UCL logo

UCL Discovery

UCL home » Library Services » Electronic resources » UCL Discovery

Finding Security Champions in Blends of Organisational Culture

Becker, IF; Parkin, S; Sasse, MA; Finding Security Champions in Blends of Organisational Culture. In: Proceedings of the 2nd European Workshop on Usable Security - 2017. Internet Society: Paris, France. Green open access

Security_Champions_Becker_Parkin_Sasse_cameraReady-EuroUSEC.pdf - ["content_typename_Published version" not defined]

Download (159kB) | Preview


Security managers define policies and procedures to express how employees should behave to 'do their bit' for information security. They assume these policies are compatible with the business processes and individual employees' tasks as they know them. Security managers usually rely on the 'official' description of how those processes are run; the day-to-day reality is different, and this is where security policies can cause friction. Organisations need employees to participate in the construction of workable security, by identifying where policies causes friction, are ambiguous, or just do not apply. However, current efforts to involve employees in security act to identify employees who can be local representatives of policy - as with the currently popular idea of 'security champions' - rather than as a representative of employee security needs. Towards helping organisations 'close the loop' and get input from employees, we have conducted employee surveys on security in the context of their specific jobs. The paper presents results from secondary analysis of one such survey in a large commercial organisation. The analysis of 608 responses finds that attitude to policy and behaviour types - the prevailing security cultures - vary greatly in the organisation and across four business divisions examined in further detail. There is a role in contributing to the effectiveness of security policies not only for those who follow policy, but also for those who question policy, socialise solutions, or expect security to justify itself as a critical part of their productive work. This demonstrates that security champions cannot be uniform across the organisation, but rather that organisations should re-think the role of security champions as diverse 'bottom-up' agents to change policy for the better, rather than communicators of existing 'top-down' policies.

Type: Proceedings paper
Title: Finding Security Champions in Blends of Organisational Culture
Event: 2nd European Workshop on Usable Security - EuroUSEC '17
Location: Paris, France
Dates: 29 April 2017 - 29 April 2017
ISBN: 1891562487
Open access status: An open access version is available from UCL Discovery
DOI: 10.14722/eurousec.2017.23007
Publisher version: https://www.internetsociety.org/sites/default/file...
Language: English
Additional information: Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author’s employer if the paper was prepared within the scope of employment. EuroUSEC ’17, 29 April 2017, Paris, France Copyright 2017 Internet Society, ISBN 1-891562-48-7 http://dx.doi.org/10.14722/eurousec.2017.23007
UCL classification: UCL > School of BEAMS
UCL > School of BEAMS > Faculty of Engineering Science
URI: http://discovery.ucl.ac.uk/id/eprint/1554762
Downloads since deposit
Download activity - last month
Download activity - last 12 months
Downloads by country - last 12 months

Archive Staff Only

View Item View Item