Managing Change in Information Security

Breaches in information security are commonplace.

In May 2006 an unencrypted national database on a laptop, with names, Social Security numbers, dates of births, and some disability ratings for 26.5 million veterans, active-duty military personnel and spouses was stolen in the US. Veteran’s Affairs estimated it would cost $100 million to $500 million to prevent and cover possible losses from the theft.

In August 2006 data on more than 20 million web inquiries, from more than 650,000 AOL users, including shopping and banking data were posted publicly on a web site.

In 2013 Vodafone Germany admitted that a person with insider knowledge had stolen the personal data of two million of its customers from a server located in Germany.

In 2014 an employee from personal credit ratings firm Korea Credit Bureau was arrested and accused of stealing the data from customers of three credit card firms while working for them as a temporary consultant.

As it can be seen, the annals of information management are replete with tales of lost and stolen information. In managing information security, organisations not only need to guard against this all too frequent loss of confidentiality and integrity of information lack of availability, but also against the lack of accessibility of information to those with a right and a need to know. It is also incumbent upon organisations to guard against fraud and disclosure of sensitive information by allowing individuals with incident history to be in trusted positions. All of the foregoing requires effective controls enabled by a high level of information security maturity.

Many organisations have a low level of information security maturity, failing to align significantly with standards such as ISO27001/27002. In order to improve their maturity, organisations need to embark upon the definition and implementation of an Information Security Management System (ISMS).

The benefits of doing so include, but are not limited to:

  • Understanding of the ongoing investment required as an organisation to appropriately manage information security risks
  • A coordinated approach reducing the costs of information security
  • Adequate information to make informed decisions about managing organisational security risks

Much of the effort in creating such a system involves building a security architecture and processes across network hardware and software outside the scope of a records and information management system. However, the importance of security management within a records and information management system within an overall information security management system is very high.

Whereas the management of change affecting network hardware and software requires a small number of people to change their habits and practices, the changes in a records and information system to improve the maturity of information security requires major changes in behaviour across the whole of the organisation.

Developing a Case for Change

The case for change in implementing an information security management system emanate from managing risks to brand, physical, financial and intellectual property assets.

The benefits in making the change include reducing the prevalence of

  • Reputation loss stemming from incidents including loss of service
  • Regulatory non-compliance e.g. privacy
  • Revenue loss e.g. through protection of intellectual property and strategic plans or loss of service
  • Discontinuity of business processes e.g. after natural and man-made disasters

In order to deliver on those outcomes, an information security management system change management plan must deliver on five key changes:

  • Making staff aware of information security as subject they should be interested in
  • Making staff aware of information security policies and procedures and their responsibility in executing those policies and procedures
  • Change employee’s habits in their approach to information security
  • Motivate managers to assess and evaluate their information security risks and build appropriate response to reduce the risk to an acceptable level as within the information security management system framework
  • Change the perception of line management of information security in order to embed information security in their day-to-day processes and their business planning and evaluation processes

In order to create the environment where people do change their behaviours, the change management plan must be effective at two levels (Fig 1):

  • Creating an intention in individuals to change their behaviour
  • Ensuring that line management are engaged enough in the change to help individuals turn that intention into action.

Environment for change model

Figure 1: Change Management Plan objectives

When the change management plan delivers neither an intention to change nor line management engagement, low levels of adoption of improved security practices is ensured.

If individuals do form the intention to change their behaviours, but line managers are not engaged pockets of individuals do form, albeit short lived, changes in behaviours. The approach is not sustainable.

Alternatively, when managers are engaged, even if individuals have not independently formed an intention to adopt new practices, charismatic leaders can make it work. The changes resulting from this environment are much slower though, and with many more missteps than when individuals form the intention to change practices and line managers are fully engaged.

Changing Individual Behaviours

Changing people’s behaviour is hard work. Organisations which attempt to change people’s behaviour usually do not achieve as much change as they would like. One of the reasons is that the process used does not enable change at a personal level.

Organisations which typically rely on a “change management program” which is a linear project plan of events such as process redesign, standards, key performance indicators and some training, which whilst they are good tactics to use, miss an important aspect of change which is the need to change people’s behaviour.

A very useful behavioural change framework is provided by the “Theory of Planned Behaviour” developed by Ajzen (Ajzen, 1985).

According to Ajzen, intention, as the precursor of human behaviour, is guided by three considerations: behavioural beliefs, normative beliefs and control beliefs (Fig 2).

Intention to change

Figure 2: Forming the intention to change (Ajzen)

Behavioural beliefs produce a favourable or unfavourable attitude toward the behaviour. For example, unless an employee believes good information security practices are good for the organisation and themselves, then they are unlikely to change their behaviour. In addition, the employee needs to believe that good information security is better for them than other behaviours that also bring benefits.

Normative beliefs result in subjective norms. For example, if an employee believes that all of his or her colleagues actively support, and especially those they respect, are engaged in good information security practices, then they are more likely to form the intention to do so themselves.

Control beliefs give rise to perceived behavioural controls. For example, if an employee believes they do not know how to adopt good information security practices or that good information security practices are too hard to adopt or that their manager does not rate good information security practices as a priority for them, they are unlikely to form an intention to adopt good information security practices.

Ajzen also notes that actual control and intention form the basis of actual behaviour. This means that staff must be observed to determine whether their perceived control is real and adjustments made if it is not. For example, a person may perceive they have authority to make changes in the way they conduct their business life. However, in reality, their manager controls what they do to such an extent that they have no real authority to make the changes. When they attempt to make the changes in line with their schedule of authorities, their manager stops them making the changes through the force of their personality.

Behavioural Beliefs and Attitudes

For an information security management system program, it is my observation that most people are convinced that good information security practices are desirable. If not, the global levers at our disposal include:

  • Senior management support
  • Outstanding audit findings
  • Examples of information security case studies within and outside of our organisation

All of these levers can be brought to bear by spreading their understanding amongst the existing low intensity practitioners of information security and potential new practitioners.

What is less certain is our ability to convince individual and team members, using the generic levers described above, at or below branch level, that they should care more about good information security practices than maintaining existing practices that have generated other benefits for them.

For this reason, the change management plan must include a means by which good information security practices are seen as desirable over the status quo at branch level or lower, in addition to the global reasons why the change is desirable.

To change people’s beliefs about the desirability of good information security practices we must first raise the issue of the belief in their consciousness; human beings are only capable of holding a few beliefs in their consciousness at one time.

That means a campaign about the topic of information security. The campaign components may include such elements as:

  • Policies, processes and standards showing how to keep information secure in easy to access and assimilate formats
  • An awareness campaign about information security using multiple mediums including video, briefings, face-to-face learning, web pages, brochures, posters, newsletter articles, case studies, quizzes and competitions for the best branch/team or the most improved branch/team

To change the perception of the desirability of good information security, we may consider:

  • A reward and recognition program that rewards the achievement of implementation milestones such as:
    • Completing training
    • Planning implementation of an ISMS
    • Completing implementation of an ISMS
    • Using an ISMS effectively or innovatively
  • A feedback process that praises or criticises, dependant on the level of deviation from the desired standard of information security
  • Coaching for people to plan and implement good information security practices
  • Inclusion of the ISMS milestones in individual manager scorecards, if necessary
    • Matched to the implementation project plan timing

Normative Beliefs and Subjective Norm

To create a set of beliefs of what is normal in good information security practices; there are three elements to consider.

  1. Changing the exposure to groups which symbolise what good information security means and its impact on the organisation; for example:
  • Increase the degree of interaction between individuals/teams and people who are impacted upon by poor information security in their branch/division
  • Have people addressed regularly by senior managers on what and why they care about good information security practices and the progress being made
  • Training people explicitly in the desired behaviours of good information security
  1. Introduce people to new groups that symbolise good information security practices. This might include:
  • Expose staff to “experts” in the business of good information security, for example, the Information Management Council members, and leave them with the do’s and don’ts of successful behaviours.
  • Build local expertise amongst people they trust. For example, “Information security champions”
  • Expose people to other state government bodies’ approach to information security practices and behaviours
  1. Change the motivation to comply. This might include:
  • Measure the level of errors or positive results in good information security practices and publish a league table
  • Build a reward and recognition scheme around the fulfilment of the desired information security behaviours
  • Explicitly include the desired behaviours in the organisation’s appraisal process for those divisions/branches affected
  • Coach and counsel those who do not exhibit the desired information security behaviours

Changing normative beliefs and the motivation to comply (subjective norm) is as important as understanding people’s attitudes towards a behaviour. Without appropriate subjective norms, behaviour will not change. Attitudes towards behaviour are mainly in the hands of the individual. Creating the appropriate subjective norms is mainly in the hands of leaders.

Control Beliefs and Perceived Behavioural Control

To change the perceived control beliefs of people with regard to good information security practices there are five elements to consider:

  1. Train people to do what constitutes good information security for them:
  • Make training relevant to the learner’s day-to-day life and likely practice of information security
  • Layer training, building skills at a pace learner’s can absorb leaving them with a high perception of control
  • Segment training so that expectations of what is required of people to adequately execute their role in good information security matches their ability in their day-to-day role.
  1. Create pools of expertise that is easy to access so that people can deal with ambiguity about what they should do, easily:
  • Ready reference sheets containing work instructions, standards, tips and any important policy matters pertaining to the task
  • Web pages
  • Information security guides
  1. Train people to be problem solvers:
  • Information security champions at branch or division level
  • ISMS Project team members initially and when implemented the person responsible for IT Security
  1. Reward people who take control:
  • Reward innovative development of ISMS processes and procedures at branch level that improves reduces risk and improves information security practices
  1. Use data as often as possible to determine what can and cannot be done:
  • Create on-line and in-person forums for information security practices


To change the actual level of control of people with regard to good information security practices there are four elements to consider:

  1. Promulgation of information security policy down from the organisation executives through managers to staff involved in day-to-day business processes.
  2. Inducting new starters in good information security practices:
  • New to company
  • New to division/branch/section
  1. Developing and delivering training which is engaging and memorable:
  • e-learning for knowledge
  • Instructor lead training for skills and behaviour
  • Reference guides
  • Web pages
  1. Designing point of use materials which provide the facts of information security to users in support of the training:
  • Work instructions; “How to”
  • Standards; “What quality”
  • Policy; “Why”

Changing Corporate behaviour strategy

Getting engagement

The implementation of an ISMS usually occurs at division/branch level. The success of the rollout at division/branch level is dependent on the level of engagement with management at division/branch level.

Engagement (Fig 3) can be measured at five levels of increasing depth by finding the answers to:

  • Do they understand the change?
  • Do they believe the change is necessary or will benefit them?
  • Do they care enough about the change to give priority to learning new skills and knowledge and to change their behaviour
  • Are they consciously planning to make the change?
  • Is there evidence that the change is being implemented and that they have the ability to implement the required knowledge skills and behaviours?

Tactics need to be devised to move line managers in the divisions and branches affected through each stage of engagement. For example:

  • Understanding the change
    • High impact communication across different channels and repeated often enough to reach most manager’s consciousness without becoming annoying
  • Belief that the change will benefit them
    • Published case studies of success
    • Recognition and rewards for implementation and innovation
  • Caring about the change
    • Division/branch involvement in designing “their” change
    • Inclusion in scorecards
  • Planning to make the change
    • Assistance in creating a division/branch plan/business case
  • Implementing the change
    • Training
    • Help with implementation issues

Stages of Engagement

Figure 3: Five stages of engagement

During the timeline of the ISMS implementation, the level of engagement with management at division/branch level must be measured to understand what tactics being employed as part of the change management, stakeholder management, communication and training plans need to be revised to create more effective tactics.


Information security is hardly ever a popular subject and is often left to the controllers of our hardware and networks to manage somewhat behind the scenes. However, records and information management practitioners have a significant role to play in ensuring access to information on a need to know basis is easy for employees, whilst protecting information which should have higher levels of security. To have high levels of information security requires changes in behaviours of all employees in most organisations. Leading that change in behaviours requires records and information mangers to have a clear and effective change management plan that helps employees form the intention to change their behaviours and engages line managers to give them the means and motivation, by which they turn the employee’s intention into action.

Works Cited

Ajzen, I. (1985). Theory of Planned Behavior. Retrieved from Theory of Planned Behavior:


2 responses to “Managing Change in Information Security”

  1. Ray Steele says:

    This is an excellent article on this subject. When was it written? I have used it for a primary reference for a subject assessment that I am completing in my Masters of Cybersecurity at Deakin University

  2. Kevin Dwyer says:

    May 2012 was when it was written.