Becker, IF;
Parkin, S;
Sasse, MA;
Finding Security Champions in Blends of Organisational Culture.
In:
Proceedings of the 2nd European Workshop on Usable Security - 2017.
Internet Society: Paris, France.
Preview |
Text
Security_Champions_Becker_Parkin_Sasse_cameraReady-EuroUSEC.pdf - Published Version Download (159kB) | Preview |
Abstract
Security managers define policies and procedures to express how employees should behave to 'do their bit' for information security. They assume these policies are compatible with the business processes and individual employees' tasks as they know them. Security managers usually rely on the 'official' description of how those processes are run; the day-to-day reality is different, and this is where security policies can cause friction. Organisations need employees to participate in the construction of workable security, by identifying where policies causes friction, are ambiguous, or just do not apply. However, current efforts to involve employees in security act to identify employees who can be local representatives of policy - as with the currently popular idea of 'security champions' - rather than as a representative of employee security needs. Towards helping organisations 'close the loop' and get input from employees, we have conducted employee surveys on security in the context of their specific jobs. The paper presents results from secondary analysis of one such survey in a large commercial organisation. The analysis of 608 responses finds that attitude to policy and behaviour types - the prevailing security cultures - vary greatly in the organisation and across four business divisions examined in further detail. There is a role in contributing to the effectiveness of security policies not only for those who follow policy, but also for those who question policy, socialise solutions, or expect security to justify itself as a critical part of their productive work. This demonstrates that security champions cannot be uniform across the organisation, but rather that organisations should re-think the role of security champions as diverse 'bottom-up' agents to change policy for the better, rather than communicators of existing 'top-down' policies.
Type: | Proceedings paper |
---|---|
Title: | Finding Security Champions in Blends of Organisational Culture |
Event: | 2nd European Workshop on Usable Security - EuroUSEC '17 |
Location: | Paris, France |
Dates: | 29 April 2017 - 29 April 2017 |
ISBN: | 1891562487 |
Open access status: | An open access version is available from UCL Discovery |
DOI: | 10.14722/eurousec.2017.23007 |
Publisher version: | https://www.internetsociety.org/sites/default/file... |
Language: | English |
Additional information: | Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author’s employer if the paper was prepared within the scope of employment. EuroUSEC ’17, 29 April 2017, Paris, France Copyright 2017 Internet Society, ISBN 1-891562-48-7 http://dx.doi.org/10.14722/eurousec.2017.23007 |
UCL classification: | UCL UCL > Provost and Vice Provost Offices UCL > Provost and Vice Provost Offices > UCL BEAMS UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science |
URI: | https://discovery.ucl.ac.uk/id/eprint/1554762 |
Archive Staff Only
View Item |