In the article Security Zone: understanding why staff break the rules,
Andrew Kays describes some research undertaken by Nexor with cyberpsychology researchers at Nottingham Trent University to look at the underlying causes of sensitive data loss. The research looked specifically at the factors that influence human behaviour and people’s attitudes towards security, in particular their responses to rules defined in published security policies.
Quoting from the article:
If a security policy mandates a specific behaviour, why do people choose to take a different course of action? The research texts refer to this as “pro-social rule breaking”, which is defined as an intentional violation of an explicit organisational policy with the intention to perform a job more efficiently, help a colleague, or provide good customer service.
The research has shown that despite people knowing the rules, if these are considered counterproductive and adversely affect the person’s ability to do their job, people tend to “bend” them to improve their personal efficiency and effectiveness. Details of a policy’s restrictions and instructions are usually well understood by senior users, but complacency can set in when they have been working in the same area for a long time and know they will “get away with it”.
This has certainly been my experience where security has been a barrier – something that makes it more difficult to do a specific task. Employers typically build an environment that motivates employees to do a good job, using techniques such as commission, bonuses, praise and peer pressure; on the flip side, employees want to be seen by their boss and peers as doing a good job.
So it's hardly surprising that when security becomes a barrier, employees may look for ways of bypassing it to get the job done.
Partly, this will be overcome by better education about the problems that good information assurance is there to prevent. But do we also need to consider security incentives? What could such an incentive look like? Is peer pressure / corporate culture sufficient on its own?
Culture is an interesting factor here too, particularly the reference to senior / long-term staff. The report observes:
…it is the longer term employees that need to have repeat training and not the newer recruit who will tend to follow the culture and examples set by the longer term people who present “well the policy says this, but we always ignore it”.
How true is that! Remember the Bob Quick secret document casually displayed in Downing Street?
This confirms the view that you can’t just run a security training course and tick the “done” box. It has to be a continual programme of reinforcement; but more than this, the report concludes:
The human factor will always be an issue in security and will always be an organisation’s most vulnerable point. Effective and regular education has a part to play, but the research shows it has to be personally targeted and put in a context meaningful to the individual.
Are your security training programmes targeted at specific user groups, to match the vulnerability / risk profile they bring to your organisation?