UCL Discovery
UCL home » Library Services » Electronic resources » UCL Discovery

Learning from “Shadow Security”: Why understanding non-compliance provides the basis for effective security

Kirlappos, I; Parkin, S; Sasse, MA; (2014) Learning from “Shadow Security”: Why understanding non-compliance provides the basis for effective security. In: (Proceedings) Workshop on Usable Security. Green open access

[thumbnail of Kirlappos et al. - 2014 - Learning from “Shadow Security” Why understanding.pdf] PDF
Kirlappos et al. - 2014 - Learning from “Shadow Security” Why understanding.pdf
Available under License : See the attached licence file.

Download (449kB)

Abstract

Over the past decade, security researchers and practitioners have tried to understand why employees do not comply with organizational security policies and mechanisms. Past re-search has treated compliance as a binary decision: people comply, or they do not. From our analysis of 118 in-depth interviews with individuals (employees in a large multinational organization) about security non-compliance, a 3rd response emerges: shadow security. This describes the instances where security-conscious employees who think they cannot comply with the prescribed security policy create a more fitting alter-native to the policies and mechanisms created by the organization’s official security staff. These workarounds are usually not visible to official security and higher management – hence ‘shadow security’. They may not be as secure as the ‘official’ policy would be in theory, but they reflect the best compromise staff can find between getting the job done and managing the risks that the assets they understand face. We conclude that rather than trying to ‘stamp out’ shadow security practices, organizations should learn from them: they provide a starting point ‘workable’ security: solutions that offer effective security and fit with the organization’s business, rather than impede it.

Type: Proceedings paper
Title: Learning from “Shadow Security”: Why understanding non-compliance provides the basis for effective security
Event: Workshop on Usable Security
Location: San Diego, California
Dates: 2014-02-23 - 2014-02-26
ISBN: 189156237 1
Open access status: An open access version is available from UCL Discovery
DOI: 10.14722/usec.2014.23007
Publisher version: http://dx.doi.org/10.14722/usec.2014.23007
Language: English
Additional information: Copyright 2014 Internet Society. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.
UCL classification: UCL
UCL > Provost and Vice Provost Offices
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
URI: https://discovery.ucl.ac.uk/id/eprint/1424472
Downloads since deposit
3,443Downloads
Download activity - last month
Download activity - last 12 months
Downloads by country - last 12 months

Archive Staff Only

View Item View Item