Serious About Security

Survey tool helps protect a company’s information assets by asking employees what they think about cyber safeguards.

By CHRYSTAL HOUSTON

How secure is your company’s information about customers, accounts and product plans? The answer may depend more on your employees’ opinions about cybersecurity than on your security program, according to researchers at the Mays Business School.

High-profile cases such as those involving TD Ameritrade and ChoicePoint, where tens of thousands of customer records were lost, have made senior managers painfully aware of the need to protect corporate information assets.

Despite the best security policies and software upgrades, however, a company’s information assets are only as secure as the least dependable employee, the researchers say. One careless, vengeful or unethical employee could cause a devastating security breach.

Employees are more likely to comply with security safeguards if the company creates an environment of security, says Dwayne Whitten, clinical assistant professor of information and operations management at Mays Business School.

The best place for a company to start is by taking stock of the overall attitudes of employees regarding security: Do they believe security rules are essential safeguards or mere guidelines?

Whitten and colleagues have developed a survey instrument that gauges an organization’s information security climate by exploring employee opinions.

The survey measures five factors: employee commitment to security procedures, organizational involvement, strategic importance of security, employee accountability, and organizational accountability.

Once managers determine the baseline of the security climate, they can begin improving employee attitudes through training.

Whitten suggests redistributing the survey after a security initiative to measure gains.

“Especially in the financial and health industries, addressing potential compliance issues before a breach of security is a vital effort,” says Whitten, who notes that the average loss per security event is $200,000.

Bank of America estimates that a security breach that compromised their network could cost $50 million per day. With so much on the line, Whitten says, companies must assess the corporate security climate to understand and mitigate risks.
