Why do Staff Break Security Rules?

A recent report by Northumbria University for the Government Office for Science, strongly echoes research we at Nexor conducted in 2009 with Prof. Monica Whitty of the University of Leicester.

Our research showed that even though staff may understand the need for security, if it gets in the way of their job, they will look for ways to circumvent it.

(Reproduced from http://www.computerweekly.com/opinion/Security-Zone-understanding-why-staff-break-the-rules, 2009)

Nexor, working with cyberpsychology researchers at Nottingham Trent University, has been looking at the factors that influence human behaviour and people’s attitudes towards security, in particular their responses to rules defined in published security policies.

If a security policy mandates a specific behaviour, why do people choose to take a different course of action? The research texts refer to this as “pro-social rule breaking”, which is defined as an intentional violation of an explicit organisational policy with the intention to perform a job more efficiently, help a colleague, or provide good customer service.

The research has shown that despite people knowing the rules, if these are considered counterproductive and adversely affect the person’s ability to do their job, people tend to “bend” them to improve their personal efficiency and effectiveness. Details of a policy’s restrictions and instructions are usually well understood by senior users, but complacency can set in when they have been working in the same area for a long time and know they will “get away with it”.

The interesting inference here is that it is the longer-term employees who need repeat training, not the newer recruits, who tend to follow the culture and example set by the longer-term staff who say “well, the policy says this, but we always ignore it”. This appears to be exactly what has happened in many recent government data loss examples, and it has to be countered with regular and relevant user training.

The research also looked at how people react to monitoring and enforcement systems that validate the policy. It suggested that people’s behaviour is shaped by the monitoring environment. Explaining the general ramifications of people’s non-compliant actions or the rationale for monitoring conformance is not considered sufficient. Instead, it has to be explained in the specific context of the person’s role, otherwise people will feel it does not apply to them and circumvent it.

This suggests that monitoring may make the situation worse, not better.

The human factor will always be an issue in security and will always be an organisation’s most vulnerable point. Effective and regular education has a part to play, but the research shows it has to be personally targeted and put in a context meaningful to the individual. The role of technology then needs to be considered carefully to help and support this weak link.

The insight gained through this work can now influence future technology research and development. This will lead to solutions that complement progress in improved behaviours and reduce the effects of policy non-compliance as well as the non-compliance itself.

The question that organisations and industry have to face is how we move past this, given that little progress has been made in the 5 years between our research and that of Northumbria University.

One of the hopes on the horizon is the CESG Secure by Default initiative, which Nexor wholeheartedly supports.