HIMIS (Human impact management for information security)
HIMIS (Human impact management for information security) is a methodology for managing the human (people) aspect of information security viz. awareness and behaviour.
The objective of HIMIS is to reduce information security risks that occur due to human mistakes. To mitigate these risks, HIMIS views and manages the human aspects of information security through two distinct but interdependent components viz.
To reduce these risks, HIMIS views and manages the human aspects of information security through two distinct but interdependent components viz.
1) Awareness: To know
2) Behaviour: To do (to react)
The ultimate goal of any information security manager managing an ISMS is to have the people under the system to be “aware” about protecting business information and to “behave” in a responsible manner while handling business information and ensure it’s protection.
The problem statement
The current problems in managing the human factor in information security are:
1. “Awareness” is not “behaviour”, but the distinction is not clearly understood: Awareness and behaviour are not the same, though they are interdependent. It is possible that a person may be aware of but may not behave appropriately. An excellent real-life example is how drivers break traffic rules. They may be mindful of the traffic rules, but they still break it due to various reasons.
2. High awareness does not mean lesser risks: By achieving high levels of information security awareness, it is not necessary that the information security risks have reduced. However, information security practitioners often stop at “awareness” and do not view “awareness” as the firsts step towards creating “better” behaviour nor do they measure whether awareness has helped in creating better behaviour.
3. Information security awareness and behaviour management are not well defined: Though information security practitioners understand that the “people” aspect of information security is essential, currently there exists no formal framework for guiding the management of the human factor in information security. By framework, it is intended to be a process for identifying the business reasons for information security awareness and responsible information security behaviour, strategy guidance, delivery guidance and a verification process to check whether awareness has increased and behaviour has improved.
The HIMIS approach and solution
HIMIS provides a solution for managing human risks to information security. The HIMIS approach is,
1. To reduce information security risks due to people mistakes, first people must be made aware of the importance of information security and good information security practices
2. Next, people must practice (behaviour) what they know (awareness). Information security behaviour will change through motivation, enforcement or corrective strategies implemented by the organizations’ management.
3. There must be a continuous process to introduce new awareness and behaviour requirements and spread it in the organization. Existing awareness and behaviour requirements may have to be optimized.
To execute the HIMIS approach, HIMIS provides a method for,
1. Identifying and creating information security awareness and behaviour requirements and linking them to business goals
2. This information security awareness and behaviour requirements are classified into ESPs(Expected Security Practices). Each ESP has an “awareness” component and a “behaviour” component. For example,
a. Logical access control is an example of ESP
b. The “awareness” component of this ESP is “passwords must not be shared in any form.”
c. The “behaviour” component of this ESP is “the user does not share password under duress or does not write it anywhere.”
3. Building a strategy for implementing these ESP’s through awareness creation
and behaviour modification strategies for the target workforce
4. Delivering these strategies to the target workforce
5. Measuring the effectiveness of the program through audits (ESP audits) that check the increase in awareness and change in behaviour
6. Correcting and improving the program based on the audit findings
HIMIS methodology stresses that the real reward of a well-planned awareness campaign is a positive change in behaviour.