DETROIT ? The topic of this article is best summed up in an observation by Judith Olson; “When in Rome, do as the Romans. But in a today’s groupware-supported environment, the question is, Where is Rome?” In effect, globalization and the attendant demand for multicultural teamwork has placed a new emphasis on the ability for information assurance professionals to know where Rome is. And accordingly, all members of the security community will have to understand that cultural difference exists and that it has to be dealt with order to do secure and meaningful security work.

Cultural difference poses a substantial risk when it comes to security. For example, sixty-seven percent of CIOs surveyed by Silicon.com identified cultural difference as the primary cause of security problems in outsourcing. Moreover, the conclusion from a range of studies has been that the inability or unwillingness of members of multicultural teams to see and deal directly with cultural difference will adversely impact the effectiveness of their work.

I?m Right – and the Rest of you Are Wrong ? Right?

Cultural difference is a factor because of inherent socialization. In essence, according to Esther Wanning people don’t view their own way of doing things as a product of life-long conditioning. Instead, because of their own experiences they see their perceptions and values as inherently correct. Then, when people from other cultures act in a way that is counter to their conditioned perceptions, they jump to the conclusion that those other people must suffer from ?grave failings”.

In its most generic form, all security work takes place within a system of common experiences, ideas and values that have been integrated into a set of perceptions and behaviors that we call culture. Thus, the assurance system is developed for people within a specific context and because of that context; the innate difference between the values and perceptions of a client in one country and one in another can create a lot of potential vulnerabilities. Consequently, a consideration of cultural influence has to be one of the primary factors in secure software work.

Human and social factors that complicate an already complicated process are likely to affect the way the actual day-to-day security operates in many adverse ways. Therefore, the literature consistently emphasizes that before multicultural teams can get down to the business of addressing the hard problems of assuring multinational corporations, their members have to be actively trained to incorporate shared understanding and communication

Since worldwide outsourcing has emerged as an important aspect of global business, it might seem given that specific measures would be in place in all big companies to accommodate the obvious concerns raised by cultural difference. Nevertheless, that is not the case. Worse, in the companies where some accommodation has actually been made the stressful conditions that are a cost-of-doing-business will usually defeat any program of cultural sensitivity.

Raw Fish and Slabs of Cow

This article presents the details of a program that has been conducted over the past two decades at the University of Detroit Mercy. The program is designed to ensure that information assurance professionals will be aware of, and able to adjust to cultural difference. The approach centers on cultural immersion. The intention is to prepare information assurance students to work effectively across cultures. The aim is to create an information assurance professional who can work successfully in global team environments no matter what the actual conditions.

Joel Spolsky best sums up why the ability to adjust is important ?Yes, we all eat food, but over there, they eat raw fish using wood sticks, while over here, we eat slabs of ground cow with our hands. Cultural difference doesn’t mean that American stomachs can’t digest sushi or that Japanese stomachs can’t digest Big Macs, and it doesn’t mean that there aren’t lots of Americans who eat sushi or Japanese who eat burgers, but it does mean that Americans getting off the plane for the first time in Tokyo are going to be confronted with an overwhelming feeling that this place is strange.?

The University of Detroit Mercy?s International Studies in Information Security Program (ISIS) was formulated to help students overcome that ?strangeness? factor. Nonetheless, it is not, and has never been the intention of the ISIS to make students fully conversant in the values and norms of all cultures. Our goal is to start students on a voyage of personal self-discovery by helping them to understand that cultural differences exist and have real impacts.

Structure of the Program

The aim of the ISIS program is to make students optimally effective as information assurance professionals by helping them understand the diverse ways that a different culture will approach a common goal. The specific intent is to help the student better understand how to obtain security requirements and prepare a detailed information assurance management system (ISMS) design to meet the needs of a culture that is not their own. In order to achieve that purpose, students are expected to have formulated and internalized their own personal understanding of how to deal with cultural difference.

The actual program has been conducted in the EU (England). Earlier aspects of this program were also conducted in Argentina, China, Holland and Mexico. The course is divided into two parts. First, there is a local classroom experience conducted prior to moving to the host site and the actual work experience. Most of the classroom work in the U.S. sessions is devoted to making specific comparisons of the requirements of the two security cultures.

Since the work will involve teams, the faculty in the host culture also conducts similar sessions, with a similar group, where questions and answers are raised about American practices. The actual study product is a practical detailed design case, which is executed on-site and which ideally involves teams composed of American and host country students.

Learning Objectives

The program has two general learning objectives. The first is to: help students understand that there are models of practice that may not originate from, or be a part of their culture. The second is to: equip them to work within the rules and practices of the target culture. The following topic areas are explored in detail in service of those aims:

Strategic Business Environment and Standards Overview: this provides a top level understanding of the business environment of the target culture as well as an essential background comparison of that environment and American environments as they apply to information assurance work. We discuss technical, financial, and organizational issues. This is done primarily in the classroom in both the UDM and the host country but it also includes trips to view host country business settings, Standards bodies and governmental operations as part of the initial orientation. At the end of this, students should have an in-depth understanding of the business and technical issues that drive the target culture.

Process Primitives: This differentiates the standard information assurance process elements of the target culture from their American counterparts. The objective is for students to see and understand the exact characteristics of the security environment and organizational culture of the host country. That includes such things as work practices, ethics and normative cultural influences. The overall aim is to have the American security professional understand that their norms are not universal.

Standard Specifications of Information assurance Process: This explores differences in the ways that the target culture approaches the actual information assurance