Learning from “Shadow Security:” Why Understanding Non-Compliant Behaviors Provides the Basis for Effective Security

Kirlappos, Iacovos; Parkin, Simon; Sasse, M. Angela

doi:10.14722/usec.2014.23007

Cited by 75 publications

(94 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In another systematic study of password use in the real world 5 , Sasse and her colleagues documented the ways in which workers at a large multinational organization side-stepped the official security requirements without (they hoped) being totally reckless. The employees' methods -writing down a list of passwords, for example, or transferring files between computers using unencrypted flash drives -would be familiar in most offices, but essentially created a system of 'shadow security' that kept the work flowing.…”

Section: Know Your Audiencementioning

confidence: 99%

How to hack the hackers: The human side of cybercrime

Waldrop

2016

Nature

View full text Add to dashboard Cite

Section: Know Your Audiencementioning

confidence: 99%

How to hack the hackers: The human side of cybercrime

Waldrop

2016

Nature

View full text Add to dashboard Cite

“…An implicit assumption of this work has been that -if people are able to use a security mechanism correctly, they would be motivated to do so [4][5][6][7][8][9]. But work by usability researchers who listen closely to users [10], [11] and economics-inspired researchers looking at cost and benefits of security mechanisms [12], [13] suggests that the assumption that 'users want security, provided it's not too difficult to use' may be wide off the mark [11], [12], [14]. Users look for efficiencies in their daily lives, and that means 'the less I have to think about security, the better'.…”

Section: Current State Of Security Implementations In Organizationsmentioning

confidence: 99%

“…The traditional "command-and-control" approach to information security management treats employees as untrustworthy components, whose behavior has to be constrained [4]. But recent research has revealed that even employees who do not comply with some security policies are motivated and act responsible when they recognize a security risk, and the cost to them is reasonable [10], [11], [15].…”

Section: Current State Of Security Implementations In Organizationsmentioning

confidence: 99%

“…This approach assumes users do not possess intrinsic motives to behave securely. But most employees in most organizations are trustworthy, and suggesting and they are not is counterproductive [11], [15], [23]: (i) it increases security enforcement costs, (ii) makes employees feeling untrusted, (iii) encourages creation of non-compliant environments, and (iv) negatively impacts security experts' ability to detect violations.…”

Section: Treating Users As Untrustworthy Componentsmentioning

confidence: 99%

See 1 more Smart Citation

What Usable Security Really Means: Trusting and Engaging Users

Kirlappos

Sasse

2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Non-compliance with security mechanisms and processes poses a significant risk to organizational security. Current approaches focus on designing systems that restrict user actions to make them 'secure', or providing user interfaces to make security tools 'easy to use'. We argue that an important but often-neglected aspect of compliance is trusting employees to 'do what's right' for security. Previous studies suggest that most employees are intrinsically motivated to behave securely, and that contextual elements of their relationship with the organization provide further motivation to stay secure. Drawing on research on trust, usable security, and economics of information security, we outline how the organization-employee trust relationship can be leveraged by security designers.Keywords: trust, usable security, information security management. Current State of Security Implementations in OrganizationsFor most people, the term 'information security' evokes technical mechanisms -such as authentication and access control -implemented to protect organizational assets [1]. Over the past two decades, awareness has been growing that many information security breaches were results of human error and social engineering; Bruce Schneier described people as the "weakest link" in the security chain [2]. Whilst some security experts have, unhelpfully, described users as stupid or careless [3], others have tried to increase compliance by providing 'more usable' security in some form. An implicit assumption of this work has been that -if people are able to use a security mechanism correctly, they would be motivated to do so [4][5][6][7][8][9] . Users look for efficiencies in their daily lives, and that means 'the less I have to think about security, the better'. And given that is the case, trust becomes important. The traditional "command-and-control" approach to information security management treats employees as untrustworthy components, whose behavior has to be constrained [4]. But recent research has revealed that even employees who do not comply with some security policies are motivated and act responsible when they recognize a security risk, and the cost to them is reasonable [10], [11],[15].Thus, designers of security mechanisms should consider how trust between an organization and its employees affects security behaviors. The role of trust in technology design has been examined by research aiming to create technology platforms that enable the development of trust relationships in online commerce and gaming [16][17][18][19][20][21]. In this paper we take a different path, building on the trust model by Riegelsberger et al. [16] to explain the benefits of treating employees as trusted entities in organizational security implementations. We (1) use the model explain the creation of a trust relationship between employees and organization, (2) analyze how that affects employee compliance decisions with security policies and mechanisms, and (3) present how the organization-employee trust relationship can be leverag...

show abstract

“…Assertions about the effectiveness of password reset policies are then weakened if end-users feel pressured to respond to the burden in unanticipated ways. It may not be possible for those responsible for maintaining security to observe these unanticipated responses (or otherwise seem obvious for them to monitor behaviours if they have no evidence that policy is not being enacted) [3].…”

Section: Introductionmentioning

confidence: 99%

Assessing the User Experience of Password Reset Policies in a University

Parkin

Driss

Krol

et al. 2016

Technology and Practice of Passwords

Self Cite

View full text Add to dashboard Cite

Organisations often provide helpdesk services to users, to resolve any problems that they may have in managing passwords for their provisioned accounts. Helpdesk logs record password change events and support requests, but overlook the impact of compliance upon end-user productivity. System managers are not incentivised to investigate these impacts, so productivity costs remain with the end-user. We investigate how helpdesk log data can be analysed and augmented to expose the user's personal costs. Here we describe exploratory analysis of a university's helpdesk log data, spanning 30 months and 500,000 system events for approximately 10,000 staff and 20,000-plus students. The scale of end-user costs was identified in log data, where follow-on exploratory interviews and NASA-RTLX assessments with 20 students exposed issues which log data did not adequately represent. The majority of users reset passwords before expiration. Log analysis indicated that the online self-service system was vastly preferred to the helpdesk, but that there was a 4:1 ratio of failed to successful attempts to recover account access. Log data did not capture the effort in managing passwords, where interviews exposed points of frustration. Participants saw the need for security but voiced a lack of understanding of the numerous restrictions on passwords. Frustrations led to adoption of diverse coping strategies, for example deliberately waiting to reset a password after reaching the post-expiry grace period. We propose ways to improve support, including real-time communication of reasons for failed password creation attempts, and measurement of timing for both successful and failed login attempts.

show abstract

Learning from “Shadow Security:” Why Understanding Non-Compliant Behaviors Provides the Basis for Effective Security

Cited by 75 publications

References 27 publications

How to hack the hackers: The human side of cybercrime

How to hack the hackers: The human side of cybercrime

What Usable Security Really Means: Trusting and Engaging Users

Assessing the User Experience of Password Reset Policies in a University

Contact Info

Product

Resources

About