Abstract
Traditionally, organizations manage information security through policies and mechanisms that employees are expected to comply with. Non-compliance with security is regarded as undesirable, and often sanctions are threatened to deter it. But in a recent study, we identified a third category of employee security behavior: shadow security. This consists of workarounds employees devise to ensure primary business goals are achieved; they also devise their own security measures to counter the risks they understand. Whilst not compliant with official policy, and sometimes not as secure as employees think, shadow security practices reflect the working compromise staff find between security and "getting the job done". We add to this insight in this paper by discussing findings from a new interview study in a different organization. We identified additional shadow security practices, and show how they can be transformed into effective and productivity-enabling security solutions, within the framework of a learning organization.
Index Terms
- "Shadow security" as a tool for the learning organization