Employee Rule Breakers, Excuse Makers and Security Champions: Mapping the risk perceptions and emotions that drive security behaviors

We introduce a new methodology for identifying the factors that drive employee security behaviors in organizations, based on a well-known paradigm from psychology, the Johari Window. An analysis of 93 interviews with staff from 2 multinational organizations revealed that security behavior is driven by a combination of risk understanding and emotional stance towards security policy. Furthermore, we found that a quantitative analysis of these dimensions is capable of differentiating between the staff populations of the two organizations. Organization B showed a healthier set of security behaviors, as a result of its employees having better risk understanding and a more positive emotional stance. The framework distinguishes between 16 theoretical behavioral types (3 of which are rule breakers, excuse makers and security champions). It can be used to identify groups of employees that potentially pose a risk to the organization, as well as those with beneficial skills and expertise. This allows highly specific messages to be targeted at such groups in order to change their risk perception and emotional stance. Assuming the organization has ensured security hygiene (i.e., its policies can be complied with in the context of productive activity), this can shift behavior towards compliance. Our framework thus offers diagnostic and intervention-shaping tools for the next step in improving security culture.