UCL logo

UCL Discovery

UCL home » Library Services » Electronic resources » UCL Discovery

"Comply or die" is dead: Long live security-aware principal agents

Kirlappos, I; Beautement, A; Sasse, MA; (2013) "Comply or die" is dead: Long live security-aware principal agents. In: Financial Cryptography and Data Security. (pp. 70 -82). Springer: Berlin. Green open access

[img] PDF
Kirlappos-Comply or Die.pdf
Available under License : See the attached licence file.

Download (414kB)


Information security has adapted to the modern collaborative organisational nature, and abandoned "command-and-control" approaches of the past. But when it comes to managing employee's information security behaviour, many organisations still use policies proscribing behaviour and sanctioning non-compliance. Whilst many organisations are aware that this "comply or die" approach does not work for modern enterprises where employees collaborate, share, and show initiative, they do not have an alternative approach to fostering secure behaviour. We present an interview analysis of 126 employees' reasons for not complying with organisational policies, identifying the perceived conflict of security with productive activities as the key driver for non-compliance and confirm the results using a survey of 1256 employees. We conclude that effective problem detection and security measure adaptation needs to be de-centralised - employees are the principal agents who must decide how to implement security in specific contexts. But this requires a higher level of security awareness and skills than most employees currently have. Any campaign aimed at security behaviour needs to transform employee's perception of their role in security, transforming them to security-aware principal agents.

Type: Proceedings paper
Title: "Comply or die" is dead: Long live security-aware principal agents
Event: FC 2013 Workshop, USEC 2013, Okinawa, Japan, 01 Apr 2013 - 05 Oct 2013
Open access status: An open access version is available from UCL Discovery
DOI: 10.1007/978-3-642-41320-9_5
Publisher version: http://dx.doi.org/10.1007/978-3-642-41320-9_5
Additional information: © International Financial Cryptography Association 2013. The original publication is available at www.springerlink.com
URI: http://discovery.ucl.ac.uk/id/eprint/1419506
Downloads since deposit
Download activity - last month
Download activity - last 12 months
Downloads by country - last 12 months

Archive Staff Only

View Item View Item