Security issues have often been treated as a matter for the IT department alone. However, an organization's information security must be addressed at the management level. Although the technical aspects of security are a matter for the IT department, every decision-making element should concern the organization's management.
For example, owners of information systems for administrative units should be involved in the management process and in security decisions related to the systems or assets they are responsible for (e.g. management of logical access). In fact, these decisions impact users’ daily operations.
However, managers of administrative units are not always comfortable with the security guidelines and possible risks they may face. Should IT specialists be responsible for developing guidelines and procedures based on technological aspects for the entire company? At a minimum, they should work with the various managers (e.g. with the organization’s security committee) to ensure that the guidelines are understandable and applicable throughout the organization and to determine the impact on operations.
Many campaigns merely mention some slogans or certain rules to users, such as to change their passwords periodically. However, for users to change their behaviors, certain basic explanations must be provided to them to ensure that the supporting reasons and context for these rules are understood. Thus, if users understand that perpetrators could easily discover their passwords and use their accounts inappropriately, they are more likely to comply with the rules and not write passwords on post-its.
A good security training approach for users is to use language that is comprehensible to them rather than technical terminology. This is also the case for managers and executives. The consequences of certain actions and the possible impacts that may ensue for an organization can be explained and illustrated by using past events or analogies, combined with appropriate language. Direct impacts on the availability, integrity or confidentiality of information can result in various consequences for the organization (e.g. the inability to provide customer service, financial loss, a tarnished reputation, legal repercussions such as non-compliance with laws and regulations, etc.).
Master's students who aspire to management roles in organizations should also take courses in information technology and expand their knowledge of threats and of ways to adequately protect information.
To learn more about this topic, please view the following article:
Moreover, Terranova has developed a new information security awareness program. Please click on the following link for more information: