
5.4 Results validation

5.4.1 Methodological triangulation - Survey

As explained in section 3.4.1, a large set of survey data with 1488 employees of Company A was available for secondary analysis. The data was not used to confirm the presence of shadow security, as data collection was already completed before commencing this research; instead, it was used to demonstrate that the behaviours which lead to shadow security identification and definition were widely prevalent in the organisational environments examined.

5.4.1.1 Analysis of results

In order to provide validation for the insecure behaviours identified in the interviews, the analysis of the survey results focused on: (1) verification of employee propensity to act in a secure way and (2) identification of the existence and prevalence in Company A of friction-related insecure behaviours on a wider scale than the 118 interviewed employees.

5.4.1.1.1 Attitude

Five security attitude-related scenarios were analysed to verify the validity of the suggestions presented in section 5.2, namely that employees are aware of the need for security, motivated to protect the organisation, willing to report potential security risks, able to identify insecure practices, and willing to challenge those practices. This section presents the attitude scenarios included in the survey, together with the number of employees that responded to each one and the number that chose each of the available actions.

1. Unsupervised people without a visible visitor's badge wait near the barrier door and occasionally ‘tailgate’ to get into the main building (answered by 359 employees).

a. 123 (34%): Notify security that you have observed visitors tailgating past the barrier.

b. 206 (57%): Confront the people tailgating, ask them to show you some ID (if they are not known) and supervise them back to reception.

c. 16 (5%): Assume the people have access and have been checked by the reception staff and continue with your work so as not to disrupt their work or yours.

d. 14 (4%): Confront the people and then report their names to either your manager or security.

2. Identification of access to information, and sharing of it with others, by people who have not gone through the vetting process required to handle sensitive data (796 employees).

a. 581 (73%): Report observations to manager, and urge them to take action.

b. 107 (13%): Send violators an informal email, reminding that sharing sensitive documents with non-cleared employees is not allowed.

c. 107 (13%): Initiate an audit of other department to attempt to track the use and distribution of the sensitive documents.

d. 1 (1%): Do nothing - If something goes wrong, the Senior Manager in charge of the department that is sharing the information will be held responsible.

3. A colleague often prints out confidential documents to work on whilst travelling on the train to/from home, and does not always use the confidential recycle bin but the normal one, reasoning that the paper will be destroyed when it is recycled anyway (133).

a. 0: Working practices are acceptable; recycling the paper is good for the environment and destroys any sensitive information at the same time.

b. 95 (71%): Should ensure any paper copies are disposed of specifically in a confidential recycle bin to ensure secure shredding once finished with them – hard copies are a major source of information leaks.

c. 0: Is right to work in the way that suits him best – without access to the company systems even if someone did get hold of a few bits of information they couldn’t damage the company anyway.

d. 38 (28%): Employee is totally reckless with customer’s information – should stop printing out work unless it is absolutely necessary.

4. A blue van has been noticed parked outside the entrance gates several times over the last couple of weeks. Inside are two individuals who appear to take pictures of the building and of people around the building. As soon as the individuals are noticed, the van pulls away in a hurry. (347)

a. 1 (1%): Ignore it. The van was there several times and nothing has happened at the site so it probably isn’t a threat.

b. 53 (15%): Report the incident to line manager; it is better to report such incidents even if no obvious breach is noticed.

c. 292 (84%): Report suspicions directly to security so they can take the appropriate action.

d. 1 (1%): Do nothing now but keep an eye out for the van in the future to confirm his suspicions. Report if it shows up again.

5. An employee notices that several confidential documents/records are missing and there is no audit trail of who used them last. A colleague behaves strangely and objects to being challenged (877).

a. 8 (1%): Do nothing, colleague has always been eccentric

b. 581 (66%): Discuss colleague’s behaviour with the department manager – it isn’t acceptable for an individual in the department to have their own methods.

c. 8 (1%): Accommodate their work practices by adjusting their own.

d. 280 (32%): Call the Business Conduct helpline and make a report about colleague’s behaviour – it is suspicious that there appears to be no proper audit of his work.

The above results confirm the identified employee awareness of the need to protect the organisation: the majority of employees chose actions that indicate an understanding of the risks related to potentially insecure behaviours. They were also willing to take action when they observed such behaviours, either directly or, most of the time, by reporting potential concerns to appropriate authorities.

5.4.1.1.2 Behaviour

After confirming the existence of employee awareness of the need for security, five behaviour scenarios were analysed to identify the courses of action employees chose when security requirements created primary task overheads.

6. Problematic SharePoint setup scenario (slow approval, need for urgent access - 877).

a. 74 (8%): Request that those with access share their (main log-in) account details and passwords with others to allow them access to the information.

b. 261 (30%): Burn a copy of the files onto a CD/DVD and distribute to the work group.

c. 412 (47%): Email the document archive directly to the general work group mailing list using your company email address.

d. 130 (15%): Move the files to an unrestricted folder on the internal network to allow the work group to have continued access to it.

7. Problems in delegating access-granting responsibilities when going away. In addition, guidelines for granting access are not always clear and require some degree of discretion (865)

a. 154 (18%): Leave password with secretary who, although temporary, is a trusted employee, with instructions to use account to resolve "emergency situations".

b. 454 (53%): Leave password with a trusted member of the department and ask them to handle "all decision making" while they are away.

c. 64 (7%): Grant blanket access rights to the whole department for the duration of absence.

d. 193 (22%): Give out login details of a range of access permissions (used by temporary workers) with instructions that they be used where existing permissions do not allow access.

8. The employee's encrypted USB stick is unavailable, a client presentation includes embedded media too large to email, and there are problems accessing the internal network from outside (133).

a. 49 (37%): Take the required data on an unencrypted USB stick they have available.

b. 61 (46%): Borrow an encrypted stick from a colleague and make a note of their password. The colleague is asked not to share / erase the confidential data already on the stick.

c. 13 (10%): Use the available unencrypted stick to put a copy of the data on a colleague's laptop and ask them to take it to the client's site.

d. 10 (7%): Upload the files to a public online storage service and recover them at the client's site.

9. The employee occasionally works from home in the evening and gets there by train. They leave the laptop at work, having recently had one stolen. They back up all work files on a personal computer so they can be accessed without connecting to the company system, as the home network connection is not always reliable. They know this is against policy, but live in a safe neighbourhood. To transfer files to the home computer, a variety of methods are used (278).

a. 60 (22%): Use own USB sticks to carry current work on the train.

b. 15 (5%): Email files to your personal email account and download them at home.

c. 11 (4%): Use an online storage service such as DropBox, deleting the files once you have made a local copy.

d. 192 (69%): Log in to the company VPN and make local copies via that connection.

10. A contractor asks for some commercially sensitive information that is not publicly available through the company’s web site, without following the request procedure that third parties need to go through.

The contractor becomes persistent, reminds the employee that they used to be colleagues, and mentions the names of several senior people in both companies who would be extremely unhappy if she does not get this information that day. She also says she is still in contact with the line manager and will explain everything to him later, so it should be fine to provide this information today. (359)

a. 28 (8%): Accede to the request for information to ensure that senior personnel are satisfied and the contractor’s productivity isn't hampered.

b. 18 (5%): Send the information requested but immediately inform line manager of what information has been provided.

c. 29 (8%): Ask specifically which pieces of information the contractor needs and send through a redacted or edited version of the documents.

d. 284 (79%): Send the information through but password-protect the file, and wait until they have spoken to the line manager before releasing the password.

5.4.1.2 Survey discussion

The attitude scenarios provided additional evidence of employee goodwill and understanding of the need to take action and contribute to delivering organisational security. The majority of employees were willing to act when they identified potential security risks, challenge insecure behaviours of their colleagues, report violations to central security, securely dispose of confidential information, and discuss security concerns with their line managers. Despite this identified willingness to act securely, the behaviour scenarios demonstrated that when security created problems in proceeding with their primary task activities, a large proportion of employees chose insecure options (e.g. sharing credentials, using unencrypted drives, emailing sensitive documents). These findings strengthen the results of the interview analysis, suggesting that employees consider non-compliant behaviours acceptable when they encounter friction-inducing security.