23 research outputs found

    Information Security management: A human challenge?

    This paper considers to what extent the management of Information Security is a human challenge. It suggests that the human challenge lies in accepting that individuals in the organisation have not only an identity conferred by their role but also a personal and social identity that they bring with them to work. The challenge that faces organisations is to manage this while trying to achieve the optimum configuration of resources in order to meet business objectives. The paper considers the challenges for Information Security from an organisational perspective and develops an argument that builds on research from the fields of management and organisational behaviour. It concludes that the human challenge of Information Security management has largely been neglected and suggests that to address the issue we need to look at the skills needed to change organisational culture, the identity of the Information Security Manager, and effective communication between Information Security Managers, end users and Senior Managers.

    Security dialogues: building better relationships between security and business

    In the real world, there's often a discrepancy between an organization's mandated security processes and what actually happens. The social practice of security flourishes in the space between and around formal organizational security processes. By recognizing the value of risk management as a communication tool, security practitioners can tap opportunities to improve the security dialogue with staff.

    ‘IT Fauna’ and ‘Crime Pays’: Using Critical Design to Envision Cyber Security Futures

    The research presented is a collaboration between social scientists, designers and technologists that explored whether critical design could be used to envision cyber security futures. The research imperative was to examine the use of critical design as a way of imagining future or alternative scenarios of cyber security. We evaluated research methods that would encourage cyber security practitioners and policy makers to discuss and re-consider cyber security risk. The research used critical design to produce speculative scenarios that would encourage a new way of thinking about cyber security risk. ‘Specimens of IT Fauna’ is a visualisation and celebration of our imaginary bestiary of software. ‘Crime Pays’ is a video installation that envisions a future where there is effectively a tax on online privacy.

    Design Thinking for Cyber Deception

    Cyber deception tools are increasingly sophisticated but rely on a limited set of deception techniques. In current deployments of cyber deception, the network infrastructure between the defender and attacker comprises the defence/attack surface. For cyber deception tools and techniques to evolve further they must address the wider attack surface: from the network through to the physical and cognitive space. One way of achieving this is by fusing deception techniques from the physical and cognitive space with the technology development process. In this paper we trial design thinking as a way of delivering this fused approach. We detail the results from a design thinking workshop conducted using deception experts from different fields. The workshop outputs include a critical analysis of design provocations for cyber deception and a journey map detailing considerations for operationalising cyber deception scenarios that fuse deception techniques from other contexts. We conclude with recommendations for future research.

    Why Should I? Cybersecurity, the Security of the State and the Insecurity of the Citizen

    Assumptions are made by government and technology providers about the power relationships that shape the use of technological security controls and the norms under which technology usage occurs. We present a case study carried out in the North East of England that examined how a community might work together using a digital information sharing platform to respond to the pressures of welfare policy change. We describe an inductive consideration of this highly local case study before reviewing it in the light of broader security theory. By taking this approach we problematise the tendency of the state to focus on the security of technology at the expense of the security of the citizen. From insights gained from the case study and the subsequent literature review, we conclude that there are three main absences not addressed by the current designs of cybersecurity architectures. These are absences of: consensus as to whose security is being addressed, evidence of equivalence between the mechanisms that control behaviour, and two-way legibility. We argue that by addressing these absences the foundations of trust and collaboration can be built which are necessary for effective cybersecurity. Our consideration of the case study within the context of sovereignty indicates that the design of the cybersecurity architecture and its concomitant service design has a significant bearing on the social contract between citizen and state. By taking this novel perspective, new directions emerge for the understanding of the effectiveness of cybersecurity technologies.

    The Human Shield

    CISOs and organisational culture: Their own worst enemy?

    Many large organisations now have a Chief Information Security Officer (CISO). While it may seem obvious that their role is to define and deliver organisational security goals, there has been little discussion on what makes a CISO able to deliver this effectively. In this paper, we report the results from 5 in-depth interviews with CISOs, which were analysed using organisational behaviour theory. The results show that the CISOs struggle to gain credibility within their organisation due to: a perceived lack of power, confusion about their role identity, and their inability to engage effectively with employees. We conclude that as the CISO role continues to develop, CISOs need to reflect on effective ways of achieving credibility in their organisations and, in particular, to work on communicating with employees and engaging them in security initiatives. We also identify a key responsibility for effective CISOs: that is, to remove the blockages that prevent information security from becoming ‘business as usual’ rather than a specialist function. For researchers, our findings offer a new piece of the emerging picture of human factors in information security initiatives.

    Risk Management for Computer Security

    Andrew Jones, 'Risk Management for Computer Security' (London: Butterworth-Heinemann, 2005), ISBN-10: 0750677953, eISBN 9780080491554. Risk Management for Computer Security provides IT professionals with an integrated plan to establish and implement a corporate risk assessment and management program. The book covers more than just the fundamental elements that make up a good risk program for computer security. It presents an integrated how-to approach to implementing a corporate program, complete with tested methods and processes, flowcharts, and checklists that can be used by the reader and immediately implemented into a computer and overall corporate security program. The challenges are many, and this book will help professionals in meeting their challenges as we progress through the twenty-first century.