
Chapter 7 Information Security Service Branding – a question of image

7.3 The negative image of information security in the organization

Information and information technology (IT) are believed to provide significant advantages to organizations. These advantages are posited upon diverse capabilities for acquiring, processing and sharing information. Some of the buzzwords for IT are flexibility, collaboration, information sharing, just-in-time, sense-and-respond, etc. Against IT and its advantages, information security, with its policies, controls and restrictions, comes in as a poor second. With developments in IT, the situation has only worsened over the years. Nearly two decades ago, Baskerville (1993) stated that restrictions imposed by information security are detrimental to the spontaneity provided by IT. More recently, Chipperfield and Furnell (2010) echo the same sentiment when they state that information security is not something that end-users want on their own; according to the authors, end-users continue to find information security policies and controls time consuming, inconvenient and generally an obstacle to getting their work done. In this context, end-users, more often than not, develop a negative image of information security (Chipperfield & Furnell, 2010). This leads to a resistance towards information security and an inclination to readily switch to insecure behaviours (Adams & Sasse, 1999; Albrechtsen, 2007; Besnard & Arief, 2004; Chipperfield & Furnell, 2010; Dourish et al., 2004; Whitten & Tygar, 1999).

[Figure: Branding creates a positive image of information security in the minds of end-users, leading to: greater end-user loyalty and compliance to information security policies and controls; increased effectiveness of awareness, training and education campaigns; reduced vulnerability of end-users to opportunistic behaviour and non-compliance; and greater tolerance of lack of usability and imperfections of information security policies and controls.]

Albrechtsen (2006) states that end-users’ perception of information security is shaped by organizational, technological and individual factors. These factors include the trade-offs made during day-to-day work; the existence of social norms and the interactions between individuals; the quality of information security management; the technological solutions implemented; and individual factors such as knowledge, attitudes, values, risk perceptions, etc. The remainder of this section discusses the negative image of information security in the organization along the axes of: security as an obstacle or hindrance to work; the delegation of security responsibility or ‘security is not my responsibility’; and negative views on information security management (or managers).

7.3.1 Security as an obstacle or hindrance to work

The first and foremost problem that information security creates for the end-users is that it gets in their way when completing their day-to-day activities. Post and Kagan (2006) state that restricting access to information and IT systems can lead to interference in the completion of end-user activities. The authors label the restrictions as ‘security hindrances’ that represent the problems faced by the end-users since such security procedures and controls interfere with their work. In such situations, security is often sacrificed in the pursuit of work (Desouza & Vanapalli, 2005).

The primary task for most end-users is to complete their day-to-day business activities; security is only a secondary activity. According to Whitten and Tygar (1999), this leads to the ‘unmotivated user property’ of security in which the end-users optimistically, and often mistakenly, assume that security is working; further, if complying with security is too difficult or annoying, then end-users simply give up trying to comply. Often, the end-users develop their own ways and means for compliance which may have the side-effect of weakening the control, e.g. writing down passwords (Adams & Sasse, 1999).

Sometimes, information security policies and controls may be inappropriate for the way in which certain activities or tasks are conducted in the organization, or in certain end-user groups. Adams and Sasse (1999) stated that while individual password ownership is a best practice, it is incompatible with group work in organizations.

It is also possible that restrictions imposed by information security may be unacceptable to end-users and these may lead to a creation of a feeling of animosity towards information security. The monitoring of access or restrictions on Internet access may be unacceptable to end-users and they may feel that these are unfair and overly restrictive. Monitoring may cause the end-users to feel threatened and lead to a loss of trust (Adams & Sasse, 1999).

Frequently, the risk perceptions of end-users may not be aligned with the risk perceptions of the organization. In this situation, end-users may feel that controls and restrictions are unnecessary. While sharing passwords or confidential information with colleagues, end-users may not appreciate the risks that could well arise from these acts; and therefore, they will tend to ignore the controls and restrictions on these practices.

7.3.2 Delegation of security responsibility or ‘security is not my responsibility’

According to Dourish et al. (2004), end-users, in the course of their day-to-day activities, may abdicate their security responsibilities and delegate them to other entities such as technology or the organization. After the abdication and delegation of security responsibility, end-users continue with their day-to-day work without caring about information security and without making any additional effort required to enforce information security.

7.3.3 Negative views on information security management (or managers)

Albrechtsen and Hovden (2009) state that there is a “digital divide” between end-users and information security managers in the organization. End-users perceive information security managers as invisible and unapproachable and this has made it difficult to report problems or to ask questions. Furthermore, the security documentation is usually overly technical in nature; the content is poorly presented; and the tone of the documentation is admonitory and puts end-users off. Because of these difficulties, end-users often give up on reading the security documentation and continue with low levels of awareness.

This section has highlighted the negative perception of information security in the eyes of end-users in the organization. End-users form a variety of such images. These images are shaped by how end-users experience information security and its management in the organization. The images refer to information security as an obstacle, as a low priority activity, as unnecessary, as intrusive, as unapproachable, etc. Because of this, end-users continue to remain indifferent to information security in the organization. The focus of this chapter is on ISS Branding as a tool to counter this negativity. But before ISS Branding can address this problem, it is important to identify and discuss what a positive image for information security should be. This is the subject of the next section.
