Tuesday, March 13, 2007

Using Semantics in an Academic & Business Environment to Build Support

(Final Section to "A Case Study...")

Author: Linda M. Lane, (UW Candidate MSIM 2008) March 15, 2007

In the problem statement of "A CASE STUDY OF COLLABORATIVE, ENTERPRISE WIDE, INFORMATION SECURITY C-LEVEL MANAGEMENT AT THE UNIVERSITY OF WASHINGTON" we concluded that the second most prevalent problem is:

(2) - Risk Calculation at UW
"With the increasing sophistication and complexity of security attacks, developing a solution of the addressed problems should take a high priority in the university risk management plan."

Not only should the university develop a security solution within its risk management plan; the document should also be framed within the academic semantic sensibility to ensure a greater chance of adoption and success. The semantics of the business language used in the university risk management plan will contribute to its success both inside and outside the university by showing every reasonable attempt at appropriate risk management while conforming to recognized social and academic norms. One study [i] found no statistically significant relationship between the adoption of security policy and breaches of security. Moreover, even careful planning processes may produce worse strategic plans rather than better ones.

So what value does the risk management plan have? The language used can shape how the plan is perceived, in order to gain cooperation and acceptance, build support and ensure legal compliance. Effective use of language is a solution in itself to ensure success, regardless of the business management techniques actually applied to planning, policy enforcement, and compliance.

According to one study there appear to be "no statistically significant relationships between the adoption of security policies and the incidence or severity of security breaches." [i] The reason for semantically appropriate security policies is therefore appearance: inside the university's environment, a "decentralized yet collaborative entity with an energetic, entrepreneurial culture," and outside it, when courts seek evidence of best practices whenever the university is held liable for a breach of personally identifiable information (PII).

Dessler [ii] writes that Knowing Your Business is an extremely important aspect of planning, and further presents evidence that the best laid strategic plans can go astray. "You have to be able to answer the question 'what business are we in?' before you do any business planning. You need a strategy for your company…" Strategic planning is "in a class of its own…. It's often highly subjective. Tom Peters… reportedly offered $1,000 to the first manager who could demonstrate that he or she had created a successful strategy from a planning process. His point was that a careful planning process may produce worse – not better – strategic plans."

The language of the Board of Regents' description of the University's goals is "…committed to maintaining an environment for objectivity and imaginative inquiry and for the original scholarship and research that ensure the production of new knowledge in the free exchange of diverse facts, theories, and ideas." [iii] The language describing the policy and practices the university is recommended to act upon is "to ensure that the UW creates an excellent compliance model built on best practices, while protecting its decentralized, collaborative and entrepreneurial culture." [iv] These are the university's facets of value, and how it views itself. Both statements show that the university knows who it is and what it does.

That terminology is in stark contrast to the best practices language used for "…the management of information security (Barnard & von Solms, 1998), by defining 'the broad boundaries of information security' as well as the responsibilities of information resources users (Hone & Eloff, 2002b, p. 145). More specifically, a good security policy should '…outline individual responsibilities, define authorized and unauthorized uses of the systems, provide venues for employee reporting of identified or suspected threats to the system, define penalties for violations, and provide a mechanism for updating the policy' (Whitman, 2004, p. 52)." (Doherty & Fulford, 2005)

In the first heading of Information security: management's effect on culture and policy, authors Knapp, Marshall, Rainer and Ford, on page 28, state:
• "Top management support is positively associated with a security culture." They follow with the explanation that security cultures are built from the leaders down:
"Without top management support the creation, training and enforcement of the organization's security policies would not occur or would not be taken seriously by the employees."
• "Without executive level support even a robust, comprehensive, documented security policy does not guarantee enforcement across the enterprise." [v]
To prevail in creating a security culture within an environment dedicated to the free exchange of ideas, the university leadership must choose its wording with care to obtain commitment from all the schools and campus leaders.

Even the responsibility of the CISO is to direct, not enforce, security and privacy policies, as stated in the UW CISO job description draft [vi], under the Duties section:
"Direct the development and enforcement of information security and privacy policies in compliance with federal and state regulations and standards."
These university policies must be written so that their semantics reflect both the values of the university and its compliance with all applicable laws through best practices.

Taken together, it does not appear to matter which business management methods the university uses to accomplish these tasks, as long as it uses appropriate language to obtain a committed security culture. Because of the culture, the language used is a key issue for success: the law requires evidence of effort in security and risk management but does not prescribe how compliance is to be achieved (HIPAA, for example), while the university values objectivity, imagination, and the free exchange of ideas, values that apply to policy as well.

The academic environment only requires that such management fit its social norms and the institution's goals; the management style itself may be outside its concern or relevance, while the semantics and language used are relevant to appearance and cooperation.

In the academic environment, business terms such as "risk management as a service," "distributed management," and "voluntary compliance" sound like the university. Compared with the terminology and phrases of traditional risk management planning, such as "unauthorized uses," "define penalties for violations," and "reporting suspected threats," the traditional language does not hit the mark.

To provide one example, "Sense and Sensibility" is a semantically different way of saying "Information and Aesthetics" or "Perception and Guiding Principles"; the denotation overlaps, but the connotation differs. "Sense and Sensibility" is a graceful, elegant, polished way of saying those same things; it is more poetic, cultured, sophisticated, and self-reflective. In a similar fashion, compliance is what the CISO office wants and needs to produce and project, but "compliance" and the related terms "unauthorized uses," "define penalties for violations," and "reporting suspected threats" are full of forced implications, inferences of power, and authoritarian references that do not fit with a university's urbane sensibility, raison d'être and social norms.

If chosen with careful semantic intention, the business terms the university draws upon to include all the schools and campuses will fit the academic environment and attract little critical attention. The university has no choice: it must protect its people, services, reputation and brand. It is therefore in the university's interest to let risk management match its academic framework semantically.

An example of this semantic thinking at UW: where the report mentions "disciplinary actions," the entire phrase used is "disciplinary actions and incentives," which keeps the appropriate semantic tone of university writing by including "incentives."

The university's CISO compared himself in his job to a junkyard dog, but that does not fit the semantic model for cooperation at the university. Junkyard dogs are mongrels generally found in junkyards, not in the ivory citadels of academia, with their land grants, traditions, and loyalty. CISOs in academic business environments are more like highly trained, prize-winning dogs; nevertheless, like any dog, potentially dangerous when threatened. At the UW, the image of a husky, the school's mascot, may suit his position semantically better when he draws comparisons.

Creating culturally sensitive written policy is not just a matter of appearance outside the university; it is a semantic tool that lends social cohesion inside the university. Using the correct terminology is likely to obtain willing, successful compliance in risk management matters, because the university knows its business and how to speak in a language that will be heard and understood by managers and employees alike in its decentralized, collaborative, and entrepreneurial culture. This same language will be understood outside the university, by courts and attorneys, as erudite, cooperative, and displaying every attempt to deploy best practices within the school.

________________________________________
Resources Used

[i] Doherty, N. F., & Fulford, H. (2005). Do Information Security Policies Reduce the Incidence of Security Breaches? An Exploratory Analysis. Information Resources Management Journal, 18(4), 21. Loughborough University, UK. ABI/INFORM Global. Copyright Idea Group 2005. [Electronic version]

"The findings presented in this paper are somewhat surprising because they show no statistically significant relationships between the adoption of security policies and the incidence or severity of security breaches."

[ii] Dessler, G. (2004). Management: Principles and Practices for Tomorrow's Leaders. Upper Saddle River, NJ: Prentice Hall.

Chapter 5, Strategic Management, Knowing your business, discusses organizational goals and ways to align the organization and culture to achieve them.

[iii] Warren, V., & Hodge, D. C. (2006, February 13). Collaborative Enterprise Risk Management, Final Report. University of Washington. Retrieved March 10, 2007, from

http://www.washington.edu/admin/finmgmt/erm/ermsummary021306b.pdf

(COLLABORATIVE ENTERPRISE RISK MANAGEMENT, Final Report, University of Washington, by V'Ella Warren, Vice President, Financial Management, vwarren@u.washington.edu, 206-543-8765, and David C. Hodge, Dean, College of Arts and Sciences, hodge@u.washington.edu, 543-5340, February 13, 2006)

"The University of Washington (UW) is a decentralized yet collaborative entity with an energetic, entrepreneurial culture. The community members are committed to rigor, integrity, innovation, collegiality, inclusiveness and connectedness."

"The UW's excellence is reflected in the institution's reputation, "the bottom line" which links us to the community."

[iv] Warren & Hodge (2006), the same report:

"The objective of this paper is to ensure that the UW creates an excellent compliance model built on best practices, while protecting its decentralized, collaborative and entrepreneurial culture. This paper lays out a conceptual framework for thinking about risk management. The framework is followed by information on models used by other universities, including four case studies. An evaluation of the UW's current situation comes next. Finally, the paper argues that a collaborative, institution-wide model works the best, and proposes recommendations for implementing that approach."

"Clearly, the creation of a culture of compliance needs to be driven by our core values and commitment to doing things the right way, to being the best at all we do. …we need to know that the manner in which we manage regulatory affairs is consistent with the best practices in existence."

"As a core value to serve its purpose "the University is committed to maintaining an environment for objectivity and imaginative inquiry and for the original scholarship and research that ensure the production of new knowledge in the free exchange of diverse facts, theories, and ideas" (Board of Regents 1998)."

[v] Knapp, K. J., Marshall, T. E., Rainer, R. K., & Ford, F. N. (2006). Information security: management's effect on culture and policy. Information Management & Computer Security, 14(1), 24-36. Emerald Group Publishing Limited, ISSN 0968-5227. Retrieved March 10, 2007.

(Kenneth J. Knapp, US Air Force Academy, Colorado Springs, Colorado, USA; Thomas E. Marshall, R. Kelly Rainer and F. Nelson Ford, Department of Management, College of Business, Auburn University, Auburn, Alabama, USA)

[vi] University of Washington (author not identified). (2003-2004). UW Chief Information Security Officer job description (draft). Retrieved March 10, 2007, from
www.washington.edu/president/tacs/utac/meetings/2003-04/materials/security.officer.description.pdf

Additional Resources

Bailey, K. (2007, February 22). Personal interview. University of Washington, Seattle.

"A CASE STUDY OF COLLABORATIVE, ENTERPRISE WIDE, INFORMATION SECURITY C-LEVEL MANAGEMENT AT THE UNIVERSITY OF WASHINGTON"
Written by "The Documents":
Dany Dahler
Linda Lane
Joel Larson
Michael Paulsmeyer

For more on semantics, see:
http://ocw.mit.edu/OcwWeb/Linguistics-and-Philosophy/24-903Spring-2005/CourseHome/index.htm