all aspects of IT security. That’s why we train computer engineers, computer scientists and MIS students to understand the technical security issues, as well as the human aspects of security. Managers and students, however, would benefit from taking one or two courses to increase their IT security knowledge. If technical literacy is properly taught, business managers as well as those entering the workforce would understand security from a holistic perspective.
Traditionally, the government, industry and higher education have considered awareness campaigns that provide top-10 lists and catchy slogans adequate IT security education for the masses. While phrases such as “Passwords are like underwear…change yours often” are laughable and memorable, they don’t explain the reason behind the advice: changing passwords forces anyone attempting to crack them to chase a moving target.
Additionally, most awareness campaigns don’t inform users that changing passwords frequently isn’t a panacea for keeping systems safe. If users continue to write their newly changed passwords on sticky notes and post them under the keyboard, on the monitor or in a desk drawer, they are defeating the purpose. This is a very basic concept in password security, and you may think it couldn’t happen at your company; look around the support staff’s offices and see how many sticky notes you find. It is an eye-opening experience, even now, a good 15 years into the “interconnected, always on” world.
Like awareness campaigns, even websites that strive to provide security tips and advice don’t provide everyday context or in-depth explanations to help users understand the relevance to their daily work routines.
IT security education beyond computer science majors
A better approach to IT security literacy education—and one that we have become evangelists for—is to teach IT security in a way in which everyone can understand it and use it daily. People of all technical levels can comprehend IT security when it is put in the context of current events; when analogies to common items are made; and when non-technical explanations of how mechanisms such as firewalls and anti-virus software work are provided.
Although we argue that students in finance, accounting and marketing at the undergraduate level would benefit from learning more about security, we believe it is imperative that students at the Master of Business Administration (MBA) level receive technical security literacy. These students may take risk management and ethics courses, but generally these classes do not cover information technology. Many MBA students aspire to manage and work at the executive levels of companies. Shouldn’t they understand the IT threats and the potential ways to prevent those threats at a technical level? Likewise, people who plan to work in human resources or personnel management need to understand the possibility of insider threats and the problem posed by disgruntled employees, or employees who are summarily dismissed.
And, while it is vital to educate our future business leaders, isn’t it just as important for organizations to bring current management up-to-speed by offering security literacy workshops? Managers—as well as their employees—could benefit from this training.
Government, industry and higher education are to blame for letting security awareness campaigns serve in place of IT security literacy. Until we treat IT security as everyone’s problem, and employees and managers at all levels contribute to the company’s security, we will continue to lose the security battle.
About the authors:
Doug Jacobson is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education.
Julie A. Rursch is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing and outreach to support business and industry. Send comments on this column to firstname.lastname@example.org.
This was first published in May 2013