"Shadow security" as a tool for the learning organization

Kirlappos, Iacovos; Parkin, Simon; Sasse, M. Angela

doi:10.1145/2738210.2738216

Cited by 41 publications

(30 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Non-compliance is an opportunity for security managers to make security better [12]. Kirlappos et al [6] identified the following main reasons for non-compliance:…”

Section: Methodsmentioning

confidence: 99%

A technique for using employee perception of security to support usability diagnostics

Parkin

Epili

2015

2015 Workshop on Socio-Technical Aspects in Security and Trust

Self Cite

View full text Add to dashboard Cite

Problems of unusable security in organisations are widespread, yet security managers tend not to listen to employees' views on how usable or beneficial security controls are for them in their roles. Here we provide a technique to drive management of security controls using end-user perceptions of security as supporting data. Perception is structured at the point of collection using Analytic Hierarchy Process techniques, where diagnostic rules filter user responses to direct remediation activities, based on recent research in the human factors of information security. The rules can guide user engagement, and support identification of candidate controls to maintain, remove, or learn from. The methodology was incorporated into a prototype dashboard tool, and a preliminary validation conducted through a walk-through consultation with a security manager in a large organisation. It was found that user feedback and suggestions would be useful if they can be structured for review, and that categorising responses would help when revisiting security policies and identifying problem controls. Keywords-information security; analytic hierarchy process; security policies; human factors of securityI.

show abstract

“…Non-compliance is an opportunity for security managers to make security better [12]. Kirlappos et al [6] identified the following main reasons for non-compliance:…”

Section: Methodsmentioning

confidence: 99%

A technique for using employee perception of security to support usability diagnostics

Parkin

Epili

2015

2015 Workshop on Socio-Technical Aspects in Security and Trust

Self Cite

View full text Add to dashboard Cite

show abstract

“…The social practice of security 8 flourishes in the compromises and gaps between the processes that seek to shepherd the activities and outputs of security enactment. 9 It's here that we see an opportunity to improve security dialogues, risk communication, and security culture.…”

Section: Social Practice Of Securitymentioning

confidence: 99%

Security Dialogues: Building Better Relationships between Security and Business

Ashenden

Lawrence

2016

IEEE Secur. Privacy

View full text Add to dashboard Cite

A police officer sees a drunk man searching for something under a streetlight and asks what he's lost. The drunk man says that he's lost his keys. They both look under the streetlight together. After a few minutes, the officer asks the man whether he's sure he lost them here; the drunk replies "no," and that he lost them in the park. The officer asks why he's searching here, and the drunk replies, "This is where the light is. "

show abstract

“…Information security policy can prompt employees to consult with experts before any action in a suspicious situation, such as phishing, social engineering and misleading software. Information security policies and procedures should be clear and easy to understand (Kirlappos, Parkin et al, 2015). These policies should be updated frequently due to the dynamic nature of the threats (Ifinedo, 2014).…”

Section: Complaining With Organizational Policiesmentioning

confidence: 99%

Human errors in the information security realm – and how to fix them

Safa

Maple

2016

Computer Fraud & Security

View full text Add to dashboard Cite

Information security breaches and privacy violations are major concerns of many organizations. Human behaviour, either intentionally or through negligence, is a great potential of risk to information assets. It is acknowledged that technology alone cannot guarantee a secure environment for information assets; human considerations should be taken into account as well as technological and procedural aspects. This article strives to present a useful classification of users' mistakes in the domain of information security. The outputs of this study shed some light for both academics and practitioners. IntroductionIt is well-understood that an information security breach can have serious consequences for an organization. Losing reputation, competitive advantage, funds, future revenue, productivity, intellectual property and in the worst scenario bankruptcy are some results of information security breaches. For example, the defence industry has usually several suppliers; they share information among each other to increase productivity. Information security leakage in such a sector can have serious impacts on national security. For these reasons, considering all aspects that can mitigate the risk of information security breaches is necessary. A remarkable portion of these threats relates to the human mistakes. Sharing password and user name with colleague, writing login information on a sticky paper and putting on monitor or desk, using social number as password, using simple password without special characters (dictionary words), downloading software from the Internet, carrying organizational data in external hard or pen drive, leaving systems logged-in while in unattendance, opening unknown email and its attachments, changing password through the email (phishing) and so forth are simple examples of employees' mistakes. Users' negligence, ignorance, lack of awareness, mischievousness, apathy and resistance are usually the reasons for information security breaches (Sohrabi Safa, Von Solms et al., 2016).

show abstract

"Shadow security" as a tool for the learning organization

Cited by 41 publications

References 21 publications

A technique for using employee perception of security to support usability diagnostics

A technique for using employee perception of security to support usability diagnostics

Security Dialogues: Building Better Relationships between Security and Business

Human errors in the information security realm – and how to fix them

Contact Info

Product

Resources

About