SEARCH

SEARCH BY CITATION

Abstract

  1. Top of page
  2. Abstract
  3. Introduction
  4. Human Information Behavior and Information Security Behavior
  5. The Cisco Global Data Leakage Study — Background, Methods, and Findings
  6. Critiques of the Study
  7. Directions for Future Research
  8. References

Data Leakage Worldwide, a 2008 research study commissioned by Cisco Systems, Inc. explored the information security behaviors of information technology (IT) users and decision makers in ten countries around the world. Based upon an online survey, the results published by Cisco Systems concluded that end users engage in risky information security behaviors that negatively impacted the companies for which the worked. The survey also revealed differences in awareness of proper security practices between end users and IT decision makers, as well as a lack of effectiveness in company security policies. One important aspect of the research was the exploration of differences in information security behaviors between respondents in different countries. While the Cisco study is important, a number of questions exist regarding the methods used, data collected, and conclusions made in the survey publications. But regardless of these critiques, the study provides a useful starting point for research into human information security behaviors.


Introduction

  1. Top of page
  2. Abstract
  3. Introduction
  4. Human Information Behavior and Information Security Behavior
  5. The Cisco Global Data Leakage Study — Background, Methods, and Findings
  6. Critiques of the Study
  7. Directions for Future Research
  8. References

In September 2008 Cisco Systems, Inc., a multinational network equipment manufacturer, announced the results of a global research study, Data Leakage Worldwide, which explored data security risks faced by organizations relying on information technology (IT) infrastructures around the world. The study analyzed the effectiveness of corporate information security policies and associated user security behaviors across ten countries in the Americas, Europe, and Asia-Pacific regions (Vamosi, 2008). The research study was commissioned by Cisco and the survey research conducted by Insight Express, a commercial research firm. Among the goals and findings of the survey was the analysis of differences exhibited across different countries in how IT users and managers perceived information security, how they incorporated security into their daily practices, and how effective were the organizational policies designed to promote or enforce security behaviors among IT users (Cisco, 2008a). The results of the global survey were published as three separate Cisco white papers (Cisco, 2008a; Cisco, 2008b; and Cisco, 2008c) as well as three detailed data presentations by the research firm InsightExpress (InsightExpress, 2008a; InsightExpress, 2008b; and InsightExpress, 2008c). All associated white papers and data presentations were made public and posted on Cisco's corporate web site as part of a public relations campaign designed to publicize the result of the research study.

The Cisco research study and the resulting publications merits further consideration by information science practitioners. The study occupies a unique intersection between the study of human information behaviors across cultural and regional boundaries and the study of information security behaviors by users of IT. While a variety of research studies have explored one or another of these topics, the Cisco study provides new insights into both. This paper describes the background and findings of the research study, but also offers a critique of the research in terms of its scope and analytical direction. The study privileges certain research findings most directly relevant to the marketing of commercial security technologies while seeming to ignore equally interesting questions about information security and human information behaviors at the social and cultural levels. The result is a study that is compelling to the field of information science but also incomplete. Researchers into areas of human information behavior, the development of socio-technical systems in global environments, and information security may all find the Cisco study a source of inspiration for future research directions and projects.

Human Information Behavior and Information Security Behavior

  1. Top of page
  2. Abstract
  3. Introduction
  4. Human Information Behavior and Information Security Behavior
  5. The Cisco Global Data Leakage Study — Background, Methods, and Findings
  6. Critiques of the Study
  7. Directions for Future Research
  8. References

A great deal of research has been conducted into human information behavior in general as well as into specific aspects of the use of information in a variety of environments and under a variety of influences.

General studies of human information behaviors and user information needs have been conducted within information science for decades. These studies have been effectively summarized over time in a number of reviews (Wilson, 1997; Spink & Cole, 2006; Wilson, 2006; Case, 2007), including multi-disciplinary analyses of information behavior research. Research studies have also been conducted into human information behaviors in specific organizational or industrial contexts, including manufacturing organizations (White, 1986) and healthcare environments (Reddy & Jansen, 2008).

More directly interesting to the Cisco Systems research are those studies that explore human information behaviors in the context of information security or from the perspective of cultural and regional influences on information seeking and use. While less common within the information science literature or the literatures of other fields, there are nevertheless numerous studies that address these aspects of human information behavior as well.

Cultural and regional effects on the use of information, particularly in the context of IT, are increasingly important as globalization exerts a more profound influence on society and industry. Jarvenpaa & Ives (1994) explored the perceived challenges of building globally connected information and knowledge networks that would provide users with the necessary information to complete tasks and support organizational goals, while creating new and unforeseen challenges for business and technology managers tasked with managing these large and increasingly distributed networked entities. At the time of Jarvenpaa & Ives article, the nascent Internet had not yet seen the development of the global World Wide Web and even technologically sophisticated organizations had yet to realize the potential benefits (and risks) that new information technologies represented. Zaheer & Zaheer studied the ways that country differences influenced the information seeking behaviors of firms competing in the global finance industry. The authors were concerned with the differences in how these firms, located in different countries, engaged in an information-intensive industry that was highly similar globally, particularly how the firms looked for information that would help them prosper. Where Zaheer & Zaheer studied different organizations engaged in a global industry, Dutta (2008) reviewed various research studies into the information behaviors of indigenous peoples in developing countries, including both urban and rural users. And Chau, Cole, Massey, Montoya-Weiss, & O'Keefe (2002) conducted empirical research into the information behaviors of online consumers in the United States and in Hong Kong, looking for evidence that cultural differences could account for differences in online consumer behaviors.

Information security behaviors among users have also proved a fruitful subject for research in information science and other fields. No accepted definition for information security behavior exists, although some scholars have attempted to define information security behavior through the creation of taxonomies and categories of types of information behavior specific to security practitioners (Vroom & von Solms, 2004; Stanton, Stram, Mastrangelo, & Jolton, 2005). More generally, information security behaviors can reasonably be inferred as the ways in which IT users and other individuals interact with information resources that have been determined to require certain protections. Assignation of such protection or the requirement of security information behaviors in regards to particular systems or data is a complex process influenced by state, organizational, and individual decisions and activities. Some studies, including empirical research efforts, have closely examined the roles and behaviors of users in the context of information security (Thomson & von Solms, 1998; Adams & Sasse, 1999). Other studies have examined security from the larger organizational context, exploring security awareness, policy, and enforcement more broadly (Siponen, 2000; Workman, Bommer, & Straub, 2008; Herath & Rao, 2009). Common themes across these studies, and ones which are similar to the purposes and results of the Cisco data leakage research study, include the need to understand how users conceptualize security practices and responsibilities, and how both individual and management behaviors can be improved in order to make information security efforts more effective in the environments in which they exist.

The Cisco Global Data Leakage Study — Background, Methods, and Findings

  1. Top of page
  2. Abstract
  3. Introduction
  4. Human Information Behavior and Information Security Behavior
  5. The Cisco Global Data Leakage Study — Background, Methods, and Findings
  6. Critiques of the Study
  7. Directions for Future Research
  8. References

Cisco Systems is a global manufacturer of networking equipment, beginning with the routers and switches that function as the core infrastructure of the Internet. In addition to network hardware and software systems, Cisco has grown into other IT markets, creating and manufacturing many other IT products including systems for Internet telephony, online collaboration, and information storage. The growth of the company into areas of information technology that were increasingly concerned with processing and managing user data rather than simply transmitting that data “over the wire” have caused Cisco to require more sophisticated capabilities for information security. Today Cisco also manufactures and markets security products and services as part of its corporate strategy, and the data leakage research project discussed here represents a component of Cisco's security marketing efforts. The situating of this research study into Cisco's security marketing strategy proves a limiting factor to the research findings, a critique I will elaborate upon later. But the results of the Cisco-sponsored survey nonetheless offer important insights into the differences in information security behavior across regions and cultures.

The stated purpose for commissioning the data leakage survey was “to understand the challenges that increasingly distributed mobile businesses face in protecting sensitive information” (Cisco, 2008a, p. 1). Networking technology has allowed organizations to attain global reach while centralizing IT environments within a single organization. Many multi-national companies, including Cisco, have relatively mono-cultural IT infrastructures built upon standard user computing systems and backend network infrastructures. A Cisco employee, for instance, traveling from the corporate headquarters in San Jose, California to corporate offices in Bangalore, Dubai, Budapest, or Sao Paulo find a remarkable uniformity in IT environments all of which conform to Cisco's technological culture. Of course the social cultures between these regions are far less homogenous. While many companies attempt to train their employees about proper security behaviors, Cisco questions the effectiveness of these efforts noting that hundreds of millions of sensitive pieces of data have been stolen in recent years. Cisco also points out that many of these incidents are not the result of hackers breaking into corporate systems but the result of employee behaviors (whether intentional or not) (2008a, p.2).

In an attempt to better understand how geographical and cultural differences influence employee security behaviors, Cisco commissioned InsightExpress to conduct a global survey into the problem of data leakage and risky security behaviors on the part of users and the effectiveness of organizational responses to these risks. It was hoped that by understanding user behaviors when dealing with issues of information security that IT organizations would be better able to respond to internal security risks and encourage more security-conscious user practices. InsightExpress conducted the research through two surveys conducted in ten countries (Australia, Brazil, China, France, Germany, India, Italy, Japan, the United Kingdom, and the United States). For each country in the study, InsightExpress conducted an online survey of individual respondents. Respondents were divided into two categories: “end users,” defined in the study as a “non-IT professional” and “IT decision makers,” who were defined as “having some influence in purchasing or policy decisions regarding information technology. It was not clear from the published information how membership in a category was established (for instance by self-selection on the part of the respondent or by a survey question related to job roles within the respondent's organization.) Approximately 100 respondents of each type for each country were included in the research study for a total of 1009 end-users and 1011 IT decision makers (n=2020 respondents total). Survey data was collected over a period from July 16 – August 4, 2008 (InsightExpress, 2008a, p. 2). Country selection for the research study was based upon “contrasting social and business cultures, as well as each workforce's relative tenure with the Internet and corporate IP [Internet Protocol]-based networks” (Cisco, 2008a, p. 2).

InsightExpress published the survey findings in three separate report presentations (2008a, 2008b, & 2008c). Cisco incorporated the resulting data into three accompanying white papers (2008a, 2008b, & 2008c), specially structured corporate documents that are designed both to convey the results of the research and to act as a marketing tool usable by Cisco employees when promoting Cisco's products and services. While the InsightExpress publications offer much more specific detail regarding the data, the Cisco white papers attempt to contextualize the survey findings and embed them within narrative structures that are more likely to be well-received by specific (primarily Cisco customer) audiences. Both the InsightExpress presentations and the Cisco white papers divided the survey findings into three broad categories: a general report on the survey and the common security risks and mistakes faced by users of IT systems (InsightExpress, 2008a; Cisco, 2008a), a review of the survey findings that specifically addressed the risk of “insider threats” represented by malicious or disgruntled users who deliberately attempted to subvert organizational security controls (InsightExpress, 2008b; Cisco, 2008b), and an analysis of the effectiveness of security policies employed by organizations as a response to security risks (InsightExpress, 2008c; Cisco, 2008c). For clarity, this paper will discuss the findings of the overall research study as represented within these same three categories selected by Cisco in its publication of the results.

General User Security Findings

The survey research found that IT end users in all countries exhibited “risky behaviors that put corporate and personal data at risk” despite the presence of security mechanisms put in place by their organizations. The Cisco white paper Data Leakage Worldwide: Common Risks and Mistakes Employees Make (2008a) highlighted four findings that applied to IT end user security behaviors generally:

  • The use of unauthorized programs and applications led to as many as half of all security incidents resulting in data loss
  • 44% of employees misuse corporate computers, including unauthorized sharing of devices
  • 39% of IT decision makers reported employees accessing physical and network resources without authorization
  • 46% of users reported sharing files between work and personal computers when working from home (p. 1).

While these findings were foregrounded in the published Cisco white paper, they represented a subset of the findings generated by the InsightExpress research data. InsightExpress included other key findings, such as end user respondents indicating that over half of all end users deliberately bypass or change security settings on company-issued computers in order to visit restricted web sites (InsightExpress, 2008a, p. 7).

While the research generated security behavior findings applicable to respondents across all surveyed countries, of special interest are those findings that show significant differences in information security behavior between countries. Cisco highlighted five findings that it described as “noteworthy” examples of such differences:

  • Computer abuse in China is so problematic as to require regular audit for unauthorized content by IT decision makers
  • 65% of Japanese end users reported violating corporate IT policies and this trend is increasing
  • Respondents in India used corporate resources such as email and instant messaging for personal use, and changed security settings to view unauthorized Web content
  • Brazilian users reported using corporate resources for personal use such as downloading music
  • With only 16% of end users reporting compliance with security policies, France had the lowest rate of IT policy compliance in the study (Cisco, 2008a, p. 2).

As with the general user respondent findings, Cisco chose a subset of findings to promote within the white paper. To understand the differences between security behaviors between particular countries that were statistically significant a reader would have to refer back to the data presentation provided by InsightExpress, which provides a great deal more detail regarding differences between country respondents (2008a).

Insider Threat Findings

The second Cisco white paper published from this research study was Data Leakage Worldwide: The High Cost of Insider Threats (Cisco, 2008b), and is accompanied by a supporting InsightExpress data presentation (2008b). The second white paper attempts to present the survey results in the context of how risky end user behaviors presented “insider threat” risks to IT decision makers and, by extension, organizations that were dependent upon IT infrastructures. Insider threats are considered to be security-related behaviors by employees who were “uninformed, careless, or disgruntled.” Cisco found that the risks posed by these user behaviors are more dangerous than is commonly recognized by IT professionals, and more likely to cause financial losses due to data loss than threats from external sources such as hackers or cybercriminals (Cisco, 2008b, p. 1).

To support these conclusions, Cisco cited findings from the survey data. Roughly dividing these findings into those results related to negligence on the part of end users and those related to disgruntled employees who deliberately committed security violations, Cisco concluded that universal serial bus (USB) drives were the most common potential data loss vector cited by IT decision makers responding to the survey. In addition to specific means of data loss, Cisco identified other threats including a lack of awareness and diligence regarding proper security behavior on the part of end users as well as a lack of awareness by IT decision makers regarding the number and nature of security incidents that their organizations experienced over a particular time period. In one case of deliberate security violations on the part of disgruntled employees, Cisco cited a finding that over 10% of end user respondents claimed to have stolen data or computers that they then sold for a profit (2008b, p. 3).

Unlike Data Leakage Worldwide: Common Risks and Mistakes Employees Make, Cisco's second white paper does not make an effort to address differences in behaviors between countries. For these findings readers must to refer to the accompanying presentation, Data Leakage Worldwide: The Insider Threat and the Cost of Data Loss (InsightExpress, 2008b). As in the case of the first published data results, the InsightExpress presentation contains much more detail regarding the formal results of the survey, including which countries exhibited significant differences in referenced end user and IT decision maker responses.

Effectiveness of Security Policies Findings

Cisco's final survey-related white paper, Data Leakage Worldwide: The Effectiveness of Security Policies (2008c) and the accompanying data presentation (InsightExpress, 2008c) discusses the research findings related to how organizations attempt to deal with risky security behaviors by IT end users and the extent to which those attempts are or are not successful. As with the previous two white papers, Cisco chooses certain survey findings to promote and includes findings that apply generally to security practices globally. In this white paper, as with the first, Cisco also discusses country differences between certain behaviors although these discussions are not exhaustive and are conducted at a high level of abstraction.

Cisco's primary conclusions regarding organizational security policies are that they are often ineffectual and in many cases do not even exist within an organization (as evidenced by 23% of the survey responses). One key finding Cisco draws from the research data is that a large discrepancy (20-30% of respondents across various countries) exists between end user and IT decision maker awareness of the presence of security policies within an organization. Cisco concludes from this discrepancy “IT is not sufficiently educating and communicating security policies to employees, and that employees may not be paying attention” (Cisco, 2008c, p. 1).

After discussing general problems with security policy effectiveness, Cisco examines differences between countries in regards to how policies are implemented, disseminated, and received by end users. Cisco is particularly concerned with failures to communicate security policies and expected behavioral norms within organizations both at the time of hiring new employees and throughout an employee's tenure. Some of the findings cited and conclusions drawn from the survey data include:

  • European respondents, particularly those from the United Kingdom, France, and Germany exhibited a higher prevalence for the belief “that security policies were never communicated to them or that they were never educated about the policy”
  • Companies in Australia, China, Japan, and the United States communicated security policies most often to newly hired employees
  • The United States had the largest gap (42%) between IT decision maker responses that newly hired employees were educated on company security policies, and IT end user responses claiming that policies had not been communicated at the time they were hired (2008c, p. 3).

Critiques of the Study

  1. Top of page
  2. Abstract
  3. Introduction
  4. Human Information Behavior and Information Security Behavior
  5. The Cisco Global Data Leakage Study — Background, Methods, and Findings
  6. Critiques of the Study
  7. Directions for Future Research
  8. References

Cisco's Data Leakage Worldwide study contains a great deal of information of interest to the information science research community. The analysis of cross-cultural security behaviors by IT end users represents a relatively unique research perspective that is missing from the literature. However, the study also has several flaws that must be addressed in the course of any discussion of its findings and any conclusions drawn or generalizations made regarding the research findings. These problems include a lack of transparency regarding InsightExpress' research methods and the data collected as a result of those methods, and questions of possible confirmation and publication bias in the findings and conclusions that Cisco draws from the research data.

Uncertain Methods and Data Quality

The Cisco research study exhibits a problematic lack of transparency into the methods and data used in conducting the survey. InsightExpress, commissioned by Cisco to conduct the survey, is a provider of commercial research to industry and is under no obligation to disclose survey instruments or methods that might be considered the intellectual property of the firm. While the research data presentations published as part of the study contained a great deal of data regarding the survey results, including notations of statistical significance and the levels of reported significance, no access is given to the specific research instruments or statistical analyses that were used for the study. A reader is unable, as a result, to make a judgment regarding the selection of survey respondents, the survey instrument itself, or which statistical techniques were used to generate findings.

Without detailed information regarding the structure and conduct of the research study it becomes impossible to assess the quality of the study, and quite possible that some areas of the study were flawed to the degree that the findings are rendered suspect. One example of the uncertainties surrounding InsightExpress' methods is the collections of almost exactly 100 respondents from each country surveyed, for both IT end users and IT decision makers. According to InsightExpress the primary research instrument was an online survey that was posted for twenty days. It seems coincidental that a survey posted for a set time period would collect data from almost exactly the same number (n=100) of respondents across two distinct categories of respondent and ten separate countries. Without any insight into how the survey was structured or managed, however, any conclusions that might be drawn about methodological problems remain speculative. Of course if respondents were selected or the data altered to create a predetermined data set, then the overall findings and conclusions of the research study would be subject to question.

Bias in Findings and Conclusions

Cisco uses the findings of the InsightExpress survey to make certain conclusions, promoted within the published white papers, which may not be supported by the data in the research presentations. One of the pitfalls of commercially sponsored social research is the temptation by industries or companies to privilege certain findings that may support the company's strategies while ignoring or downplaying findings that do not support or even refute those strategies. While there is no direct evidence that Cisco sought to mislead or otherwise misrepresent the results of the InsightExpress survey, there are instances where evidence of confirmation bias or publication bias may be present.

In one example, a conclusion cited previously, Cisco finds that computer abuse in China was so prevalent that it required Chinese IT decision makers to regularly audit for unauthorized content. This conclusion directly supports Cisco's corporate goals given that China is a large market for Cisco's products, including security products that can be used to facilitate such audits. But neither InsightExpress nor Cisco defines what constitutes abuse or unauthorized content, or specifically relates unauthorized content to data loss in a security sense. Unauthorized content could also refer to any data that is proscribed for political or cultural reasons unrelated to IT security. Such content may also different markedly between countries and cultures, and assuming that the data supporting this conclusion was the result of a generic survey question rather than specific questions regarding types of content that were problematic, the conclusion is questionable. By making conclusions that support Cisco sales and marketing efforts, but do not acknowledge the discrepancies in the data, Cisco weakens its own arguments although given that the research is intended for a non-academic audience this may not be viewed as a limitation. It would likely be seen as non-productive for Cisco to explore larger socio-political implications of the research, particularly when such explorations would offer little or no benefit to company sales.

Directions for Future Research

  1. Top of page
  2. Abstract
  3. Introduction
  4. Human Information Behavior and Information Security Behavior
  5. The Cisco Global Data Leakage Study — Background, Methods, and Findings
  6. Critiques of the Study
  7. Directions for Future Research
  8. References

While the Cisco Data Leakage Worldwide study is a useful contribution to research into human information behavior and information security literatures, it is incomplete. Ostensibly commissioned to explore cultural and national differences in information security behaviors at both the individual and organizational levels, the research conclusions that Cisco chose to publish do not demonstrate a sincere interest in the socio-cultural differences in the way users perceive information security across different geographic regions. Perhaps to expect a commercial technology vendor to exhibit such scholarly curiosity is unfair. Cisco purchased the research behind this study as part of a corporate strategy to further the company's business interests, not as an academic research project. Yet the findings made available through the InsightExpress data presentations offer tantalizing glimpses into the effects of globalization on human information behaviors. Despite the methodological and analytical critiques offered previously, the Cisco study remains important, if for no other reason than its novelty.

Data Leakage Worldwide can and should act as a starting point for further research into information security behaviors across cultures and regions. One way in which the existing study could be leveraged into further research would be to obtain the full set of instruments, methods, and data used by InsightExpress. While this approach offers ease of analysis, it might prove much more difficult logistically. The proprietary nature of the research makes it likely that InsightExpress would not be willing to share or make public details about the study, nor does Cisco have much motivation to do so either. Researchers seeking to make use of the existing data are then forced to analyze and extrapolate based only on the publicly available reports.

Researchers might also use the Cisco research study as a starting point for planning and conducting follow-on research into information security behaviors. It might be useful to attempt to replicate the results of the Cisco study by designing a similar survey instrument and gathering data from similar respondents across the same countries analyzed as part of this study. A rigorous empirical methodology combined with more transparency in data collection and findings could be contrasted with the results of the Cisco study to determine if discrepancies exist.

A final example of the research that might grow from a close reading of the Cisco study is the potential for more in-depth qualitative inquiry into the ways that IT security behaviors manifest within companies. The Cisco study was based on an online survey, with no evidence that the researchers attempted to elicit additional data from respondents in the form of interviews or other means of data collection. Yet many of the findings of the research imply not only differing behaviors between countries but different contexts and even different definitions of what constitutes security or risk. The study makes many descriptive claims regarding information security behaviors without attempting to analyze why those differences may exist, and whether the differences are localized in the individual, in the company for which the individual works, or in the way that the survey instrument structured individual responses. Without such insights much of the value to be gained by answering the questions posed by the research remains untapped.

This final point on the nature of information security behaviors between countries is instructive not only for information researchers looking to learn from or expand upon the Cisco survey. Cisco has raised questions through this research study that are important to its own success as a producer and marketer of IT security technologies. In the white papers Cisco concludes that organizations need to improve their security policies and security awareness programs in order to counter the threats of negligent and disgruntled employees. But the research study stops short of attempting to understand why some users are not aware of proper security behaviors, despite the presence of formal policies and procedures, or why some users choose to deliberately circumvent security or to harm their employer by stealing or abusing IT systems and data. These reasons are also, quite possibly, subject to cultural and regional differences that are not explored.

One of Cisco's purposes in conducting the survey was to demonstrate a global awareness that is appropriate to a multinational firm with an IT infrastructure and employees in most countries on the planet. Fostering such a global image is important to Cisco's marketing and public relations. But future success in the global marketplace will also depend upon a deliberate understanding of the differences between cultures not only at a general descriptive level but also at the level of individual human choices and motivations. Data Leakage Worldwide shows that such differences exist and can impact how companies control sensitive information and protect the privacy and security of users and customers. As such, the Cisco study should be seen as an important initial step in understanding human information behaviors in an information security context.

References

  1. Top of page
  2. Abstract
  3. Introduction
  4. Human Information Behavior and Information Security Behavior
  5. The Cisco Global Data Leakage Study — Background, Methods, and Findings
  6. Critiques of the Study
  7. Directions for Future Research
  8. References