Is a psychological approach to IT security required?
What does employee responsibility for security look like in the modern organisation? The stakes are increasing for organisations that do not manage employees properly and educate them in IT security. The 13th annual Ernst & Young Global Information Security Survey found that six in every 10 respondents perceived increased risk from the use of social networking, cloud computing and personal mobile devices at work. Almost two thirds perceived data protection as one of the top threats to IT security.
Perhaps the most shocking figure from the report, which surveyed almost 1600 senior executives in 56 countries, is that 92% of respondents viewed employee awareness of security as a challenge. Put simply, workers don't get it.
What can we do about this problem? The conventional wisdom suggests basic measures such as including rudimentary security training in employees' induction or ‘on-boarding’ sessions. That's all very well, but throwing a little awareness training at an employee once is unlikely to have a lasting effect. Instead, a culture of personal responsibility must be ingrained into an organisation.
Ultimately, achieving a sense of personal responsibility requires a broader sense of belonging within a company. American psychologist Abraham Maslow happened to be writing during the Second World War, when he developed what became known as his Hierarchy of Needs. His hierarchy, originally published in a paper called "A Theory of Human Motivation", defines basic needs at the bottom of a pyramid. Unless these needs are met, an individual feels tense and embattled. Once they are met, the individual can become ‘self-actualised’, realising their potential as a creative, spontaneous, problem-solving individual.
It is perhaps unsurprising that one of the most basic needs can be labelled as ‘belonging’. In an environment that claims at least 40 hours of an individual's time each week, how heavily does that sense of belonging feature? Are employees fighting for a common goal? Are they inspired by their employer and its mission statement? Until workers buy into their organisation at this level, CIOs will have an uphill struggle persuading them to take personal responsibility for anything. Engaging employees in this way leads to a mature organisation with happier individuals. That may please the CEO – but it will please a security-conscious CIO just as well.