Information Security – Is it important?

Lizzie Coles-KempInformation Security Group

Culture

Towards a Culture Of Security

• OECD (Organisation for Overseas Economic Co-Operation and Development)

• 2002: OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security

• Introduced 9 principles

Nine Principles

• Awareness• Responsibility• Response• Ethics• Democracy• Risk assessment• Security design and implementation• Security management• Re-assessment

“Compliance alone does not in itself imply an acceptable level of security.” [McCulloch, I., Armstrong, A., and Johnson, A. 2013]

“Humans are fallible and errors are to be expected, even in the best organisations” [Reason, J, 2000]

Security from what? Security by whom? Security achieved through which means?’ [Liotta, 2002: 474–475]

“Employees, however, seldom comply with these IS security procedures and techniques, placing the organizations’ assets and business in danger” [Stanton, J. M., Stam, K. R., Mastrangelo, P. and Jolton, J., 2005 ]

http://www.opte.org/maps/

https://engineering.purdue.edu/ECN/AboutUs/NetMaps/Maps/2004/PrintableMap.pdf

Uta Eisenreich, Network/Teamwork sociogram 2002

“The Security Debate: Attack, Parry and Riposte” – [Hoogensen, G., Vigelend Rottem, S. 2004]

People-Centered Security

• Security is a relational concept• Ask the individual about their security needs• Talk with individuals to explore security needs

and wants• Listen to security anxieties in the context of

values and beliefs - needs differ

‘making each secure in the other’ (McSweeney, 1999: 14–15)

Nine Principles

• Awareness• Responsibility• Response• Ethics• Democracy• Risk assessment• Security design and implementation• Security management• Re-assessment

Culture