1. Principles of Information System Security: Text and Cases Gurpreet Dhillon PowerPoint Prepared by Youlong Zhuang University of Missouri-Columbia

2. Principles of Information System Security: Text and Cases Chapter Ten Security of Informal Systems in Organizations: An Introduction

3. Copyright 2006 John Wiley & Sons, Inc.10-3 Learning Objectives Understand the concept of pragmatics Interpret of silent messages Explain the results of technology interventions Understand the informal behavior

4. Copyright 2006 John Wiley & Sons, Inc.10-4 Why Is Informal System Important? Informal system is the natural means to sustain the formal system The formal systems cannot work on their own unless people adopt and accept them It is often the softer issues that have had an adverse impact on the security

5. Copyright 2006 John Wiley & Sons, Inc.10-5 What Is Pragmatics? Pragmatics is the term used to describe the context of an activity, the characteristics of the people, and the prevalent acts of communication Context is a set of signs that relate in a certain way A sign is a result of a mental connection between a sign-vehicle and the content

6. Copyright 2006 John Wiley & Sons, Inc.10-6 What Is Pragmatics? (Cont’d) The sign-vehicle could take the form of an expression such as a sound or a word The content relates to the image of what is signified The link between sign-vehicle and the content is arbitrary

7. Copyright 2006 John Wiley & Sons, Inc.10-7 Constituents of Pragmatics, Fig 10.1

8. Copyright 2006 John Wiley & Sons, Inc.10-8 What Is Pragmatics? (Cont’d) There are three particular relations that constitute pragmatics The relation between the sign and a concept It is a causal relationship It means nothing without the context and the culture It is significant impacted by social and psychological factors

9. Copyright 2006 John Wiley & Sons, Inc.10-9 What Is Pragmatics? (Cont’d) The relation between a concept and a referent It is based on the notion that all concepts are grounded in reality The name and image for a particular ‘thing’ is determined by past experience, knowledge, and current context of use

10. Copyright 2006 John Wiley & Sons, Inc.10-10 What Is Pragmatics? (Cont’d) The relation between the sign and the referent It is an indirect relation It is used by someone to stand for a referent An act of communication has been performed

11. Copyright 2006 John Wiley & Sons, Inc.10-11 Nature of IS Security at the Pragmatic Level Communication is one of the main ingredients of pragmatics Culture is shared and can be understood through a range of subtle silent messages Proper attention to the silent messages ensures development of a security culture

12. Copyright 2006 John Wiley & Sons, Inc.10-12 Nature of IS Security at the Pragmatic Level (cont’d) There are four attitudes (silent messages) identified by Stamper 1. The speaker influence listener’s attitude towards the subject being spoken about 2. The speaker tends to cause listener to adjust personal attitude towards the speaker 3. Less consciously the attitude of the listener towards oneself also gets influenced 4. The attitude of the listener towards the message itself

13. Copyright 2006 John Wiley & Sons, Inc.10-13 Four Attitudes Influenced by a Communication, Figure 10.2

14. Copyright 2006 John Wiley & Sons, Inc.10-14 An Example A psychiatric hospital implemented a computer based system to control time allocated and used by nurses for therapy sessions Originally designed to automate duty schedule It was now possible to see a graphical display of the ‘free’ and ‘busy’ times of each staff It did not represent the meanings attributed to various tasks and actions

15. Copyright 2006 John Wiley & Sons, Inc.10-15 An Example (cont’d) The “speaker” is the nursing supervisor The “listener” is the nurse “What is being said” is the task of allocating individual therapy sessions “What is spoken about” is the patient

16. Copyright 2006 John Wiley & Sons, Inc.10-16 An Example (cont’d) 1: The allocation of the therapy session by “Speaker” to the “Listener”, the attitude of “Listener” towards the patient gets influenced. The implications could be rather serious since the “Listener” knows that all activities are being monitored. The content of the therapy session gets influenced as well. This has an impact on the quality of services delivered. Given the criticality of the task at hand, lack of quality is a precursor to possible security breaches.

17. Copyright 2006 John Wiley & Sons, Inc.10-17 An Example (cont’d) 2: The attitude of the “Listener” towards the “Speaker” also gets influenced. The onus of adjusting personal attitude for successful delivery of services resides with the “Listener”. Inability to handle this relationship often results in superior-subordinate conflicts. This also leads to possible creation of disgruntled employees, which is a serious security threat.

18. Copyright 2006 John Wiley & Sons, Inc.10-18 An Example (cont’d) 3: The situation thus created also influences the attitude of the “Listener” towards oneself. This also has serious consequences. Lack of self confidence and morale are particular outcomes. This could potentially have a serious impact on maintaining integrity of the organization.

19. Copyright 2006 John Wiley & Sons, Inc.10-19 An Example (cont’d) 4: The attitude of “Listener” towards the message itself is very interesting in the context of organizational change. The “Speaker”, perhaps unintentionally, but often deliberately may convey some measure of confidence that should be placed in what is said. However, when the “Listener” interprets the message as emerging from the technical system, there are conflicting messages that the “Listener” may draw.

20. Copyright 2006 John Wiley & Sons, Inc.10-20 Another Example An email received by a researcher at a university It clearly illustrates the level of seriousness attached to issues of confidentiality It is a silent message emanated by the organization

21. Copyright 2006 John Wiley & Sons, Inc.10-21 Illustration of Respect for Confidentiality, Fig 10.3

22. Copyright 2006 John Wiley & Sons, Inc.10-22 Technology Enabled Intervention Changes in an organization are usually the starting point for disruptions in an existing security culture Whenever there is a technology enabled intervention, there are silent messages that are emanated that might have implications for the security and integrity of the enterprise

23. Copyright 2006 John Wiley & Sons, Inc.10-23 Typical technology interventions resulting in potential security compromises Table 10.1

24. Copyright 2006 John Wiley & Sons, Inc.10-24 Typical technology interventions resulting in potential security compromises Table 10.1 (Cont’d)

25. Copyright 2006 John Wiley & Sons, Inc.10-25 Informal Behavior Informal behavior is fundamental to describe those characteristics of people, organizations and acts of communication that affect information Management of information systems is the same as the management of communication

26. Copyright 2006 John Wiley & Sons, Inc.10-26 Informal Behavior (cont’d) The management of information system security connotes the management of integrity of communications There is a cause effect relationship between an antagonistic behavior, breakdown in communication and a possible security breach Complete management of security can only be ensured if the informal behavioral aspects of individuals and groups are understood

27. Copyright 2006 John Wiley & Sons, Inc.10-27 Copyright 2006 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permission Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.