The Psychology of Information Security by Leron Zinatullin

Author: Leron Zinatullin
Language: eng
Format: epub
Tags: Information Technology/Operations, Security
Publisher: IT Governance Publishing
Published: 2016-01-25T22:00:00+00:00


There is an inability to comply

There are extreme cases in which compliance is simply not an option for employees, even when they are more than willing to invest their time and effort. In such cases, the predominant scenario is that users cannot comply because the security mechanisms do not match their basic requirements.

Examples include an organisation giving employees encrypted USB drives with too little storage space, forcing them to share files via email or via larger, non-encrypted drives. It is also common to see users copying files onto laptops because remote accessibility is problematic, or because their network drive capacity is too small.

Another recurring issue is a requirement for numerous passwords to access different corporate systems, all of which employees tend to have difficulty in memorising. Users will “fix” this problem by writing down their passwords, either physically on a document they carry with them or in an electronic form on their laptop.

People tend to be aware of how their behaviour can pose an increased risk, but feel justified in finding these workarounds because the organisation has failed to provide them with a proper technical implementation. They assume that the organisation would rather allow security violations than stop the main business process: an opinion that also happens to be adopted by managerial staff. When everybody shares this inadequate and risky perspective, the organisation is an accomplice in the employees’ non-compliant behaviour.

The researchers concluded that implementation of security compliance seems to create a strain and enlarges the gap between security professionals and the rest of the organisation. Employees tend to develop a negative view of information security in general and respond to security enforcers with scepticism, or may simply ignore them.

This bias can easily discourage employees from behaving in a compliant manner with security controls, regardless of how sensibly designed they may be.

Overly complicated security mechanisms are usually implemented at the cost of the organisation’s productivity, because they tend to consume valuable employee resources. It is not unusual to find that important parts of the organisation will foster non-compliant behaviour, because they value productivity over security and don’t perceive any immediate risk.

Employees generally try to comply with an organisation’s security policies, but, most importantly, they simply want to get their work done. Sometimes employees may violate an organisation’s security policy through malicious behaviour, but it is often because of poor control implementation which does not consider their needs.

This is where the information security professional’s job gets interesting. When non-compliant behaviour is identified, they should first rule out the possibility of malicious behaviour, and then understand where and why the security policy failed to work properly, forcing the employees to find workarounds.

The more a security policy implementation facilitates employee values and priorities, the better it fosters employee incentives and strengthens the security culture.

In order to achieve alignment between security and the employee perspective, the process of formulating security policies must be focused on employee behaviour. A security professional should remember that employee performance is goal-oriented.

These goals are usually focused on business processes
