5.3 The Emergence of Shadow Security
5.3.1 Drivers of shadow security behaviour
The conditions leading to employee deviation from prescribed security practices can be grouped under six major categories: (1) the impact of friction-inducing security on employee productivity, (2) lack of organisational response when employees report security problems, (3) generic, overloaded and therefore ineffective security communication and training, (4) employee perception of security management as ineffective, (5) reliance on local security decision making without effective guidance, and (6) perceived problems in organisational culture that reduce employee motivation to follow organisational processes. This section discusses each in turn, explaining its effect on employees’ primary tasks and on their perceptions of security, and how these led employees to devise their own adaptations to organisational security.
5.3.1.1 Productivity impact – security-productivity friction
Contrary to the archetypal view of “lazy, ignorant and wilfully disobedient users” held by security managers (Adams and Sasse, 1999), employees appear sufficiently motivated to comply with security and demonstrate some individual capacity to do so effectively. The problems begin when security negatively affects productivity. Time overheads, disruption to primary task completion and the increased cognitive load of dealing with security mechanisms all damage employees’ ability to get on with productive work, causing disgruntlement. Employees then come up with their own solutions, based on their own understanding of what workable security should look like. Inflexible organisational provisions for file sharing, for example, left employees either waiting for central IT management to approve requested access to resources or finding less taxing information sharing mechanisms. They address this by (1) sharing information on unencrypted USB drives and deleting it once the transfer is complete, (2) sharing files by email (potentially leaving persistent copies of documents in local mail stores), or (3) using third-party document and information sharing services (e.g. Dropbox), believing that granting access carefully and only to their colleagues provides adequate protection. In each case the information leaves the organisation’s visibility: deleting a file from a USB drive does not reliably destroy it, emailed attachments persist in sender and recipient mailboxes, and a third-party service sits outside the organisation’s access control and audit. In the majority of the examples presented in the previous section, participants recognised their chosen approaches as insecure but offered some reasoning to legitimise their behaviour: either compliant behaviour created unreasonable time overheads, or compliance was regarded as simply impossible. Employees’ self-devised practices are less demanding and less disruptive, supporting what they believed to be a more proportionate and appropriate level of effort for security.
5.3.1.2 Lack of feedback response
The second driver of shadow security development comes from employees perceiving the organisation as unable to respond to their reports that security mechanisms are creating problems for their primary tasks.
Employees report to their managers or to central security both the primary task overheads created by security mechanisms and the potential security risks they identify in their working environment (e.g. problems with access revocation leading to potential unauthorised access to information). In many cases the organisational response appears inadequate, and employees conclude that the organisation demands security but does not listen to their feedback. This also lowers employees’ perception of how important security is to the organisation’s leadership, providing additional validation for their decisions to adapt security in their own way when productivity reasons justify it.
5.3.1.3 Communication and training problems
Based on the narratives presented in this chapter, the overall organisational security communication and training processes emerge as dysfunctional. There is limited awareness amongst employees of the existence of security policies and formal procedures that aim to mitigate organisational security risks.
Employees also lack accurate knowledge of role-related risks, and perceive the information included in security communication and training as not useful to them. Confusion exists over how to identify and protect sensitive information, and over how organisational mechanisms (e.g. the physical security desk) may be bypassed by attackers. As employees described them, the above problems were a result of:
1. Lack of effective security training from the organisation: employees reported that some security training was provided when they joined, with no follow-up after that. They also described the content as generic and could not recall the desired behaviours it described.
2. Dysfunctional security communication: sending large amounts of information to all employees creates a negative attitude towards security managers and towards security in general. The communicated information is then ignored, dismissed as useless and, where employees are aware of the need for security, drives the deployment of shadow security solutions.
5.3.1.4 Ineffective security management perception
The organisation’s inability to enforce its security policy and to respond to reported risks also leads to shadow security development. Non-enforcement of policy (e.g. clear desk) is perceived by some employees as a lack of organisational interest in achieving security. They then disregard official security principles and behave in ways they know they can get away with, in order to complete their primary tasks quickly. Their negative perception of security is accentuated by the inability of existing processes to accommodate conditions that deviate from normal day-to-day working practices. For example, employees who find that the systems in place do not support delegating responsibilities to colleagues while they are away find it easier simply to share their passwords, which means the colleague’s actions are attributed to the account owner and accountability for that account is lost. In addition, employees often identify problems and potential risks in the security implementation (e.g. leavers’ access not being revoked promptly) and even go the extra mile to report them. But, as they said, the organisation appears not to respond to the reported problems, which further accentuates their perception that security is not a top organisational priority.
5.3.1.5 Reliance on local decision making without effective guidance
The deployment and evolution of security behaviour within organisational sub-divisions relies mostly on managers as a conduit. Managers constantly face the challenge of communicating behaviours that minimise work-related organisational risks while also ensuring uninterrupted completion of productivity-related tasks within their teams (e.g. how to share information seamlessly). But the organisation did not provide them with adequate security support or training, so they prescribe the practices they see as the best fit (e.g. using self-procured USB drives). This invites the evolution of local, ad-hoc habits and security cultures that may diverge significantly from the organisation’s policy. The perceived absence of a consistent organisational security position encourages independent action to manage security at team level, based on the manager’s own knowledge and interpretation. The lack of effective guidance and enforcement thus leads to shadow security through managers recommending and procuring their own solutions, which they perceive as implicitly permitted by the organisation. Similarly, employee-devised strategies are seen as implicitly permitted by the team manager. As a result, shadow security practices become standard practice (e.g. P118: “not policy, my own best practice”), fostering many differing and inconsistent security behaviours within the same organisation and potentially increasing its exposure to security risks.
5.3.1.6 Organisational security culture problems
The widespread problems with security mechanisms led to an overall disregard for them. When their colleagues do not follow the recommended security practices, employees are likely to follow suit, further fostering the development of a non-compliant, ad-hoc and self-devised security culture within the organisation. Deploying self-devised security may start as a “one-off solution” (e.g. using an unencrypted drive to transfer data and deleting the data immediately afterwards), but can eventually become standard practice amongst team members. When this happens, new joiners are also likely to mimic their more experienced colleagues’ behaviours, and the emerging practices become part of the team security cultures within the organisation.