Security management also needs to understand and allow for the effects of organisational trust relationships on security behaviours. As discussed in chapter 6, in a highly social environment like a large organisation, inter-employee trust is often more important to employees than complying with security. This should not be used as a pretext to treat employees as untrustworthy though: employees possess both the ability and motivation to exhibit trustworthy behaviour as long as their ability to complete their primary tasks is not significantly hindered by security. Using the improved understanding of trust relationships and their impact on security behaviours emerging from chapter 6, this section discusses what organisational security management can do in order to accommodate for organisational security trust relationships in security implementations.

7.4.1 Ignoring trust creates problems

Many organisational operations depend on the presence of trust (chapter 6), thus security cannot silently accept its presence but refuse to account for it. Security management should aim to formalise trust presence, understand its impact on security behaviours, and manage it to deliver more effective risk mitigation. The results of chapters 5 and 6 demonstrated that organisational insistence on using technical mechanisms and sanctions to eliminate or reduce the need to trust employees has a number of negative effects:

1. Friction between security and productivity: Attempts to restrict employee actions within pre-defined domains often lead to high security-primary task friction, encouraging shadow security development. Attempts to eliminate this through excessive assurance lead to a negative attitude towards security. The emerging disgruntlement drains identified employee capacity to behave securely and can damage employee emotional connections with the organisation, increasing the risk for insider attacks and loss of human capital.

2. Increased security violations and shadow security development: Assurance often asks employees to treat their colleagues as untrustworthy (e.g. “don’t share your password”). But employees prioritise inter-employee trust relationships over security compliance, with temporal and contextual incentives to develop and preserve relationships with their colleagues leading to violations of security policy (password sharing, information sharing through unofficial channels, tailgating etc.). In the end, assurance ends up turning inter-employee trust into a readily-available, low-cost resource for collaboration and an enabler of productive activity when employees need to minimise the impact of friction-inducing security.

3. Insecure culture development: Lack of enforcement (e.g. password sharing not penalised when detected) leads to the development of a culture where breaking security is justified. Long-term reliance on collective trust violations leads to security spinning out of organisational control, with security behaviours significantly deviating from security policies.

The above points suggest that, in order to effectively manage security, the presence of trust relationships needs to be acknowledged and leveraged by security management in the organisational security implementation.

7.4.2 Formalise trust presence in security management

Organisations trust their employees, but currently there is no formalisation of this trust in security management. Current approaches to organisational security implicitly trust employees: many of the policy clauses in the organisations examined were not accompanied by mechanisms to enforce them or to identify policy violations. Information handling, for example, was significantly dependent on employee actions, with employees being free to copy information to external drives and share it with their colleagues. The trust shown by the organisation towards employees has been defined in chapter 6 as organisation-employee trust. This needs to be formalised and leveraged by security management to take advantage of both users and technology to achieve effective protection. To deliver this, security management needs to (1) understand the importance of security hygiene as a trust prerequisite, (2) formalise a “when to trust” and “when to assure” approach, (3) support correct trust development through inclusion of trust in security communication, (4) avoid over-enforcement where trust develops, but also (5) enforce assurance when required to mitigate risks where trust is not an acceptable risk mitigation approach.

7.4.2.1 Understand the importance of security hygiene on trust incentives

User-centred security is a pre-requisite to trusting employees. Employee secure behaviour requires removal of unusable elements of the security implementation, with security communication and training providing sufficient motivation for secure behaviour. As a result, user-centred security design and communication principles, discussed earlier in this chapter, should be treated as a prerequisite (or hygiene requirement) of any attempt to include trust in organisational security management.

7.4.2.2 Formalise trust and assurance in risk management

As previously discussed, implementing assurance mechanisms for all possible employee behaviours is prohibitively expensive. The productivity benefits of trust have been identified in non-security related contexts: trust between members of an organisation leads to highly cooperative behaviours, acting as a substitute for control (Costa et al., 2001). In addition, employees that feel connected to an organisation are more committed and involved with it (Bussing, 2002). Organisations should aim to achieve similar benefits in a security context, leveraging already existing trust relationships to provide effective protection. They need to take advantage of the intrinsic incentives driving employee secure behaviours, taking advantage of second-order trust benefits (goodwill, positive culture development and reduced assurance costs). Ability to solve security challenges through goodwill and improved awareness also allows for efficient reallocation of resources available to security, to address other risks.

Trust should also be part of organisational security risk management. Formal decisions need to be made on where assurance is necessary and where trust is required. Trust should be present when employees have adequate incentives (both contextual and intrinsic) to behave securely (e.g. when organisational provisions for sharing of information allow effective and efficient primary task activity). Assurance, on the other hand, is required when the rewards from not playing by the rules are significantly higher than the consequences of breaking them. In such cases an organisation needs to take actions to reduce potential exposure to malicious behaviours (e.g. block leavers’ access to sensitive information, or monitor and audit access and copying of data from sensitive corporate fileservers from which employees should not be downloading vast amounts of information). Some of the actions in question may not constitute an offence on their own, but can provide sufficient grounds for further investigation; where the line is drawn depends on organisational risk appetite. Where an organisation decides to implement assurance instead of trust, the “business, not personal” nature of the controls put in place needs to be made clear to employees through security communication. Employees are not deemed untrustworthy; controls are required in order to protect the organisation from malicious outsiders and insiders. Finally, where organisational reliance on employees exists, it should be formalised in order to be better reflected in information security management strategies: after identification of security-related risks, the mitigation method (assurance vs trust), together with the related organisational actions required (mechanisms implemented, communication sent, training module content updates), should be recorded as a formal risk management decision and revisited at regular intervals to assess whether it needs to be reconsidered.

7.4.2.3 Include trust in security communication

Where security management decides trust is required and can be beneficial to the organisation, its presence should be made explicit. After security mechanisms are implemented in a way that encourages trustworthy behaviour, Security Awareness, Education and Training (SAET) campaigns should be used to enable employees to better understand the actual risks the organisation faces. For example, in Company B, home working is quite prevalent, with many employees being either full-time home workers or working from home two or three times a week. This makes it impossible for the organisation to restrict employee actions: if no trust is shown in their ability to protect the information they carry with them, they will be unable to proceed with their primary tasks. This organisational dependency on employee behaviour should be communicated to employees, to explain their responsibility and contribution in keeping the organisation secure. The emerging SAET approaches should: (1) make it clear to employees that they are trusted and supported in their security decisions (to improve motivation), also explaining the “it’s business, not personal” need for security vigilance, and (2) include information on current threats and on how real-world trust development signals break down when using computer systems (improving ability).

7.4.2.4 Once developed - don’t enforce it!

If an organisation considers its employees as trustworthy, this decision needs to be formalised and honoured. The first assessment of an employee’s trustworthiness comes even before they join the organisation, through recruitment background checks and vetting procedures. This process uses past employee behaviour as an indicator of potential future actions. When the organisation establishes that ability and motivation for trustworthy behaviour are present, there’s no need to over-assure. Employees that pass the screening process should be considered trustworthy and treated as such instead of being subject to continuous restrictions. Visible presence of trust towards employees can further increase employee trustworthiness, by injecting secure behaviour in the organisation-employee psychological contracts that dictate organisational employee behaviour. The emerging cooperation can benefit all stakeholders (employees, top management and security management), providing three major advantages:

1. People in an organisation develop shared values and a shared sense of responsibility for the well-being of the organisation, based on shared formal or informal norms promoting cooperation (Fukuyama, 2001; Resnick, 2001), which also affect their security behaviour (Pfleeger et al., 2014). Secure behaviour should be driven by a feeling of contribution to common organisational interests, rather than by rule-driven actions to avoid sanctions.

2. Organisational attempts to enforce friction-inducing security will be reduced. This will reduce both productivity-driven and trust-driven policy violations, lowering the levels of “noise” the above introduce in security monitoring; precursors of serious attacks (e.g. intellectual property theft26) can be lost in false-positive alarms if employees frequently violate security for productivity or collaboration reasons. As a result, organisational ability to monitor, detect and enforce its security policy will improve, improving the overall efficiency of the organisation’s security implementation. The resources saved from reduced noise can be reinvested in implementing other, more effective security mechanisms, enabling the implementation of clever monitoring to identify serious malicious activity (insider or outsider attacks - Caputo et al., 2009).

26 Intellectual property theft accounts for a small percentage of all cybercrimes, but results in the majority of the resulting monetary losses (Rantala, 2008).

3. Flexibility strengthens employee ability to defend the organisation. Attackers are likely to adapt to new technologies, but attacks are much less likely to succeed against suspicious employees who are motivated to protect the organisation, within a culture that favours secure behaviour. This is not uncommon in other security implementations: for example, biometrics at passport control points are considered to be more effective than individuals, but when a problem is identified, a human can take over and use a much richer and broader set of factors from the context of the environment to assess a passenger’s trustworthiness (Fléchais et al., 2005). The presence and formalisation of trust, together with the emerging perceived responsibility, acts as an additional motivator for employees to behave securely.

7.4.2.5 Enforce assurance through contextual incentives when necessary

Trust should never be perceived by employees as an inability of security management to enforce security rules. Security management needs to accept that formal rules left unenforced are ineffective, especially if the lack of enforcement is visible. Risk-aware employees, interacting with well-designed security mechanisms, no longer have reasons to violate security. As a result, when the rewards from not playing by the rules (benefits from malicious actions) are significantly higher than the consequences of breaking them, assurance mechanisms need to exist to change the risk-reward structure, thus dis-incentivising untrustworthy behaviour. In such cases, violations can be detected by improving current monitoring implementations to include contextual information on user behaviours, which can be used to detect employee trust abuse and precursors of insider attacks. Malicious actions should then be followed up with serious consequences that are visibly enforced. Visible enforcement can act both as a deterrent for future misbehaviour and as a motivator, reminding employees that they are trusted and responsible for keeping the organisation safe. On the other hand, organisational inability or unwillingness to enforce the policy (as identified in the interviews) is seen as weakness, leading to security appearing less important to employees and reducing compliance incentives (reduced motivation and perceived contextual incentives). By making contextual incentives visibly enforceable through assurance and enforcement, security management deters potentially malicious behaviours or other actions that put the organisation at risk, but also reduces shadow security development stemming from perceived ineffectiveness of official security.
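As an added example (not the thesis author’s), the kind of contextual monitoring described here and in 7.4.2.2 (leavers, bulk copying from sensitive fileservers): constructed audit lines and organisational context are scored against each user’s own baseline, with a tight threshold for leavers (assurance) and a loose one for established staff (trust), so that everyday collaboration does not swell the noise. Share names, users, baselines and the log format are assumptions.

```python
# Added example, not from the thesis. All audit records, share names, users
# and baselines below are constructed placeholders.
from collections import defaultdict

# Constructed file-server audit log lines: user, share, bytes copied.
AUDIT_LOG = """\
user=alice share=finance op=copy bytes=120000000
user=bob share=public op=copy bytes=900000000
user=dana share=rnd op=copy bytes=40000000
user=dana share=rnd op=copy bytes=30000000
user=erin share=finance op=copy bytes=1000
"""

# Constructed organisational context: which shares are sensitive, who has
# given notice (leaver), and each user's typical daily volume in bytes.
SENSITIVE_SHARES = {"finance", "rnd"}
LEAVERS = {"dana"}
BASELINE_BYTES = {"alice": 50_000_000, "bob": 20_000_000, "dana": 30_000_000}

def parse_line(line):
    """Turn one 'key=value ...' audit line into a dict, with bytes as int."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["bytes"] = int(fields["bytes"])
    return fields

def sensitive_volume_by_user(log_text):
    """Sum bytes copied from sensitive shares per user; other shares are ignored."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["share"] in SENSITIVE_SHARES:
            totals[ev["user"]] += ev["bytes"]
    return dict(totals)

def flag_precursors(log_text, leaver_factor=2.0, staff_factor=10.0):
    """Return {user: reason} for users whose sensitive-share volume exceeds a
    context-dependent multiple of their own baseline. A user with no baseline
    is always queued for review, since there is no history to trust against."""
    flagged = {}
    for user, volume in sensitive_volume_by_user(log_text).items():
        is_leaver = user in LEAVERS
        factor = leaver_factor if is_leaver else staff_factor
        baseline = BASELINE_BYTES.get(user)
        if baseline is None:
            flagged[user] = "no baseline for sensitive-share access"
        elif volume > baseline * factor:
            role = "leaver" if is_leaver else "staff"
            flagged[user] = f"{volume} bytes vs baseline {baseline} ({role}, x{factor:g})"
    return flagged

if __name__ == "__main__":
    for user, reason in flag_precursors(AUDIT_LOG).items():
        print(f"review {user}: {reason}")
```

With the constructed data, alice’s 2.4x day from finance stays below the staff threshold and produces no alert, while dana (a leaver at 2.3x) and erin (no baseline) are queued for review.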

7.4.3 Accommodate urgency, encourage self-reporting and follow it up

Security management also needs to implement formalised processes for unusual circumstances where security may need to be bypassed. Employees may, under rare and unusual conditions, have to circumvent security for productivity reasons. In such cases mechanisms should be in place for employees to report their non-compliant behaviours (Bartsch, 2014). Clear instructions should then exist for employees and security management on how to deal with the emerging vulnerabilities. For example, an employee who shared their password with a colleague in an emergency situation should recognise this as a violation, then log in to a “violation logging” system and report the behaviour. The same should apply to physical access control: an employee who forgot their access pass should be easily able to get a daily pass through a simple verification process. In both cases, the organisation should encourage self-reporting by communicating that no action will be taken against employees who self-report, while those who do not should be liable to sanctions. The organisation should also ensure adequate measures are taken to close any resulting loopholes (e.g. requiring the employee who shared their password to change it within two hours). Accommodating urgency should not be implemented as a substitute for usable systems though. Violations, even reported ones, need to be infrequent enough to avoid non-compliance becoming part of organisational security culture, and to avoid introducing significant resource overheads to address the loopholes created by frequent circumventions. Insecure behaviour cannot be totally eliminated, as this is both uneconomical and prohibitive for productivity, but enhancement of the organisation-employee trust relationship can ensure that it happens rarely and that employees take appropriate mitigating actions.