P1. “Directly discussing problems of security implementations and compliance with employees can lead to improved understanding of the reasons driving employee insecure behaviours”

As discussed in section 2.8 of the literature review, research discussing problems with security implementation in organisations has been limited and mostly focused on employee password behaviours.

The use of semi-structured employee interviews revealed interesting insights into their security behaviours:

1. Identification of relationships between friction-inducing elements of the organisational security implementation and the emerging employee security behaviours.

2. Categorisation of the underlying conditions leading to insecure behaviours, based on specific properties of the security implementation/environment that created those.

The findings in this section provided sufficient evidence that P1 is a valid proposition, but, as discussed earlier, they only covered a subset of the available dataset. By analysing the full set of available interviews, and collecting an additional interview set in a second organisation, the research presented in the next two chapters enriched and strengthened understanding of the paradigms presented in this chapter, also strengthening the current findings that suggest P1 is valid.

P2. “Engagement with employees can allow falsifying current beliefs that employees can be forced to comply with security”

In section 2.6.3 it was explained that attempts to enforce security mechanisms or processes upon employees, without assessing their effect on employees' ability to complete their primary task, can create a number of problems: (1) the high cost of policy-prescribed behaviours leads to non-compliance, (2) inability to discipline when non-compliance is widespread, due to the high volume of false positive alerts, (3) creation of a negative attitude towards security, (4) decreased organisational adaptability in responding to changes in the threat landscape, and (5) inability to provide flexibility where required (e.g. home and remote working).

The findings of this chapter revealed another problem: employees will always find a way around security restrictions, often attempting to alleviate the related perceived risks through self-devised security practices (e.g. an employee using Summer01 as a password, downloading files at home, sharing files on unencrypted USBs and erasing those afterwards). Currently, security management attempts to eliminate these behaviours through enforcement, without first taking care to remove friction-inducing elements of the security implementation. This creates further friction between employee primary task completion and security, increasing the risks from emerging insecure behaviours. Similarly to P1, the findings of the thematic analysis suggest that P2 is a valid proposition. Despite this, further in-depth examination of employee responses to organisational policy enforcement attempts was required, in order to improve understanding of their effect on employee attitude towards security. The follow-up data collection process and analyses aiming to improve the above understanding are presented in the remainder of this thesis, together with the emerging results and their implications for organisational security management.

P3. “Engagement with employees can allow identification of employee responses to friction-inducing security”

Past research suggested that employees respond to high-friction security by developing their own, productivity-focused coping strategies (section 2.6.2). In addition to re-organising their primary tasks to reduce exposure to high-cost security (Inglesant and Sasse, 2010) or sharing information through informal channels (Bartsch and Sasse, 2012), the findings of this chapter suggest that, when security is perceived as inadequate or expensive, security-aware employees may take other actions that they consider to mitigate security risks (e.g. use of unencrypted USB drives, erasing the data afterwards). As this was not the focus of the analysis presented in this chapter, a detailed description and understanding of those actions based on the results presented here is not possible. But the identification of their existence drove the focus of the analysis presented in chapter 5, which aims to better understand and characterise those actions.

P4. “Engagement with employees can allow the identification of problems in security implementations (both policies and mechanisms) that organisations have not currently identified through other means”

Past empirical organisational research has provided valuable insights into employee interaction with security that created problems in primary task completion (section 2.6.2). But it did not attempt to holistically explore organisational environments to identify and characterise different instances of insecure employee behaviour. The behaviours identified and discussed in this chapter provide a first step towards such an analysis, with many of the identified behaviours being impossible for Company A to identify without direct interaction with employees: although some behaviours are easier to observe (e.g. clear desk, screen lock, employees using their own USBs), other more complex ones would be much harder to capture (e.g. ineffectiveness of communication, password sharing or storing documents locally on laptops). The findings presented in this chapter provide evidence for the potential validity of P4, but further analysis was required to strengthen it. This was done by the grounded theory analysis of the full interview set from the two organisations, presented in chapter 5.

P5. “Engagement with employees can improve existing organisational ability to manage current information security challenges”

Other than identifying the need to eliminate friction-inducing security mechanisms and to improve security communication and training, the analysis of the results presented in this chapter did not provide sufficient insight into employee security behaviour to allow the creation of an approach that organisations can use to identify friction and redesign their security implementation accordingly. As a result, no evidence for the validity of P5 emerged, but this proposition is revisited after the analyses presented in chapters 5 and 6, and the discussion in chapter 7.

The shadow security

The findings of the thematic analysis presented in chapter 4 improved existing understanding of the impact of friction-inducing organisational security on employee behaviours. But, as discussed at the end of the previous chapter, the findings only provided partial answers to the research questions this thesis aims to answer. Better understanding was required of (1) employee understanding of the need for security as a primary task enabler and the behaviours that emerge from it, (2) employee responses to a perceived lack of organisational security support, (3) challenges to employee primary tasks created by an organisation's security mechanisms and processes, together with (4) the corresponding employee behaviours emerging from those, (5) employee behaviours when deployed security is perceived as inadequate, (6) the development of trust in the organisation and its influence on employee behaviour, and (7) potential lessons for information security management emerging from all the above, in order to deliver less taxing and more effective security. The need to investigate the above points led to the emergence of an updated question set, driven by the findings of chapter 4 and repeated here for the benefit of the reader:

1. Do employees understand the need for security mechanisms in the organisation? If yes or no, why?

2. What security-related challenges do employees find when attempting to proceed with their primary tasks? How do they respond to friction between their primary task and security mechanisms and processes?

3. When organisational security provisions appear to provide inadequate risk mitigation, what do employees do?

4. How do employees respond to perceived lack of organisational security support? What are the risks from their behaviours and what can organisations learn from those?

5. How can the improved understanding from the previous questions be used to transform the systems in place to eliminate the problems discovered, avoiding the need to redesign the systems completely?

6. What trust relationships develop in an organisation and how do they influence security behaviours?

Building on the insecure behaviour driver categorisation of section 4.6, the first half of this chapter presents a grounded theory analysis of the 118 Company A interviews, investigating employee experience with the organisation's security implementation and their emerging behaviours. This analysis led to a detailed, empirically founded understanding of employee responses to friction-inducing security, through the emergence of a new security behaviour paradigm, shadow security: employees deploying their own solutions when security is perceived as not serving their primary task focus. This new paradigm characterises employee interaction with friction-inducing security elements of their work environment, using the identified behavioural narratives, and thereby provides improved understanding of employee responses to friction-inducing security. Building on this improved understanding, the second half of this chapter analyses the drivers of shadow security development, the emerging risks and consequences for organisational security management, and the lessons security managers can draw from it in order to reduce security-productivity friction. It also explains how data and methodological triangulation approaches were used to improve the validity of the findings: a large-scale survey was used to verify the existence of the identified insecure behaviours on a scale wider than the 118 interviews. In addition, a new round of interview data collection and analysis from Company B and another large-scale survey verified the existence of the identified employee practices, improving the validity and understanding of the emerging behavioural phenomena.