IT security managers need to understand the psychology of IT users to manage risk, says David Lacey, an independent security researcher.
Very few are successful in managing the human factor in information security, he said. They tend to create a blame culture, but this does not work and often makes the situation worse.
"Blaming individuals is the worst thing to do," said Lacey. "It makes everyone terrified of making a mistake and leads to a lie culture."
IT security managers should learn from the safety industry,
which realised decades ago that incidents are caused by a
combination of factors and not by individuals, said Lacey.
They should monitor every incident and then analyse the causes
to improve security rather than waiting for a major incident and
then pinning the blame on an individual in a knee-jerk reaction, he
said.
"Instead, IT security managers should create a blame-free
culture in which people report and admit problems they are having,"
said Lacey.
Most IT security managers fail to exploit the knowledge of
end-users to help make decisions, find out the status of security,
and identify where things are going wrong, he said.
Another common failing, said Lacey, is that even if IT security
managers realise the need for security awareness programmes, they
lack the skills to understand and change user behaviour.
They should, therefore, enlist the help of psychologists to
understand what influences people's attitudes and create policies
that will encourage good security practice.
IT security managers should also enlist the help of journalists
to write those policies in a way that is easy for end-users to
understand.
"They should not try to do something they do not have the
knowledge or the skills to do, but it does need to be done," said
Lacey.
Building on his new book "Managing the Human Factor in Information Security," Lacey will explain the nature of people and networks in a presentation at Infosecurity Europe 2009 at Earls Court in London on 29 April.