Blaming Noncompliance Is Too Convenient: What Really Causes Information Breaches?

Information breaches demand a vigorous response from organizations. The traditional response is to institute policies to constrain and control employee behavior. Information security policies inform employees about appropriate uses of information technology in an organization. Unfortunately, limited evidence exists that such policies effectively reduce confidentiality breaches or information loss. This article explores the possible reasons for this and reports on a survey aiming to detect the presence of these factors in a UK National Health Service health board. This article argues that you must pay attention to the entire system, instead of focusing merely on individuals in the system. The survey shows how the pressures on the organization's staff members and the rules imposed by the policies often place staff in an impossible or untenable position. They sometimes feel this leaves them no option but to break the rules just to do their work. The Web extra is a list of additional resources.
