
Information Security Awareness Amongst Top Management

Joseph M. Katz Graduate School of Business, University of Pittsburgh

November 26, 2007

Information security has increasingly become a critical IS management issue amongst businesses. The majority of the problem arises from a lack of proper understanding amongst business and IT leaders of the negative effects of a lack of information security…

Author: Saahil Goel


Executive Summary

Information is the lifeblood of almost every organization in today's electronic-communication-oriented world. IT has changed its position drastically, from once being a support function to becoming the chief business driver. Even though information systems are so heavily relied upon by businesses, the same importance is not given to securing the information they hold. While it seems obviously logical to protect information that is so sensitive to the workings of many companies, in reality many companies do not consider information protection to be a critical issue.
Most of the issue exists because of the attitude that business leaders and decision-makers have towards information security initiatives. Most business leaders view information security as a purely IT initiative rather than a company-wide one. Ignorance about the devastating effects that a lack of information security can have further exacerbates the problem. By not investing in spreading (and acquiring) information security awareness, businesses expose themselves to risks such as lawsuits, loss of customer trust, loss of business and loss of sensitive information to competitors.
Business leaders need to understand that securing information is as important as obtaining it in the first place. This is especially relevant for businesses in the financial services industry (FSI). Companies in the FSI sector hold sensitive customer information, the loss of which not only affects the reputation of the company but may also cause actual financial losses to the customer. Also, because most transactions in the current banking environment are electronic, a hole in the boundary protecting information can cause a great deal of damage. Businesses need to make sure that information security decisions go hand in hand with all business decisions. For example, if a company is undergoing a merger with another company, it is imperative that information security considerations are given as much importance as the actual consolidation of transactional and profile data from both companies. Business leaders also need to be made responsible and accountable for heading information security initiatives in their companies, rather than this responsibility resting solely with the information technology department.
Information security training is also something companies are embracing; however, the rate of adoption is not very encouraging. Top management needs to ensure that, in addition to learning about information security themselves, they make the need for following stringent procedures and policies felt throughout their companies, from the top down to the most junior employees. The threat posed by leakage of information can arise at any level of an organization; it is up to the business leaders to make sure that their attitude and their decisions support their organization's ability to counter this threat at all levels. Not only should robust and technically advanced information security technology be implemented, it should also be kept current and utilized to its maximum potential. Information security implementations not only help companies prevent disasters caused by information compromises, they can also help them save money and in some cases provide them with opportunities for additional business.

Page 2 of 12
The Issue, Context and Motivation

By and large, every organization has had its share of information security breaches. Breaches can be both internal and external, the former being the more dangerous kind. Internal breaches are of higher concern since the attacker (or hacker) will have relevant information about the company and will know where the loopholes exist. Other breaches may be entirely unintentional. In fact, awareness about information security is the key to reducing, if not eliminating, losses caused by compromises in security. Employers must take on the responsibility of training their employees about the possible effects of irresponsibility on their (the employees') part in following security guidelines. Further, board members themselves need to be aware of the potential consequences that information security violations can have.
With strong government regulations around security in organizations, such as the Sarbanes-Oxley Act of 2002, organizations have taken measures to comply. However, awareness and a drive to protect information are still lacking. Organizations have been taking a reactive approach to solving information security problems rather than a proactive one, which is harmful in the long run. For example, all financial services companies, such as banks, insurers and trading companies, maintain all their customer data online. If this information were to get into the wrong hands, the company could face a severely damaged reputation, lack of trust from its customers, lawsuits or even bankruptcy. Apart from saving a company from these troubles, a well implemented information security system also adds value by providing cost benefits through efficiency in the workplace.
According to the "2007 Global Security Survey" conducted by Deloitte Consulting LLP, 71% to 89% of financial services companies across the globe feel that security has risen to the attention of corporate board members as a critical area of business. However, only 0% to 18% of financial services companies reported that their information security strategy is led and embraced by line and functional business leaders. Hence, information security is currently regarded purely as a technology initiative.
The real challenge with information security is that of spreading awareness and concern about it to the business leaders in every organization, so that it is given key importance in how the business functions. Further, growth in the volume of business (both vertically and horizontally), the complexity of technology and enterprise solutions, and the global nature of the economy all lead to highly complex information security requirements, and to the risks that come with not implementing them.
Information security is one aspect of technology and risk management which affects all organizations. Even though it might affect some organizations more than others (banks, insurance, government, universities, aviation, logistics, stock trading, online retailing), eventually it will have a major impact on all kinds of organizations. In fact, governments in many countries other than the USA have not yet taken deep initiatives to move towards e-governance and electronic citizen records, but it is inevitable that at some point they will. To take an example even within the USA, there is discussion about digitizing all health records across all hospitals and universities in the United States to better serve patients and to make medical research easier through collaborative knowledge sharing. This initiative will require strict security controls, as any intended or unintended tampering with information in this situation could mean the difference between life and death.
Of all the issues related to information security, Identity and Access Management is usually considered one of the key issues from an organizational viewpoint. According to Deloitte's survey mentioned above, the top five initiatives of financial services organizations are Identity and Access Management, security and regulatory compliance, security training for awareness, governance for security, and disaster recovery and business continuity. Identity and Access Management will become all the more important and difficult as governments implement systems to authenticate citizens using centralized databases. Governmental organizations such as the Federal Bureau of Investigation and the Central Intelligence Agency already maintain centralized and highly secure databases of information on criminal activity across the world.
Within organizations, information security (particularly identity and access management) is difficult to implement thoroughly, mostly because of gaps in awareness and training. For example, even though a company's IT department would drive management towards implementation of such a system, unless management sees a potential cost saving in the initiative, they are not very supportive of it. This mindset needs to change. Top-level management needs to be more aware of the risks to which they are exposed and should openly adopt technology to secure themselves against those risks.
Another difficulty arises from the complexity and scope of information security systems. Before Sarbanes-Oxley was enforced, most organizations worked with multiple systems (sometimes hundreds), each with its own digital identities. These digital identities were controlled by people and decentralized across the various systems. As a result, people could have access to resources which should normally have been restricted. Sometimes this was the result of pure carelessness, that is, human error; at other times it was fueled by malicious intent. To further illustrate the problem of accurate role definition with respect to digital identities, consider this example: a system administrator, who is relatively low in the organizational hierarchy compared to the sensitivity of the information being protected, had all the rights in the world to go into any system and grant anyone any access. This example illustrates that information security troubles need to be addressed at the root level. In some companies this may even mean organizational restructuring. In some companies that were converting to digital information security systems post-SOX, not even proper audit trails were in place. This gave rise to many information security breaks and leaks, some of which even went unreported. As a result of Sarbanes-Oxley, organizations scrambled to secure their information and infrastructure.
While larger corporations are able to do this by investing huge amounts of capital in enterprise-wide systems which support efficient implementation of technology risk management solutions, many smaller companies compromised with self-built systems which are neither long lasting nor provide any added value. Even though technology risk management, information security, identity management and privacy are recognized as important issues by the government and some business leaders, there are no concrete guidelines on how deep the information security infrastructure of a company needs to be. As a result, companies have gone for external certifications such as ISMS (ISO 27001, by BSI) so that they have reputation and standing in the market.

Again, for medium-sized and smaller organizations, obtaining such certifications is a challenge. Firstly, their budgets do not allow such implementations, and secondly, because of the way their current systems are set up, it is very difficult to change these systems to comply with the guidelines set forth by the certification. For example, centralizing all identities from all applications running within an organization, in order to have a single audit trail of each and every identity and a centralized access control matrix, is a difficult task. It is also important for companies to be able to grant relevant access to people automatically, rather than allowing decentralized control of these decisions. Many organizations still follow a process in which an employee's hiring manager is responsible for making these decisions. A risk-averse system would be one in which access is automatically granted to the relevant individuals with very little human intervention. Any human intervention that does take place should be under the wing of a risk management department within the company which can judge the impact of any change to the status quo of the access control matrix. Further, external auditing of these access controls by external agencies should be enabled, with the results monitored by governments. This poses a great challenge for SMEs (small and medium enterprises) as well. To achieve this target, a highly controlled input of data is required (such as Human Resources creating an employee's record on joining the company). Also required is a very high emphasis on the quality of the data being entered into the system, since a small mistake can have a major impact on the organization's security. For example, companies where employee accounts are manually controlled might fail to deactivate an employee's account long after he or she has left the company. With company intranets available over the internet and the high attrition faced by many organizations, a devious departed employee could easily retrieve confidential information, such as a company's plan for a new product line or a company's new initiative against competition, and make that information available to its competitors, causing the company to actually lose profits.
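As an added illustration of the reconciliation that a centralized identity store and access control matrix make possible (example code written for this page, not from the paper or any vendor product), the following Python script joins a constructed HR roster with a constructed export of application accounts and reports accounts that were never deactivated after their owner left, accounts nobody in HR owns, and entitlements beyond what the owner's role allows. All employee ids, usernames, systems, roles and the grace period are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Every identifier below is constructed for this example (hypothetical people,
# systems and roles); nothing is taken from a real HR system or application.

@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str                 # job role looked up in the access control matrix
    status: str               # "active" or "terminated"
    left_on: Optional[date]   # termination date when status is "terminated"

@dataclass(frozen=True)
class Account:
    system: str
    username: str
    emp_id: Optional[str]     # owner according to HR; None if nobody claims it
    enabled: bool
    entitlements: FrozenSet[str]

# Constructed HR roster: the single controlled input the text calls for.
HR_ROSTER = [
    Employee("E100", "fund_manager", "active", None),
    Employee("E101", "helpdesk", "active", None),
    Employee("E102", "sysadmin", "terminated", date(2007, 9, 14)),
]

# Constructed export of accounts from two applications.
ACCOUNTS = [
    Account("portfolio", "jdoe", "E100", True, frozenset({"read_positions", "trade"})),
    Account("portfolio", "hkim", "E101", True, frozenset({"reset_password", "trade"})),
    Account("portfolio", "old_admin", "E102", True, frozenset({"grant_access"})),
    Account("portfolio", "retired", "E102", False, frozenset({"grant_access"})),
    Account("hr_portal", "svc_legacy", None, True, frozenset({"read_all"})),
]

# Central access control matrix: (system, role) -> entitlements that role may hold.
ACCESS_MATRIX: Dict[Tuple[str, str], Set[str]] = {
    ("portfolio", "fund_manager"): {"read_positions", "trade"},
    ("portfolio", "helpdesk"): {"reset_password"},
    ("portfolio", "sysadmin"): {"grant_access"},
}

Finding = Tuple[str, str, str, str]   # (kind, system, username, detail)

def reconcile(roster, accounts, matrix, today: date, grace_days: int = 0) -> List[Finding]:
    """Compare every enabled account against HR and the access matrix.

    Finding kinds:
      stale_account  - owner left more than grace_days ago but the account is still on
      orphan_account - enabled account with no owner in the HR roster
      excess_access  - entitlements beyond what the owner's role permits on that system
    """
    by_id = {e.emp_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled accounts are not a live exposure
        owner = by_id.get(acct.emp_id) if acct.emp_id else None
        if owner is None:
            findings.append(("orphan_account", acct.system, acct.username, "no HR record"))
            continue
        if owner.status == "terminated":
            days_gone = (today - owner.left_on).days
            if days_gone > grace_days:
                findings.append(("stale_account", acct.system, acct.username,
                                 f"owner left {days_gone} days ago"))
            continue                      # the account itself is the problem here
        allowed = matrix.get((acct.system, owner.role), set())
        excess = acct.entitlements - allowed
        if excess:
            findings.append(("excess_access", acct.system, acct.username,
                             f"not permitted for role {owner.role}: " + ",".join(sorted(excess))))
    return findings

def run_default_audit(grace_days: int = 0) -> List[Finding]:
    """Run the reconciliation on the constructed data as of the paper's date."""
    return reconcile(HR_ROSTER, ACCOUNTS, ACCESS_MATRIX, date(2007, 11, 26), grace_days)

if __name__ == "__main__":
    for kind, system, user, detail in run_default_audit():
        print(f"{kind:15} {system}/{user}: {detail}")
```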
In conclusion, the chief issue around information security is the lack of awareness amongst employees, non-technology departments and senior management in a company. This is compounded by the growing size of companies and the need for extremely complex enterprise solution systems. Further, there is not enough support from the government in terms of enforcement or the existence of technology-risk-specific guidelines. Initiatives such as identity management can help companies save money and in some cases even make money; therefore a lack of awareness of such initiatives is causing companies to incur heavy opportunity costs and putting them at a competitive disadvantage.

The Position and Perspective

As is clear from the above discussion, the chief reason for the lack of security control systems is a lack of awareness of information security. For people to feel the need for awareness, awareness of the need for information security awareness is itself required. For example, human resources staff in a company may not view information security as critically as would a person in technology, for the simple reason that they are not aware of the potentially devastating effects their actions could have. The training and awareness issue can only be resolved by government controls, management focus and adequate training for all employees in a company. Internal certifications on information security should be made mandatory for employees within a company, as part of information security training.
The role of government is vital in the establishment of information security initiatives. Along the lines of Sarbanes-Oxley (2002) in the USA, "J-SOX", Japan's Financial Instruments and Exchange Law, will be effective from April 2008. This is causing Japanese financial services companies to standardize their information security processes and systems. This example highlights a trend towards government compliance in other parts of the world in the future, and the fact that a government decision on information security can be very influential in pushing organizations towards implementing effective controls.
The ignorance and indifference displayed towards security is also portrayed in the article "Businesses More Concerned About Mobile, Remote Security, But Still Ignore Training" in Information Week [i]. Lack of information security awareness not only causes direct impacts such as breaches and their associated negative effects, but also causes users to become complacent about implementing security at all. This could lead to a vicious circle in which a lack of information security leads to further complacency towards learning about it, creating a potentially dangerous situation. Further, with an organization's employees uneducated about security, it falls to business unit leaders to take the initiative, and hence top management follows suit; it has a cascading effect. Information security awareness has to begin at the lowest level and proliferate its way up to top management for any results. According to Jones, even though sixty percent of organizations reported an increase in security issues related to mobile corporate users over the last 12 months, most companies ignore security training. Further, only 10% of companies plan to implement security training over the next 12 months (according to research from TNS Prognostics). In fact, the article also mentions that 90% of the companies that implemented information security awareness training have seen a reduction in the number of information security breaches.
Besides the lack of awareness amongst business leaders about the various technologies available, the devastating effects of a lack of information security, and the potential savings that certain kinds of implementations can generate, business leaders also need to check their attitude towards information security and systems implementations in general. Not only are many executives unaware of the weak security that exists within their organizations, they are also unwilling to implement better security to protect their businesses unless they see a clearly tangible economic advantage in the effort. As described in the article "Info Security 'from the Ground Up'" in Business Week [ii], even though CEOs have made considerable investments in security infrastructure following the September 11 attacks, they still view security as a sunk cost. That is, they do not find any real benefit to the business from implementing security. Management still needs to know (and measure) the economic benefits that would come out of implementing an enterprise information security system. Despite the fact that information security implementations do offer economic benefits in savings (from potential lawsuits, bankruptcy, leakage of confidential information and fraudulent transactions) and in increased productivity, efficiency and brand equity, it is still "hard" to sell information security to management. This brings out an underlying difference of opinion and perhaps the unwillingness of business leaders to learn about information security holistically. The problem could lie in the fact that the information currently available is not easy for a non-IT individual to understand. As pointed out by Gary S. Miliefsky, one of the seven best information security practices is to deliver corporate security and awareness training and make it simple enough that an 8th grader can understand it [iii]. The problem could also lie in the way information security is presented to management. Unless all business unit leaders are involved in a security implementation initiative at a company, top management will not take notice of it. If each business unit leader is made aware of the potential benefits of security and the savings it could have for their unit, it would be easier to approach top management with support from senior management.
Even though there is a lack of security awareness amongst management in most industries, the financial services industry has a higher information security spend than other industries. It also employs the latest technologies for the protection of its information. Since the primary goal of a person trying to compromise security is money, financial services institutions (FSIs) become prime targets for such attempts. FSIs also have most of their operating data electronically available over the internet, since customers deal directly with these companies using corporate portals. Further, financial services companies are able to write off information security expenses through their linkage with business processes. FSIs report the lowest cyber-crime rates amongst all industries and have employed technologies such as identity management and intrusion detection tools. According to "The Global State of Information Systems 2006" report by CIO, security executives still need to persuade top management to implement information security [iv]. It might be easier for security executives working in the FSI, as they can tangibly measure the benefits of security implementations and the value added for shareholders. In fact, FSIs are one of the few industries which measure the results of information security implementations in terms of return on investment and potential impact on revenue. Further, FSIs are governed by regulations such as the Sarbanes-Oxley Act of 2002. The report further states that since regulations play such an important part in the healthcare, government and education sectors as well, those sectors too would be expected to employ high security. But that is not the case. The government and healthcare sectors benchmark themselves against other (non-FSI) sectors to keep "abreast" of information security trends. The above discussion in the report outlines two important results. Firstly, companies still have "security executives" doing the "selling" work to top management. Even though this might work in the FSI industry, it will not work as well in other industries where it is hard to justify the cost of implementation. Secondly, it shows that there is a problem of lack of awareness across all sectors of work, some of which even need critical attention to security and do NOT have budget constraint problems, such as the government. Either there is a lack of information security awareness in certain sectors, or, if the information is there, it is not understandable or is not tailored to its audience.
Even though information security currently affects the financial services industry most with respect to government regulations, other industries will soon be impacted as well. A lack of information security can have devastating impacts. For example, if a person high up in the organization, with access to very sensitive data about the organization, is not careful about his or her access controls and/or standard security procedures, he or she could inadvertently cause a breach. Consider a fund manager at a mutual fund company who has relevant financial data on his system. While logging on to the corporate intranet, he falls victim to a phishing attack in which his credentials are compromised and intercepted by a hacker helping a competitor. All information about the mutual fund which is being shared electronically would be compromised. If the manager had been trained specifically in the use of certain company systems, he could have followed certain checkpoints. For example, some companies display a unique token on the login page of sensitive software which is recognized only by the user; this is an attempt to foil phishing attacks. Since there are other sophisticated ways of extracting access credentials, companies are also moving towards token-based and biometric authentication measures. For example, some companies require certain employees to swipe their fingerprints over a reader along with entering their access details into a system. This way, even if somebody is able to obtain the access details in text form, without the biometric authentication access to highly sensitive applications would be restricted. Since biometrics may be considered too extreme for some cases (because of the cost involved and the complexity of implementation), other alternatives such as a physical token with a random number generator can also be employed. HSBC currently uses this technology for all its credit card customers in Asia. Without the combination of a correct username, a password and the random number generated every 30 seconds or so by the hand-held token device, a user is not allowed to gain access to the online system.
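To show what the hand-held token involves on the server side, here is an added example (not the paper's or HSBC's code) of the three-part login check: a username, a password and a time-based one-time code derived from a shared secret in the manner of RFC 6238 TOTP, which is what "a random number every 30 seconds" amounts to in practice. The user store, password and token secret are constructed (the secret is the RFC 6238 test-vector seed); the check tolerates one 30-second step of clock drift and records the last accepted step so that a code already used for a login is not accepted again.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """What the token displays: the HOTP of the current time step."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Stateless check: accept the current step or up to `window` steps either
    side to tolerate clock drift. Constant-time comparison avoids leaking digits."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    current = unix_time // step
    return any(
        c >= 0 and hmac.compare_digest(hotp(secret, c, digits), submitted)
        for c in range(current - window, current + window + 1)
    )

# Constructed user store (demo only): the password is kept as a salted PBKDF2
# hash and the token secret is the RFC 6238 test-vector seed.
PBKDF2_ROUNDS = 50_000
DEMO_SALT = b"demo-salt-not-random"   # a real system draws a random salt per user

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

USERS = {
    "fund.manager": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("correct horse battery", DEMO_SALT),
        "token_secret": b"12345678901234567890",
        "last_step": -1,      # highest time step already consumed by a login
    }
}

def login(username: str, password: str, code: str, unix_time: int,
          users=USERS, step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """All three factors must match. A code is accepted only for a time step
    newer than the last successful login, so the same code cannot be used twice."""
    user = users.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    if len(code) != digits or not code.isdigit():
        return False
    current = unix_time // step
    for c in range(current - window, current + window + 1):
        if c > user["last_step"] and hmac.compare_digest(hotp(user["token_secret"], c, digits), code):
            user["last_step"] = c
            return True
    return False
```

The replay check only stops reuse of a code after it has been consumed; a code obtained and submitted within its 30-second window before the legitimate login is still accepted, which is why the text pairs the token with user training rather than relying on it alone.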
Information security implementations not only protect companies from security breaches and the loss of reputation, business and so on that follows, but can also help companies save and in some cases actually make money if implemented in a proper and recommended fashion. Companies may lose large amounts of money by facing lawsuits and by placating irate customers, both of which arise out of a breach in security. Companies may also go bankrupt if critical information reaches their competitors and the competitors capitalize on a plan that was vital to the company. However, systems such as identity and access management in the information security domain can help companies generate and save money. For example, a simple IAM system which brings down the number of helpdesk calls related to password resets, say, can save some companies about 30% of their helpdesk costs. Further, the employee productivity lost due to forgotten passwords, though immeasurable, also comes down and hence increases overall business productivity. By enabling robust security systems, companies can also allow customers to interact directly with the company, cutting down on the costs of the several physical layers which exist currently and enabling sophisticated automation. For example, customers may be able to purchase products such as health insurance directly online without interacting with anybody. This not only brings down the cost of additional manpower but also enhances the customer experience, leading to intangible benefits as well. Using federation systems, companies can drastically reduce the transaction costs which would exist without them. Federation allows two companies to conduct business in a seamless fashion (with respect to connectivity) even though they are organized as two separate entities. This is useful when companies work on collaborative projects or when there are partial mergers for a particular project, as an entire revamp is not required in these cases.

Recommendations

The first step towards implementing information security is to create awareness amongst top management that information security spend should be viewed not as a sunk cost but as an investment. Only if this awareness exists will business leaders take proactive steps towards implementing such systems. Also, the involvement of information security teams in critical business decisions is something that should be ingrained in business leaders' minds. Information security can be effectively leveraged only if it is built into the systems and processes within a company rather than being treated as an additional function. It is best thought of as a "wrapper" for all systems and processes, thereby allowing the most efficient streamlining and a robust and secure computing environment.
To successfully make business leaders aware of information security and its advantages, the communication gap between top management and security professionals needs to be reduced. Also, since business leaders are not involved directly in heading or managing information security initiatives, information security is usually less aligned with business objectives than it could be, leading to an even greater communication gap. Thus, business unit leaders and top management should be actively involved in heading information security projects and should make the key decisions in this area; the implementation may be left to the security personnel.
In addition to improving communication amongst the various parties, a corporate culture needs to be established which encourages computing in a threat-free environment. This will improve not only the attitude of a company's employees towards security but also that of top management. A company's employees follow what the leaders have to say; only when security is demonstrated as a critical element by way of top-down pressure will it be taken as seriously as it should.
Businesses also need to realize that information security should be implemented as a proactive measure rather than a reactive one. There are numerous examples of mistakes made by other companies which have cost them millions of dollars along with severe damage to their reputations. To this end, governmental regulations will help a lot. Therefore, in addition to corporate responsibility towards security measures, governmental support and enforcement should be made more stringent and more detailed. Currently companies are certified by external agencies (ISMS/ISO 27001). In future, the government could partner with these agencies and make these certifications mandatory for certain kinds of businesses. This will not only ensure that security is actually implemented, but will also send a message to employees, customers, stakeholders and the top management of other companies about how critical security is to a company's success or failure.
Since information security awareness is so critical, some of the possible specific steps that can be
taken are outlined below:
a) Top Management Buy-In and Awareness: Top management needs to understand what the relevant business savings and cost advantages of using information security systems are. Currently, not enough material and/or training modules exist for measuring the benefits of security systems implementations. Since such information does not exist, it is not easy for corporate leaders to absorb purely technical information. Such information material and return-measurement techniques and tools should be created, which would then generate the relevant material and help create two kinds of knowledge: technical knowledge and implementation know-how on the one hand, and business benefit knowledge, threat knowledge, understanding of risk assessment, etc. on the other.
b) Employee Training: Apart from top management being aligned with a company's security needs, the next most important entity is an organization's employees. Most security breaches occur from within an organization, both intentional and unintentional. Incentivized training programs for employees should be incorporated within organizations. Mandatory internal certification programs should be organized and surprise internal audits should be conducted. Defaulters should be penalized to show seriousness. External security certifications (such as Certified Ethical Hacker and Cisco security certifications) can be offered to technical personnel within the company for free. This would serve a dual purpose: it would encourage employees to take these certifications and would help the company by creating a culture which is aligned with information security and, of course, with industry-level security systems as well. Information security training should be imparted to employees in all departments: legal, HR, operations, IT, accounts and finance. This will ensure that the knowledge penetrates even the non-technical verticals within a company. Employees should be made aware of the role they have to play in the security process.
c) Stringent security policies: It is amazing that even with the availability of the technical know-how and the right tools, companies still don't implement stringent security policies. Simple security policies, such as disallowing default passwords and changing passwords at set intervals, do not require heavy investment, just the right mindset towards security. Companies should take the technology that they already have and make optimal use of it. These policies should also be strictly enforced. For example, if there is a defined process for resetting forgotten passwords, it should be followed stringently, with no compromise on that process. Such measures will ensure that security policies are not just implemented but also enforced.
d) Intrusion detection systems and auditing: Even though many organizations have certain
kinds of information security systems implemented, rarely do organizations have
documented breach control processes in place. Specific documentation should be put in
place on effective handling of a situation in which a security breach arises. Specific
people should be made accountable for handling these breaches in a streamlined fashion.
Before breaches can be reported, intrusion detection systems should be put in place.
While off-the-shelf products are available for this purpose in the network security arena,
not many effective products are available for data security. In-house development or
customized solutions should be put in place for intrusion detection. Further, auditing and
reporting should be done and analyzed on a timely basis. One such report could be the
maximum number of unique logins on a particular application from one desktop. Over
several time periods this data would help recognize potentially malicious employees (or
desktops being used) within an organization. Other reports could cover failed
authentication attempts, unchanged passwords, maximum length of inactive sessions, and
so on. Such reports will help identify users who are insensitive to security – both the
careless and those with malicious intent. Auditing will also maintain a trail of which
actions were undertaken by which employees, thereby making corrective action easier.
These steps will show whether the training imparted to employees was successfully
absorbed; if need be, re-training should be conducted and/or penalties should be imposed.
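The policy checks in c) and the audit reports in d) are simple enough to script. The block below is an added example, not part of the original paper or any product it mentions: it runs four of the checks described above (unique successful logins per application from one desktop, repeated failed authentication attempts, passwords older than a rotation interval, and accounts still on a default password) over constructed sample data. The log format, the host and user names, the account records and the "changeme" default password are all assumptions made for the example; only a hash of the default is compared, so a real deployment would load a list of vendor-default hashes instead.

```python
"""Audit-report example for the policy and auditing checks in sections c) and d).
All data here is constructed for illustration; nothing is read from a real system."""
import hashlib
from collections import Counter, defaultdict
from datetime import date

# Constructed authentication log lines (an illustrative key=value format, not a real product's).
AUTH_LOG = """\
2007-11-20T09:01:12 host=DESK-017 app=ledger user=jsmith result=success
2007-11-20T09:05:40 host=DESK-017 app=ledger user=akumar result=success
2007-11-20T09:07:02 host=DESK-017 app=ledger user=mlee result=success
2007-11-20T09:09:55 host=DESK-017 app=ledger user=rpatel result=success
2007-11-20T10:12:31 host=DESK-042 app=ledger user=bwong result=success
2007-11-20T10:13:03 host=DESK-042 app=ledger user=bwong result=failure
2007-11-20T10:13:20 host=DESK-042 app=ledger user=bwong result=failure
2007-11-20T11:30:00 host=DESK-042 app=crm user=bwong result=success
2007-11-20T12:00:10 host=DESK-099 app=crm user=tgarcia result=failure
2007-11-20T12:00:25 host=DESK-099 app=crm user=tgarcia result=failure
2007-11-20T12:00:41 host=DESK-099 app=crm user=tgarcia result=failure
2007-11-20T12:01:00 host=DESK-099 app=crm user=tgarcia result=failure
2007-11-20T12:01:30 host=DESK-099 app=crm user=tgarcia result=failure
"""

# "changeme" is a placeholder standing in for a vendor default; only its hash is kept.
DEFAULT_FINGERPRINTS = {hashlib.sha256(b"changeme").hexdigest()}

# Constructed account records: (user, sha256 of current password, date password was last set).
ACCOUNTS = [
    ("jsmith", hashlib.sha256(b"placeholder-pw-1").hexdigest(), date(2007, 10, 1)),
    ("akumar", hashlib.sha256(b"changeme").hexdigest(), date(2007, 3, 15)),
    ("bwong", hashlib.sha256(b"placeholder-pw-2").hexdigest(), date(2007, 11, 1)),
    ("mlee", hashlib.sha256(b"placeholder-pw-3").hexdigest(), date(2006, 12, 20)),
]


def parse_log(text):
    """Turn each 'timestamp key=value ...' line into a dict."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": ts}
        for field in fields:
            key, value = field.split("=", 1)
            ev[key] = value
        events.append(ev)
    return events


def unique_logins_per_desktop(events, threshold=3):
    """Distinct users who successfully logged into one application from one desktop.
    A high count on a single desktop suggests shared credentials or a shared machine."""
    seen = defaultdict(set)
    for ev in events:
        if ev["result"] == "success":
            seen[(ev["host"], ev["app"])].add(ev["user"])
    return {key: sorted(users) for key, users in seen.items() if len(users) >= threshold}


def failed_attempts(events, threshold=3):
    """Users with at least `threshold` failed authentication attempts."""
    counts = Counter(ev["user"] for ev in events if ev["result"] == "failure")
    return {user: n for user, n in counts.items() if n >= threshold}


def stale_passwords(accounts, today, max_age_days=90):
    """Accounts whose password is older than the rotation interval (policy from section c)."""
    return {user: (today - changed).days
            for user, _, changed in accounts
            if (today - changed).days > max_age_days}


def default_passwords(accounts, fingerprints=DEFAULT_FINGERPRINTS):
    """Accounts still using a known default password, compared by hash only."""
    return sorted(user for user, digest, _ in accounts if digest in fingerprints)


def audit_report(log_text=AUTH_LOG, accounts=ACCOUNTS, today=date(2007, 11, 26)):
    """Assemble the periodic report described in section d)."""
    events = parse_log(log_text)
    return {
        "shared_desktops": unique_logins_per_desktop(events),
        "failed_attempts": failed_attempts(events),
        "stale_passwords": stale_passwords(accounts, today),
        "default_passwords": default_passwords(accounts),
    }


if __name__ == "__main__":
    for section, findings in audit_report().items():
        print(section, findings)
```

On the sample data the report flags DESK-017 (four distinct users on the ledger application), tgarcia (five failures), akumar and mlee (passwords older than 90 days) and akumar again for the default password; bwong's two failures fall under the threshold. The thresholds and the 90-day interval are the policy knobs the paper says management should set and then enforce.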
References

i
http://www.informationweek.com/showArticle.jhtml;jsessionid=C4SCFOM3W2ESQQSNDLPSKHSCJUNN2JVN?articleID=202802456&queryText=information+security+awareness
“Businesses More Concerned About Mobile, Remote Security, But Still Ignore Training” By K.C. Jones
November 5, 2007
A report by The Computing Technology Industry Association describes that, despite a rise in security
breaches related to mobile computing users (which is increasingly gaining popularity in IT/consultancy
sector companies), organizations are complacent about implementing information security or conducting
awareness and training sessions for their employees.

ii
http://www.businessweek.com/technology/content/apr2004/tc20040413_9762_tc146.htm?chan=search
“Info Security ‘from the Ground Up’” By Alex Salkever
April 13, 2004
Many CEOs have paid attention to information security after the September 11 attacks and have invested a
considerable amount of resources and money in this initiative. However, they are still following the
“reactive” method of information security awareness and do not take an active stand on it. Security
spending is still viewed by management as only a cost without any real benefit to the core business. This
article demonstrates a clear lack of understanding of information security and its benefits on the part of
management leaders.
iii
http://www.networkworld.com/columnists/2007/011707miliefsky.html
“The 7 best practices for network security in 2007” By Gary S. Miliefsky
January 17, 2007
This article describes ways to improve information security within an organization by providing 7 best
practices as guidelines which corporations could follow to develop their own guidelines. Even though it
doesn’t directly describe the current knowledge about information security awareness, it does make the
reader aware of the current state of affairs in organizations with respect to information security by
describing the attitudes of people in organizations and the kind of steps required to implement it.

iv
http://www.cio.com/article/24979/The_Global_State_of_Information_Security_/6
“The Global State of Information Security 2006” By Allan Holmes
September 15, 2006
This article is a report on the global state of information security in 2006. It has a section which
highlights the current state of information security and awareness in various sectors such as finance,
education, healthcare and the public sector. It makes an important argument in support of the claim that
management is only concerned with the economic benefit of information security rather than a long-term
approach to running a business efficiently and securely.