Information Security Best Practices: 205 Basic Rules


Section 3: Awareness and Management Commitment to Security

The first step in implementing information security is to create a security policy. Before creating a security policy, however, an organization's management must weigh the security risks: how security breaches may affect the business, such as damage to the company's reputation if it is hacked (negative publicity), and the financial loss that is at stake. Some businesses, such as healthcare, must also implement information security because it is required by law. If the risks to the organization are not perceived as high, or are not believable, then you will not be able to effectively enforce or maintain your security policy.

Much of the time, management is simply not aware of the risks or does not fully understand them. They may believe, for one reason or another, that the organization is not vulnerable to attack. Managers of small companies, for example, tend to downplay security risks. I have found a general lack of management awareness of security risks at all levels and types of organizations. Security is at best perceived as a necessary evil and at worst seen as a costly and undesirable intrusion. It must instead be seen as an integral part of the organization's overall business strategy. In the minds of managers, security risks must be translated into financial loss, whether through lost business, reduced productivity, lost data, revealed corporate secrets or compromised integrity. The threat from hackers must be perceived as real. Examples of recent hacker attacks on similar organizations may need to be presented...