Available online at www.sciencedirect.com
ScienceDirect Procedia Computer Science 56 (2015) 213 – 216
The 10th International Conference on Future Networks and Communications (FNC 2015)
Information Security Management in Saudi Arabian Organizations Maryam Alsaif, Nura Aljaafari، Abdul Raouf Khan* Department of Computer Sciences, King Faisal University, P.O.Box 400, Alhassa, 31982, Saudi Arabia.
Abstract Information security is a growing concern among various organizations and companies worldwide. Though organizations are generally focusing on external security threats but there could be substantial threats within the organization. This paper presents a detailed survey conducted on various organizations of Saudi Arabia to have a deep insight into how the issues of deterrence for the information security violation are dealt with within organizations. It focuses on the awareness and effectiveness of information security policies of the organization among its employees. © 2015 2015The TheAuthors. Authors.Published Published Elsevier © by by Elsevier B.V.B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of the Conference Program Chairs. Peer-review under responsibility of the Conference Program Chairs Keywords: Information Security Management; Deterrence; Information Security Policy; Security Violation
1. Introduction The principles of information security are generally divided into three different categories: prevention, detection and correction. Information security also includes the avoidance, deterrence and segregation of corrective measures1. The management of information security is one of the important issues in the field of information security. Organizations willing to reach an adequate level of security must be able to identify security holes and develop a mechanism to prevent any misuse thereof. It is not enough for organizations just to have adequate information security guidelines and policies to avoid potential threats. The development and maintenance of information security is a continuous process in addition to
* Corresponding author. Tel.: +966 13 5898129; fax: +966 13 5899237. E-mail address:
[email protected]
1877-0509 © 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of the Conference Program Chairs doi:10.1016/j.procs.2015.07.201
214
Maryam Alsaif et al. / Procedia Computer Science 56 (2015) 213 – 216
know and correct the threats from outside the system, it’s important for information security managers to understand the threats to information security within the organization. With the advent of wireless technologies, portable storage and computing devices, organizations face increased probability of threats within the organization2. Subsequently, organizations have established information security policies to guide the legitimate use of information and its resources. As a result, almost 75% of the organizations have developed compliance policies for their employees3. However, various recent surveys report that a tax by employees such as information theft, privilege misuse and non-compliance are increasing3,4. The traditional approach for dealing with security threats, committed by the employees which include violation of security policy, information theft and illegitimate misuse of information and its resources, is from the deterrence perspective5,6,7. Our study aims at understanding deterrence in information security policy in Saudi Arabian organizations and proposes a better method to increase the effect of deterrence ultimately leading to better information security management.
2. Deterrence Deterrence is a strategy to influence the behavior of employees to follow policy under the fear of sanctions. So, it is composed of certainty and severity of sanctions8. Recently it has been reported that security policies were violated when the benefits of violation were substantial9. This implies that organizations should not completely depend on awareness of sanctions because violations may occur regardless of emphasis on it. As a result, organizations must consider the use of detection as a method to increase the probability of identity of violation. Therefore, the certainty of sanctions should be viewed from the perspective of awareness as well as detection. As to the severity of sanctions, it is argued that mere punishment has no influence on deterring violations10. The method of sanctions must include other methods such as shame, moral beliefs and informal sanctions9, 10. Therefore, the severity of sanctions must be approached through variety of sanctions and intensity of sanctions. Since our focus in on Saudi Arabian organizations, we conducted a survey in which 137 participants took part. 83% were full time employees while as the others included part time and casual workers. Our questions were focused on awareness of sanctions, detection of violation, variety of sanctions and intensity of sanctions. The organizations where we conducted the survey included ARAMCO, SABIC, King Faisal University (KFU), Saudi Telecom Company (STC), and Zain.
3. Analysis and results 3.1. Certainty of sanctions: Several questions were asked regarding the certainty of sanctions. The questions focused on the awareness of company policies and penalties and measures to detect violations. Organizations usually inform their employees of information security policies. However, our results show that only 61% of the participants are aware that their organizations have a security policy and less than 40% of the participants have been trained on how to maintain the information security. In fact, 70% of participants are aware that they have IT security teams in their organizations. This leads to the conclusion that IT managers of organizations don’t utilize the information security teams effectively. Our analysis shows that 87% of participants are not sure who to contact in case they detect a virus or any malicious software or a hacking attack. As far as awareness of attacks and threats are concerned, only 43% of the participants are generally careful while opening an email attachment, only 42% are aware of fishing attacks and 33%
Maryam Alsaif et al. / Procedia Computer Science 56 (2015) 213 – 216
are aware of email spams and their identification. This leads to the conclusion that employees are not well trained to be aware of common threats in the IT sector which include email spams and attachments as well as fishing attacks. As far as violations are concerned a variety of questions were asked which included transfer of confidential information, downloading or installing software on company machines, use of official information at home using company accounts and logging in to company accounts from public computers like cyber cafes and hotel lobbies. To our surprise 33% of the participants can use their mobile phones and other personal devices to store or transfer confidential company information. 44% of the participants have downloaded and installed software on official machines without realizing the severity of risks involved. However, 18% of the participants take official information and use computers at home to work on it regularly and 44% agreed to do the same but occasionally. These results support the fact that 44% of the employees agreed that they partially follow policy rules of their organization and 14% participants either don’t follow the policy rules at all or are not aware if any such policy exists. In addition, limited usage policies regarding websites and personal emails are not well known to the majority of the participants. 49% of the participants are not aware if any email usage policy exists in their organization and 31% are not aware if there are any policies limiting visits to certain websites. This leads to the conclusion that company policies are not well circulated among the employees. Analysis was made as to why and under what circumstances violation of information security policy was made. 14% of the participants agreed that they violated the company policies as there was no other choice to complete a task and 13% of the participants violated to complete the task within the tight deadline schedules. There were 29% of the participants who agreed that violating information security policy compensates good job performance. Even though the percentages are less, the organizations must take such violations seriously and encourage alternative methods. Because 51% of the participants perceive that violation of security policies help them save work time and 30% of the participants feel that it saves effort. 3.2. Severity of sanctions: Severity of sanctions can be viewed in terms of variety and intensity. Five types of punishment were lifted which deter employees from violating information security policies of the organization. These include personal shame, family shame, loss of job, penalty or jail for financial loss, one’s conscience. 56% of the participants do not violate due to moral consciousness and 18% of the participants fear that they may lose the job and only 5% avoid it due to fear of penalty and legal punishment. Those avoiding it fearing personal and family shame account to 15% and 6% respectively. 78% of the participants are not aware if the organization ever punished any violator or not, which could otherwise deter other employees from violating security policies. In fact, 64% of the participants agree that punishments for violations may help implement security policies of the organizations effectively and efficiently. Hence, the employees should have a clear concept on the certainty of being caught for any violation. The above results suggest that awareness efforts like education, training and making announcements have to emphasize that violations are detected and the violators are identified.
4. Conclusion: Organizations usually have information security policies that inform their employees of what legal authority the organizations have and what organizations could do to identify violators and the punishments thereof. However, this study shows that the employees are not well aware of the policies and the consequences of violations. In addition, the detection of violations is not conducted systematically. The organizations need to develop technically sound tools and effective mechanism to detect violations and the violators. From a severity perspective, there is no relationship between the intensity of punishment and occurrence of violations.
215
216
Maryam Alsaif et al. / Procedia Computer Science 56 (2015) 213 – 216
References 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
D. B. Parker, “Computer Security Management”, Reston Publishing Co, Inc, 1981. Hayward C, Glendinning D, “Delivering enterprise-wide data protection controls for mobile computing devices”. RSA conference 2010, San Francisco. Richardson R, “CSI computer security crime and security survey”, computer security institute, 2011. Kesel PV, ‘’Outpacing change: Ernst and Young’s 12th annual global information security survey”, Ernst and Young, 2009. Straub DW, Nance WD, “Discovering and disciplining computer abuse in organizations: a field study”, MIS Q Vol. 14, No. 1, pp. 4562, 1994. D’arcy J et al, “ user awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inf Syst Res, Vol. 20, No. 1, pp. 79-98, 2009. Vroom C, Solms RV, “towards information security behavioural compliance.” Computer security Vol. 23, No. 3, pp. 191-198, 2004. Park S. et al, “Towards understanding deterrence: information security managers’ perspective”. Proceedings of the international conference on IT convergence and security, pp.21-37, 2011. Siponen M., Vance A, “Neutralization: New insights into the problem of employee information systems security policy violations”, MIS Q Vol. 34. No. 3, pp. 487-502, 2010. Hu Q et al, “Does deterrence work in reducing information security policy abuse by employees?”, communications ACM Vol. 54, No. 6, pp. 54-60., 2011.