Demjaha, A; Caulfield, T; Sasse, MA; Pym, D; (2019) 2 Fast 2 Secure: A Case Study of Post-Breach Security Changes. In: Proceedings of the 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). (pp. 192-201). IEEE: Stockholm, Sweden.
Text: EuroUsec_Paper_2019_CameraReady.pdf - Published Version (138kB)
Abstract
A security breach often makes companies react by changing their attitude and approach to security within the organization. This paper presents an in-depth case study of post-breach security changes made by a company and the consequences of those changes. We employ the principles of participatory action research and humble inquiry to conduct a long-term study with employee interviews while embedded in the organization's security division. Despite an extremely high level of financial investment in security, and consistent attention and involvement from the board, the interviews indicate a significant level of friction between employees and security. In the main themes that emerged from our data analysis, a number of factors shed light on the friction: fear of another breach leading to zero risk appetite, impossible security controls making non-compliance a norm, security theatre undermining the purpose of security policies, and employees often trading off security against productivity, and as a result being treated as children in detention rather than employees trying to finish their paid jobs. This paper shows that post-breach security changes can be complex and sometimes risky because emotions are often involved. Without an approach considerate of how humans and security interact, even with high financial investment, attempts to change an organization's security behaviour may be ineffective.
| Field | Value |
|---|---|
| Type | Proceedings paper |
| Title | 2 Fast 2 Secure: A Case Study of Post-Breach Security Changes |
| Event | 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) |
| Location | Stockholm, Sweden |
| Dates | 20 June 2019 - 20 June 2019 |
| Open access status | An open access version is available from UCL Discovery |
| DOI | 10.1109/EuroSPW.2019.00028 |
| Publisher version | https://doi.org/10.1109/EuroSPW.2019.00028 |
| Language | English |
| Additional information | This version is the author accepted manuscript. For information on re-use, please refer to the publisher's terms and conditions. |
| Keywords | data breach, post-breach security, participatory action research, humble inquiry, security culture |
| UCL classification | UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
| URI | https://discovery.ucl.ac.uk/id/eprint/10076390 |