Applying Double Loop Learning to Interpret Implications for Information Systems Security Design*

Angela Mattia, Virginia Commonwealth University, Richmond, VA, U.S.A., [email protected]

Gurpreet Dhillon, Virginia Commonwealth University, Richmond, VA, U.S.A., [email protected]

Abstract - The security of information systems (IS) continues to be one of the most serious issues of the twenty-first century. Past research indicates human factors to be the prime reason for IS security breaches. Human factors are repertoires of behavior that evolve from the reasoning and actions that individuals follow. These actions become the 'theories of action' individuals espouse and their 'theories-in-use', which are the actions they actually perform. We argue that IS security problems occur when an organization's 'espoused theory' and its 'theory-in-use' (what it actually does) are contradictory. It is important, therefore, that human factors be addressed in IS security. The current focus on technological methods alone is an incomplete solution. The purpose of this paper is to present double loop learning as a strategy for designing and implementing security actions that bring an organization's 'espoused theory' and its 'theory-in-use' into congruence. Indeed, by doing so, double loop learning is a proactive security method that never becomes outdated.

Keywords: IS Security, interpretive perspective, IS security design, socio-organizational perspective, double loop learning.

1 Introduction

In today's world, public awareness of computer security is at an all-time high because of terrorism, hacking and the general attention given to computer abuse. It continues to be important, therefore, to remember that information systems (IS) security is a much broader concern than computer security and, as such, must include manual systems and "human processors." It is this need for a more complete means of security that opens up the behavioral aspects of information security [1], such as motivation, cognition and organizational learning. Yet this broader behavioral view seems to be often ignored. In addition, organizations espouse policies and rules, and put in place management controls, that do not reflect what they actually do. This contradiction leads to security problems that cause considerable financial loss. This was evident in the findings of the "2002 Computer Crime and Security Survey", which confirmed that the threat from computer crime and other information security breaches continues unabated and that the financial toll continues to mount. Eighty percent of the organizations acknowledged financial losses due to computer breaches [2]. Many enterprises live with the lost-time cost of widespread employee abuse of e-mail and Internet access. But it is much worse than that. Gartner estimates that more than 70 percent of unauthorized access to information systems is committed by employees, as are more than 95 percent of intrusions that result in significant financial losses [3]. In addition, the PentaSafe survey "Security Awareness Index (SAI)" reported that "one out of ten employees said that they had never read any of their company's security policies, a quarter had not read them in over two years, and 70 percent of companies admitted not tracking or following up cases where staff had not signed a statement to say they had read and understood the security policy" [4].

This paper proposes using double loop learning [5-7], which pertains to first learning about the governing variables of an organization and then using what is learned to solve problems that are complex and which change as problem-solving advances. Double loop learning is based upon a "theory of action" perspective. An important aspect of the theory is the distinction between an individual's "espoused theory" (organizational goals and mission, formal documents such as policy statements) and their "theory-in-use" (what they actually do); bringing these two into congruence is a primary concern of double loop learning.

0-7803-7952-7/03/$17.00 © 2003 IEEE.

2 Double loop learning

Reasoning is a process in which people create premises, derive inferences from the premises, and draw conclusions. A person's theory of action requires reasoning about how to produce the consequences they intend. The effectiveness of the reasoning process is measured by the degree to which people produce the consequences they intended. As Argyris notes:

"Theories of action, therefore, are theories about effectiveness, and because they contain propositions that are falsifiable, they are also theories about truth. Truth in this case means truth about how to behave effectively [7]." Theories of action are based on the assumption that the key activity in life is to bring about the consequences one intends. We conceptualize ways in which our actions can produce certain intended results; this allows us to design the actions we intend to produce. Theories of action include theories-in-use (what people actually do) and espoused theories, which are the actions people write or talk about. Theories-in-use have degrees of effectiveness, which are learned. "Human factors", especially the fact that human beings are programmed to be unaware of certain things in certain situations, are explained by the fact that our actions are learned through socialization and are therefore highly skilled. Highly skilled actions have a crucial feature: they are produced by a mental program that is performed automatically. This mental program is tacit, which contributes to our unawareness. It is not reflected on because it is sanctioned by the culture of the organization. If the programmed actions fail, the individual blames someone else or life in general. This allows the unawareness to continue, and no learning occurs [7].

Figure 1. The learning process (learning cycle: discovery, invention, production, evaluation and generalization)

Learning is commonly defined as the process of discovery, but Argyris [7] goes beyond that to include learning that leads to new action and new problem solving (figure 1). This is important because it enables individuals and systems to keep learning and innovating. It has become increasingly clear that organizations may not survive unless they innovate [8]. This sets the stage for double loop learning, which is the most effective way to achieve the desired consequences and innovations.

Double loop learning is crucial because it allows us to examine and correct the way we are dealing with any security issue (the security theory-in-use) and our underlying assumptions about it. This becomes a theory-in-use that is best used for non-routine, non-programmed, difficult security issues that cannot or should not be solved without re-examining organizational values and assumptions. The strategy of all organizations is to decompose double loop problems into single loop ones [7], because everyday organizational life must be manageable. Single loop learning is basically learned through the socialization process and may or may not be based on valid information. The single loop supplies the most appropriate theory-in-use for routine, programmed security activities or emergency situations. Since security is often needed most when emergencies arise, this makes the single loop a crucial companion to double loop learning by allowing prompt and unilateral action.

3 Double loop learning applied to information systems security

Security management controls consisting of risk analysis, checklists, and evaluation are among the most mainstream security practices in use [9]. They offer the potential for an organization to double-loop learn. Checklists, the best-known security method, help identify every possible control that may be implemented. The controls were based on "what can be done" rather than "what needs to be done" [10, 11]. As the available security controls have multiplied and their complexity has increased, checklist security design struggles to be a comprehensive solution and may even add unnecessary, expensive modifications by being all-inclusive. Risk analysis developed as a way to balance the all-inclusiveness of checklists against the probability of a security problem happening. Risk is the possibility of harm or loss to any software, information, hardware, administrative, physical, communications, or personnel resource within an information system or activity [12]. Risk analysis is a systematic way of estimating the correspondence between threat and vulnerability [9]; it is a way to be selective and avoid the implementation of unnecessary, expensive controls. Security evaluation stems from the need to measure security successes and failures. The narrow technical criteria developed from checklists and risk analysis allowed security to be separated from its organizational context. Evaluation criteria became a security method, a control that was measurable. Later improvements to evaluation methods have taken a discrete, event-oriented approach. The mainstream account of security controls and the action science account imply very different ways of dealing with failure to achieve intended security consequences.

The mainstream epistemology of security practice (single-loop learning) is a rationality that focuses on the means or measures that reach the end result. Failure to achieve the intended ends leads to a re-examination of means [13] and a search for more efficient measures. Operational and technical controls, which are used for routine, programmed security activities or emergency situations, fall into this area of single-loop learning. The action science epistemology of security practice (double-loop learning) focuses on framing or conceptualizing the problem, as well as on the means, reasoning or problem solving that is occurring. Failure to achieve intended security consequences may lead to reflection on the original frame and the formulation of a different problem [13]. The security of information systems involves individuals and social systems; consequently, the framework must consider both for double loop learning to occur. In addition, we must take into consideration that we are unaware of many of our theories-in-use. This means that we supply the data that we could learn from but do not see it. Others must see the theories-in-use that we are unaware of, and we must see theirs. People are therefore crucial to each other's learning [7] and to the security of their information systems. Double loop learning is especially relevant to the decision-making skills that are necessary for security-related management controls, since it focuses on analysis of the assumptions and implicit rules underlying the organization. Consequently, double loop learning is an effective way to manage the two forms of the theory of action. Espoused theory is the theory of action that is advanced to explain or justify a given pattern of activity. Examples include checklists, risk analysis and security evaluation, policies, plans and formal rules. Theory-in-use is the theory of action that is implicit in the performance of the pattern of activity.

Theory-in-use is not a "given"; it must be constructed from observation of the pattern of action in question. Organizational learning is two-fold: double loop learning occurs when mismatches are corrected by first examining and altering the governing variables and then the actions, whereas single loop learning occurs when matches are created, or when mismatches are corrected by changing actions alone [6]. The classification of lower-level system security is a single loop process, which yields organizational characteristics such as rules and routine. In double loop security, the assumptions underlying management controls are questioned and hypotheses about their behavior are tested publicly. Double loop learning [5, 6] pertains to learning about the governing variables of an organization and then using what is learned to solve security problems that are complex and which change as problem-solving advances. The double loop learning design of system security results in changing the underlying governing variables, policies, and assumptions of either the individual or the organization. Thus, double loop learning is especially relevant to the decision-making skills that are necessary for the formation of security-related espoused theory. Furthermore, to make everyday organizational life manageable, organizations need both single and double loop security processes to secure their systems.

4 The double loop learning IS security framework

A double loop learning design creates a mindset that consciously seeks out security problems in order to resolve them. The double loop mindset results in changing the underlying governing variables, policies, and assumptions of either the individual or the organization. Fiol and Lyles [14] classify higher-level organizational learning as a double loop process, yielding organizational characteristics such as acceptance of non-routine managerial behavior, insightfulness, and heuristic behavior. In contrast, the single loop mindset ignores security contradictions. One reason is that the blindness is designed into the mental program that keeps us unaware. We are blind to the counterproductive features of our security actions. This blindness is mostly about the production of an action rather than the consequences of the action. That is why we sometimes truly do not know how we let something happen. Thus, organizations exhibiting single loop security have the mindset that Fiol and Lyles classify as lower-level organizational learning, which yields organizational characteristics such as rules and routine [14].

Figure 2. Double loop learning (after Argyris, 1993). Governing variables lead to action, and action to consequences; a match or mismatch between intended and actual consequences feeds back either to the actions alone (single loop) or, through inquiry into espoused theories and theories-in-use, to the governing variables themselves (double loop).

When using the double loop learning security framework (figure 2), the assumptions underlying current espoused theories and theories-in-use are questioned and hypotheses about their behavior are tested publicly. The double loop is significantly different in its inquiry characteristics from single loop learning. To begin, the organization must become aware of the security conflict. The actions have produced unexpected outcomes; this is a mismatch (error), a surprise. The organization must reflect upon the surprise to the point where it becomes aware that it cannot deal with it adequately by doing better what it already knows how to do. It must become aware that it cannot correct the error by using the established security controls more efficiently under the existing conditions. It is important to discover what conflict is causing the error and then undertake the inquiry that resolves the security conflict. In such a process, the restructured governing variables become inscribed in the espoused theories, allowing the espoused theories and theories-in-use to become congruent and thus more amenable to effective security realization.

Figure 3. Double loop security design process (cycle: discovery of espoused theory and theory-in-use; bringing the two into congruence by inventing new governing variables; generation of new actions; generalization of consequences into an organizational match)

In summary, the proposed double loop security design (figure 3) has four basic steps: (1) discovery of espoused theory and theory-in-use, (2) bringing these two into congruence by inventing new governing variables, (3) generation of new actions, and (4) generalization of consequences into an organizational match.

5 Case Study Example

It is useful to illustrate the concepts of double loop learning and their applicability to IS security design through a case study. The case is set in a UK local authority, where a conscious effort was being made to manage access to corporate networks and other information resources. Considering the organizational situation, a number of issues emerged that could be appropriately placed in the categories of espoused theory and theories-in-use. Examples of double and single loop learning were noted in the case study for illustration. It is important to remember that the strategy of all organizations should be to decompose double loop problems into single loop ones [7], because everyday organizational life must be manageable. Single loop learning is basically learned through the socialization process and may or may not be based on valid information. This was significant because it establishes the conceptual relationships necessary to understand the importance of the double loop learning IS security framework.

Organizations have relied extensively on technical controls such as access control systems as a principal means of managing the access of authorized users. While research continues on more sophisticated methods of authentication and access control, password mechanisms remain the predominant method of identifying computer system users within organizations. A 'typical' password system is summed up by the National Bureau of Standards (September 1980) as one where "..... a user typically logs onto a system and then provides a nominal (claimed) identity such as a user name and ID. The system then requests the password which when entered correctly serves to verify the user's identity". Password mechanisms, however, suffer from the "human factor" shared by every authentication method that relies on user knowledge as proof of identity. If a perpetrator finds, guesses or steals a user's password, the perpetrator then holds the key to an account and can use it to gain unauthorized access to the system, and can keep doing so until the password changes. Senior management's perception of security in the case study organization is that it exists to protect the integrity, confidentiality and availability of vital information stored in its corporate information systems, mainly the mainframes. Management has delegated this responsibility, in the form of (espoused theory) roles and responsibilities, to the IT Security Manager, line managers and ultimately the users. Management views security as a technical problem and has therefore provided technologically up-to-date access control systems. However, users (human factors) are rarely involved in the implementation of such control systems. Since the NOLIS mainframe in use at the local authority holds sensitive information, its access management was rigorously managed.

On the LAN/servers and PCs, the latest access control software packages have been installed without adequate guidelines and training (espoused theory) for the users. This again demonstrates management's lack of concern (single loop learning) for user involvement. Controls are perceived as something that can easily (single loop learning) be imposed by management on the organizational environment. The users have a very narrow perception of access control. They view it as depending solely on the use of their passwords to restrict access to vital information. As long as the access control mechanism does not hinder their normal work routine (single loop learning), they are satisfied. But as soon as security requirements place any additional burden on them, it is resented and adherence to normal practice is jeopardized (theories-in-use). This lack of participation has caused a radical reaction in one of the user departments, which holds a totally conflicting (theories-in-use) viewpoint on the management of access control.

The Finance department believes that the information it makes use of is public information and therefore needs no protection (theories-in-use). The finance manager's ideology in managing access control is to build a 'wall' around his department. Passwords are commonly shared among staff and, as long as they are not disclosed to anyone outside the 'wall', this is considered acceptable (theories-in-use). Therefore, within the Finance department access control mechanisms and their requirements are rejected and bypassed (theories-in-use). The hierarchical nature of the Council management structure has a significant effect on communication between central IT and the users. The flow of communication is primarily from (single loop learning) top to bottom. There was little evidence of users' requirements being communicated (single loop learning) to management. The Council's structure therefore has important consequences for the informal and formal culture (single loop learning) prevalent in the organization, and for the enforcement of guidelines. A manager involved with security commented: "There is no set of proper procedures and guidelines (espoused theory)". Brief guidelines in the form of do's and don'ts were issued from time to time for computer users. These were neither comprehensive nor did they cover all aspects of access control. The situation was worse in the LAN/server environment. There was confusion among the users as to what rules and procedures existed, what they were supposed to follow and who had the responsibility for creating them. This had led the LAN/server users to make their own rules and procedures regardless of consistency, effectiveness (single loop learning) or enforcement. There was also an absence of proper standards (single loop learning).

A senior departmental manager commented: "Some sort of a policy document (espoused theory) is essential around here, otherwise people tend to follow all types of practices (theories-in-use) and even get away with it" (emphasis added). There was mention of a security policy (espoused theory) in the brief guidelines issued to employees, but it emerged that in actual fact (single loop learning) there was no overall corporate security policy (espoused theory). "The IT department has been in the process of developing a security policy (espoused theory) for the past five years and it never seems to get one out (single loop learning)" (emphasis added), was the comment of a manager very much put off by the current security environment within the Council. Although there was awareness and support (espoused theory) for security at the Council level, active commitment and enthusiasm were lacking (single loop learning). This could be one of the reasons for the delay in developing a corporate-wide security policy (espoused theory). It is possible that the Council may be reluctant to introduce organization-wide measures for fear of personal exposure in case of failure. The future integrity and general well-being of the Council could be affected if some IT disaster were to happen that could have been avoided had there been a formal IT security policy (espoused theory) in place, with the relevant procedures implemented. Actual experience shows that many organizations learn to develop a corporate-wide security policy the hard way, when a major disaster strikes (single loop learning), rather than taking a proactive approach (double loop learning) to policy formulation.
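The paper's point that a theory-in-use "must be constructed from observation of the pattern of action" has a direct operational form: the espoused theory in the case study is "one person, one account, no shared passwords", while the Finance department's theory-in-use is password sharing behind a departmental 'wall'. The following is an added example, not code from the paper or from the council it describes, showing how that gap can be surfaced from login records: an account that is active on two different workstations at the same time is evidence that more than one person holds its password. The log format, the usernames, the host names and the timestamps are all constructed for illustration; the two functions are hypothetical names chosen here.

```python
"""Surfacing a theory-in-use from observed logins (added example).

Espoused theory: one person, one account, passwords are not shared.
Theory-in-use:   whatever the session records show.
An account logged in on two different hosts at overlapping times is
evidence of the password sharing seen in the Finance department.
All names, hosts and times below are constructed, not real data.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Session:
    user: str
    host: str
    start: datetime
    end: datetime


# Constructed session records: start end user host (hypothetical format).
SAMPLE_LOG = """\
2003-03-10T09:00:00 2003-03-10T12:30:00 fin_clerk01 PC-FIN-01
2003-03-10T09:05:00 2003-03-10T11:00:00 fin_clerk01 PC-FIN-07
2003-03-10T09:10:00 2003-03-10T17:00:00 it_admin PC-IT-02
2003-03-10T13:00:00 2003-03-10T15:00:00 fin_clerk01 PC-FIN-01
2003-03-10T14:00:00 2003-03-10T16:00:00 fin_clerk01 PC-FIN-03
2003-03-11T08:30:00 2003-03-11T17:00:00 hr_user PC-HR-01
2003-03-11T09:00:00 2003-03-11T09:30:00 hr_user PC-HR-01
"""


def parse_log(text):
    """Parse whitespace-separated session records; blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, user, host = line.split()
        sessions.append(Session(user, host,
                                datetime.fromisoformat(start),
                                datetime.fromisoformat(end)))
    return sessions


def concurrent_sessions(sessions):
    """Overlapping sessions of one account on two different hosts.

    Returns tuples (user, host_a, host_b, overlap_start, overlap_end).
    Overlapping sessions on the *same* host (a reconnect, a second
    window) are deliberately not reported: they are not evidence of a
    second person holding the password.
    """
    by_user = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)

    findings = []
    for user, items in by_user.items():
        items.sort(key=lambda s: s.start)
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                if b.start >= a.end:   # sorted by start: no later overlap
                    break
                if a.host != b.host:
                    findings.append((user, a.host, b.host,
                                     b.start, min(a.end, b.end)))
    return findings


def shared_account_candidates(sessions, min_hosts=2):
    """Accounts seen concurrently on at least min_hosts distinct hosts."""
    hosts = {}
    for user, h1, h2, _, _ in concurrent_sessions(sessions):
        hosts.setdefault(user, set()).update((h1, h2))
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for user, h1, h2, t0, t1 in concurrent_sessions(log):
        print(f"{user}: on {h1} and {h2} from {t0:%H:%M} to {t1:%H:%M}")
    print("candidates:", shared_account_candidates(log))
```

A finding from this check is evidence for inquiry, not proof: a legitimately shared service account, a remote session left open alongside a desktop login, or clock skew between hosts can all produce the same pattern. The single loop response is to force a password reset and move on; the double loop response the paper argues for is to ask why Finance shares passwords in the first place (for instance, no way to grant a group of clerks the same access individually) and to change that governing variable, so that the espoused theory and the observed practice can actually be brought into congruence.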

6 Conclusions

We have identified double loop learning as a social means of addressing the "human factors" in IS security. After many years of technical progress, IS security may have reached a point where further gains in effectiveness and efficiency require a marriage of the social and technical worlds. Reasoning, actions and learning are "human factors" that are needed to detect and correct security problems. IS security research seems unable to make much progress beyond this point without integrating the social and behavioral areas, such as this study's use of organizational learning. Consequently, it is important to remember that IS security is an organizational need and, as such, the stream of organizational research would and should be applicable to developing improved security competencies. The contribution of this research, therefore, is that it identifies a relationship between learning and security. It goes beyond that to include learning that leads to new security solutions through new actions and new problem solving. This is important because it enables individuals and systems to keep learning. Within organizational learning resides double loop learning [6], which is especially relevant to IS security since it is based on a deep analysis of the assumptions and implicit rules underlying the organization. Accordingly, the purpose of this research was to describe a comprehensive framework for information security using a double loop design that secures all IS components and protects them from potential misuse and abuse by unauthorized users. Double loop learning is an effective way of problem solving about IS security issues, by frequently testing theories-in-use publicly against the espoused theory of security checklists, risk analysis and evaluation. The consequence of double loop security is increased effectiveness in decision-making and better acceptance of failures and mistakes as a tool that increases learning and prevents security failures. The end result is increased effectiveness in decision-making, which leads not necessarily to more security, but to appropriate security that is effective.

Simply put, double loop learning capitalizes on the human ability to design our actions. We can design conditions that allow organizations to discover security problems, invent solutions, produce the solutions, and evaluate the effectiveness of the security solution. Initially, the security problems to be discovered are related to the contradiction between the organization's theory-in-use and its espoused theories. Finally, the more IS security professionals design solutions that remain within the boundaries of single loop issues, the more they will become known in the organizational world as "techies" [7]. Argyris [7] explains that "techies" are highly skilled people who are concerned with technical issues and are therefore not very informative or helpful to top management trying to understand the bigger picture. IS security professionals who design solutions that include double loop learning understand the bigger picture, and consequently become a valuable management resource. Indeed, using double loop learning is a security solution worth every organization pursuing. We contend that advancement could come about from awareness of action theory and of how espoused theories and theories-in-use are related. The framework develops explicit documentation of how to recognize double loop learning as it pertains to IS security issues. Double loop security is a solution to practical problems that is conscious and systematic in its organizational evolution. Application of double loop learning to IS security seems advantageous, and further research will develop the theory and method to address a range of questions.

References

[1] R. Baskerville, "The Developmental Duality of Information Systems Security," Journal of Management Systems, vol. 4, pp. 1-12, 1992.

[2] Computer Security Institute, "2002 Computer Crime and Security Survey," 2002, http://www.gocsi.com/press/20020407.html (cited March 30, 2003).

[3] R. Hunter, "Enterprises and Employees: The Growth of Distrust," Gartner, 2003.

[4] F. Quinn, "Security Survey Reveals Alarming Results," 2002, http://www.humanfirewall.org/articles.asp (cited March 30, 2003).

[5] C. Argyris and D. A. Schon, Organizational Learning. Reading, Mass.: Addison-Wesley, 1978.

[6] C. Argyris, On Organizational Learning. Cambridge, Mass.: Blackwell Publishers, 1993.

[7] C. Argyris, Reasoning, Learning, and Action: Individual and Organizational, 1st ed. San Francisco: Jossey-Bass, 1982.

[8] C. Argyris, Organization and Innovation. Homewood, Ill.: R. D. Irwin, 1965.

[9] G. Dhillon and J. Backhouse, "Current directions in IS security research: towards socio-organizational perspectives," Information Systems Journal, vol. 11, pp. 127-153, 2001.

[10] R. Baskerville, Designing Information Systems Security. Chichester, England; New York: Wiley, 1988.

[11] G. Dhillon, Information Security Management: Global Challenges in the New Millennium. Hershey, Pa.: Idea Group Publishing, 2001.

[12] M. Swanson, "Security Self-Assessment Guide for Information Technology Systems," National Institute of Standards and Technology (NIST), 2001, http://csrc.nist.gov/publications/nistpubs/80026/sp800-26.pdf (cited March 30, 2003).

[13] C. Argyris, R. Putnam, and D. M. Smith, Action Science, 1st ed. San Francisco: Jossey-Bass, 1985.

[14] C. M. Fiol and M. A. Lyles, "Organizational learning," The Academy of Management Review, vol. 10, pp. 803-813, 1985.