Productive Security: A Scalable Methodology for Analysing Employee Security Behaviours

Organisational security policies are often written without sufficiently taking into account the goals and capabilities of the employees who must follow them. Effective security management requires that security managers be able to assess the effectiveness of their policies, including their impact on employee behaviour. We present a methodology for gathering large-scale data sets on employee behaviour and attitudes via scenario-based surveys. The survey questions are grounded in rich data drawn from interviews, and probe perceptions of security measures and their impact. Here we study employees of a large multinational company, demonstrating that our approach is capable of determining important differences between various population groups. We also report that our work has been used to set policy within the partner organisation, illustrating the real-world impact of our research.
