Nov 29, 2014

Information increases security

The complexity and connectivity of ICT systems are increasing faster than ever. New technology innovations are born frequently and IT is embedded in all imaginable things. This fast-paced change guarantees that there will be plenty of information security challenges. No one person can master the whole huge information security field. Being "an information security expert" is as impossible as being "an Internet expert". An information security professional can be either a generalist, who has a wide understanding of the field, or a specialist, who has deep knowledge of one or two specific areas.

The flood of information is a challenge. There is so much to read, watch and learn. Self-motivated learning is a must for information security professionals. I strongly believe in Friedman's formula CQ + PQ > IQ, which says that curiosity and passion are more important for professionals than intelligence.

I recommend Twitter to all colleagues who want to keep themselves on the pulse of the information flow. Books, magazines, blogs and research papers are good sources for getting a deeper understanding of selected information security topics. Network with your colleagues to share practical experiences - what works and what doesn't. Conversations with fellow experts are also good therapy - it's soothing to know that everyone has the same challenges with their information security programs and practices. Nowadays many seminars are mostly good for networking rather than actually learning something new.

When you are experienced enough and feel that information security talks and challenges start to be the same old stuff over and over again, it's time to broaden your horizons. For example, a better understanding of risk management, business management and behavioral economics will give you tools for applying your information security skills in new and innovative ways. I have found Coursera online courses to be valuable learning tools.

It's said that the more you learn the better you understand how little you know. In other words, if you think you already master information security, you are still a novice.

A Finnish version of this text is available here.

Feb 2, 2014

How to convince the board to accept information security investment?

In recent years I've been involved in some information security research projects led by a Finnish university. One of these projects studied what makes an executive board accept a security investment proposal. Professor Mikko Siponen, who is responsible for this research, has given a couple of public presentations explaining the findings. Mikko was ranked the best European Information Systems researcher in 2011 and 2012 (world #29) by the Association for Information Systems.

Since there's no public version available in English, I summarize here the main points of the research findings.

Earlier research on information security investments is based on the following assumptions:

  • decision makers can assess risks neutrally
  • decision makers are able to make rational decisions based on complex calculations
  • investment has a linear effect on risks
  • all relevant information is available
  • decision makers know all the possible choices
  • decision makers always try to maximize net profits

In reality, these assumptions do not hold:

  • information is asymmetric and incomplete
  • some information is subjective (opinions) or guesses
  • adversaries may have other goals than maximising profit
  • calculations require simplified models

The research:

  • a questionnaire was sent to the 690 biggest Finnish businesses
  • 134 answers, mostly from CEOs and Executive Vice Presidents, and some from CIOs
  • the questions were information security investment scenarios, and the respondents were asked for their decision
  • each person got five scenarios, which were randomly selected from 162 different scenarios
  • scenarios had elements like: negative vs. positive presentation approach, likelihood and possible impact of the security threat, cost of mitigation/countermeasures (security investment)

The goal was to study decision making styles (rational vs. emotional) and persuasion methods.

Findings from the study:

  • in general, persons who respond to emotional arguments tend to support an investment proposal presented in a negative manner (e.g. emphasizing threats, losses)
  • in general, persons who respond to rational/factual arguments tend to support an investment proposal presented in a positive manner (e.g. emphasizing benefits)
  • increasing the likelihood and severity of the threat had a positive, linear effect on the investment decision
  • increasing the cost of the investment linearly decreased the willingness to invest
  • an investment proposal presented using negative language (threats) is more likely to be accepted than a proposal emphasizing positive outcomes
  • even investments meant to tackle low-level threats are not so easily rejected when presented in a negative manner
  • information security investment is a complicated process whose success factors are rarely understood by any individual alone
  • ROI and ROSI do not play any significant role in information security investment decisions
  • CISO must get allies from different levels of the organization
  • CISO needs to understand both the management view and the "regular" staff view
  • CISO's communications skills and personal relationships to other players are very important
  • a justified need for the information security investment coming from the organization helps to get the investment accepted
  • one key challenge is that the need for the information security investment is usually crystal clear for the CISO, but it's not so for the management and the staff
  • clear organizational responsibilities are important
  • in general, staff support for the information security solution (investment) and the solution's usability, suitability to current processes and social acceptance are more important factors than the strength/quality of the solution or ROI/ROSI calculations

I hope I managed to catch the core points of the research. I can't give more background information or justifications for the results since I'm not the researcher :-) It's easy for me to agree with the results, though.