Learning from “Shadow Security”: Why understanding non-compliance provides the basis for effective security.
(Proceedings) Workshop on Usable Security.
Kirlappos et al. - 2014 - Learning from “Shadow Security” Why understanding.pdf
Available under License : See the attached licence file.
Over the past decade, security researchers and practitioners have tried to understand why employees do not comply with organizational security policies and mechanisms. Past research has treated compliance as a binary decision: people comply, or they do not. From our analysis of 118 in-depth interviews with individuals (employees in a large multinational organization) about security non-compliance, a third response emerges: shadow security. This describes the instances where security-conscious employees who think they cannot comply with the prescribed security policy create a more fitting alternative to the policies and mechanisms created by the organization’s official security staff. These workarounds are usually not visible to official security and higher management, hence ‘shadow security’. They may not be as secure as the ‘official’ policy would be in theory, but they reflect the best compromise staff can find between getting the job done and managing the risks that the assets they understand face. We conclude that rather than trying to ‘stamp out’ shadow security practices, organizations should learn from them: they provide a starting point for ‘workable’ security: solutions that offer effective security and fit with the organization’s business, rather than impede it.
| Field | Value |
|---|---|
| Title | Learning from “Shadow Security”: Why understanding non-compliance provides the basis for effective security |
| Event | Workshop on Usable Security |
| Location | San Diego, California |
| Dates | 2014-02-23 - 2014-02-26 |
| Open access status | An open access version is available from UCL Discovery |
| Additional information | Copyright 2014 Internet Society. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment. |
| UCL classification | UCL > School of BEAMS > Faculty of Engineering Science > Computer Science; UCL > School of BEAMS > Faculty of Engineering Science > Security and Crime Science |