|
Juhani
Anttila
HASTE IN KNOWLEDGE-INTENSIVE WORK: A MAJOR THREAT TO INFORMATION SECURITY MANAGEMENT IN BUSINESS ENVIRONMENTS Abstract Information security is a comprehensive and specialized discipline and related to many different topics of business and science. In this framework, this paper focuses on the role and behavior of business leaders in the hectic modern business environments in realizing and practicing business-related information security management. One of the most obvious characteristics of our modern society and all kinds of organizational activities is an immense haste. This is a major threat to organizations’ performance including information security. The aim of the paper is mainly practical to bring forward problems and challenges of today’s business environments in order to help organizations and their leaders avoid or repeat pitfalls. Topics presented are new breakthrough issues compared to typical current organizational applications and researches in the field information security management. The paper may also be seen as a source of ideas for interesting and significant future research topics. The situational knowledge for the paper is based on observations by the authors. The paper provides viewpoints of industrial practitioner and university researcher knowing by experience real difficulties and possibilities. Also recognized researchers have been referred for linking to statistical data, and sound knowledge from different cross-scientific sources has been combined from the information security point of view. Introduction Work has much become as a race against the clock in our organizations. You come to work at eight in the morning and easily find yourself going till ten same evening. Even then you only finish the most urgent, absolutely essential jobs. And it does not stop there. You tuck a laptop under your arm on the way out the door and keep on working at home till two in the morning. Weekends are typically more of the same. Additionally, many of us are actively networked with international partners around the world in different time zones and that has impacts to our working schedules and rhythm. This makes us study of the price of our race against time [4] and particularly in this paper in the context of organizational information security management. Time pressures cause many dangers and problems in the work of business leaders and employees. Obviously haste is also a major cause for business crises and conflicts. Many researches have proved that human resources are causes to serious risks towards information security in organizations [3]. Therefore haste should be taken explicitly into account in the context of organizational information security management. In this paper we consider particularly hasty business leaders’ behavior and its impacts on practical managerial activities for information security. Time, speed and agility are also necessary and positive factors of our businesses and lives in the modern society [10, 24]. These aspects are, however, not considered in details in this paper. Time pressures in information security management Information security is related to many different topics of business and science (see figure 1). All these aspects should be taken adequately into account also in practical organizational situations in order to consider management of informatio security comprehensively. Fig. 1. comprehesive approach to information security and its management. Behavior models and memes (learned cultural items in brains) [8] of people have an essential position in the organizational realization of information security management. Time pressure and haste are related to the behavior of business leaders and also other organizational members. Implementation of information security forms an integral part in all business activities, management activities in particular, both on the strategic and operational management level. Thus, we speak of integrated information security management. An organization with superior information security knowledge in practice has a great advantage over the competition, a lead that is difficult to close. To achieve this, information security requires a professional approach in business management and effective cooperation between security experts and business executives. Information security management belongs squarely to business leaders’ personal responsibility. They cannot delegate that responsibility to others [3], and their actions are controlled by their rational, emotional, and spiritual basis [31]. Particularly at managerial level emotional and spiritual aspects are often are beeing emphasized. Mental and spiritual aspects control business leaders’ behavior Neither technological nor software-based security measures are sufficient as such [12, 13]. It is hardly likely that information security could be accomplished by means of separate information security systems. These might in fact cause more harm than benefit. Business management systems have no room for such systems; all business activities must be directly flavored by appropriate professional information security measures. An important element in the diagram of figure 1 is the area of human aspects that influence operations of business processes and actions of business leaders, and the business performance in organizations at large. All information security measures – including policy-related, organizational, and technical issues – are strongly based on the understanding, commitment, and decisions of business leaders of an organization. Business leaders’ and managers’ inherent behavior model has influence on their commitment and decisions within their organizations’ business processes. Especially business leaders’ role is essential in strategic management to formulate, implement and evaluate organization-wide and cross-functional decisions that will enable the organization to achieve its overall objectives. Information security management decisions in organizations are always cross-functional. At operational level, daily business duties and routines are being done by employees within operational business processes. Still very often information security has not yet been taken explicitly into account within organizations’ normal operational management systems [12, 13]. Human behavior models in organizations exist as memes [8] in the minds of people including both business leaders and employees. Memes are learned cultural items, such as cultural practices or ideas in human mind including thoughts, beliefs, theories, gestures, practices, fashions, habits, and values or patterns of behavior. Meme is a rather new concept and its exact definition is still vague. The word is originated from the Greek mimeisthai meaning imitate and copy. Memes may describe methods or procedures for doing something, and their practical effectiveness is apparently most important. Memes propagate themselves and can move through the cultural sociosphere, a system of people action on the social level. Memes are viral and are transferred from one individual to another, and subjected to mutation, crossover and adaptation. Information security culture [23] of organizations and societies depends on its members and their interactions. Learning takes place principally by collaborative cooperation in practice [5]. Also positioning towards time pressure and haste depends on organizational culture although also individual human behavioral aspects have a great influence. Meme items have property of being true or false, or partly true and partly false on the basis of their correspondence with the reality outside the human mind. In business context this may be useful or injurious. Behavior is mostly rational, but often appearance and survival of memes depend also on non-rational factors. Information security factors are very complicated and often felt abstract by nature. Therefore non-rational considerations are easily influencing latently in decisions. An immense haste is one of the most obvious characteristics of our modern society and all kinds of organizational activities. It is also a major threat to organizations’ performance including information security. Particularly hurry human behaviors are influenced spontaneously by memes without the control of general or contextual rational reflection. Haste has also impact on the propagation of memes in communities. The “Time scissors” dilemma and its concequence Seghezzi [26] has illustrated the development of human actions – particularly in management – in terms of “Time Scissors” (figure 2). He brought to light an essential perspective on reasons why we are always in a hurry. This is because of working life and, in particular, the context, in which organizations and their management operate have become more complex. The amount of time factually required for a certain act of management has increased significantly during the recent decades, because the equipment, systems and phenomena involved have become much more complex. By the same token, the amount of time that a person has for one task of management has become shorter, as there is a lot more that one has to get done in the course of a day.
Fig. 2. The Time Scissors dilemma of time needed and time available by business leaders. Shortness of time (human resource) is a challenge and risk for organization’ business performances and success. Business leaders have not time enough to think and use necessary information and profound knowledge in their decisions. In dealing with the limits of human performance Niemi [21] made the point that people’s mental performance and ability to work often crumble when things get complicated, as this also means great uncertainty. Information security is a clear example about how complex an important management domain may be. Information security today deals with multi-disciplinary aspects like financial, legal, quality, social responsibility, human resource, etc. Events related to information security problems and breaches are mostly singular and unexpected. Business environments have changed from orderly and predictable to disorderly and unpredictable. Circumstances organizations find themselves operating in today seem complicated and chaotic. According to Stacey [30], the business processes in today’s organizations are “complex responsive processes of relating”. Such processes evolve over time, driven by their own internal, nonlinear dynamics. Complex processes cannot be controlled by human intervention in a meaningful sense, and they evolve in unpredictable ways. Understanding the parts of complex processes will not lead to an understanding of the whole. While the interaction of the process activities appears chaotic, complex processes, however, generate observable and to some extent predictable patterns. Responsible business leaders should be capable to recognize these patterns by self-organization. Business processes are the most essential area of information security management in all organizations [2]. Not only have business-integrated information security phenomena become more complex and “multidisciplinary”, and communication more difficult. Our language is imprecise and it seems that experts from different disciplines find it almost impossible to understand one another. We will not even mention the prospect of general managers in organizations understanding highly specialized security experts. What often happens in such situations is the development of distinct specialized management systems, e.g. information security management systems, quality management systems, etc. by different experts. Procedural guidelines and even contracts end up being superficial or established and maintained only by experts. E.g. business leaders are not fulfilling effectively requirements of significant information security standards in their normal managing activities [3, 12]. They have no time to go into specialized matters in any depth enough. This induces, that business leaders Modern business teachings emphasize the requirements of agility and flexibility. Agility Manifesto [1] says: Agility is contradictory to many other fundamental requirement of business management based on maturity: Maturity is justified by the needs of ensuring and conducting business in a consistent and systematic way. Both stagnant maturity and hasty agility are dangerous in information security management. Agility-maturity paradox is a challenge to business leaders to be positively busy but not negatively hasty. Today’s recognized references of information security management don’t take properly into account the requirements of modern business environments [3]. Information security practices principally follow maturity principles [15]. It is a challenge to information security experts and researchers to develop new methodologies for information security management based on business models and scenarios of modern and future business environments [28]. There are already some weak signals to this direction in the field of quality management that is very analogical to the information security management [10]. Knowledge-intensive work in haste Successful management of organizations is based on right foundation and body of business related information and knowledge, and management skills to use the right knowledge on time effectively and efficiently for the current business needs [8]. Business leaders also need in their daily tasks a lot of very specialized knowledge and information. An important part of daily business communications takes place in many various meetings. As one respected consultant we know put it, “if I want to provide my clients with the most effective and highest quality service possible, I can only set up four face-to-face meetings a week”. However, if we look at what our officials and decision-makers do in the course of a day, all we see is that they are running from one meeting to another. For many workers and managers, meetings have become a permanent handicap and for those who arrange meetings, they have become a ritual forum for performance. Constant meetings seem to be a way to control business situations and change without actually having to change anything - or at least without having to be personally responsible for the outcome. Non-stop and weakly managed meetings do not show efficiency as much as they show a lack of vision that is risky and detrimental also from information security management point of view. In many fields work pressures have become unbearable and recovering from them requires more time. This is often still combined with pressures of leisure time. According to time-usage researches, people have enjoyed more leisure time in the last twenty years [16, 27]. However, as the proportion of people other than workers in the population has increased – including students and pensioners – the leisure time of 18 to 64 aged people has factually declined. Previously, the well educated had more free time than those with less education. Today, those with education and responsible position work longer days than anyone else and have the least free time. Although statistics show that the amount of time spent in working per year has decreased, the total working time of those of working age has increased. Salaried work, work done at home, and work-like activities have become confounded. Highly educated workers do more things simultaneously than others and all this work is very information/knowledge intensive. Attitudes towards time have changed. People have started talking more and more about being busy. It has become a measure of success and is often a blanket excuse that one can invoke with pride. People work long days, because their work is interesting but also because long working days have a high status today. One obvious reason why people do not have enough time to do their jobs is that there are not enough of them in workplace for the work that has to be done. This has often been explained by productivity reasons and downsizing activities. E.g. many organizations have downsized their information security resources and as a result also active development of information security solutions for their particular business-dedicated needs resulting easily in more inefficient general standard-solutions. Also the other negative aspects of working life – uncertainty and unanticipated changes – have increased, and middle management in particular is suffering more than most from stress-related symptoms and a fear of work exhaustion. Our constant rush is the product of modern society. It is often the outcome of faster transmission of information, necessity of updated and correct information, increased formal business requirements for assurance by customers, business partners or authorities, a more exact measurement of time and timetables, and increased competition. Even unsuitable or inappropriate security solutions or restrictions may add time pressure and work frustration, e.g. due to their insufficient business-integrated development and implementation. More detailed timetables have increased feelings of urgency in that more exact deadlines are set for objectives. One is more easily aware of delays and missed deadlines. When we are pressed for time, we look for ways to use the time available more efficiently; we do things faster, replace a time-consuming activity with one that we can complete faster, do many things simultaneously, or set up a tight schedule for getting things done. These measures often only lead to superficiality and a feeling of still greater urgency, and to life becoming even more constrained. Many workers are caught in the squeeze of knowledge work. Information technology has not solved problems. Due to excessive information flood, “info bloat”, we cannot concentrate on our work proper. Research has shown that office workers typically have less than fifteen minutes of uninterrupted working time. Interruptions place stress on the brain. One gets the feeling that one never has the chance to finish anything properly. [27] In order to manage blurry information and knowledge content situations, organizations have invested in IT (Information Technology) solutions. However, development and use of IT solutions has very often been problematic in practice. During the past years nearly every new application and idea created by IT industry has made the jobs of people more complex and difficult for them, rather than simplified their duties [7]. Corporate-wide systems are complex and typically designed for a specific purpose and function, and IT departments have deployed many different and often unrelated applications and modules to fulfill the information and processing needs of the entire organization. Corporate intranets were originally designed and implemented to meet the needs for shared information across the organization. As intranet sites grew larger, a new set of problems created chaotic situations with information access, information maintenance, knowledge-sharing, and security. An incredible amount of training time was needed for employees to learn how use such a complex suite of applications. Organizations have also carried out formal training and education programs of information security for leaders and employees. However, in that kind of programs people can learn only the basics but the real awareness and skills of information security may be achieved only by informal learning in real working and collaborative environments [5]. Genuine awareness is, however, a necessity because information security cannot be achieved in practice by following instructions or handbooks. Particularly this is situation within business leaders. It is not their practice to act by following formal documented procedures. Haste-based exhaustion, burnout, conflicts and superficiality in business management Often underlying work exhaustion there are excessive quantitative and qualitative demands of a job. If these demands constantly exceed a person’s resources, the resulting stress can lead to serious exhaustion. The person experiences general and long-term fatigue, and this feeling does not go away even during leisure time. Those who are susceptible to work exhaustion are often hard working and very committed to their work, frequently demanding more of themselves and taking on too much responsibility. An exhausted worker takes a cynical attitude towards his or her work and it ceases to be enjoyable or sensible. These workers’ professional esteem is eroded and they begin to fear that they can no longer cope with their work. This feeling increases dissatisfaction, anxiety and various physical ailments. People’s personal relationships also suffer. Night work causes shortage of sleep and tiredness. One night without proper sleep corresponds to a serious state of drunkenness. Alcoholic itself is also often involved with the work exhaustion. All these aspects may have serious negative impacts on information security, too, and even lead to information crimes. [16, 27] Shortage of time is an individual human issue. If one feels shortage of time that may cause depending on the person and situation stress, work pressure, harassment or oppression. Burn out is a debilitating psychological condition brought about by unrelieved work stress, resulting in: Burnout cases may be characterized and evaluated in more details among organizations, teams and individuals by using Bergen Burnout Indicator [22]. Results may be used for the development of working practices and managerial procedures and taken into account in evaluating organization-internal potential risks and threats of information security. When people are continuously in hurry, their rational basis begins to crumble and they begin to rely on emotions and intuition [11, 18]. This entails a risk that conflicts of interest between people will emerge at work and they will no longer enjoy what they are doing there. This in turn brings risks that work will fail or that problems and dangerous situations will crop up. A lack of time and frustration may be seen as major reasons for information security problems and also more general security management problems, too. When there is not enough time to do things right, also accidents may happen. Very often the cause of such situations is noted as a human error but in practice human errors often take place due to people being in a hurry. Conflict situations are those in which the concerns or interests of people appear to be incompatible. In conflicts, an individual's behavior can be described along assertiveness (extent to which the person attempts to satisfy his own concerns) and cooperativeness (extent to which the person attempts to satisfy the other person's concerns). Broadly used assessment tool for understanding how different conflict-handling modes affect interpersonal and group dynamics and respond to conflict situations is Kilmann Conflict Mode Instrument that characterizes five behavior modes: Competing, accommodating, avoiding, collaborating and compromising [17]. Only collaboration may be useful for striving for an excellent information security. Lack of time also causes a business to lose its identity and organizational privacy. That is really a large scale threat for organizational information security. What is more, there is no time for innovation either; the sources of innovation dry up. According to Deming [9], one requirement for doing business successfully is a profound knowledge of the company’s total operations in its business environment, of the actors involved, of how things fluctuate, and of changes and developments. Without this, the natural day-to-day operations of a company will be disrupted. In the context of information security, this includes reflecting and understanding general situations and trends [e.g. 25], and possibilities and means for countermeasures and prevention. Today it is typical that organizations have not enough time to think entrepreneurial activity in its all necessary viewpoints. Business leaders in particular, however, require deep know-how and knowledge in many specialized areas, e.g., finance, technology, security, quality, and human resources development. The situation may be quite similar in all types of organizations including big and small organizations and private companies, civil service public organizations and third sector not-for-profit organizations. If a business does not have the time to develop a profound understanding of these matters and their underlying bases, it will drift into inefficient and even negative development where management is concerned. What typically happens is that things are a) limited only to immediate bug fixes and cures of symptoms, b) done superficially or by buying the services of dubious outside “experts” or c) allowed to drift, and everyone is quiet and hopes nothing bad will happen [3]. We can very easily recognize this kind of phenomena in organizations’ information security management. These phenomena demonstrate business crises in organizations. Typically crisis relates to Crises and conflicts are always in human minds not in organizations. Crises may be seen as turning points leading to a decisive change. Crisis is a stage in a sequence of events at which the trend of future events - especially for better or for worse - is determined. Decision making is a core issue in business crisis management. In fact, the word crisis originates from Greek krísis meaning decision. One type of decision is also if one leaves undone a decision, e.g. due to haste. Often due to haste and conflicts business situation develops to worse. Business crises are strongly information and knowledge related situations. Can we control time pressures in work? Obviously many persons at the highest levels of productivity and accomplishment seem to be very busy but not hasty. They have work attitudes, habits, techniques and insights that can be observed. How could we learn from this “knowledge”? Many of those individuals recognized time as an important issue in their business and life. We have examples [6, 24]: A key issue among those examples is awareness, which is the basis for self-management. That includes: Information security management is always seamlessly integrated with top business leaders’ general managerial behavior. It cannot be extracted as a separate issue. Conclusion It seems that there must be some progress made where time pressure is concerned, at least in business and management. We can only win the race against the clock through an entirely different behavioral model. Zohar [31] submits that in order to really have time to act under time pressure, one must, paradoxically, stop. Idea is not any new one but it was included already in old Eastern wisdoms, as e.g. in LaoTsu’s well-known poem number 26 [19]. This gives a person time to think and understand the situation as a whole. This creates possibilities for continual fact-based and rational problem elimination and proactive breakthrough improvements by using systematic managerial principles and tools [29]. This is also essential for developing a business-integrated organizational information security culture [23], organizational and individual security awareness [3], creating organization-wide information security infrastructure, and application of proven professional, effective and efficient information security management practices [12, 14]. The very basis of the work of organizations is thinking the actors involved and their collective mental system. The foundation of organizational systemic capacity is that there is time. This capacity is a necessity to create appropriate organizational mental models and systems, as well as the collective memory of the entire organization. It also makes it possible to understand the new challenging non-linear time concept kairos in addition to the traditional physical time khronos [20, 29] for radical business transformations that are necessary in managing business performance and in that context also information security’s all aspects including information availability, integrity and confidentiality in today’s suddently changing business environments. References 1. Agile Alliance. (2001). Manifesto for Agile Software Development [This text has been presented in Fukuoka, Japan in 2009 (ARES2009)] |
|
|
|
|
|
