Discussing how to manage your information

the crossroads of Information, People, Technology, and Organizations

Wikileaks and weak links

with 2 comments

Photo of an unlocked gate padlockThis post is about Wikileaks, without being about Wikileaks. We know the most recent Wikileaks release was an overwhelmingly large set of data, generated by a fairly low-ranking intelligence analyst, and contains potentially sensitive information. The aspects of the Wikileaks scandal that fascinate me, however, are the human and organizational factors affecting data security.

Why did Bradley Manning do it? He must have known he would be subject to a long prison sentence (at best), and made no efforts to hide his actions. Assuming he was acting rationally, the benefits he imagined from doing so outweighed the prospect of certain punishment. Manning must have evaluated the volume and nature of the data at his disposal – data owned by his organization, effectively the U.S. government – and chose to place his individual motivations above those of the organization to which he belonged.

His own Wikipedia page and various media reports describe Manning’s “disillusionment,” and some opinion pieces paint him as “disgruntled.”

Disgruntled at the age of 23?

This fact points to the causes of the leak: it’s a people problem, more than an information problem. This includes security clearances, i.e., how many eyes need to see the information, but the solution is not about security clearances. Safeguarding organizational data such as that shared in the Wikileaks event is ultimately a management issue, for the following reasons:

A change in employee behavior is a crucial signal to management. It would surprise me if Manning’s behavior changed overnight from unassuming analyst to data thief. A good manager should look for changes in employee behavior that signal a shift in attitude. Furthermore, a manager should ensure he has enough information to act on if restricting or revisiting information flows becomes necessary, particularly in the event that an employee’s risk profile changes.

Digital natives exhibit different workplace values than their older counterparts. At 23, Manning is a digital native. Individuals under the age of 30 have grown up with technology in a world where a sense of possession is poorly defined in digital terms. Digital natives have a different notion of right and wrong in sharing information than previous generations of workers, even when information is proprietary to their organizations. Generation Y is also less loyal to organizations, and expects authority figures to earn their respect, rather than commanding it automatically. (I realize the Army is a very special kind of organization; however, the military cannot claim to be modernizing for warfare in the Information Age and expect to preserve outdated management philosophies, particularly when recruiting overwhelmingly from the digital natives demographic.)

Technology itself distracts from the human issues. Security specialists discuss access protocols and authentication procedures, but focusing on such issues is like staring at the end of someone’s finger when she points to a mountain in the distance. Internal data leaks are a real threat, but they are also perpetrated by people. The Information Age is changing the relationship between people and organizations. Adding to the urgency of the problem, today’s technological capabilities allow people to share and act on information as quickly as they think to do so. When “think it – do it” is the norm, it is important for an organization’s management to communicate expectations about information use and dissemination and to assess and monitor, in an honest way, the risks associated with information flows.

The landscape of information behavior is undergoing a major shift, and technology is merely an enabler of behavior. An individual’s ability to act impulsively, and with powerful tools that can execute enormously impactful actions digitally, should prompt organizations to manage closely the human aspects of internal security threats. It takes one weak link in an organization – unmonitored, disillusioned – to commit a destructive act with sensitive data. Although individuals should be empowered to make ethical, informed decisions when acting on behalf of their organizations, management culture must continue to adapt to the new Information Age, and its digital natives.

Photo by -Tripp-. Used in accordance with a Creative Commons 2.0 license.

About these ads

2 Responses

Subscribe to comments with RSS.

  1. In the article one of the points you make is that management should monitor changes in employee behavior and proactively adjust levels of access if it seems like they may present a threat to information security. This strikes me as something that would be difficult to find the right balance on and might even present a legal problem. Probing too deeply into an employee’s behavior is something that would make many managers uncomfortable, yet it seems that it may be required to prevent Wiki Leaks types problems. Are there any tips you would recommend for when to start throwing up red flags and when to start cutting people off?

    Nick Malone

    December 6, 2010 at 12:45 pm

  2. The changing access rights thing is an absolute last resort, and I don’t condone, say, spying on an employee or anything illegal.

    I guess I’m talking more about taking some time to evaluate whether interactions change. A manager will generally have a baseline of interaction with an employee, and if the turnaround on projects change, or if patterns of behavior change (coming in late when the employee was always punctual), then there are probably other, even better reasons (e.g. work/life balance) for a manager to ask if the employee needs extra help.

    I don’t think that particular conversation, assuming it’s approached in a compassionate and understanding way, is ever a bad idea if something has changed about interaction with an employee.

    Jordan Eschler

    December 6, 2010 at 5:14 pm


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: