Reducing normative conflicts in information security

Security weaknesses often stem from users trying to comply with social expectations rather than following security procedures. Such normative conflicts between security policies and social norms are therefore undesirable from a security perspective. It has been argued that system developers have a "meta-task responsibility", meaning that they have a moral obligation to enable the users of the system they design to cope adequately with their responsibilities. Depending on the situation, this could mean forcing the user to make an "ethical" choice, by "designing out" conflicts. In this paper, we ask the question to what extent it is possible to detect such potential normative conflicts in the design phase of security-sensitive systems, using qualitative research in combination with so-called system models. We then envision how security design might proactively reduce conflict by (a) designing out conflict where possible in the development of policies and systems, and (b) responding to residual and emergent conflict through organisational processes. The approach proposed in this paper is a so-called subcultural approach, where security policies are designed to be culturally sympathetic. Where normative conflicts either cannot be avoided or emerge later, the organisational processes are used to engage with subcultures to encourage communally-mediated control.

[1]  A. Pettigrew On Studying Organizational Cultures , 1979 .

[2]  Sjouke Mauw,et al.  Foundations of Attack Trees , 2005, ICISC.

[3]  Pascal van Eck,et al.  Multi-step attack modelling and simulation (MsAMS) framework based on mobile ambients , 2008, SAC '09.

[4]  Christian W. Probst,et al.  An extensible analysable system model , 2008, Inf. Secur. Tech. Rep..

[5]  M. Alvesson Understanding organizational culture , 2002 .

[6]  Peter J. Frost,et al.  Organizational Culture: Beyond Struggles for Intellectual Dominance , 2004 .

[7]  Frédéric Cuppens,et al.  Analyzing consistency of security policies , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[8]  Wolter Pieters,et al.  The (Social) Construction of Information Security , 2011, Inf. Soc..

[9]  L. Floridi The Ontological Interpretation of Informational Privacy , 2005, Ethics and Information Technology.

[10]  R. Cialdini CURRENT DIRECTIONS IN PSYCHOLOGICAL SCIENCE Crafting Normative Messages to Protect the Environment , 2022 .

[11]  P.J.D. Drenth "Cultures consequences" in organizations , 1996 .

[12]  Frédéric Cuppens,et al.  Merging security policies: analysis of a practical example , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[13]  A. Sinclair Approaches to organisational culture and ethics , 1993 .

[14]  H van der Flier,et al.  Railway signals passed at danger. Situational and personal factors underlying stop signal abuse. , 1988, Applied ergonomics.

[15]  Casey Neil McGinnis,et al.  Paraconsistency and deontic logic: Formal systems for reasoning with normative conflicts , 2007 .

[16]  M. Angela Sasse,et al.  The compliance budget: managing security behaviour in organisations , 2009, NSPW '08.

[17]  Donn B. Parker,et al.  Fighting computer crime , 1983 .

[18]  John L. Darby,et al.  Risk-Based Cost-Benefit Analysis for Security Assessment Problems , 2011 .

[19]  Marshall Abrams,et al.  Abstraction and Refinement of Layered Security Policy , 2006 .

[20]  Wolter Pieters,et al.  Representing Humans in System Security Models: An Actor-Network Approach , 2011, J. Wirel. Mob. Networks Ubiquitous Comput. Dependable Appl..

[21]  Tero Vartiainen,et al.  What levels of moral reasoning and values explain adherence to information security rules? An empirical study , 2009, Eur. J. Inf. Syst..

[22]  R. Thaler,et al.  Nudge: Improving Decisions About Health, Wealth, and Happiness , 2008 .

[23]  Pieter H. Hartel,et al.  Portunes: Representing Attack Scenarios Spanning through the Physical, Digital and Social Domain , 2010, ARSPA-WITS.

[24]  Catholijn M. Jonker,et al.  Modelling Trade and Trust Across Cultures , 2006, iTrust.

[25]  Anja Lindroos,et al.  Addressing Norm Conflicts in a Fragmented Legal System: The Doctrine of Lex Specialis , 2005 .

[26]  I.Th.M. Snellen,et al.  Public administration in an information age : a handbook , 1998 .

[27]  Paul H. Barnes,et al.  Integrating information security policy management with corporate risk management for strategic alignment , 2010 .

[28]  Tim Moses,et al.  EXtensible Access Control Markup Language (XACML) version 1 , 2003 .

[29]  Alexandre Padilla Review of Richard H. Thaler and Cass R. Sunstein, Nudge: Improving decisions about health, wealth, and happiness , 2009 .

[30]  Sandro Etalle,et al.  Approaches in Anomaly-based Network Intrusion Detection Systems , 2008 .

[31]  William A. Wulf,et al.  A practical approach to security assessment , 1998, NSPW '97.

[32]  Hector Garcia-Molina,et al.  Data Leakage Detection , 2011, IEEE Transactions on Knowledge and Data Engineering.

[33]  M. Angela Sasse,et al.  A stealth approach to usable security: helping IT security managers to identify workable security solutions , 2010, NSPW '10.

[34]  Trajce Dimkov,et al.  Alignment of organizational security policies: Theory and Practice , 2012 .

[35]  G. Hofstede Identifying Organizational Subcultures: An Empirical Approach , 1998 .

[36]  Rafael Capurro,et al.  Ethical regulations on robotics in Europe , 2007, AI & SOCIETY.

[37]  Gert-Jan C. Lokhorst,et al.  Engineering and the Problem of Moral Overload , 2011, Sci. Eng. Ethics.

[38]  S. Barman,et al.  Writing Information Security Policies , 2001 .

[39]  S. Jajodia,et al.  Information Security: An Integrated Collection of Essays , 1994 .

[40]  Yvan Allaire,et al.  Theories of Organizational Culture , 1984 .