Information Security Inside Organizations - A Positive Model and Some Normative Arguments Based on New Institutional Economics

Pallas, Frank

doi:10.2139/ssrn.1471801

Cited by 7 publications

(10 citation statements)

References 156 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our findings resonate with consistent themes in the literature around the relations between organizations and technology: centralization, de-centralization, hierarchy, and co-operation. From the perspective of information asymmetries, transaction costs and principal-agent relationscentral themes of new institutional economics -Pallas [32] investigates the security implications of co-ordination and motivation in organizations,. Enforced Figure 4: Re-thinking circuits of power in acceptable use enforcement control introduces hierarchical organization costs while at the same time relies on (human) actors who may not always complya clear instance of a principal-agent problem [25] which we could re-specify, in Callon's [9] terms, as a failure of interessement.…”

Section: Discussionmentioning

confidence: 99%

“…it's a pretty tedious process, but you just put in the request for what you want, fill in a form, send the request away, and then it gets approved by your manager. -European staff memberIn effect, maintenance is more centralized and controlled, constraining the availability of software; and this, too, carries organizing costs[32]. Company power is maintained by disempowering staff members, in Clegg's[12] terms: Even though the policy is enforced by technological means, this does not mean that compliance is total; a participant describes a simple form of avoidance, using a home computer when software required for business uses was not readily available:…”

mentioning

confidence: 99%

See 1 more Smart Citation

Information security as organizational power: A framework for re-thinking security policies

Inglesant

Sasse

2011

2011 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST)

View full text Add to dashboard Cite

Successful enforcement of information security requires an understanding of a complex interplay of social and technological forces. We focus on organizational security policies, and on power in organizations, drawing on socio-technical literature to develop an analytical framework. We present three case studies from a large empirical study in an international company including 55 interviews with staff members at all levels; each study highlights a different aspect of our framework. We suggest ways in which our framework enables existing security policies to be rethought. We conclude by showing how our findings complement recent research in the institutional economics of information security.

show abstract

Section: Discussionmentioning

confidence: 99%

mentioning

confidence: 99%

Information security as organizational power: A framework for re-thinking security policies

Inglesant

Sasse

2011

2011 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST)

View full text Add to dashboard Cite

show abstract

“…Pallas [43] applies institutional economics to revisit information security in organizations, developing a structured explanation of how the centralised security function and decentralized groups of employees interact in an environment of increasingly localised personal computing. Pallas delineates three forms of security apparatus for achieving policy compliance in organizations (as in Table 1): architectural means (which prevent bad outcomes by strictly controlling what is possible); formal rules (such as policies, defining what is allowed or prohibited for those in the organization); and informal rules (primarily security awareness and culture, as well as security behaviours).…”

Section: Applying Economics To Organizational Securitymentioning

confidence: 99%

You’ve Left Me No Choices: Security Economics to Inform Behaviour Intervention Support in Organizations

Demjaha

Parkin

Pym

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressures, and limited resources for identifying optimal securityrelated choices. Conflict arises due to information asymmetries present in the relationship, where influencers and decision-makers both consider costs, gains, and losses in ways which are not necessarily aligned. With the need to promote 'good enough' decisions about security-related behaviours under such constraints, we hypothesize that actions to resolve this misalignment can benefit from constructs from both neoclassical economics and behavioural economics. Here we demonstrate how current approaches to security behaviour provisioning in organizations mirror rational-agent economics, even where behavioural economics is embodied in the promotion of individual security behaviours. We develop and present a framework to accommodate bounded security decision-making, within an ongoing programme of behaviours which must be provisioned for and supported. We also point to applications of the framework in negotiating sustainable security behaviours, such as policy concordance and just security cultures.

show abstract

“…Information security breaches originating from human behavior lead people being described as the "weakest link" in the security chain [16]. The main human-related threats to security can be attributed to three areas: (1) human error leading to data leakages or creating vulnerabilities that can be exploited by attackers [17], (2) social engineering, where attackers psychologically manipulate people into performing securitycompromising actions or divulging information [18] and (3) insider attacks, when employees intentionally exceed or misuse authorized levels of access to networks, systems, or data to steal confidential or proprietary information from the organization [19]. To counter these threats, organizations implement various assurance mechanisms (e.g.…”

Section: Treating Users As a Problem: The Quest To Eliminate "Hummentioning

confidence: 99%

“…Traditionally, information security seeks to mitigate security risks by implementing policies and technical mechanisms that specify employee behavior; policies also may threaten sanctions in case of non-compliance. The impact of this "comply-or-die" approach on day-to-day functioning of an organization is significant: organizations not only pay a cost for security mechanism operations, but also create constraints for honest employees seeking to perform well [1]. It slows down their production tasks, sometimes even completely blocking them, mostly due to security mechanisms and processes not being designed around employee needs and priorities [2][3][4][5].…”

Section: Introductionmentioning

confidence: 99%

Fixing Security Together: Leveraging trust relationships to improve security in organizations

Kirlappos¹,

Sasse²

2015

Proceedings 2015 Workshop on Usable Security

View full text Add to dashboard Cite

Current approaches to information security focused on deploying security mechanisms, creating policies and communicating those to employees. Little consideration was given to how policies and mechanisms affect trust relationships in an organization, and in turn security behavior. Our analysis of 208 in-depth interviews with employees in two large multinational organizations found two trust relationships: between the organization and its employees (organization-employee trust), and between employees (inter-employee trust). When security interferes with employees' ability to complete work tasks, they rely on inter-employee trust to overcome those obstacles (e.g. sharing a password with a colleague who is locked out of a system and urgently needs access). Thus, non-compliance is a collaborative action, which develops inter-employee trust further, as employees now become "partners in crime". The existence of these two relationships also presents employees with a clear dilemma: either try to comply with cumbersome security (and honor organizationemployee trust) or help their colleagues by violating security (preserving inter-employee trust). We conclude that designers of security policies and mechanisms need to support both types of trust, and discuss how to leverage trust to achieve effective security protection. This can enhance organizational cooperation to tackle security challenges, provide motivation for employees to behave securely, while also reducing the need for expensive physical and technical security mechanisms.

show abstract

Information Security Inside Organizations - A Positive Model and Some Normative Arguments Based on New Institutional Economics

Cited by 7 publications

References 156 publications

Information security as organizational power: A framework for re-thinking security policies

Information security as organizational power: A framework for re-thinking security policies

You’ve Left Me No Choices: Security Economics to Inform Behaviour Intervention Support in Organizations

Fixing Security Together: Leveraging trust relationships to improve security in organizations

Contact Info

Product

Resources

About