The Psychology Of Information Security – Resolving conflicts between security compliance and human behavior

Author: Leron Zinatullin

In this book the author explains the human side of IT security. The IT security consultant has to bring about the desired outcome (a more information-secure environment) by linking it to the behavior of the target group (the people in the organization).

But that requires knowing the situation: what the employees’ world looks like, what they view as their goals, and what they experience as onerous.

Research shows that employees raise three objections to working in an information-secure way:

  • There is no clear reason to comply with the IT security rules
  • The cost of complying is too high
  • They are unable to comply with the rules

The author doesn’t claim that this list is exhaustive. He does not go much further than stating that this has to be solved with empathy for the usability employees want. The way to do that is by communicating intensively with the target group. Unfortunately, the author proposes a classical communication scheme, entirely bilateral and one-on-one, instead of communication within a network of people, many to many.

According to him, the goal of working on the information security culture is to show the employees that it can be an easy way of working. One of the explanations for a weak culture in this area is the “broken windows theory”: if a window is broken in a neighborhood, the whole neighborhood suffers a negative influence. But the theory also works the other way around, so setting a good example is worthwhile.

Then the author talks about the psychology of compliance with the rules, which includes external and internal factors. The external factors include reward, punishment and competition. The internal factors include giving meaning, pleasure and interest. The two groups of motivations interact, strengthening or weakening each other. Other factors, such as autonomy, are also decisive.

In the last chapter, the author gives a first glimpse of how to change the approach to security.

Chasing change: building organizational capacity in a turbulent environment

Authors: Robert C. Thames and Douglas W. Webster

This book is about change management. More specifically, building the change capacity of the organization.

The book starts with a first part about ‘Awareness’: changes can come from everywhere, and change management helps optimize survival in a changing environment. With their example of hurricanes and earthquakes, the intuitive link with risk management is immediate. One of the most important starting points of the book is the importance of the ‘mindset’ of the employees as well as the organizational ‘mindset’: is it a ‘fixed’ mindset in which a changeable environment is impossible, or is it a ‘growth and development mindset’ in which a person and an organization are flexible with regard to a changing environment?

This last mindset is of great importance for the ‘change challenge framework’. So-called first order changes and second order changes are important. A first order change is the change that results from a shift in the needs of the environment relative to the capacities of the organization to meet those needs. A ‘targeted change gap’ is that portion of the ‘First Order Change Gap’ (the total current first order change difference) that one wants to close.

A second order change is the actual response of the organization with the intent to close the ‘targeted change gap’.

This results in a so-called ‘Second Order Change Gap’ due to maladjustment of the organization, especially by addressing only the physical dimension and neglecting the soft side of the changes. Here the term ‘project plan’ is used to indicate the completion of the physical dimension, and the term ‘change plan’ to indicate changes in the organization and in personal mindsets. (This is the closing of the second order change gap.)

As you can see, a fairly complex picture emerges, which requires its own terminology.

The second part of the book deals with only one part of closing the second order change gap, namely the development of organizational capacities that make change possible. The 13 capacities examined are:

  • Leadership
  • Commitment
  • Liability
  • Thinking forward
  • Innovation
  • Communication
  • Risk tolerance
  • Organizational learning
  • Trust
  • Diversity
  • Empowerment
  • Adaptability
  • Dynamic stability

For each of these topics, the book provides a chapter with a definition and a checklist for a five-point scale. This five-point scale can be used to assess both the current situation and the desired situation.

Chapter 20 discusses the implementation of the change plan. This is further illustrated in Chapter 21 by means of an action plan from a brand new CEO at the so-called ‘Candor Bank’. Chapter 22 provides a case study of Hurricane Katrina in New Orleans in 2005 with the aim of illustrating the ‘change model and capability assessment’. Chapter 23, the conclusion, gives a short summary of the main ideas of the entire book.