CSOB 2Information security managers should look for patterns in how employee groups respond to incidents to better determine communication strategies.Information security within a business depends on more than an organization’s ability to successfully manage incidents on an individual basis. It should include the underlying social dynamics within employee groups, according to researchers from the University of Alabama at Birmingham.

In a joint effort among researchers across the University of Alabama System, a new study looks at why certain employee groups are more capable than others in recognizing and responding to information security incidents in a manner consistent with the organization’s security policies and procedures.

“Information security is a growing concern for most organizations,” said Jack Howard, Ph.D., professor in the UAB Collat School of Business and interim chair of the Department of Management, Information Systems and Quantitative Methods. “Most often, it is looked at on an individual level. By examining how groups of employees react to information security breaches, we are able to find patterns of why one unit is more successful than another.”

The study, published in the Journal of the Association for Information Systems, is the first of its kind to identify the social and ecological properties of an employee group that contribute to an organization’s collective security ability. The success of an organization’s response to a security information incident depends on the response and influence of employee groups, or a collection of individuals working within the same of unit of a larger ecosystem.

An important bridge between individual response and employee group response is how security information is perceived. Most people see security information policies as an organizational problem that is being pushed on them, as opposed to something in which they play an integral role in developing and managing.

Investigators recommend that information security managers understand their organization’s employees and the various groups that are associated with it. Knowing how they interpret information about security incidents and what the expectations for response are can help develop security policies that influence employee behavior in predictable and organizationally consistent ways.

According to the study, the incident response success of an organization depends on the interactive, coordinative and synergistic capabilities of the organization’s employees in the form of employee groups.

“Employees know the policies that are in place, but may not understand their individual roles in information security,” said Paul Di Gangi, associate professor in the UAB Collat School of Business. “If conversations are targeted for employee groups and cater to their understanding of information security, we may see a more efficient response.”

Di Gangi notes that using employee groups to create conversations around information security may enhance the response.

“Although the quality of each individual thread, or employee, has proved to be an important component to security threat mitigation, interlaced threads, or an employee group, may be able to mitigate the weaknesses of a single thread to ensure that the organization responds to security incidents in an appropriate and effective manner,” Di Gangi said.

The study is based on a joint collaboration within the University of Alabama System with faculty at the University of Alabama at Birmingham and University of Alabama business schools. UAB is a National Center of Academic Excellence in Cyber Defense Research, which is designated by the Department of Homeland Security and National Security Agency.