Decision-making factors contributing to the management of information security in organisations

Abstract

Purpose: In this review paper we analyse current security trends and the sociological and psychological obstacles faced by security management, with the aim of clarifying the dilemmas involved in ensuring information security. In a time of uncertain conditions in the business environment, information security is becoming an increasingly important business process. Its effectiveness depends on various environmental, structural and personal factors, which must be managed if the risks threatening the existence of organisations are to be adequately controlled. Methods: The analysis of security trends was carried out by reviewing current international research on the present state of information security. A review of theories explaining the influence of psychological factors on decision-making processes was also carried out. By synthesising the findings we formed assumptions about the causes of irrational decisions, and we extended the theoretical approaches by placing them in the organisational and security fields. Findings: We find that organisations do not develop the information security function adequately. The review of current research showed that organisations often respond ineffectively to increased security risks, because they are hindered by unfavourable business conditions, lack of expertise and a traditional management mentality, changes in the field of security solutions, and cognitive biases in decision-makers. We also find that the effectiveness of information security increasingly depends on non-technical measures, with the greatest role played by trained, well-developed and strategically oriented security management. Practical implications: For most modern organisations, the security trends presented in the paper represent a major challenge in achieving business success. With this paper we wish to draw attention to contemporary security dilemmas and contribute to greater awareness among responsible management. We also offer starting points for dealing effectively with cognitive obstacles in decision-making.
Originality/value: The paper is topical, as it analyses the latest research on information security and presents contemporary trends on that basis. It is also original, because it brings together findings from the psychology of risk and decision-making and from information security and places them in an organisational context.

Purpose: Information security is becoming an ever more important business process in this period characterised by uncertainty in the business environment. Its efficiency depends on various environmental, structural, and personal factors which need to be managed in order to adequately control all risks threatening organisations' survival. This paper analyses current security trends, as well as sociological and psychological obstacles in security management, with a view to clarifying different dilemmas related to the provision of information security. Design/Methods/Approach: The analysis of security trends was conducted on the basis of an overview of current international research on the present state of play in the field of information security. It also includes an overview of theories explaining the impact of psychological factors on decision-making processes. Assumptions regarding the reasons for irrational decisions were drawn by performing the synthesis of findings, while theoretical approaches were upgraded by placing them in the organisational and security fields. Findings: The authors find that organisations are not developing the function of information security in an adequate manner. The overview of current research shows that organisations are often inefficient in their response to higher security risks, since they are prevented from doing so by unfavourable business conditions, lack of expertise, traditional management mentality, changes in the field of security-related solutions and cognitive bias found in decision-makers. The authors also find that the efficiency of information security is ever more dependent on non-technical measures, whereby trained, well-developed and strategically-oriented security management plays a crucial role. Practical Implications: For the majority of modern organisations, security trends presented in this paper represent a great challenge in terms of achieving business success. This paper wishes to draw attention to contemporary security-related dilemmas and raise the awareness of responsible management. The paper also provides several starting points enabling an efficient confrontation with cognitive obstacles in the course of decision-making. Originality/Value: This paper is up-to-date, as it analyses the latest research into information security and uses such analysis to present contemporary trends. It is also original, since it combines findings from the fields of the psychology of risk and decision-making, as well as from information security, and places them in organisational context.
