Venture Knowledgist Quality Integration
SENIOR EXECUTIVES COMMITMENT TO INFORMATION
SECURITY - FROM MOTIVATION TO RESPONSIBILITY
For senior management, information security is a basic requirement
for business success. Yet, despite being well-motivated, top managers
often have only a superficial understanding of information security,
which may lead them to make decisions that are not conducive to raising
the organization's security level. Enhancing information security
awareness among all employees has been found necessary, but the key
to success is raising the awareness level of senior management. Playing
a decisive role, they must assume overall responsibility for information
security. The question is how to achieve this in an efficient and
Introduction: Information security
and safety odds
Attitudes toward information security vary. Everyone knows the fundamentals,
but few have a deeper understanding of it. An extensive survey, conducted
in a Finnish company, indicated that although all employees were well-motivated,
senior management lacked the necessary information security management
skills. This was evidenced by the fact that an external consultant
managed to convince the top management to agree to a work safety study
without asking experts on the company payroll, who anticipated a better
information security solution. Examples such as this one can be found
also in governmental offices and at univiersities.
Our work aims at elucidating the significance of senior management
in the promotion of organizational information security. A great number
of organizations boast extensive security awareness programmes, but
the top management often shies away from them. Damage caused by an
individual employee may have far-reaching consequences for a company,
but when damage is inflicted by senior management, the effects may
be devastating. Thus, it is important to get top managers to endorse
the adopted information security solutions whole-heartedly, which
involves not only being motivated to follow security principles, but
also accepting the responsibilities that go with the highest positions.
As its starting-off point, this paper takes the international standard
ISO 17799  However, as we are dealing with a serious issue, standards
are not sufficient, we must advance from a discussion on standards
to a change in culture .
Day to day business
Business life tends to value ease-of-use more than security. A change
of behaviour occurs often only after a serious mishap, although only
part of the damage may be expressed directly in terms of money.
The prevailing view seems to be that information security produces
costs, not profit. Unless we change our way of thinking, we will soon
find that the cost of doing nothing is even higher. As indicated by
our survey, there are great deficiences in the management of information
security, particularly as regards the commitment of senior managers.
To remedy this situation, we must find the means of gaining this commitment,
before some hostile party forces the change.
As a rule, information security management is seen from the viewpoint
of large corporations. In today's world, however, we must become cognizant
of the fact that business is based on networking. Even giant corporations
are not islands, they are connected with other, smaller companies
through subcontracting and outsourcing, for instance. As a result,
negligence in the management of information security, even when it
occurs several nodes down from some large corporation, may nevertheless
affect it through the network. Commitment to information security
is therefore of utmost importance for the entire network. By their
commitment, corporate managers help pave the way towards the information
Commitment of senior executives
Ultimate responsibility for managing information security is borne
by corporate management, which provides the resources and sets the
requirements on the basis of which the IT security manager promotes
and coordinates security activities. A lively discussion has been
going on for some time now on the commitment of senior management
to information security.
The objects and activities of information security must be in line
with the organization's business objectives and the requirements imposed
by them. Senior management must take charge of this and provide visible
support and show real commitment. To do this, they have to understand
the seriousness of the threat that information risks pose to corporate
assets. Further, they need to ensure that middle management and other
staff fully grasp the importance of the issue. The organization's
information security policy and objectives must be known by corporate
employees as well as by external partners.
Information security policy represents the position of senior management
toward information security, and sets the tone for the entire organization.
It is recommended that coordinating the organization's information
security policy should be the responsibility of some member of top
Encouragement should be given to the extensive application of information
security within the organization and among its stakeholder groups
to make certain that problems are dealt with in an efficient and regular
manner. When necessary, external professional assistance should be
sought to keep abreast of advances, standards and values in the field.
At the same time, this enables establishing forms of collaboration
for potential security breaches.
The key component of information security work is the visible support
and engagement of senior management. In practical terms, this commitment
involves allocating necessary funding to information security work
and responding without delay to new situations. Nevertheless, swelling
the size of the information security organization is unwise, for a
small organization is often more flexible and faster on the draw.
A better alternative to enlarging security staff is to enhance information
security skills and knowledge at all levels of the organization, because
that is where the actual work processes are.
Yet another way of showing management commitment is participation
in a range of information security-related events, which serves to
underline the importance attached to the topic.
Evidence supplied by surveys
We became aware of the sensitive nature of the topic, when several
reports were published highlighting the commitment of senior management
to corporate information security solutions. Of particular interest
was the report stating that the commitment level among Finnish managers
was slightly above 20 percent. This finding provided a good starting
point for a national discussion. When the result was explained to
a groups of Austrian researchers, they congratulated us on the high
percentage rate. This was a little confusing, as the title of the
original paper declared that information security does not interest
corporate management. Moreover, the paper went on to point out that
only two managers out of ten have realized that information security
is of strategic value to their company. And yet this survey involved
50 companies among the top 500 businesses listed by Talouselämä
magazine. The crucial question was: how is this result to be understood
and evaluated objectively.
One central issue identified by the survey was that merely 11 of
the 50 largest companies had an information systems manager or a corresponding
person in the management team. This is a far cry from showing commitment,
and is undoubtedly reflected in corporate attitudes and practices.
Thus, the sentiments implied in the title of the paper, information
security does not interest corporate management, describe the situation
spot on, because smaller companies display even less commitment.
At around the same time, we conducted a survey in a Northern Finnish
company with 500 employees. It turned out that all members of the
fairly large management team as well as key personnel were well-versed
in information security and its attendant risks. Yet, although they
were motivated to deepen their knowledge and hone their skills, we
were left wondering, whether they had internalized their own roles
in the management of information security .
What does commitment to security work entail? A key factor is enthusiasm,
"getting personally involved", believing in what you are
doing. Another important factor is providing resources for the work.
Everyone must also know who is responsible for taking decisions and
directing activities. On this road, the first step involves motivation
and gaining an understanding of information security. Obtaining funding
serves to anticipate future needs and has far-reaching consequences,
but training staff and winning their support are equally important.
At the management team level, the delicate issue of authority and
responsibility often leads to conflict. Authority should be exercised
in a manner that promotes performance even under difficult circumstances.
Responsibilities stand in relief when things go wrong and a mishap
occurs. Authority and responsibilities are also necessary during the
following recovery period, and should be considered in advance.
Most information security breaches and violations take place within
the organization, by its own staff, who are involved either wittingly
or unwittingly. Incidents of this type show how important it is that
the person charged with coordinating information security really has
the support of the senior management and act with their authorization.
Although it may be disconcerting, action must be taken to prevent
insider abuse before anything serious happens.
Information security awareness programmes
Success in information security management, as stated in the ISO/IEC
17799 standard , demands two things: commitment of senior management
and provision of information security awareness programmes to all
staff. The contents of such a programme were outlined already in earlier
An information security awareness programme may incorporate at least
the following topics:
- Factors that influence organizational information security policy
together with such extensions to the policy, guidelines, directives
and risk management strategy that enable a deeper understanding of
risks and security measures
- Implementing the information security programme/plan and verifying
the effects of security measures
- Basic data protection requirements
- A classification scheme for protection of information
- A reporting procedures for information security breaches, attempts
thereof and investigation of such breaches
- The significance of security extensions to end users and the entire
- Work procedures, responsibilities and job descriptions
- Security audits and checks
- Managing activities and organizational structures
- Explaining effects of unauthorized activities
There are several avenues of obtaining guidelines on information
security training. It may be confusing for some employees that they
receive security-related information from several sources or through
many different channels. In larger organizations, the implementation
of information security programmes is coordinated by the IT security
manager. Nevertheless, these awareness programmes are invariably the
responsibility of senior management in order to integrate the approach
with the genuine business needs.
Promoting a culture of security
An approach that considers the best interests of all participants
and the characteristics of information systems, networks and associated
services can be both efficient and secure .
The OECD approach comprises nine principles that deal with awareness,
responsibility, response, ethics, democracy, risk assessment, security
design and implementation, security management and reassesment: "Security
management should be based on risk assessment and should be dynamic,
encompassing all levels of participants' activities and all aspects
of their operations. It should include forward-looking responses to
emerging threats and address prevention, detection and response to
incidents, systems recovery, ongoing maintenance, review and audit.
Information system and network security policies, practices, measures
and procedures should be coordinated and integrated to create a coherent
system of security. The requirements of security management depend
upon the level of involvement, the role of the participant, the risk
involved and system requirements." .
In addition, the OECD guidelines state that fostering a culture of
security requires both leadership and extensive participation. Security
design and management should be an important element in corporate
management, and all participants must appreciate the value of security.
The principles set up by the OECD form a foundation for promoting
a culture of security across the society. All participants must assimilate
and promote this culture as a way of thinking about, assessing and
implementing information systems and networks.
Organizations are exhorted to adopt a proactive approach to information
security. Business is likely to suffer if senior management has insufficient
knowledge of security. This state of affairs poses a severe threat
not only to the organization's reputation, but to its entire business
This paper seeks to emphasize the role of senior management in the
creation of organizational culture of security. A solution that is
custom-tailored to a particular organization is only applicable to
that organization. This raises the issue of how general principles
and standards could be utilized to create an approach to information
security and security management that is adaptable to different organizations
with certain adjustments. This leads us to propose that the starting
point for an information security awareness model designed for senior
management should incorporate the following aspects:
- Senior management must understand their own roles as business leaders.
A better grasp of information security in fact facilitates their work,
as it enables them to set policy objectives and take a leading role
also in security
- Senior management should define what the critical assets are that
must be protected. For that, they need to have a basic understanding
of information classification
- Senior management must pledge a holistic commitment to information
security, manifested, for example, by active participation in business
In this paper, we have discussed one of the most remarkable practical-level
problems of information security management in organizations: the
lack of senior management commitment to information security.
This problem is difficult to solve because many professionals think
that it is not a good idea to "teach" their managers, or
"preach" to them. However, if the information security awareness
of senior management of a company is at too low level, the consequences
might be very dramatic to the business of the company. Products -
goods and services - with poor information security solutions can
be very easily voted out of the market by consumers. In addition,
co-operation partners can vanish after they realize that a company
is not paying enough attention to its information security management
and the key persons - the senior management is not committed.
 ISO/IEC 17799:2005. "Information Technology - Security
Techniques - Code of Practice for Information Security Management",
ISO, Geneve. (2005).
 ISO/IEC 27001:2005. "Information Technology - Security Techniques
- Information Security Management Systems - Requirements", ISO,
 Heikkinen, I., Ramet, T., "E-Learning as a Part of Information
Security Education Development from Organisational Point of View".
Oulu University, Oulu, Finland., In Finnish (2004).
 Kajava, J., "Critical Success Factors in Information Security
Management in Organizations: The Commitment of Senior Management and
the Information Security Awareness Programme" (Abstract in English).
Hallinnon tutkimus - Administrative Studies, Volume 22, Number 1,
 Lempinen H., "Security Model as a Part of the Strategy of
a Private Hospital" (In Finnish), University of Oulu, Finland.
 OECD, "OECD Guidelines for the Security of Information Systems
and Networks - Towards a Culture of Security", OECD Publications,
Paris, France, 29 p. (2002).
[This text is based on a paper of Jorma Kajava, Juhani Anttila, Rauno
Varonen, Reijo Savola and Juha Röning presented at the CIS2006
conference in Guangzhou, China in 2006]