Cultura de segurança da informação: um processo de mudança organizacional na Petrobrás

Vieira, Patrícia dos Santos

21 December 2009

Submitted by paulo junior (paulo.jr@fgv.br) on 2010-03-09T21:17:23Z No. of bitstreams: 1 Patricia dos Santos.pdf: 977688 bytes, checksum: 9e6fe91d2790db95dce8e99b8103981a (MD5) / Approved for entry into archive by paulo junior(paulo.jr@fgv.br) on 2010-03-09T21:17:38Z (GMT) No. of bitstreams: 1 Patricia dos Santos.pdf: 977688 bytes, checksum: 9e6fe91d2790db95dce8e99b8103981a (MD5) / Made available in DSpace on 2010-03-11T18:01:15Z (GMT). No. of bitstreams: 1 Patricia dos Santos.pdf: 977688 bytes, checksum: 9e6fe91d2790db95dce8e99b8103981a (MD5) Previous issue date: 2009-12-21 / This study aims to verify whether and to what degree the criteria proposed by Kotter to the implantation of an information security culture were attended at Petrobras. Petrobras, for several years, was an oil country-wide state company. As in several other companies, with the internationalization process, more players with interests in valuable information started interacting with the company. The necessity of conducting a change management process to implant an information security culture was verified. The model defined by Kotter has eight steps that, if followed, guarantee a successful change. In order to achieve the study’s purpose, bibliographic research and Petrobras’ files and documents research and field research were done. The period of study was from 2002 until 2009. The process evaluation has shown some fails at the steps defined by Kotter. It is possible to mention: high complacency; sense of urgency attributed only in the first moment; long-term vision was not widely declared; the reason of change was not explicit throughout time; information security organization structure in the fields is still deficient; there was not complete alignment of the company’s management systems; the existence of structures and systems that make the evaluation of the actions and the recognition of the people involved in the cultural change process more difficult; and lack of worrying in commemorating short-term achievements. / O estudo objetivou verificar até que ponto foi atendido o critério proposto por Kotter para a implantação de uma cultura de segurança da informação na Petrobras. A Petrobras, durante muitos anos, foi uma empresa estatal de petróleo com atuação nacional. Assim como diversas outras empresas, com o advento do processo de internacionalização, mais atores com interesses por informações valiosas começaram a interagir com a empresa. Verificava-se a necessidade de conduzir um processo de gestão da mudança para implantar uma cultura de segurança da informação. O modelo definido por Kotter possui oito etapas que, se seguidas, podem garantir uma mudança bem-sucedida. Para atingir o objetivo do estudo, utilizou-se pesquisa bibliográfica, pesquisa documental em arquivos e documentos da Petrobras e pesquisa de campo. O período analisado foi de 2002 a 2009. A avaliação do processo indicou que algumas falhas foram encontradas nas etapas definidas por Kotter. Pode-se citar: complacência alta; senso de urgência atribuído somente no primeiro momento; visão de longo prazo não foi amplamente declarada; o porquê da mudança, ao longo do tempo, não ficou explícito; estrutura organizacional de segurança da informação nas áreas ainda é deficiente; não houve total alinhamento dos sistemas de gestão da empresa; existência de estruturas e sistemas que dificultam a avaliação das ações e reconhecimento dos envolvidos no processo de mudança cultural e pouca preocupação em comemorar as conquistas de curto prazo.

Cultura de segurança da informação

Mudança organizacional

Gestão da mudança

Information security culture

Change management

Organizational change

Administração de empresas

Cultura organizacional - Estudo de casos

The human connection to information security : A qualitative study on policy development, communication and compliance in government agencies / Den mänskliga kopplingen till informationssäkerhet : En kvalitativ studie om policyutveckling, kommunikation och efterlevnad inom statliga myndigheter

Abdulhadi, Osama

January 2023

The human factor and insider threats play a crucial role in information security. In today’s digital age, protecting organizational data requires a deep understanding of human behaviour and its impact on information security. The increasing volume of electronically stored data has led to a rise in cyber threats and breaches, necessitating effective information security policies and regulations. This study focuses on the experiences and perspectives of employees and top management in government agencies regarding the development, communication, compliance, and attitudes towards information security policies and regulations. Semi-structured interviews were conducted with participants from both top management or information security officers and regular employees, which allowed for an in-depth exploration of their experiences and perspectives. The findings show that government agencies systematically develop policies by engaging stakeholders, ensuring accessibility, and adhering to legal frameworks. Addressing the human factor involves training, awareness programs, and top management support. Policy development and implementation include risk assessment, stakeholder identification, objective setting, continuous review, and integration into daily operations. Communication channels such as intranets, training, coordinators, and awareness events are utilized, but their effectiveness is not directly measured. Proposed improvements include enhancing accessibility, improving policy document management, and using clearer language. Employees generally possess a positive attitude towards information security, though their understanding varies, and challenges to their understanding include complex language and unclear instructions. Compliance also varies, with difficulties arising from technical terminology and information overload. Enhanced compliance can be achieved through simplified language, providing better resources, and top management support. Proactive incident management focuses on learning and risk minimization. The human factor and insider threats remain significant concerns, which emphasizes the need for further education, awareness training, and motivation.

Communication

compliance

development

effectiveness

government agencies

human factor

information security

information security awareness

information security culture

information security management system

information security policy

insider threat

Information Systems, Social aspects

L'évolution du droit en matière de sûreté nucléaire après Fukushima et la gouvernance internationale / The nuclear safety legal framework modernisation after Fukushima and the international Governance

Dhoorah, Marie Sabrina

16 July 2014

Le 11 mars 2011, le Japon a subi un séisme suivi d’un tsunami aux conséquences terribles. Dans la centrale de Fukushima Dai-ichi s’est produit un accident nucléaire de niveau 7 (le plus élevé) sur l’échelle internationale, qui a marqué les esprits comme celui de Tchernobyl en 1986. Cet accident a laissé le monde en émoi face à ces nouvelles formes de menaces, d’autant que l’exploitant TEPCO n’a pas su maitriser la situation ni tirer les leçons du passé. Depuis Fukushima, l’échelle des fondamentaux en Europe et dans le monde a donc été bouleversée et la question de la sûreté et de la sécurité des centrales se pose avec une acuité renforcée, qui a nécessité de redéfinir en droit et en pratique certaines normes et principes au niveau national, européen et international en concordance avec ces nouvelles menaces extérieures, vers le plus haut niveau de sûreté. Mais les révisions entreprises nécessitent d’être plus ambitieuses. L’avenir du nucléaire implique dès lors : au niveau européen, une révision plus ambitieuse de la directive sûreté; la mise en place d’une autorité de réglementation indépendante de jure ; la définition d’un droit de la responsabilité civile harmonisé au sein de l’UE en faveur des victimes dans l’hypothèse d’un accident. Au niveau international, la gouvernance s’impose comme étant le vecteur d’une commune culture de sûreté et de sécurité nucléaires ; bien que la diversité des modèles nationaux de gestion et de contrôle de l’industrie nucléaire paraisse rendre a priori difficile l’évolution vers des règles communes. De même au niveau européen, dans ce même esprit, l’écriture d’un texte unique en droit de la réparation des dommages serait nécessaire. La révision de la Convention sûreté nucléaire est également un chantier important pour l’avenir. Dans l’immédiat, l’harmonisation concerne de nombreux domaines dont, pour l’essentiel : la gestion de crise pendant et après un accident nucléaire ; la mise en place des principes de sûreté et de sécurité les plus performants et les plus élevés, de la conception au démantèlement d’une installation ; la maîtrise d’une interaction adaptée entre sûreté et sécurité nucléaires. Il conviendra, par ailleurs, de veiller à l’intégration du public au processus décisionnel dans les domaines du nucléaire, condition nécessaire à l’acceptabilité de cette énergie. / On March 11, 2011, the Japan suffered an earthquake followed by a tsunami to the terrible consequences. In nuclear power plant Fukushima Dai-ichi happened a nuclear accident of level 7 (highest) on the international scale, which marked the spirits such as rivaled that of Chernobyl in 1986. This accident left the world agog with these new forms of threats, especially since the TEPCO operator did not master the situation or learn the lessons of the past. Since Fukushima, the fundamentals in Europe and worldwide has so upset been turned upside-down and this raises the question of safety and security of power plants with renewed acuity, which necessitated. It is imperative to redefine in law and in practice some standards and principles at the national, European and international level in accordance with these new threats to the highest level of safety. But the legal revisions need to be more ambitious. The future of nuclear power suggest therefore: at the European level: a more ambitious revision of the directive on nuclear safety; the establishment of a regulatory body with effective independence de jure ; the definition of a liability law harmonised throughout the EU and the IAEA for victims in the event of an accident. At the international level: the governance is necessary as a vector of a common safety culture and security culture ; although the diversity of national models of management and control of the nuclear industry appears a priori difficult to move towards common rules. As well as at the European level, the writing of a single text entitled to the repair of damages would be necessary for the same reasons already stated. The revision of the Convention on nuclear safety is also as important crucial for the future. For immediate harmonization concerns many fields, for the most part: during and after a nuclear accident crisis management; the implementation of the principles of safety and security at the most efficient and highest level from the conception to the dismantling of an installation; strengthening interaction adapted between nuclear safety and nuclear security ; but also the integration of the population in the decision-making process in the areas of nuclear is mandatory for the acceptance of nuclear energy.

Tchernobyl

Fukushima

Energie nucléaire

Sûreté et sécurité nucléaires

Autorité de réglementation

Indépendance de jure

Responsabilité civile nucléaire

Démantèlement

Accident nucléaire

Gestion de crise

Droit nucléaire (droit international)

Chernobyl

Fukushima

Nuclear energy

Convention on nuclear safety

Nuclear liability regime

European nuclear safety directive

Nuclear accident crisis

Regulatory body of independance de jure

340

Mänskligt beteende - ett ofrånkomligt hot mot informationssäkerhet?

Swartz, Erik

January 2021

Information har idag kommit att bli så viktigt att det av många aktörer kallas för den nya digitala oljan, och med anledning av just detta är information idag en av de främsta tillgångar en organisation kan besitta. För att skydda informationen lägger organisationer massiva summor pengar på tekniska och fysiska åtgärder. Tillsammans med dessa åtgärder utfärdas även interna bestämmelser och riktlinjer för hur IT-system och information får eller inte får hanteras. Trots detta sker både intrång och andra säkerhetsrelaterade incidenter som kan härledas till mänskligt felaktigt beteende, eller den så kallade mänsklig faktorn. I den här uppsatsen har därför författaren gjort en djupdykning i ämnet för att studera vilka samband som kan finnas mellan beteendevetenskapliga teorier och efterlevnad av informationssäkerhet. Med kvalitativa metoder har bland annat litteraturstudier genomförts för att ta reda på vilka teorier som är mest relevanta i sammanhanget. Intervjuer har sedan nyttjats för att bredda författarens uppfattning om vilka faktorer som kan påverka mänskligt beteende. De personer som intervjuats har bland varit yrkesverksamma som säkerhetschefer, säkerhetskyddshandläggare och ledande forskare inom det specifika området.

Information security

compliance

security culture

human behavior

general deterrence theory

protection motivation theory

social learning theory

neutralization techniques

Informationssäkerhet

efterlevnad

säkerhetskultur

mänskligt beteende

general deterrence theory

protection motivation theory

social learning theory

neutralization techniques

Computer and Information Sciences

Data- och informationsvetenskap

Information Systems, Social aspects

Human Aspects of ICT

Mänsklig interaktion med IKT