As discussed in section 2.8, there is a strong need for a process that improves security management’s ability to accurately identify current employee behaviours and use them to drive subsequent security management decisions. This section uses the paradigms that emerged from the research presented earlier in this thesis to: (1) revisit and enrich the existing understanding of employee security behaviours, (2) use the improved understanding to update the security behaviour model of section 4.6.4 so that it reflects the presence of shadow security in the organisation, and (3) explain how shadow security can be used to improve existing security management implementations.
7.1.1 Revisiting security behaviour drivers
Chapter 4 identified an employee propensity for secure behaviour, but also conditions that lead to policy violations. Employees followed policy-prescribed behaviours when the impact on their primary task was minimal, but bypassed security when it disrupted or slowed down their primary tasks, even when they were aware of the need to behave securely. Evidence of their awareness of the need for security was reinforced by the chapter 5 findings: employees even adapted friction-inducing policies and mechanisms so as to deliver some protection to the organisation. The findings from chapters 4 and 5 suggest that employee awareness does not always lead to compliance; it is only the first step towards achieving it. To improve employee compliance, it needs to be encouraged by the organisation’s security implementation, which can only happen if employee security behaviours are well understood and accommodated in information security management. As discussed in section 2.8.3 of the literature review, employees have up to now been considered as either behaving securely or insecurely, with insecure practices also seen as opportunistic behaviour:
Pallas (2009) claimed that employees will always go for low cost, opportunistic behaviour when no control is in place.
Weirich (2005) stated that users structure discourse about password security issues in a manner that makes it possible to justify malpractice.
Ashenden (2015) suggested that the cognitive dissonance arising when employee behaviours were inconsistent with their attitudes led them to change their attitudes to be consistent with their actions, thus rationalising their insecure behaviours.
Shadow security challenges the above suggestions. Even when employees have perfectly valid productivity reasons to bypass security mechanisms, they take additional care to mitigate the risks arising from their malpractice (e.g. encrypting the personal drives on which corporate data was backed up, because company B did not provide sufficient backed-up network storage). The presence of shadow security suggests that policy-prescribed practices are not the only way to achieve security, especially where they give rise to significant security-productivity friction. Security managers need to recognise these in-between behaviours and use them to improve both their understanding of employee behaviour and their management of it.
The identification of shadow security suggests a need to revisit Alfawaz et al.’s (2010) model of security awareness and behaviour presented in section 2.7.3. In that model, non-compliance with policies is attributed to lack of awareness, with “doing” referring to acting in accordance with the policy. But, given the development of shadow security, and insecure behaviours being used as a coping mechanism for high-friction security, the “knowing” stages of the model need to be modified in order to: (1) distinguish, within the “knowing-not doing” condition, between malicious acts and employees choosing to do something else because of friction-inducing security, and (2) distinguish, within “knowing-doing”, between compliance with well-designed security and compliance with high-friction security that is unsustainable in the long run because of its productivity overheads. Using the shadow security findings to modify the Alfawaz model led to the identification of six security behaviour levels (Table 8).
Table 8: Revised security behaviour levels (columns: Alfawaz state; Revised security behaviour; Description; Related findings). Only the following rows survive in this copy of the text:

Alfawaz state: Not knowing – not doing. Revised security behaviour: Unaware of security. Description: Lack of awareness from ineffective communication and training. Related findings: None of the employees was in this state.

Alfawaz state: Not knowing – [remainder of row not recoverable].

Alfawaz state: [not recoverable]. Revised security behaviour: Compliant but expensive. Description: Employees “do” because they have to. Related findings: Both due to enforcement and lack of an alternative perceived as secure.
The above classification can be challenging for security managers attempting to rank these levels on an “insecure to secure” scale. From a purely security point of view the ordering would be 1 to 6 (from insecure to secure). If productivity impact were calculated as part of a holistic risk management approach, levels 4 and 5 may need to be swapped: shadow security behaviours may offer adequate, cost-effective risk mitigation compared to expending employee resources on complying with friction-inducing mechanisms. In addition, long-term compliance with resource-demanding mechanisms (level 5 in the above model) is potentially unsustainable and can easily exhaust employees’ compliance budget, affecting their ability to behave securely when interacting with other policies or mechanisms.
7.1.2 Updated security behaviour model
The improved understanding of employee behaviours that emerged from the identification of shadow security, and of the factors that lead to its development, created the need to adapt the security behaviour model presented in section 4.6.4. The new model (Figure 14) incorporates the enriched understanding of employee responses to friction-inducing security, together with the effect of long-term employee reliance on shadow security behaviours on the development of organisational security culture. The emerging culture and habits cycle is where security management needs to act, in order to (1) identify current shadow security behaviours and the specific elements of the security implementation that drive them, and (2) disrupt the culture cycle by reducing the drivers of shadow security and communicating the changes to employees, so as to aid the development of new security behavioural norms and culture.
7.1.3 Incorporating shadow security in security management
Security managers need to consider the development of shadow security as an opportunity for improvement. It indicates a latent capacity for users to appreciate and play an active part in the provision of security, driven by their internalised understanding of the need for security and their focus on their primary task. Employees deploy their own security solutions when they believe a required “affordable” policy or infrastructure is missing, instead of doing nothing or passively relying on the organisation to remediate. They take self-devised actions that still aim to preserve security, both at the individual and at the collective (team) level, often managed locally by their line managers. In addition, inter-employee trust acts as a further driver of shadow security development: it provides employees with a readily available resource for resolving the productivity impact of high-friction security.
Employees’ perceived justification for security violations that preserve their relationships with colleagues leads to security management losing control of security behaviours, with employees essentially becoming “partners in crime”. Attempting to reduce or eliminate the emerging shadow security practices through increased assurance, without also reducing the friction that security introduces into organisational production tasks, creates an additional burden for employees: assurance mechanisms accentuate the impact on the primary task, which leads to further non-compliance, further shadow security and the development of an insecure culture. Shadow security should instead be used as a tool to intervene in and improve existing security implementations, inspiring more workable security that aligns with organisational productivity objectives, provides effective protection and minimises security overheads.
The development of shadow security suggests that security management needs to rethink organisational security practices, processes and mechanisms, and to better align security with employee primary tasks. Without actively soliciting feedback from employees to identify security-productivity friction points and the responses they provoke, the security of the organisation becomes whatever line managers and employees, who are assumed to be non-experts in security, consider best fits their business processes. Despite its potential risks, shadow security is then the only workable security the organisation has; its presence indicates that the organisation has an inconsistent security posture that does not align with its productivity goals. To address this problem, security managers should aim to learn from employees and line managers, take advantage of their capacity to consciously consider security in their activities, and use the emerging shadow security practices as a driver for improvements. In order to provide security managers with a research-inspired approach to identifying shadow security and improving their security implementations, the remainder of this chapter discusses how shadow security and trust can be incorporated into attempts to holistically rethink organisational security management.
Figure 14: Secure behaviour model