The challenge to plug the human leak

Behind the sensational WikiLeaks controversy and political fallout lies a simple human action. In short, without a leaker, Julian Assange would have no information to publish.

It is this very human propensity to want to share information, so starkly illustrated by the WikiLeaks saga, that new Swinburne University of Technology research will address. A new Australian Research Council Linkage Project will examine people’s behaviour with a view to strengthening information management systems within government agencies.

Professor Suresh Cuganesan, who is heading the project – Management Control Systems for Effective Information Sharing and Security in Government Organisations – says the greatest risk from an information security perspective is people: the staff and officials who manage and deal with information as part of their day-to-day duties.

Professor Cuganesan, Swinburne’s Centre for Enterprise Performance director, says it is well established that humans are the weakest link when it comes to information control.

There are numerous examples of the deliberate leaking of information for financial, political or personal gain, but disclosures can also be made through inadvertent errors.

Losing portable data devices such as USB sticks is one example: a high-profile case emerged in 2006 when a CD containing a report into the death of an Australian soldier in Iraq was left in an airport lounge computer.

Accidental disclosures can also occur through general conversation or simply when an employee is unaware of procedures.

Behaviour change

“Our project will look at how government agencies can design effective controls that generate appropriate information-management behaviour,” Professor Cuganesan says.

And he emphasises that ‘information management’ applies not only to keeping information secure but also to helping government agencies deliver information effectively. This is the project’s flipside – a study of ways to better share information that needs to be circulated.

“If we get it right, it has a significant upside, if more information gets to the right people, resulting in better government service delivery.”

Professor Cuganesan will be examining the use of management control systems (MCS) that consider an organisation’s culture and values, policies and procedures, and which can measure an employee’s information management performance.

“It’s not about putting firewalls in place to prevent hackers,” Professor Cuganesan says. “It’s actually about trying to get government staff to engage in appropriate information-management practices.”

Recent Auditor-General reports in Victoria and Western Australia suggest this is currently not the case, highlighting serious deficiencies in the control and security of government-held information. Reasons why government information needs adequate security – and any number of examples have come to light over the years – include protecting the privacy and the security of individuals, as well as protecting databanks from fraud or other criminal activities.

The challenge is that there is increasing pressure on government agencies to improve information sharing through channels that are more open and functional. However, Professor Cuganesan says at the moment there are gaping inconsistencies between the policies and operations of different government departments and their private sector partners when it comes to information management.

Real-life research sites

Designing and operating a management control system that improves information security as well as information sharing is going to be complex.

To this end, Professor Cuganesan will be working closely with project partner Professor Yun Yang from the Swinburne Centre for Computing and Engineering Software Systems (SUCCESS) as well as government partners Victoria Police and the Department of Transport (Victoria).

Professor Cuganesan will design management control systems and study their effects on organisations and employees, while Professor Yang will develop and analyse the technology that will be critical to supporting these systems. Part of Professor Yang’s work will examine how IT-based controls can help enforce, track and monitor information sharing and security. It will also investigate how IT-based controls can measure trust, risk and threat in the workforce.

The university’s government partners, Professor Cuganesan says, will be real-life research sites and test-beds for the systems. They will also provide crucial insights into the issues and challenges that departments face in trying to control ‘information behaviours’.

“We want to analyse what is going on now, identify what works well and where the opportunities are for improvement. We will then start to design refinements and test them.”

Both informal and formal controls are among a range of MCS elements that could be tested. Informally, this could be through connecting people’s information-management behaviour to the organisation’s broader values, such as integrity or respect. More formal measures might include physical or electronic controls on document access, or staff performance indicators for information behaviours.

“We are looking at both sides of the coin,” Professor Cuganesan says. “We are not just looking to clamp down on information and build technology to restrict it. Yes, we do need to look at security, but information also needs to move.”

A story provided by Swinburne Magazine. This article is under copyright; permission must be sought from Swinburne Magazine to reproduce it.