Finding Security Champions in Blends of Organisational Culture

Security managers define policies and procedures to express how employees should behave to ‘do their bit’ for information security. They assume these policies are compatible with the business processes and individual employees’ tasks as they know them. Security managers usually rely on the ‘official’ description of how those processes are run; the day-to-day reality is different, and this is where security policies can cause friction. Organisations need employees to participate in the construction of workable security by identifying where policies cause friction, are ambiguous, or simply do not apply. However, current efforts to involve employees in security aim to identify employees who can act as local representatives of policy, as with the currently popular idea of ‘security champions’, rather than as representatives of employee security needs. To help organisations ‘close the loop’ and get input from employees, we have conducted employee surveys on security in the context of their specific jobs. This paper presents results from a secondary analysis of one such survey in a large commercial organisation. The analysis of 608 responses finds that attitude to policy and behaviour types, the prevailing security cultures, vary greatly across the organisation and across four business divisions examined in further detail. Not only those who follow policy contribute to the effectiveness of security policies, but also those who question policy, socialise solutions, or expect security to justify itself as a critical part of their productive work. This demonstrates that security champions cannot be uniform across the organisation; rather, organisations should re-think the role of security champions as diverse ‘bottom-up’ agents who change policy for the better, instead of communicators of existing ‘top-down’ policies.
