The main aim of this chapter was to investigate and answer research question number 6: What trust relationships develop in an organisation and how do they influence security behaviours? The findings also improved the ability to answer question 1 as well: Do employees understand the need for security mechanisms in the organisation? If yes or no, why?
1. Do employees understand the need for security mechanisms in the organisation? If yes or no, why? Employees understand both the need for security and organisational reliance on them to participate in security risk mitigation. They also understand the need for assurance mechanisms required to protect the organisation, but they also believe that they cannot be implemented to exhaustively cover all security risks an organisation faces. As a result, a large proportion of security management relies on trusting employees to exhibit behaviours that protect the organisation, despite this not being formalised in organisational security strategies.
6. What trust relationships develop in an organisation and how do they influence security behaviours? Employee trust relationships with their colleagues and managers develop though interactions both inside and outside the security domain. Inter-employee trust then acts as a readily available resource to deal with friction-inducing security. It also prevails over organisation-employee trust, when security policies demand from employees not to trust their colleagues. This leads to non-compliance with official security and shadow security development.
The findings of this chapter suggest that both organisational productivity and security can benefit from a shift in security management: rather than restricting and controlling employee actions, security should aim to understand organisational trust relationships and incentivise trustworthy behaviour. It also needs to accommodate for the fact that, for their employees, security is of lower priority to both productivity (primary task completion) and the need to develop and preserve a collaborative social environment (inter-employee trust). Further analysis and discussion of how the to combine the improved understanding emerging from this chapter with the shadow security findings of chapter 5 to deliver effective security protection is presented in the next chapter (chapter 7).
Using shadow security to improve security management
The findings of the analyses presented in chapters 4, 5 and 6 identified three previously unknown employee behavioural phenomena, together with their impact on organisational security management:
1. Employee propensity to behave securely. Employees understand the value of security to the organisation, which motivates them to participate in organisational efforts to deliver it. But, despite this understanding and motivation, three categories of behaviours that increase organisational risk exposure were identified: (1) when organisational security communication is inconsistent with employee priorities, they fail to recognise some risks, and behave insecurely.
(2) When friction-inducing security creates overheads for their primary tasks, employees passively bypass those, ignore policies and avoid organisational security mechanisms. They then (3) use other resources available to them, actively taking initiative to protect the organisation, by adapting existing mechanisms and policies, or by devising their own “secure practices”.
2. The shadow security. When the organisation’s existing security implementation creates friction between security and productive activities, employee productivity focus and their awareness about the need for security leads to them adapting official security or procuring self-devised security practices, both at an individual and a collective level. The emerging practices reduce security-productivity friction to acceptable levels for employees, while also serving their understanding of the need for security and contribution in organisational protection. But shadow security also leads to security management losing control of security culture and habits development, exposing the organisation to risks employees cannot understand or mitigate. This eventually leads to security practices around the organisation being widely varying and out of security management control.
3. Trust relationships and their impact on security. Two security-related trust relationships develop in the organisational environment, influencing security management decisions and employee behaviours: (1) organisation-employee trust, allowing for flexibility in security implementation and reduced control over employee actions, with its visible presence also acting as a motivator for secure behaviour for employees, and (2) inter-employee trust, developed through activities both inside and outside security, acting as a readily available resource for employees to cope with friction-inducing security, also serving their need to preserve or improve their relationships with their colleagues.
In-depth examination of the above phenomena led to the identification and characterisation of a number of different employee behaviour narratives, providing valuable insights to organisational information security management:
1. Employees understand and accept the need for security, together with their responsibility and contribution in achieving it. They also understand organisational reliance on their behaviour and the trust shown towards them by security management, realised through reduced controls
(organisation-employee trust). They are also willing to invest some of their time and effort to keep the organisation secure.
2. Friction-inducing elements of the security implementation cause disgruntlement: employees refuse to accept the resulting primary task overheads, which can often cripple their productive capabilities. Subsequent security management attempts to enforce desired behaviours isolate employees from security managers, creating disgruntlement and a negative attitude towards security in general (perceived to be badly designed, implemented and managed, also creating overheads in their productive activities)
3. Rather than remaining passive, either ignoring official security or working their way around it to avoid related overheads, employees, peer groups, and managers who have their own understanding of security, individually or collectively adapt unsatisfactory security measures to what they consider manageable (in terms of the corresponding primary task overhead) or introduce their own novel solutions. These solutions are perceived by employees as serving the purpose of maintaining security, but at the same time reducing friction and corresponding primary task overheads to levels acceptable to them.
4. The emerging employee-devised shadow security practices often do not manage the organisation’s risks adequately: isolated from security management and without guidance on the actual organisational security risks, the alternative solutions are deployed based on employees’
own risk perceptions and understanding of what the security experience should be like.
5. The existence of trust amongst employees (inter-employee trust) also affects their security behaviours: the need to preserve or improve their relationships with their colleagues, together with their belief in the ability and motivation of those to behave securely, leads to the perception that trust-driven security policy violations are a low risk option to reduce security overheads and proceed with primary task related activities. As a result, inter-employee trust prevails over policy-prescribed behaviours when the two come into conflict: it becomes a readily available resource to cope with the overheads of friction-inducing security, further encouraging security violations and contributing to shadow security development.
6. The development of shadow security, together with organisational inability (or perceived inability) to enforce policy-prescribed behaviours (or identify employee deviations from prescribed practices), leads to security behaviours and culture evolution spinning out of central security management control: employee-devised practices can often be inconsistent with organisational risk appetite, with trust-driven violations becoming the only way to preserve good relationships amongst colleagues. When shadow security practices become part of organisational security culture, or varying micro-cultures developed within organisational divisions and sub-divisions, security behaviours become invisible to official security management, failing to deliver the required protection for the organisation.
This chapter uses the lessons learned from chapters 4, 5 and 6 to provide guidelines that help organisations manage employee security behaviour, but also leverage it to align security management with organisational productivity targets. The suggestions for improvements presented in this chapter focus on five distinct, but also interdependent, areas: (1) The need for security management to move away from its current binary understanding of user behaviour (compliant vs non-compliant), also (2)
understanding that friction-inducing “unusable” elements of security implementations need to be removed before attempting to influence employee behaviours, (3) the need to leverage shadow security as a learning tool to engage employees and line managers in security management and design, also (4) building on the presence of trust in the organisation, using it as an additional defence layer, and (5) deploying measurements using readily available or easy to collect data to identify areas for improvement, and use those to deploy improvements and assess their effectiveness and overall impact on employee behaviours. All the findings discussed and suggestions made in this chapter are related closely to the experiences of individuals within both Companies A and B, focusing specifically on examples where friction-inducing security and the emerging primary task impact led to the development of shadow security activities or trust-driven security violations.