
Examination of the employee behaviour themes that emerged from the thematic analysis identified two main categories of behavioural drivers: (1) Secure behaviour drivers (elements of the security implementation or employee understanding that encouraged secure behaviour) and (2) Insecure behaviour drivers (elements of the security implementation or employee understanding that led to behaviours that increased organisational security risk exposure). This section analyses both of the above categories, explaining how the employee behaviour examples presented in section 4.5 allowed identification and characterisation of the impact of a widely varying set of elements of the organisational environment on employee security behaviours. It also discusses how the perceived lack of enforcement leads to the development of an insecure security culture and presents a preliminary model of security behaviour drivers, which is refined further in the next chapters of this thesis.

4.6.1 Secure behaviour drivers

Employee motivation for secure behaviour stemmed from both organisational security communication and employees’ personal risk awareness. Security communication led to understanding of organisational security risks, with employees then complying with communicated behaviours (e.g. the need for information sharing to be done on a “need to know” basis). In other cases though, employees identified potential security risks that were not included in the organisation’s security policy or communication (e.g. the need to protect their laptops). In order to mitigate those, they acted in ways they deemed as appropriately secure (e.g. taking the laptop with them).

Despite leading to secure behaviours, employee actions driven by their own understanding of security risks can also increase organisational risk exposure. Long-term employee reliance on those self-devised security behaviours can lead to the development of security habits and culture that are invisible to central security management.

When employees devise their own security processes, security management is less able to monitor their behaviours, which also reduces their ability to assess current levels of security protection.

4.6.2 Insecure behaviour drivers

The results presented in section 4.5 identified a number of different insecure employee practices.

Analysing the relationships between the themes that emerged from the analysis, three main categories of drivers for those practices emerged:

1. Inaccurate security understanding and risk perceptions: Employees failing to understand the purpose of security, combined with their inaccurate risk perceptions, make non-compliance more attractive on a cost-benefit scale than the effort required to comply with security mechanisms (e.g. downloading files locally and bringing those into the organisation believing they pose no risk, instead of contacting the unresponsive security helpdesk to unblock access to a website).

2. Compliance not possible: The mechanisms required for employees to behave securely are currently not present (e.g. a network drive being full leading to employees copying files locally).

3. Compliance too expensive: Employees may correctly perceive the risks involved in their actions, but consciously choose not to comply due to high compliance costs (e.g. increased time-overhead of encrypted USB sticks leading to the use of personal unencrypted ones).

The remainder of this section discusses each of the above insecure behaviour drivers, analysing the conditions that led to their emergence, presenting the risks they create for the organisation, but also discussing why security management appears to be complicit in their existence.

4.6.2.1 Inaccurate security understanding and risk perceptions

The need for some of the existing information security mechanisms and policy clauses was unclear to employees. Despite possessing some awareness about the need to protect sensitive information, reports like “just confidentiality not security” suggest a lack of understanding of what information security tries to achieve; one of the key goals of information security is precisely to preserve the confidentiality of information. This inaccurate knowledge and awareness about potential security threats led to inaccurate risk perceptions and to the development of incorrect mental models [20] of the operation of the systems in place amongst employees, making non-compliance an attractive option when they encountered friction-inducing security. A few examples of this:

1. Employees rarely considered the possibility that using USB drives to copy data they downloaded at home onto their corporate machines might lead to malware infections. They seemed to misunderstand how a virus may propagate through the organisation’s systems (modern viruses are extremely complicated and propagate using various clever mechanisms – botnets, for example, are almost invisible to the end user, while other viruses may be programmed to deliver their payload later in time, etc.). With their simplistic understanding, employees assumed that a downloaded file that causes no harm to their home computer is safe to be used on a corporate one, adopting this practice when they could not access a file from inside the organisation.

[20] “A mental model is the “user’s belief” about a system in hand” (Nielsen, 2010) or “A theory people build to explain the causal behaviour of systems” (Dix et al., 2003).

2. They also failed to consider that data deleted from unencrypted USB drives can be easily recovered; they believed that deleting all the data from a drive after a file transfer provides adequate protection in case the drive falls into unauthorised hands.

3. Employees also stored sensitive files locally on their laptops, assuming the presence of a Windows password prevented someone from accessing those files. But a Windows password is only effective for access control purposes and, even with encryption added on top, the data on the laptop is still vulnerable to brute force attempts if an attacker manages to get unconstrained access to the laptop (Halderman et al. 2009).

The impact of inaccurate employee understanding on employee behaviours was often made worse by the organisational security policy not providing clear indications of what the correct risk-mitigating actions are (e.g. the policy on password sharing: “NOT access any information or system using another employee's or system's password unless explicitly authorised to do so” – in this case no clarification existed on who is allowed to give that authorisation).

In general, most employees did not have a good understanding of what information security is and what it tries to protect. The aim of security is not just to “prevent computers from getting infected by viruses”, as one interviewee said, but also to protect information and provide uninterrupted access to it. The presence of those misconceptions led to a reduced perceived benefit from complying with security, making non-compliance an economically attractive option for employees when secure behaviour required significant time or effort investment (see section 4.6.2.3). They also downplayed their role in organisational protection: they perceived the information they handle as generally not sensitive, which led to the wide range of insecure behaviours described in section 4.5.

4.6.2.2 Compliance not possible

In many cases, compliance was not an option regardless of how much time or effort employees were willing to invest to achieve it. Employees reported inability to comply with parts of the security policy, because the mechanisms required for secure behaviour were either difficult to use or absent. A number of examples of this behaviour were identified:

1. Employees justified copying files locally to their laptops when there was insufficient space on their network drive, or to avoid problems with remote file access when working from home or while travelling.

2. They also found the encrypted USB drives provided by the organisation to be too small, which created the need for alternative file-sharing methods such as using unencrypted drives or emailing files to each other.

3. The large number of passwords required for various corporate systems resulted in employees being unable to recall those from memory. Employees then wrote their passwords down, either in electronic form on their laptop or in a document/notebook they carry with them all the time.

4. In order to cope with website blocking preventing access to information needed for work purposes, employees downloaded the required content at home and brought it into the organisation, either on USB drives or through email.

In the four examples above, the majority of employees were aware of the increased risks associated with their behaviour, but felt that the organisation failed to provide a properly working technical implementation. This forced them into workarounds, so they could keep working towards primary task completion. In addition, managers appeared happy to encourage non-compliant behaviours, as long as mitigating actions were taken (e.g. delete documents from USB drive when done); this accentuated employees’ belief that the organisation would prefer security transgressions to “letting everything grind to halt”.

4.6.2.3 Compliance too expensive

The third driver for employee insecure behaviours was the high individual resource investment (time, cognitive or physical effort) that certain security mechanisms demanded:

1. Employees shared their passwords for quick access to systems because it “would take ages” to get the permissions changed. They also expected their colleagues to do the same for them. Even some managers reported this as common and acceptable practice: “employees newly-involved in a project access the system using someone else’s credentials until their access is sorted out”.

2. They also used personal unencrypted USB drives to share data with their colleagues because it is faster and easier than using company-issued encrypted ones. The effort involved in using the latter was perceived to be “not worth it for simple file transfers around the office”. Some interviewees, who understood potential risks from this practice, reported they “immediately wiped the drives afterwards” to prevent information from falling in the wrong hands.

3. Employees also resorted to file sharing through emails and unencrypted USBs, as the organisational file sharing solutions were either unreliable or inaccessible.

In this category of behaviours, compliance with policies was possible, but employees perceived the impact of compliant actions on their primary tasks to be higher than what they were willing to accept to protect the organisation (confirming past research suggestions that security behaviours are an economic cost-benefit decision - see section 2.7.1).
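One defender-side check that follows from the password-sharing finding in point 1 above, as an added example that is not part of the thesis: an account that is accepted from several distinct source hosts within a short window is a common indicator of shared credentials, and is precisely the kind of behaviour that goes unnoticed when nobody monitors. The log lines, the 15-minute window and the two-host threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SSH-style authentication log lines (not from the thesis).
# "jsmith" is used from three hosts within minutes; "akhan" from two hosts hours apart.
SAMPLE_LOG = """\
2024-03-04 09:01:10 sshd[410]: Accepted password for jsmith from 10.0.5.21 port 51012
2024-03-04 09:03:45 sshd[412]: Accepted password for jsmith from 10.0.5.77 port 50231
2024-03-04 09:04:02 sshd[415]: Accepted password for jsmith from 10.0.5.90 port 50300
2024-03-04 09:10:00 sshd[420]: Accepted password for akhan from 10.0.5.30 port 50444
2024-03-04 17:40:12 sshd[500]: Accepted password for akhan from 10.0.7.12 port 50999
"""

LINE_RE = re.compile(r"^(\S+ \S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")

def parse_logins(text):
    """Extract (timestamp, user, source_host) from successful-login lines."""
    logins = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            logins.append((ts, m.group(2), m.group(3)))
    return logins

def shared_credential_candidates(logins, window=timedelta(minutes=15), min_hosts=2):
    """Return {user: sorted hosts} for accounts accepted from at least
    min_hosts distinct source hosts inside one sliding time window."""
    by_user = defaultdict(list)
    for ts, user, host in sorted(logins):
        by_user[user].append((ts, host))
    flagged = {}
    for user, events in by_user.items():
        for i, (t0, _) in enumerate(events):
            # hosts seen from this login until the end of the window
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    for user, hosts in shared_credential_candidates(parse_logins(SAMPLE_LOG)).items():
        print(f"possible shared credential: {user} from {', '.join(hosts)}")
```

A hit is a prompt for a conversation with the team, not proof of misuse: legitimate cases (a user on two devices, NAT) should be tuned out via the window and threshold.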

4.6.3 Lack of enforcement and security culture development

Despite security violations appearing to be widely prevalent in the organisation, employees reported minimal attempts at security policy enforcement. This perceived lack of enforcement suggested to employees that security is not one of the organisation’s priorities. In the interviews, they mentioned that clear desk inspections were “stopped some time ago”, motivation to lock screens did not come from enforcement but from colleagues playing jokes on each other, while their managers advocated password sharing whenever setting up access was perceived as “not worth it” time-wise. Long-term occurrence of such behaviours, combined with perceived organisational failure to prevent them (no attempts to create security solutions that fit the primary task or to enforce policy), leads to employees considering policy violations as justified. Over time, such behaviours become habitual to employees and part of the organisational security culture, leading to increased organisational exposure to security risks.

4.6.4 Security behaviour drivers model

The identified relationships between elements of the organisational security environment and related employee behaviours (Appendix F) led to the emergence of a security behaviour model, presented in Figure 9.

Figure 9: Security behaviour model

It is important to note here that some of the relationships presented in the model in Figure 9 were extracted from a small number of employee reports, often just one or two (e.g. support problems leading to justification to bypass). As a result, this model should be seen as a preliminary suggestion for now and is revisited and adjusted later in the thesis based on the findings emerging from chapters 5 and 6.