One of the most important foundations for a successful information security effort is a supportive motivational system. If motivational systems encourage compliance with information security requirements like policies, then an information security effort is likely to be supported by widespread compliance with requirements. If motivational systems discourage compliance with requirements, then there's no chance that any sort of meaningful compliance is going to be achieved. This Policy Tip discusses one useful type of motivation system called an action-forcing mechanism.
Consider, for example, the case of a hypothetical salesman at a software vendor. The salesman is getting nervous because the end of the quarter is coming up, and he is far from meeting his quota. If he misses his quota he might be fired. The salesman has one particularly large and somewhat promising potential sale that could put him over his quota. He wonders what he could do to motivate this prospect to buy now rather than later, and then hits on the idea of disclosing the plans for an upcoming version of the software. Sure enough, the prospect is impressed, and the sale goes through. There is no consequence for disclosing confidential information to an outside party without a confidentiality agreement. The operational motivational system is the quota, and it encourages the salesman to disregard an information security policy.
MORE INFORMATION ON SECURITY POLICIES:
- Learn how
- some companies are using employee dismissal to set an example for policy infractions in this article, Pink slips motivate policy compliance.
- Read about the importance of having one internal source for all information security policies in this tip also written by Charles Cresson Wood.
- Listen to this on-demand webcast with speaker Charles Cresson Wood on essential strategies for policy development.
Most organizations have multiple long-standing motivational systems that discourage people from following information security requirements. One example involves a bonus paid to middle managers for restricting departmental spending. If this type of a motivational system exists to the extent that meeting information security requirements involves additional spending at the departmental level, information security is likely to be ignored. Certainly, information security will always involve tradeoffs between competing objectives like cost, ease-of-use and time-to-market with a new product. But without strong motivational systems that support compliance with information security requirements, competing objectives and their motivational systems will most likely overwhelm what little management support there is for information security.
One example of an action-forcing mechanism that encourages information security compliance is the required sign-off from the information security manager for all software systems developed in-house. If the controls on a new or significantly modified application do not meet the information security manager's minimum control criteria, he can withhold his signature. Without his signature, a new application cannot be moved into production. Developers are likely to take security more seriously knowing there is a possibility that this signature will be withheld.
There are many other examples of action-forcing mechanisms -- ways that we can establish motivational systems to encourage and even push workers to comply with information security requirements. Ideally, these action-forcing mechanisms should be approved at the time that the related requirements are established. Management needs to understand that without such action-forcing mechanisms, policies and other requirements documents will simply be ignored.
About the author
Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, Calif. He specializes in the development of information security documents including policies, standards, procedures and job descriptions. He is also the author of Information Security Policies Made Easy.
This was first published in April 2004