S 3.83 Analysis of security-relevant personnel factors
Initiation responsibility: IT Security Officer, Head of Personnel
Implementation responsibility: Supervisor
The employees of an organisation are one of the most important cornerstones of its information security. Experience has shown that even the most sophisticated technical security safeguards are of no use without proper behaviour on the part of the employees. This essentially requires that employees are aware of what information security means to the organisation and its business processes, and that they handle the organisation's information requiring protection properly.
Therefore, the security safeguards selected for the organisation should always be employee-oriented, taking into account the employees' know-how and the way they handle information and IT. Thus, it makes sense to analyse the different factors contributing to the behaviour of the employees from a security point of view. Building on this, it can then be examined where personnel and organisational security can be improved, for example by means of information security awareness and training.
The following aspects should be considered:
Security culture
The term security culture comprises the security-related attitudes, values, and basic beliefs of an organisation and all of its employees. The security culture also includes the issue of how open questions regarding information security are handled in the organisation. For example, a trusting and open communication culture is important for addressing security incidents effectively and efficiently so that security incidents are immediately reported and handled in a solution-oriented manner.
- How does the government agency or company handle business-relevant information and risks in general? Is the organisation more risk-taking or risk-averse? Is information shared generously or only restrictively?
- What are the requirements in terms of accuracy and precision? Are minor errors, e.g. in texts, acceptable, because the texts will be subjected to several coordination processes anyway? May severe damage be caused by an input error?
- What are the requirements in terms of availability? Are there numerous tight deadlines? Is it possible to flexibly define processing times for enquiries and business processes? Are minor violations of or changes to the deadline generally acceptable or do they result in severe consequences?
The security culture of an organisation is strongly influenced by the industry the organisation is operating in. In high-security areas, information is naturally handled more restrictively than in research facilities.
Know-how and skills
- What is the employees' level of know-how regarding IT? Is using IT and the internet necessary in order to be able to design business processes more efficiently, or are living and working without IT and internet no longer imaginable?
- What are the employees' experiences and knowledge in terms of information security and data protection? What are their skills in the field of IT-based security safeguards such as encryption? How is the know-how distributed in the different organisational areas?
- How do the employees actually handle questions in the fields of information security and data protection? What is the employees' position regarding the need to protect information against modification or unauthorised disclosure?
- Are employees allowed to actively contribute their ideas and suggestions regarding information security to the security process?
Security policies
- Do the security policies of the organisation match the business processes and the internal security culture? Can the policies be implemented easily? Are the policies practical and adapted to the current environmental conditions? Do the policies impair the workflows? Do the policies support desired behaviours?
Applications and IT
- Do the present IT components allow the business-relevant information to be handled in a way that corresponds both to its protection requirements and to the defined security policies?
Management
- What is the management's position regarding information security? Do the supervisors assume an exemplary function? Does management have any wishes regarding the improvement of the security processes?
Cultural backgrounds
- Cultural backgrounds may also generally influence the way information to be protected and security policies are handled. Therefore, it should be examined whether there are regional and national differences regarding the way information security is handled. First and foremost, it should be understood which different approaches to information security exist in the different areas of the organisation. Even individual departments may already develop their own rules and behaviour regarding the way business-relevant information is handled.
Modifications
- All types of large-scale changes affecting the employees may change the way they handle information, business processes, and IT. Examples include reorganisation processes, job cuts, and changes of tasks or supervisors.
If the analysis finds that the employees' behaviour deviates from the behaviour that makes sense from a security point of view, this can be addressed in different ways. For example, attempts to change the behaviour could be made (see S 1.13 Information security awareness and training). On the other hand, it may be significantly easier to adapt the security policies or workflows, because changes in behaviour can only be achieved in the long term.
Review questions:
- Does the security design incorporate personnel influencing factors such as the existing security culture?