Kirlappos, I;
Beautement, A;
Sasse, MA;
(2013)
"Comply or die" is dead: Long live security-aware principal agents.
In:
Financial Cryptography and Data Security.
(pp. 70 -82).
Springer: Berlin.
PDF
Kirlappos-Comply or Die.pdf Available under License : See the attached licence file. Download (414kB) |
Abstract
Information security has adapted to the modern collaborative organisational nature, and abandoned "command-and-control" approaches of the past. But when it comes to managing employee's information security behaviour, many organisations still use policies proscribing behaviour and sanctioning non-compliance. Whilst many organisations are aware that this "comply or die" approach does not work for modern enterprises where employees collaborate, share, and show initiative, they do not have an alternative approach to fostering secure behaviour. We present an interview analysis of 126 employees' reasons for not complying with organisational policies, identifying the perceived conflict of security with productive activities as the key driver for non-compliance and confirm the results using a survey of 1256 employees. We conclude that effective problem detection and security measure adaptation needs to be de-centralised - employees are the principal agents who must decide how to implement security in specific contexts. But this requires a higher level of security awareness and skills than most employees currently have. Any campaign aimed at security behaviour needs to transform employee's perception of their role in security, transforming them to security-aware principal agents.
Type: | Proceedings paper |
---|---|
Title: | "Comply or die" is dead: Long live security-aware principal agents |
Event: | FC 2013 Workshop, USEC 2013, Okinawa, Japan, 01 Apr 2013 - 05 Oct 2013 |
Open access status: | An open access version is available from UCL Discovery |
DOI: | 10.1007/978-3-642-41320-9_5 |
Publisher version: | http://dx.doi.org/10.1007/978-3-642-41320-9_5 |
Additional information: | © International Financial Cryptography Association 2013. The original publication is available at www.springerlink.com |
UCL classification: | UCL UCL > Provost and Vice Provost Offices > UCL BEAMS UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
URI: | https://discovery.ucl.ac.uk/id/eprint/1419506 |
Archive Staff Only
View Item |