Shadow security creates a unique opportunity to consolidate security management goals with actual employee behaviours. Instead of attempting to enforce compliance, security managers can leverage the existence of shadow security in an organisation, using it as a resource to call upon in order to adapt to turbulent times. Measuring, learning from and managing it gives organisations the ability to improve their control-oriented security approaches, using current employee security behaviours as an input to their security strategy. On the surface, control-oriented security may provide a sense of stability that negates the need to place faith in members of the organisation to do the right thing of their own volition. But where it appears to fail is in changing and adapting to what individuals experience as time goes on (as already demonstrated in public transport systems, for instance Molotch, 2013). To implement an adaptable and flexible security management strategy, security managers must be able to recognise when and where shadow security is created, what causes it, and how to adapt security provisions to better align them with employee productivity needs. Learning from, and not ignoring, employees can enhance security, aligning it with organisational goals and increasing its effectiveness. If users are not heard, they can become disenfranchised and, should they have a legitimate concern about security, they will not remain passive in the face of ill-fitting solutions. Instead, they will engineer their own shadow security practices, not to evade provisioned security, but as an attempt to balance security and productivity in the face of a perceived lack of organisational support. The emerging user reaction to an organisation’s security implementation needs to be heard; otherwise it weakens the organisation’s security posture.
Once identified, the existence of shadow security should not be treated as a problem, but as an opportunity to identify shortfalls in current security implementations that can be leveraged to provide more effective security solutions for organisations. As discussed earlier in this chapter, security managers can learn from shadow security in a number of ways: they can identify areas of security that require improvement, measure the effectiveness of security mechanisms after deployment, engage with users in the design of security solutions, and leverage the position of team managers as both mediators for security and conduits for feedback on how well security solutions support productive tasks.
Security management should also understand that shifting more responsibility for security towards employees is ineffective. No matter how good employee intentions are, modern security challenges are becoming more and more complicated, so expecting employees to maintain a sufficient and accurate understanding of the variety of threats they may face is unrealistic. Asking employees to take action to mitigate a large number of risks significantly increases the security-related cognitive load on them. Combined with security management’s failure to deliver security hygiene, the resulting incompatibility of security with employees’ primary tasks leads to significant friction between security and productivity. To effectively encourage employee participation in risk mitigation, security management should aim to listen to employees, understand the challenges they face and adapt security management to them, choosing solutions that are also compatible with role-related risks. This allows the resulting policies and mechanisms to be context-specific, eliminating the problems with blanket security rules discussed in section 7.3 and improving alignment between security and primary tasks. Attempts at improved alignment through learning may require increased resources in their early stages, but they should be seen as an investment: the more resources security management invests in aligning security implementations with employee priorities, the smaller the impact of security on employees’ primary tasks, and thus the fewer employee resources that will be expended on security. In addition, the resulting practices should deliver improved risk mitigation.
Effective security also needs to aim for a productive balance between trust and assurance. The findings of this work suggest that employees possess both the ability and the motivation to behave securely, honouring the trust shown towards them by the organisation (organisation-employee trust), aided also by contextual motives to do so. But when security creates conflict with other parts of their work and with their relationships with colleagues, non-compliance becomes their only option for preserving the existing trust relationships in the social environment of the organisation (inter-employee trust). To reduce this conflict, security management needs to take advantage of trust and aid its development, refraining from over-assurance once trust has developed. Employees who have been screened and trained, and who understand the risks of insecure behaviour, should not need to choose between organisation-employee trust and inter-employee trust when interacting with security mechanisms: both trust relationships contribute to the organisation achieving its productivity targets while remaining secure. Security design that accommodates this can lead to the creation of a high-trust/low-assurance environment, which can bring significant economic benefits for organisations: compliance coming from employees motivated to behave securely, rather than forced to do so, reduces the need for expensive assurance mechanisms. As a result, as long as everyone sticks to the rules, individuals and organisations can benefit from the cost savings of a trusted environment. But when the rewards from not playing by the rules are significantly higher than the consequences of breaking them, assurance mechanisms need to exist to change the risk-reward structure, dis-incentivising untrustworthy behaviour.
The shadow-security-driven metrics presented in this chapter make it possible to design and deploy more effective and efficient information security management. All the suggested measurements can be generated without imposing significant resource overheads: much of the information needed to identify the existence of shadow security behaviours is already available in various forms across organisational systems (or is relatively easy to generate and collect). A combination of the above metrics (together with additional ones organisations can implement based on their own security challenges) can provide a suite of indicators not just for the performance of technical systems, but also for the performance of the processes that support employee behaviours. Security managers should use the metrics and security management processes presented in this chapter to build context-specific security mechanisms that effectively address security risks, according to their organisation’s risk appetite. These metrics and processes should be used as the basis for an organisation-wide, continuous learning and improvement process for security management, allowing effective and efficient deployment of new security mechanisms and improvement of existing ones. That said, they should not be seen as an off-the-shelf solution for managing employee security behaviour, but as useful starting points, based on the improved understanding of security behaviours that emerged from the case studies presented in this thesis. Each organisation should consider which of the metrics and processes are compatible with its security priorities, and then tailor its security management approach to match them. The resulting improvements in security-productivity alignment can reduce the overhead of security on employees’ primary tasks, increase levels of employee security compliance, and lead to more effective and efficient security implementations.