Some will argue that human nature is complex by default. Behaviour is a state that can be influenced by numerous factors such as experience, emotions, family and friends, regulations, personal life, and the list goes on. A question therefore arises: how can we control human behaviour in information security? Everything is a matter of management.

At this point, the practical challenge is how to organise and run an efficient information security approach or programme that is persistent and offers high-grade protection, and in turn how to reap the benefits of this system without anyone getting harmed. The answer lies in risk management. As in every situation that progresses, security evolves, and this evolution entails risks. In this respect, human behaviour can be determined and influenced by utilising risk practices to avoid information security risks, namely risks to confidentiality, integrity and availability, and to exploit opportunities such as business growth and the protection of personal data.

Easy-to-apply risk management practices involve the identification, analysis and evaluation, and treatment of risks and opportunities. Every organisation that has a worldwide presence and respects competition should possess a risk management team that is accountable for delivering risk values for all risk exposures, such as the employees and partners that affect its operation. Information security risks should be managed within the business context, with the aim of satisfying customer needs such as the protection of personal data.

Every risk situation should have a risk owner who is accountable for the progress of the risk. Decision making is also important, since top management and the risk management team should decide how much security is optimally needed. Undoubtedly, information security and risk management are at the top of executives' concerns, since everyone recognises the fact that we all live and thrive in a world of risk. This implies that everyone should opt to operate, or behave, in a risk-optimised fashion.

Compliance affects human behaviour, especially with the advent of GDPR and cybersecurity regulation, which require monitoring and the dedication of resources to avoid regulatory penalties. From this perspective, monitoring requires security metrics that analyse the situation in real time, improve performance and increase accountability through the collection, analysis and reporting of incidents. Management reports provide the oversight needed to ensure that the risk management team actually implements the measures and addresses the issues raised.

Alexandros Papanikolaou
InnoSec, Greece