
Page 1: Information Risk Management: Some Social-psychological Issues

Page 1 of 12

Information Risk Management: Some Social-psychological Issues

Malcolm R Pattinson
University of South Australia
[email protected]

Grantley Anderson
Anderson Analyses
[email protected]

Abstract

The main purpose of this paper is to provide support for the statement that "If we can influence the risk-taking behaviour of computer end-users within an organisation, correspondingly we can influence the general level of information security in that organisation so that it is likely to be improved." To substantiate this statement, a selection of social-psychological concepts and their associated phenomena are introduced and discussed in terms of their relevance to the information security function. The paper concludes by outlining research currently being conducted by the authors in an attempt to provide empirical support for the hypothesis alluded to in the above statement.

Keywords

Information Security; Risk Perception; Risk Communication; Cognitive Style; Social Psychology; Psycho-social Issues; Message Framing; Risk Homeostasis (RH); Target Risk; Repertory Grid; Social Inhibition; Bystander Intervention; Bystander Effect; Risk-taking Behaviour; Goal Attainment Scaling (GAS)

Introduction

In the broadest sense, information security is about mitigating the risks to an organisation's information assets to a level that is acceptable to management. At the same time a balance must be sought between these risks and the investment of energy, time and resources in safeguards and countermeasures. This concept is supported by Anderson (2003), who defines enterprise information security as "A well-informed sense of assurance that information risks and controls are in balance" (p. 310). Today there is an abundance of literature available on how this can best be achieved. However, until about three years ago, most of these solutions were very much based on the implementation of computer and telecommunications hardware and the application of software. Very little research was focused on sociological and human behavioural solutions. This situation has changed and we are now witnessing a healthier balance in terms of solutions, with a good proportion of research dedicated to the people issues associated with information security. One of the associated aims of this paper is to contribute to the ever-increasing body of literature that is slowly but surely breaking down the long-held view that information security is predominantly achieved by applying technical measures. Generally, IT


professionals and IT academics are beginning to realise that perhaps a more effective means of reducing information risk is to address the behaviour of individuals and of organisations as a whole. This is a view that is supported by Schneier (2004). He is of the opinion that "...the biggest security vulnerability is still that link between keyboard and chair" (p. 1). Schneier claims that people will continue to violate security, and that, although we can do things to reduce their risk-taking behaviour, it is going to be difficult to change it significantly.

There are two primary aims of this paper. Firstly, to further emphasise the importance of human behavioural and social issues as management strives for an acceptable level of information security within their organisations. Secondly, to improve the awareness and understanding of computer end-user behaviour by introducing a selection of generally accepted risk-related concepts which have been sourced from the psychological and sociological disciplines. These concepts are then discussed, both in the context of attitudes to risk, and also in terms of the risk-taking behaviour of typical computer end-users. Finally, this paper outlines the current research being undertaken by the authors and presents some indication of their planned future research. This is done with the aim of encouraging feedback in the form of thoughts, suggestions and constructive criticism from other conference attendees.

Understanding End-user Behaviour

As a social science discipline, social psychology has generated a large amount of literature, research and knowledge related to human behaviour. Numerous theories have been espoused, many phenomena have been analysed and reported on, and many concepts and principles have been developed and generally accepted throughout the world (Lippa, 1994). It would seem quite inappropriate for this store of intelligence to be ignored by the information security research fraternity. It is the opinion of the authors that information security academics and practising security professionals have a responsibility to consider this material and examine how it may impact on their information security environments. This paper looks at a particular selection of social-psychological concepts and their associated phenomena, and examines these in terms of their relevance in the context of information risk management. They are as follows:

• Risk Homeostasis
• Risk Perception
• Cognitive Style
• Social Inhibition

In each case the concept is explained and its relevance to enterprise information security is examined by providing real-world scenarios designed to demonstrate how that concept might impact upon the management of information risk in an organisational environment.


Risk Homeostasis (RH)

Risk Homeostasis (RH) is described by Wilde (1994, 2001) as a risk management theory which maintains that individuals, groups, organisations and even whole societies have an "inbuilt" level of risk that they are prepared to accept. This means that if their perception of risk in one area increases then it will decrease in another, such that the overall level of risk remains the same. Wilde (1994) calls this the "target risk" that an individual or a group is willing to accept, or reverts to subconsciously. Essentially the theory implies that as controls and safeguards are put in place in an effort to make a situation safer and less risky, people will simply display more risky behaviour, with the result that the level of risk swings back to that of a comfort zone. A similar idea is known as the "conservation of misery" theory. This states that the level of risk is not necessarily reduced by making things safer, because people are much more likely to take on additional risk when there is a perception of safety (Advogato, 2000).

Wilde (1994) maintains that "In any ongoing activity, people continuously check the amount of risk they feel they are exposed to. They compare this with the amount of risk they are willing to accept, and try to reduce any difference between the two to zero. Thus, if the level of subjectively experienced risk is lower than is acceptable, people tend to engage in actions that increase their exposure to risk. If, however, the level of subjectively experienced risk is higher than is acceptable, they make an attempt to exercise greater caution." (Ch. 1). Filley (1999) puts it in a slightly different way. He claims "Risk homeostasis predicts that people become accustomed to some acceptable level of risk, and that when they are required to reduce risk they are exposed to, they will increase other risks until they have re-established the level of risk they have become accustomed to." (p. 1).

Figure 1 below refers to two different scenarios. Scenario A is when the target risk is greater than the perceived risk, and Scenario B is the reverse. In Scenario A, people perceive that adequate control mechanisms are in place and therefore there is less need to be as cautious or as vigilant, because they believe no harm will come from taking more risks. This is because the amount of risk they feel exposed to (that is, perceived risk) is less than the amount of risk they are willing to accept (that is, target risk). Scenario B, on the other hand, is when people feel uncomfortable because they believe that there are not enough controls in place and so they need to be more vigilant and cautious. This is because they perceive the risk to be greater than their target risk (Pattinson & Anderson, 2004).


Figure 1. The Theory of Risk Homeostasis (Scenario A: target risk greater than perceived risk; Scenario B: perceived risk greater than target risk)
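The feedback loop that Wilde describes, and the two scenarios in Figure 1, can be made concrete with a small model. The following is an added example written for this page; it is not code from the paper, from Wilde or from Pattinson and Anderson. Its functional forms are assumptions chosen for illustration, not the theory's own equations: actual risk is taken to be proportional to how much risky exposure a user engages in and is reduced by a control's effectiveness, users are assumed to close half of the gap between perceived and target risk each period, and the environment is assumed to cap how much extra exposure is possible (`max_exposure`, a hypothetical parameter).

```python
"""Toy model of Wilde's risk-homeostasis loop.

Added example, not code from the paper. Assumptions (not from the source):
  * actual risk = hazard * exposure * (1 - control_effect)
  * perceived risk = perception_bias * actual risk
  * each period, users adjust their exposure to close half of the gap
    between perceived risk and target risk
  * exposure cannot exceed max_exposure (what the environment allows)
"""
from dataclasses import dataclass


@dataclass
class RiskModel:
    hazard: float          # risk per unit of risky exposure with no controls
    target_risk: float     # Wilde's target risk: the level users are comfortable with
    control_effect: float  # 0.0 = no control, 0.9 = control removes 90% of the risk
    max_exposure: float    # ceiling on risky behaviour the environment permits
    perception_bias: float = 1.0  # >1 overestimates risk, <1 underestimates

    def actual_risk(self, exposure: float) -> float:
        return self.hazard * exposure * (1.0 - self.control_effect)

    def perceived_risk(self, exposure: float) -> float:
        return self.perception_bias * self.actual_risk(exposure)


def run_homeostasis(model: RiskModel, exposure: float,
                    periods: int = 60, gain: float = 0.5):
    """Iterate the RH loop and return (final exposure, final actual risk).

    Each period the user compares perceived risk with target risk and moves
    exposure by a fraction (gain) of the change that would close the gap,
    clamped to [0, max_exposure].
    """
    marginal = model.perception_bias * model.hazard * (1.0 - model.control_effect)
    if marginal <= 0.0:            # a perfect control: nothing left to compensate for
        return min(exposure, model.max_exposure), 0.0
    for _ in range(periods):
        gap = model.target_risk - model.perceived_risk(exposure)
        exposure += gain * gap / marginal
        exposure = min(max(exposure, 0.0), model.max_exposure)
    return exposure, model.actual_risk(exposure)


def compare_control(hazard, target_risk, control_effect, max_exposure,
                    start_exposure=1.0):
    """Actual risk before and after a control, with and without behavioural compensation."""
    before = RiskModel(hazard, target_risk, 0.0, max_exposure)
    after = RiskModel(hazard, target_risk, control_effect, max_exposure)
    exp_before, risk_before = run_homeostasis(before, start_exposure)
    # what the control would achieve if behaviour did not change at all
    naive_after = after.actual_risk(exp_before)
    exp_after, risk_after = run_homeostasis(after, exp_before)
    return {
        "exposure_before": exp_before, "risk_before": risk_before,
        "risk_after_if_behaviour_unchanged": naive_after,
        "exposure_after": exp_after, "risk_after": risk_after,
    }


if __name__ == "__main__":
    # Plenty of headroom: the control is fully compensated away.
    print(compare_control(hazard=0.1, target_risk=0.2, control_effect=0.5,
                          max_exposure=10.0))
    # Headroom capped at 3 units of exposure: the control keeps part of its effect.
    print(compare_control(hazard=0.1, target_risk=0.2, control_effect=0.5,
                          max_exposure=3.0))
```

Under these assumptions the first run reproduces the theory's central claim: a control that halves the hazard leaves actual risk back at the target, and the only lasting change is twice the exposure. The second run shows the boundary condition a practitioner cares about: when the environment does not allow users enough extra exposure to compensate (for example an attachment type that is blocked rather than merely scanned), the loop cannot close and the control retains part of its benefit.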

Does RH occur in the information security domain? Do computer end-users become less vigilant or less careful when they know that a set of information security controls has been implemented? Do end-users ignore the risk of contracting a virus when accessing dubious web sites because they know their organisation "is handling it" with firewalls and antivirus software? Some specific situations where RH may apply are:

• Installation of firewalls and anti-virus software does not necessarily reduce the number of virus attacks. These controls give end-users a false sense of security and consequently they are likely to take more risks by opening dubious email attachments, accessing more sinister and deviant web sites, leaving their computer connected to the Internet for long periods or downloading files from floppy disks and CDs of unknown origin.

• The introduction of a policy requiring all end-users to encrypt their email messages is enforced so that the risk of sensitive information falling into the wrong hands is reduced. The theory of RH suggests that end-users are likely to include much more sensitive information in their emails than before, because they perceive the risk to be less than it was before encryption. In fact, the risk of information leakage, and the subsequent loss of confidentiality, is probably greater after the recipient decrypts the message: encryption protects the message only in transit, and the decrypted copy now holds more sensitive content than before.

• Physical entry to areas that house computing facilities is controlled by the installation of door locks, biometric devices and the wearing of ID badges to ensure that only authorised personnel are allowed in. These controls are put in place to prevent theft, damage to equipment and access to sensitive information held on storage media. The theory of RH claims that people will take additional risks because they perceive that the risk of an unauthorised person gaining entry to these areas has been reduced. This additional risk is likely to be in the form of less vigilance in monitoring and continually checking that the people present are authorised.

• The threat of accidental human error during the data entry process is often realised. This presents the risk of invalid, incorrect or inaccurate information, which can have serious consequences in terms of decision making. There are various software controls that can be coded into data entry programs to minimise this risk, for example range checks, reasonableness checks (Forcht, 1994), check characters and database integrity checks. If RH existed in this area of data integrity, then data entry personnel, armed with the knowledge (or perception) that it was almost impossible to make a mistake, would be less careful with the entry of names, numbers, dates and amounts. This apparent relaxation of vigilance may cause many other input errors to occur, so that the overall risk of human error reverts to what it was before extensive software controls were implemented.
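The four controls named in the last scenario (range checks, reasonableness checks, check characters and database integrity checks) are simple to code, and seeing them side by side makes clear what each one does and does not catch. The following is an added example written for this page, not code from the paper or from Forcht (1994). The field limits, the customer table and the sample records are constructed for illustration, and the check character uses the Luhn mod-10 algorithm, which is one common choice rather than anything the paper specifies.

```python
"""Data-entry controls: range check, reasonableness check, check character,
and a referential-integrity check.

Added example, not from the paper. Field limits, the customer table and the
sample records below are constructed for illustration.
"""
from datetime import date

# Constructed stand-in for a customer table in the database.
KNOWN_CUSTOMERS = {"C1001", "C1002", "C1003"}

AMOUNT_MIN, AMOUNT_MAX = 0.01, 100_000.00   # assumed business limits
EARLIEST_DATE = date(2000, 1, 1)            # assumed earliest valid transaction date


def range_check(value, low, high) -> bool:
    """Range check: the value must lie inside [low, high]."""
    return low <= value <= high


def reasonableness_check(amount: float, history, factor: float = 5.0) -> bool:
    """Reasonableness check: an amount more than `factor` times this customer's
    average past amount is inside the permitted range but implausible, so it is
    flagged for confirmation instead of being accepted silently."""
    if not history:
        return True
    return amount <= factor * (sum(history) / len(history))


def luhn_valid(number: str) -> bool:
    """Check character: Luhn mod-10 over a digit string whose last digit is the
    check digit. Catches every single-digit error and most adjacent transpositions."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def integrity_check(customer_id: str) -> bool:
    """Database integrity check: a foreign key must refer to an existing row."""
    return customer_id in KNOWN_CUSTOMERS


def validate_entry(rec: dict, history=()) -> list:
    """Run every control over one record and return the list of failures.
    An empty list means the record passed. rec['date'] is an ISO-8601 string."""
    errors = []
    if not range_check(rec["amount"], AMOUNT_MIN, AMOUNT_MAX):
        errors.append("amount out of range")
    try:
        entered = date.fromisoformat(rec["date"])
    except ValueError:
        errors.append("date invalid")
    else:
        if not range_check(entered, EARLIEST_DATE, date.today()):
            errors.append("date out of range")
    if not reasonableness_check(rec["amount"], history):
        errors.append("amount unreasonable against customer history")
    if not luhn_valid(rec["account"]):
        errors.append("account number fails check digit")
    if not integrity_check(rec["customer_id"]):
        errors.append("unknown customer_id")
    return errors


# Constructed sample records. 79927398713 is the standard Luhn test number.
SAMPLE_GOOD = {"amount": 120.50, "date": "2020-05-01",
               "account": "79927398713", "customer_id": "C1001"}
SAMPLE_BAD = {"amount": 250_000.00, "date": "1999-12-31",
              "account": "79927398710", "customer_id": "C9999"}

if __name__ == "__main__":
    print(validate_entry(SAMPLE_GOOD, history=[100.0, 110.0, 130.0]))
    print(validate_entry(SAMPLE_BAD, history=[100.0]))
```

Note what the controls leave uncovered, which is the point of the RH scenario: a transposition that Luhn happens to miss, or a wrong-but-plausible amount inside the reasonableness band, passes every check, so the operator's own care still matters once the software controls are in place.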

Risk Perception

The manner in which people see the risks associated with information security determines what decisions they will make regarding the actions they will take (or not take) in conjunction with whatever security measures their particular organisation has put in place. Unfortunately, to date, not much is known about the perceptions that computer end-users hold concerning information systems risk. However, research into risk perception in general has identified some important factors. The influence these factors have on risk perception is considered to be a function of the extent to which the risk is viewed as (a) voluntary, (b) under control, (c) representing a threat or catastrophe, or (d) having potential for a reduction in gains or an increase in losses (Heimer, 1988). The literature on risk perception seems to be devoid of research into its prevalence in the information security domain. However, in terms of general risk perception research, there is an abundance of articles and studies that look at factors that influence risk perception. For example, Bener (2000) claims that there is a range of social, cultural and psychological factors that contribute to risk perception. Furthermore, Otway (1980) lists other factors that shape risk perception, such as the information people have been exposed to, the information they have chosen to believe and the social experiences they have had, to name a few.

The media plays a significant role in influencing people's perception of information system risk. One only has to look at the impact of the terrorist attack on the World Trade Center twin towers on September 11, 2001. Another example is the reporting of phishing emails and keystroke-logging malware that capture banking details, including user IDs and passwords.

A good practical example of risk perception relates to the process of backing up our personal data. Assume that you are writing a large but very important business report for your senior management and it is taking many days and much research effort. How often do you back up your work? What is your perception of the risk that you could lose all the good work you have done because of some computer problem or other? Some people have no appreciation of the intricacies of a computer and what can go wrong; these people are blithely unaware of the risk of losing everything. Yet it has probably happened to all of us at least once! Other, more informed people are aware of the unpredictability of computers and that they sometimes crash for no apparent reason. People like this will back up regularly and to various media. In the end, we do personal backups to the extent that we are confident that we won't lose anything, or any time. This is where we differ as individuals. Some people are risk-takers by nature and feel that they can rely on the automatic server backup that occurs every hour. On the other hand, some of us are more conservative and back up almost too often, just to be sure.

One of the factors that is purported to have an influence on risk perception is the way in which the risk message is communicated to computer end-users and IT management. Bener (2000) is one such author who supports this view, and he claims that when risk is communicated within an organisation it influences the risk perception of the different individuals within that organisation. Lippa (1994) also supports this view and claims that a person's perception of risks is shaped by the way in which risky situations are communicated to them. It then follows that if people's perception of risk is changed, there is the likelihood that their risk-taking behaviour will change. If this behaviour changes for the better, then it can be argued that the actual risk is lessened. Figure 2 below shows the relationship between a computer end-user's perception of the information risks and his or her risk-taking behaviour. If a person perceives the risk to be high then it is likely that he or she will be more cautious and vigilant and take fewer risks. Conversely, if the information risk is perceived to be low then a computer end-user is more likely to take more risks and act less responsibly.

Figure 2. Relationship between a computer end-user's perception of information risk and his or her risk-taking behaviour

Cognitive Style

The cognitive style of an individual refers to the way that she or he collects and interprets information that is presented to her or him. As a personality dimension, individual cognitive style has a significant impact on how well that individual understands and comprehends what is communicated to her or him. Very little has been written about individual differences in the way that computer end-users process information that has been presented to them, be that by hard-copy written communications or by computer interface methods. Consequently, it would not be surprising to find that few information security managers and supervisors are aware that human information processing factors are predominantly a consequence of an individual computer end-user's personal cognitive style. Cognitive style is not considered to be a fixed personality trait; rather it is viewed as the preferred and habitual approach that an individual adopts when organising and presenting information. A number of such styles are described in the literature. However, since it describes how effectively an individual is able to restructure information using salient cues and field arrangements, the dimension of Field Dependence (FD) versus Field Independence (FI) seems the most appropriate one to discuss and examine here. FD/FI has been researched extensively (Witkin et al., 1977; Ausburn & Ausburn, 1978) and is an established construct in the domain of psychology. This personal characteristic is important because one way of changing individual risk perceptions is to communicate in a way that is aligned to each individual's FD/FI cognitive style. Table 1 below compares characteristics of FD and FI people and provides clues as to how to "frame" messages about threatening situations.

Table 1. Summary of the FD/FI cognitive style construct (Pattinson & Anderson, 2005)

Individuals classified as FD                             | Individuals classified as FI
---------------------------------------------------------|-----------------------------------------------
Drawn to people                                          | Enjoys own company
Like to have people around them                          | Not sensitive to others around them
More non-verbal behaviours                               | Less non-verbal behaviour
Prefer occupations which require involvement with others | Prefer occupations with less interaction
Take a longer time to solve problems                     | Solve problems rapidly
Alert to social cues                                     | More aloof, theoretical
Highly developed social skills                           | More abstract & analytical
Sensitive to social criticism                            | Initially thought to be males but inconclusive
Extremely influenced by others                           | Less inclined to be influenced
Teachers                                                 | Prefer maths & physical sciences
Global way of perceiving                                 | Analytic way of perceiving

Social Inhibition

This psychological phenomenon refers to the inhibition of a helping action or response that may occur when an individual is confronted with a possibly dangerous or emergency situation in which other people are present. This inhibition is usually more likely to be prevalent when there are a number of other people present or involved, principally because individuals tend to assume that someone else will act to intervene or respond. This phenomenon is also sometimes called "bystander apathy" (Wikipedia, 2005). However, it should not be confused with a similar phenomenon known as the "Diffusion of Responsibility". In situations where this phenomenon occurs, decision-making in groups tends to lead to more risky decisions because no individual person considers himself or herself totally responsible. Bystander intervention studies designed to examine social inhibition effects often examine behaviour in situations resembling those in which a similar form of diffusion of responsibility occurs, but in which the consequences of non-intervention are much more dramatic and adverse. These latter studies are associated with experimental observations of what is known in the social-psychological literature as the "Bystander Effect".

The origins of the Bystander Effect date back to 1964. In that year Kitty Genovese was stabbed by a mentally ill serial rapist and eventually murdered in front of her New York City apartment. According to the police investigation as it was reported at the time, at least 38 people witnessed the attack, which lasted some 30 minutes, and none of them went to the aid of the victim; in fact, not one of them even rang the police from their home. (The figure of 38 and the claim that nobody telephoned the police have since been disputed, but the case as reported is what prompted the research.) This unwillingness to intervene in a dangerous or emergency situation became known as the Bystander Effect, and was later demonstrated by Latané & Darley (1969) in several laboratory studies using volunteer but naïve subjects. They concluded that if individuals perceive that other people are witnessing the same dangerous event as themselves, they are less likely to do anything about it because they believe that someone else will report it or take action in some way, so why should they bother. There are numerous reasons given as to why individuals behave in this manner. For example, we may assume that others are better qualified to help, or we may be concerned that our efforts will not be appreciated. Latané & Darley (1969) suggest an additional reason for this individual non-action: the inaction of others gives them the impression that the situation is not serious, that is, the "no-one else seems to be concerned" syndrome.

Most of the literature relating to studies designed to demonstrate the Bystander Effect has been concerned with situations of extreme emergency, such as the commission of a serious crime, or someone in considerable pain from a potentially fatal illness. While there are some very sparse anecdotal accounts relating to "whistle blowing" in organisations, almost no research literature is evident that connects the psychological phenomenon of social inhibition, vis-à-vis behavioural intervention studies, to dangerous business situations, for example knowledge that fraudulent activities are occurring or that malicious software is being written surreptitiously. Consequently, the question to be asked is this: are there situations where this phenomenon of social inhibition occurs in the information security field? To provide you with some food for thought on the matter, consider the following scenarios and how you might react.


Scenario 1: An email arrives in your inbox, supposedly from a well-known bank. However, because you are security aware, you realise that this is a bogus email and you recognise that the URL is not that of the bank. Furthermore, the tone of the email is that you should click on the hypertext address (which you recognise as being bogus) so that your bank records can be updated, or something similar: an obvious case of phishing. What do you do? This author found himself just ignoring this recent potential breach in the belief that the IT people would already have been advised of this hack by some other end-user and so it would be a waste of time. Would you have taken responsible intervention action, unlike this author's passive response?

Scenario 2: This author visited the local branch of a well-known Australian bank. After taking a numbered slip he sat and waited for his number to be called. While he was waiting, a bank employee walked to a door that provides access to the back office and is only accessible to authorised personnel. This door has a keypad that is used by authorised people to key in a pass code. The author was able to see the 6-digit code that was keyed in by the bank employee. This is a potentially dangerous situation. So, why didn't this author alert the bank's management staff to the threat that unauthorised people could possibly obtain an entry pass code and then gain physical access to the back room? Why didn't this author do the responsible thing and report this potential security breach? The reason is that he felt that somebody else would already have reported (or would eventually report) this weakness in security procedures.

Scenario 3: Many work environments are open-plan these days, which means that we often see people walking around in authorised areas whom we don't recognise and who may or may not wear any form of security badge. Do you ever ask these people to verify whether they are authorised to be in your vicinity? Why don't we intervene more often?
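The judgement in Scenario 1 ("the URL is not that of the bank") can be automated, and a check that produces a concrete reason also lowers the cost of reporting, which is the behaviour the bystander discussion is about. The following is an added example written for this page, not code from the paper. The bank's domain (examplebank.com.au) and the sample links are constructed, and the acceptance rules (HTTPS only, no bare IP-address hosts, the host must be the bank's registrable domain or a subdomain of it) are assumptions about what a legitimate bank link looks like, not a rule the paper states.

```python
"""Does a link in a 'bank' email actually point at the bank?

Added example, not from the paper. The bank domain and sample links are
constructed; the acceptance rules are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

BANK_DOMAINS = {"examplebank.com.au"}   # assumed registrable domain(s) of the bank


def link_host(url: str) -> str:
    """The host a browser would connect to. urlsplit().hostname drops userinfo,
    port and case, so 'https://examplebank.com.au@203.0.113.5/' yields
    '203.0.113.5', not the bank's name that appears before the '@'."""
    return urlsplit(url.strip()).hostname or ""


def is_bank_link(url: str) -> bool:
    """True only if the link is HTTPS and its host is the bank's domain or a subdomain of it."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False
    host = parts.hostname or ""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)   # a bare IPv4/IPv6 address is never the bank
        return False
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in BANK_DOMAINS)


def explain_link(url: str) -> str:
    """Human-readable verdict, suitable for pasting into a report to IT."""
    host = link_host(url)
    if is_bank_link(url):
        return f"ok: {host} belongs to the bank"
    return f"suspicious: link goes to {host!r}, not {sorted(BANK_DOMAINS)}"


def link_text_mismatch(display_text: str, href: str) -> bool:
    """Classic phishing tell: the visible link text names the bank but the real target does not."""
    shown = urlsplit(display_text.strip()).hostname or display_text.strip().lower()
    looks_like_bank = any(shown == d or shown.endswith("." + d) for d in BANK_DOMAINS)
    return looks_like_bank and not is_bank_link(href)


# Constructed sample links, as they might appear in a phishing email.
SAMPLES = [
    "https://online.examplebank.com.au/login",                 # legitimate
    "https://examplebank.com.au.secure-update.example/login",  # bank name as a subdomain of an attacker domain
    "https://examplebank.com.au@203.0.113.5/login",            # bank name hidden in the userinfo part
    "http://online.examplebank.com.au/login",                  # plain HTTP
    "https://examp1ebank.com.au/login",                        # look-alike domain
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(explain_link(url))
```

The suffix test deliberately requires a dot before the bank's domain, so `examplebank.com.au.secure-update.example` and `notexamplebank.com.au` both fail; matching on "contains the bank's name" is the mistake that the second and third samples are built to exploit.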

There are many situations within the information security domain, like the three mentioned above, in which the failure of individuals to intervene could be explained as a consequence of the situation bearing a similarity to those that give rise to the Bystander Effect.

Summary

The previous section discussed a series of human behavioural concepts and phenomena that were shown to be relevant to computer end-users in terms of their risk-taking behaviour. The real-world examples and scenarios that were described demonstrate that:


• computer end-users do seem to be subject to risk homeostasis, having a level of risk to which they invariably revert;
• computer end-users tend to behave in accordance with their individual perception of the risks; and
• some of the behaviour of computer end-users could be a result of the Bystander Effect (which is a form of Social Inhibition).

Overview of Research

Figure 3 below is an overview of the Risk Management Process and has been extracted from the Australian Standard on Risk Management (AS/NZS 4360:2004, p. 16). This framework has been overlaid with the four social-psychological concepts discussed in this paper (shown in the darker grey rectangles) and shows how they relate to the process. In addition, Figure 3 also shows the research tools and techniques that have been, and are intended to be, used (shown in the lighter grey shapes). Information about how these research tools and techniques were used to gather empirical data will be provided at the conference.

Figure 3 Research Activity within the Risk Management Process


Conclusion

Managing the risks associated with an organisation's computer systems, and the information that these systems process, store and transmit, can be achieved in various ways. For example, as is usually the case, it can be accomplished by means of installing hardware, implementing software, and developing effective policies and procedures. The authors of this paper, however, claim that focusing entirely on the above factors might result in those responsible for an organisation's overall information risk management taking a somewhat limited perspective of such a complex issue. It is suggested that an examination of some perhaps lesser-known social-psychological factors, such as risk homeostasis and risk perception, will be helpful in explaining how the risk-taking behaviour of computer end-users is ultimately determined. The authors are firmly of the belief that the more accurately the risk-taking behaviour of computer end-users within an organisation can be predicted, then, correspondingly, the greater the chance that the general level of information security in that organisation can be improved beyond its existing level. This paper does not provide any "silver-bullet" solutions for management in terms of what they can do towards managing information risk. This was not the aim of this paper. However, it does outline the research that is being undertaken by the authors at the time of writing, and the aim of this research is to subsequently advise management on how they can best address psycho-social issues once their prevalence and impact have been evaluated. When solutions to the psycho-social issues are deployed in conjunction with hardware and software solutions, management is more likely to achieve that balance between information risks and controls that Anderson (2003) defines as information security.

References

Advogato, 2000, "Advogato's Number: Conservation of Misery in Software Complexity", viewed 6 August 2004.

Anderson, J. M., 2003, "Why we Need a New Definition of Information Security", Computers & Security, Vol 22, No. 4, May, Elsevier Ltd, pp. 308-313.

Ausburn, L. J. & Ausburn, F. B., 1978, "Cognitive Styles: Some Information and Implications for Instructional Design", Educational Communication and Technology Journal.

AS/NZS 4360:2004, Risk Management, Standards Australia/Standards New Zealand.

Bener, A. B., 2000, "Risk Perception, Trust and Credibility: A Case in Internet Banking", PhD thesis, London School of Economics and Political Science, available at http://is.lse.ac.uk/research/theses/default.htm, viewed 27 April 2005.

Forcht, K. A., 1994, Computer Security Management, Boyd & Fraser Publishing Co., Danvers, MA, USA.


Filley, D., 1999, "Risk Homeostasis and the Futility of Protecting People from Themselves", Independence Institute, Colorado, USA, http://www.i2i.org, pp. 1-10, viewed 7 November 2003.

Heimer, C. A., 1988, "Social Structure, Psychology, and the Estimation of Risk", Annual Review of Sociology, Vol 14, pp. 491-519.

Latané, B. & Darley, J., 1969, "Bystander Apathy", American Scientist, Vol 57, pp. 244-268.

Lippa, R. A., 1994, Introduction to Social Psychology, Second Edition, Wadsworth, Belmont, CA.

Otway, H. J., 1980, "Risk Perception: A Psychological Perspective", in M. Dierkes, S. Edwards & R. Coppock (eds), Technological Risk: Its Perception and Handling in the European Community.

Pattinson, M. R. & Anderson, G., 2004, "Risk Homeostasis as a Factor of Information Security", Proceedings of the 2nd Australian Security Management Conference, Perth, Western Australia, 26 November.

Pattinson, M. R. & Anderson, G., 2005, "Risk Communication, Risk Perception and Information Security", Proceedings of the IFIP WG11.1 & WG11.5 Working Conference, Fairfax, Virginia, USA, December 1-2.

Schneier, B., 2004, "The People Paradigm", http://www.csoonline.com/read/110104/counsel.htm, viewed 20 January 2006.

Wikipedia, 2005, "Bystander Effect", available at http://en.wikipedia.org/wiki/Bystander-effect, viewed 21 December 2005.

Wilde, G. J. S., 1994, Target Risk, PDE Publications, Toronto, Canada.

Wilde, G. J. S., 2001, Target Risk 2, PDE Publications, Toronto, Canada.

Witkin, H. A., Moore, C. A., Goodenough, D. R. & Cox, P. W., 1977, "Field-dependent and Field-independent Cognitive Styles and their Educational Implications", Review of Educational Research, 47 (1), pp. 1-64.