UCL logo

UCL Discovery

UCL home » Library Services » Electronic resources » UCL Discovery

Learning from "shadow security": understanding non-compliant behaviours to improve information security management

Kirlappos, I; (2016) Learning from "shadow security": understanding non-compliant behaviours to improve information security management. Doctoral thesis , UCL (University College London). Green open access

Kirlappos_thesis final.pdf

Download (3MB) | Preview


This thesis examines employee interaction with information security in large organisations. It starts by revisiting past research in user-centred security and security management, identifying three research questions that examine (1) employee understanding of the need for security, (2) the challenges security introduces to their work, together with their responses to those challenges, and (3) how to use the emerging knowledge to improve existing organisational security implementations. Preliminary examination of an available interview data set, led to the emergence of three additional research questions, aiming to identify (4) employee actions after bypassing organisational security policy, (5) their response to perceived lack of security support from the organisation, and (6) the impact of trust relationships in the organisation on their security behaviours. The research questions were investigated in two case studies inside two large organisations. Different data collection (200 interviews and 2129 surveys) and analysis techniques (thematic analysis and grounded theory) were combined to improve outcome validity and allow for generalisability of the findings. The primary contribution of this thesis is the identification of a new paradigm for understanding employee responses to high-friction security, the shadow security: employees adapt existing mechanisms or processes, or deploy other self-devised solutions, when they consider the productivity impact of centrally-procured security as unacceptable. An additional contribution is the identification of two trust relationships in organisational environments that influence employee security behaviours: organisationemployee trust (willingness of the organisation to remain exposed to the actions of its employees, expecting them to behave securely), and inter-employee trust (willingness of employees to act in a way that renders themselves or the organisation vulnerable to the actions of another member of the organisation). The above contributions led to the creation of a structured process to better align security with organisational productive activity, together with a set of relevant metrics to assess the effectiveness of attempted improvements. The thesis concludes by presenting a case study attempting to apply the above process in an organisation, also presenting the emerging lessons for both academia and industry.

Type: Thesis (Doctoral)
Title: Learning from "shadow security": understanding non-compliant behaviours to improve information security management
Event: UCL (University College London)
Open access status: An open access version is available from UCL Discovery
Language: English
UCL classification: UCL > School of BEAMS
UCL > School of BEAMS > Faculty of Engineering Science
URI: http://discovery.ucl.ac.uk/id/eprint/1521997
Downloads since deposit
Download activity - last month
Download activity - last 12 months
Downloads by country - last 12 months

Archive Staff Only

View Item View Item