Debi Ashenden - PowerPoint PPT Presentation

1 / 17

About This Presentation

Title:

Debi Ashenden

Description:

For IA Managers to become more self aware ... Mixed messages leading to cognitive dissonance. Focus on tools/frameworks rather than messages ... – PowerPoint PPT presentation

Number of Views:61

Avg rating:3.0/5.0

Slides: 18

Provided by: Dunca45

Category:

more less

Transcript and Presenter's Notes

Title: Debi Ashenden

1
The Organisational Identity ofthe Information
Assurance Manager
Debi Ashenden
Senior Research Fellow, Cranfield
University,Defence Academy of the UK
2
RESEARCH OVERVIEW

For IA Managers to become more self aware
To understand the problems of communicating
information security issues
To find ways of achieving that elusive culture of
information security that we hear so much about

3
CHANGING STRUCTURES

Disappearing hard boundaries
Aiming for efficient integration of individuals
and groups
Devolving trust decisions
To an individual level
Exploiting tacit knowledge
Time and resource constraints
Looking for a loose/tight structure
Both within and between organisations/communities

4
IA AND THE ORGANISATION
Success of InfoSec Managers depends on power
plays
Security is, more than just locks and keys and
must relate to the social grouping and behaviour
Ezingeard et al
Dhillon Backhouse
5
REALITY CHECK

Why do we keep going round the same loop?
Specialist/technical IA knowledge is insufficient
to solve all the problems
Delegation by senior managers
Impact on power relations

6
WHAT IS THE PROBLEM?

Failure to appreciate social nature of
organisations
Lack of communication with end users
causes them to construct their own model of
possible security threats and the importance of
security and these are often wildly inaccurate
(Adams Sasse)
Role identity of those responsible
Command and control approach does not match new
organisational structures and processes

7
MIND THE GAP

Were too close to the subject its too
important to us, its not important to anybody
else
If youre a security person you think that
people should follow the book. People do not
walk into the office saying, Im going to follow
the security rule book today

8
IA IN THE ORGANISATION

Everyone is focused on doing the business.
Anything else is an extra, sort of running
alongside
We did a survey and we found that users were
very confident that the network protected them
from everything, extremely confidentwe, of
course, asked IT how well the network was
protected and they all said, oh its dreadful it
leaks like a sieve
They want to do the right thing at a senior
management level. I think the challenge lies
with the treacle of middle management

9
PRACTICAL OBSERVATIONS

One-way model of communicating IA requirements
Transmit rather than receive
Imposed rather than negotiated
Mixed messages leading to cognitive dissonance
Focus on tools/frameworks rather than messages
The communication medium and the process
Lack of MoE

10
WHAT ARE WE TRYING TO CHANGE?

Pattern of assumptions
A framework to be used in response to problems
Three dimensions of organisational culture
Observable behaviour and norms
Attitudes and perceptions that can be inferred
Core values
We wont get to the second and third levels by
looking at technology and processes .

11
THE CULTURAL WEB
12
A DIFFERENT APPROACH