Every day your employees face issues that threaten the security of your organisation’s information. Whether they are confronted with a new face in the office, have to remember multiple passwords or need to transfer sensitive data, your information security depends on how they decide what to do in these scenarios.
In The Psychology of Information Security, Leron Zinatullin delves into the reasons behind how employees make security decisions and why the choices they make are often non-compliant.
- There is no clear reason to comply
Zinatullin found that “employees usually don’t have an accurate concept of what information security is and what it aims to protect […] Even in those rare cases where employees are aware of a security policy and interpret it correctly, the motivation to comply is still lacking.”
Typical examples of non-compliant behaviour are:
- Relying on deleting data after a file transfer – this does not protect the data while it is in transit; only encrypting the transfer itself does.
- Using personal USB sticks on an organisation’s systems, providing an easy entry point for malware.
- The cost of compliance is too high
The majority of employees within an organisation are hired to execute specific jobs, such as marketing, managing projects, and manufacturing goods. Therefore, an employee’s main priority is often to ensure efficient completion of their core business activity, and information security will usually only be a secondary activity. Zinatullin finds that, when security mechanisms cause additional workload, employees will favour non-compliant behaviour in order to complete their primary tasks quickly.
- The means of compliance are obstructive
Sometimes, employees are unable to comply even when they are willing, because the organisation’s security mechanisms do not match their basic requirements. Examples include issuing encrypted USB drives with too little storage space, which pushes employees to share files via email or unencrypted drives instead, and requiring a separate password for each of many systems, which users typically work around by writing their passwords down.
Resolve conflicts between security compliance and human behaviour
Based on insights gained from academic research, as well as interviews with UK-based security professionals from various sectors, this book explains the importance of careful risk management and how to align a security programme with wider business objectives, and provides methods and techniques to engage stakeholders and encourage buy-in.
Not only will this be an interesting read, it will also help you further understand how to create a robust security culture that really is understood by your staff and the business.
Parts of this blog post were excerpts from The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour.