
Understanding shadow security and its drivers can become a powerful tool for security management, providing a unique opportunity to deliver user-centred security improvements. Shadow security should be treated as a learning opportunity, as it can help the organisation identify where employees are putting to practice what the organisation should be doing but refusing. As Taleb (2010) notes, identification of problematic events within an environment can be used both to build robustness around negative ones and exploit positive ones. Shadow security provides such an opportunity: it allows for engagement with employees to increase their participation in attempts to deliver the security improvements presented in the previous section, and implement new or adapt existing security controls to better fit employee productivity tasks, while still delivering organisational security goals.

In order to take advantage of shadow security, security managers working within organisations need to understand the drivers behind its evolution and, as Schein (2010) puts it, aim to become perpetual learners. Modern corporate environments are fast-paced and unpredictable: the nature of organisational operations and technologies changes constantly, while security threats become more complex (e.g. effective security management of BYOD and home working were amongst the challenges Companies A and B had to deal with). Security managers can learn from shadow security in a number of ways: (1) engaging users to identify security problems and design appropriate solutions, (2) measuring the effectiveness of security mechanisms after deployment, and (3) leveraging the position of team managers as both a mediator for security and a conduit for feedback on the appropriateness of security solutions in supporting productive tasks. In order to develop this learning process effectively, security managers need to start by accepting that employee responses to friction-inducing security happen naturally. They are the first indicator of security solutions not serving the business, and security management must engage with employees to identify security needs, perceived risks, the impact of the current implementation on their productivity, and the emerging shadow security behaviours. Essentially, as the remainder of this chapter explains, shadow security should be treated as a diagnostic tool and an opportunity to identify shortfalls in current security implementations and their impact on the organisational environment, and to leverage those to provide more effective security solutions for organisations.

7.3.1 Involving employees in security management

The development of shadow security suggests that employees are motivated to help the organisation and willing to suggest potential ways to improve existing security practices. Their lack of accurate security risk awareness, though, often leads to insecure behaviours. Security management can leverage this employee goodwill to participate in security by engaging with them in the design and operation of security controls. Such an approach requires moving away from current solutions for mitigating security risks, towards a more participative approach that works with employees to understand where and how security can fit in their productive activities.

7.3.1.1 User engagement and participatory security management

The importance of involving users in systems design is well documented in approaches like Soft Systems Methodology (SSM - Checkland and Poulter, 2006), and the value of participatory and contextual design is widely accepted among developers. As Checkland and Poulter explain, a real-world system undergoing change to improve on a problematic situation needs to be understood in its entirety (or as much as possible) before attempting to deliver that change, but also during delivery as part of a continuous learning cycle (Figure 15). Otherwise, deployed changes will fail to capture the tasks and priorities of different stakeholders and the impact of attempted changes on those. Unfortunately, participatory approaches are currently not adopted by security design, with very limited research attempting to apply those in information security: Bartsch and Sasse (2013) used a participatory approach to provide guidance on improving the formulation of authorisation policies, while James (1996) demonstrated the potential of participatory design as a security management tool. Creating a continuous, participatory design-based security management process using the lessons learned from shadow security (together with the metrics presented later in this chapter), can allow building more accurate employee activity models, improving the effectiveness of proposed improvements and their alignment with organisational productivity priorities.

Figure 15: The SSM learning Cycle (Checkland and Poulter, 2006, p13)

7.3.1.2 Incorporating feedback-driven security design

Security management should aim to use employees as a resource for learning to identify specific points of friction and candidate improvements. As previously discussed, users do not dismiss security, but devise “more appropriate” shadow security solutions when they encounter unworkable security. The emerging practices may not necessarily be those that the security experts expect, but employee rationalisations dictate how they interact with security, and the value they see in compliance. This capacity of users to participate in security can provide leverage to create new, seamless security solutions that are better aligned with their primary tasks. To take advantage of this capacity, two-way communication between security and employees needs to be implemented, repurposing user feedback to improve the organisation’s security approach. This can also bridge the divide often observed between security and productivity-focused organisational divisions (Ashenden and Sasse, 2013). The purpose of feedback solicitation is to learn something from users that security implementers could neither predict nor detect from their position outside of the primary task. Security managers do not see security from the perspective of employees, and so cannot assume they have designed security that fits their primary task, unless they have otherwise engaged with them in the design and deployment of security solutions. This learning and communication approach can be achieved through:

1. Persistent and readily-accessible feedback channels as part of the organisation’s structure and culture (e.g. a “we’ve just upgraded your email client, is it working well for you?” pop-up that “gobbles up” any post-deployment frustration). If an employee reports a security concern, there should be a visible response that describes the impact their feedback has made.

2. Security enforcement among team members should be scaled to cover the wider organisation: employees can champion secure behaviour within their teams, situating security practices in primary roles in a more meaningful way than sanctioned security communications.

3. By advertising a capacity to listen, security managers can leverage employee experiences as an additional layer of assurance that security mechanisms are serving the business. In addition to receiving feedback for improvements on security mechanisms and policies, advertising organisational capacity to listen can increase employee positive attitude towards security, increasing their propensity for secure behaviour.

[Figure 15 (SSM learning cycle) labels: Perceived real-world problematical situation; Purposeful activity models (based on stakeholder worldviews); Comparison; Set up structured discussion about change; Action to improve]

4. This approach also makes it possible to improve communication and training, by logging employee misunderstandings or reported insecure behaviours, identifying areas where actions are most urgently required.

To conclude, engagement with employees should aim to reframe security in the organisation as a collaborative activity, not as a barrier to work, taking advantage of the internal employee propensity to participate in security risk mitigation, and using it to deliver security implementations that accommodate employee primary task priorities.

7.3.1.3 Employee participation does not mean delegation of responsibility

Adopting a participatory approach to security management should not be misinterpreted as delegation of responsibility for organisational protection to employees. Pallas (2009) argues that the increasing decentralisation of modern IT implementations means that security challenges need to be solved in a decentralised, cooperative way, and that hierarchical security management leads to suboptimal outcomes. He then argues for more autonomy, explaining that coordination costs for centrally-administered security can be too high, and that formal rules are more expensive than delegating responsibility to employees. But, despite the identified motivation for secure behaviour, delegating responsibility to employees also requires accurate risk awareness, which employees often do not possess, as the findings of this thesis suggest. Information security is complex and quickly changing, with effective security risk mitigation being a challenge even for experts; delegating more responsibilities to employees cannot provide effective protection. Herley (2014) echoes this by also explaining that directing more responsibility towards users is not an effective way to manage security: employees should not be expected to incur additional costs due to the failure of security management to identify other solutions. This cost can be prohibitive if no formal procedures exist to identify and eliminate friction-inducing security: employee attempts to behave securely can consume a significant proportion of their resources, and thus of the total organisational resources invested to deliver security. In addition, the emerging primary task disruption can lead to further user alienation from security, reducing their propensity to contribute to organisational protection.

Organisational security management should not try to shift responsibility for protection towards employees, but learn from them and improve its practices. As the findings of chapters 4 and 5 demonstrated, well-designed security acts as a secure behaviour driver. Deploying a learning-based security management approach reduces the coordination costs of security management, a factor that Pallas considered prohibitive to centrally managing security. It is a cheaper approach to implement and much easier to control, while at the same time using employee understanding and behaviours to drive centralised security management decisions. Well-designed security based on collaborative, participatory management can provide effective risk mitigation, leading to what Camp (2011) described as a “community based production of security”. This can lead to the development of a security-conscious organisational culture, and enable better coordination and employee participation in security protection and improvements.

7.3.2 Management Training – Engage with Low- and Middle-Management

A decentralised and collaborative approach to security management also requires effective low-to-middle management engagement. As explained in chapter 5, line managers are in a powerful position to act as motivators for effective security behaviours. Thus, it is important to ensure they possess adequate and accurate security awareness and understanding, in order to promote secure behaviours and culture development amongst employees. Security managers need to be aware of this, and (1) understand the managers’ role in shadow security development and that any security awareness or education they broadcast will be interpreted and mediated locally, (2) listen to managers’ questions, problems and concerns, incorporating those as another source of information in participatory security design, and (3) help them develop correct and consistent security advice for their teams through tailored training.

7.3.2.1 Role in shadow security development

Security is a collective achievement, and line managers play a central role in shaping security decisions and behaviours within organisational sub-divisions. In both companies examined, employees often turned to their managers for security support when existing security mechanisms created significant primary task friction (e.g. slow access control), or when policies did not provide comprehensive, role-specific answers to security challenges (e.g. what to do under emergency need-for-access conditions). In those cases, managers had to prescribe actions that address the emerging friction but also preserve team productivity. They ended up making local, and often ad-hoc, decisions about security, like granting access control and recommending information sharing practices. The emerging security practices lead to shadow security evolution, varying security behaviours, and micro-culture development across organisational sub-divisions, eventually leading to security behaviour spinning out of central control. But the impact managers have on their teams also means that when individuals consult their managers, they are more likely to design novel solutions that better address the risks faced by team members while also preserving productive capabilities. Their significant role in managing security at local level, together with their understanding of role-specific challenges, suggests that line managers are well-placed to help security management accurately capture security behaviours and learn from shadow security development.

7.3.2.2 Provide role-specific training

Security-specific training should be tailored for managers to acknowledge their role as mediators of security. Rather than overloading them with security information, communication to managers should focus on role-specific goals and related security principles. It should also formalise and communicate their team-level security management responsibilities, also providing them with adequate resources, support and knowledge to respond to those. In this way, when managers need to support their team members, they will be more likely to come up with novel solutions that effectively address their role-specific risks.

7.3.2.3 Include managers in security improvements

The importance of line managers in shaping organisational security behaviours calls for their inclusion as an integral part of organisational security improvements. They frequently interact with employees and have a unique perspective on the friction between security and productivity tasks.

Soliciting feedback from them can contribute to an effective amalgamation of shadow and prescribed security practices. Communication also needs to be two-way, extending participatory security design to include line managers: in addition to influencing their staff’s security decisions, they can also elicit feedback from them on the challenges security creates for their primary tasks. Security management should liaise with them to deliver role-specific and consistent security advice to different organisational divisions, also using manager feedback to drive security improvements. Essentially, managers need to act as a bottom-to-top feedback channel for identification of friction-inducing security. They can also communicate to security management on the evolution of informal rules (Pallas, 2009) at team level, which can then be formalised if they are consistent with organisational risk appetite. If organisations neglect to do so, managers and their teams will continue to create their own rationalisations as to what their interactions with information security mean, and how to balance their perceived need for security with their main goal of primary task completion.

7.3.3 Employee involvement improves motivation

Involving employees and managers in security improvements creates a participatory security environment that can improve employee security behaviours. Pallas argues that, given a lack of control, employees will always act opportunistically, which then increases non-cooperative behaviour and the corresponding secure behaviour motivation costs for security management. But the findings presented in chapters 4, 5 and 6 of this thesis suggest that, if employees understand the need for security, and security mechanisms and processes are well-designed (minimal cost), employees are sufficiently motivated to invest some resources (time and effort) to protect the organisation instead of behaving opportunistically. This willingness to participate in security needs to be further encouraged by security management, through visible communication of the positive impact of employee participation and inclusion of security in group meeting agendas. This can lead to increased employee awareness about the actions required to keep the organisation secure and improve employee ability to connect with the risks presented by their managers or colleagues. This increase in their perceived contribution and ownership of security implementation amongst employees can further trigger the internalised norms and benevolence-related compliance identified in chapter 6, further discussed in the next section of this chapter.