ArticlePDF Available

"Shadow security" as a tool for the learning organization



Over the past decade,security researchers and practitioners have tried to understand why employees do not comply with organizational security policies and mechanisms. Past research has treated compliance as a binary decision: people comply or they do not. From our analysis of 118 in depth interviews with individuals (employees in a large multinational organization) about security non compliance, a 3rd response emerges shadow security. This describes the instances where security - conscious employees who think they cannot comply with the prescribed security policy create a more fitting alternative to the policies and mechanisms created by the organization’s official security staff. These workarounds are usually not visible to official security and higher management – hence ‘shadow security’. They may not be as secure as the ‘official’ policy would be in theory, but they reflect the best compromise staff can find between getting the job done and managing the risks that the assets they understand face. We conclude that, rather than trying to ‘stamp out’ shadow security practices, organizations should learn from them: they provide a starting point ‘workable’ security: solutions that offer effective security and fit with the organization’s business, rather than impede it.
Learning from “Shadow Security”:
Why understanding non-compliant behaviors provides the basis for effective security
Iacovos Kirlappos, Simon Parkin, M. Angela Sasse
Department of Computer Science
University College London
London, United Kingdom
{i.kirlappos, s.parkin, a.sasse}
AbstractOver the past decade, security researchers and
practitioners have tried to understand why employees do not
comply with organizational security policies and mechanisms.
Past research has treated compliance as a binary decision: people
comply, or they do not. From our analysis of 118 in-depth inter-
views with individuals (employees in a large multinational organ-
ization) about security non-compliance, a 3rd response emerges:
shadow security. This describes the instances where security-
conscious employees who think they cannot comply with the
prescribed security policy create a more fitting alternative to the
policies and mechanisms created by the organization’s official
security staff. These workarounds are usually not visible to offi-
cial security and higher management hence ‘shadow security’.
They may not be as secure as the ‘official’ policy would be in
theory, but they reflect the best compromise staff can find be-
tween getting the job done and managing the risks that the assets
they understand face. We conclude that rather than trying to
‘stamp out’ shadow security practices, organizations should learn
from them: they provide a starting point ‘workable’ security:
solutions that offer effective security and fit with the organiza-
tion’s business, rather than impede it.
Keywords Information security management; compliance;
security design
Information Security has traditionally been implemented
through policies and technical solutions. It was seen as reason-
able to secure systems with policies that dictate what users can
and cannot do, and technical mechanisms that enforce this [1].
As IT progressively supports more and more activities within
the working environment, this approach becomes problematic
because policies and mechanisms demand too much effort, and
when the effort becomes unreasonable, humans make mistakes
or cease to comply [2][3]. Human error and social engineering
can be bigger vulnerabilities than many technical attacks [4].
The organization's technical systems must be fortified, yet
effective security management needs to consider the physical
and social environment in which those technical implementa-
tions are used [5][6].
This new environment pushes responsibility for protecting
the organization beyond its information security experts: em-
ployees - the users of organizational IT systems - play a key
role in delivering the policy. Security experts in organizations
usually work together in a central function and try to create and
maintain a shared sense of appropriate security behavior
through policies. They attribute employee non-compliance to
lack of understanding. Thus, when non-compliance is detected,
they respond with security education campaigns, which exhort
users to comply with proscribed security mechanisms and pro-
cesses. But the truth is that almost no organization evaluated
whether these policies and mechanisms were fit-for-purpose in
the real working environment [7]. In addition, the increasing
complexity of the threat makes it difficult to anticipate, define
and communicate all desired policy-compliant behaviors for all
potential exceptions and circumstances [8]. Thus, the tradi-
tional, centralized “command and control” approach to security
becomes impossible [9], and we need to rethink of the way
information security is implemented and managed. We know
that an employee's choice as to whether to comply with securi-
ty policies is influenced by his/her own task goals, perceptions,
attitudes and norms [2][10]. Security design should
acknowledge this and develop an approach for a “middle
ground” solution that balances employee and security experts’
priorities [11].
We suggest that this is where understanding "shadow secu-
can help: understanding the security practices outside the
jurisdiction of the organization, developed by employees who
do not willfully disregard security. When security experts
insist on ‘standard’ or ‘best practice policies’, these users are
left to procure, deploy and refine their own solutions, outside
the control of the organization's designated security manage-
In this paper we present an organizational case study of
shadow security behaviors. We analyzed 118 interviews with
employees in a large multi-national organization, in which they
discussed their security practices. We outline how understand-
ing their practices can improve the process of deploying and
refining security in the organization, involving users in the
process of evolving security. We argue this is a plausible route
to achieving productivity-enhancing, rather than productivity-
Shadow IT is defined as: “employees going around IT to get the IT services
they want on their own” [12]
Permission to freely reproduce all or part of this paper for noncommercial
purposes is granted provided that copies bear this notice and the full citation on
the first page. Reproduction for commercial purposes is strictly prohibited
without the prior written consent of the Internet Society, the first-named author
(for reproduction of an entire paper only), and the author's employer if the
paper was prepared within the scope of employment.
USEC '14, 23 February 2014, San Diego, CA, USA
Copyright 2014 Internet Society, ISBN 1-891562-37-1<007>
hampering information security; a key requirement for getting
users involved in shaping the security environment around
them is the creation of feedback channels to security profes-
A. Mechanisms, Policies and Communication
To effectively reduce their exposure to security risks, or-
ganizations formulate security policies, and implement them
through technical mechanisms (e.g. access control, authentica-
tion and authorization mechanisms). Based on regulations and
international standards (e.g. ISO27000 series) organizations
write security policies to communicate security goals to em-
ployees, and implement technical mechanisms to enforce be-
haviors considered necessary to meet those goals. Policies
usually reside on an organization’s intranet, define the security
objectives of the organization, responsibilities of employees
and expected behaviors and sanctions in case of non-
compliance. Policy content is communicated to employees via
leaflets (often given on the 1st day at work) and/or security
awareness and education campaigns. This approach may seem
plausible, but evidence of widespread non-compliance (from
research studies and analysis of security breaches) suggests it is
not effective:
1) It’s Impossible to Comply with Policies and Get Work
Done: security mechanisms that are impossible or difficult to
use sap employee resources and reduce organizational produc-
tivity [13]. Security experts focus on security and attribute
non-compliance to user ignorance or willful disobedience [7].
Failure to consider the requirements of the business process,
the context and the environment in which human-technology
interaction takes place means that, in practice, security gets in
the way [13]: all compliance scenarios are essentially treated as
the same, regardless of employee role, the sensitivity of infor-
mation that individuals deal with, or the variance in threat envi-
ronment as employees move across locations (e.g. home work-
er, office worker, field worker) [14].
2) Current Policies are Irrelevant and Burdensome: In-
formation security policies are supposed to provide employees
with a clear understanding of security objectives and responsi-
bilities [15]. Despite their importance as a tool that defines the
security expectations of the organization, the current approach
to information security policy formulation and communication
is mostly reactive, driven by past failures. This concentrates
security on protecting the organization from breaches closely
resembling prior threats, which can be dangerous in a fast-
changing environment where new threats appear day-to-day
[11]. There is no systematic approach to make sure policies do
not contradict each other, nor is effectiveness of policies evalu-
ated [16].
B. Enactment
When mechanisms and policies do not lead to the desired
security behavior security experts respond in two ways: Disci-
pline or persuasion:
1) The Hard Approach Discipline: In theory, breach of
security policy is punished with warnings and sanctions. But
given the widespread use, monitoring to detect breach of policy
is expensive. And given that non-compliance is widespread, an
unmanageably large number of employees would have to be
disciplined [9]. Sanctions that are not enforced are not an
effective deterrent, and heavy-handed enforcement increases
tension between security enforcers and the rest of the
organization the scenario first described in “Users Are Not
the Enemy” [7].
2) The Soft Approach - Persuasion: responding to non-
compliance with security awareness (of the risks) and training
(of correct behavior) can potentially influence employee
behavior towards compliance. But if polcies and mechanisms
are burdensome and get in the way of productive activity, these
attempts are just perceived as ‘more time wasted by security’
[3]. The associated frustration creates a negative attitude to
information security, resulting in any and all communication to
be discredited, and discouraging compliance even with
mechanisms that do not create high friction because ‘it all
adds up’[5][20].
The insight that both current routes do not work ought to
focus organization’s attention on the root of the problem: that
non-compliance springs from the friction between security and
productive activity. Employees have no other way to respond
to security that gets in the way [8][9]. The workarounds we
observed are employees’ only way to shaping a security envi-
ronment that they can work in. The emerging negative attitude
towards security, combined with the continuously increasing
security risks organizations face [21][22], suggest a need to
radically rethink the management of information security to
provide effective protection to organizations.
Past research on usable security mostly focused on devising
principles to design new, bespoke software or systems to fit the
requirements of specific work environments (e.g. [23][24]). In
addition, the only attempt we are aware of that aimed to char-
acterize security behaviors in the environment in which the
interaction of end-users and security happens resulted in sug-
gestions that called for radical redesign of technological solu-
tions, including security from the start of the design process
[11]. We have encountered many organizations where re-
placement is not an option, and have been asked to help them
to evolve their security policies and mechanisms. This moti-
vated us to develop a methodology to identify high-friction
security and replace it with a solution that provides a better fit
with individual and organizational business processes [25].
The first step towards creating such an approach is to iden-
tify current non-compliance instances in organizations, the
factors that contribute to their occurrence and the employee
responses that manifest. Usable security research has touched
on this in the past: Bartsch and Sasse [17] identified user re-
sponses to unusable access control setups and mechanisms,
while Weirich [26] and Inglesant and Sasse [27] articulated the
true impact of unusable password policies in organizations.
Kirlappos et al. [9] provided a categorization of the various
factors that lead to employees adopting non-compliant behav-
1. Lack of awareness: Employees unaware of security risks
or policy content have no incentive to exhibit security-
conscious behavior.
2. High compliance costs: Mechanisms or processes impact-
ing heavily upon productivity leave employees with no
other option than non-compliance.
3. Compliance impossible: Prescribed behavior could not be
followed due to problematic mechanisms; employees re-
sorted to finding other ways to proceed with their primary
This previous research has informed understanding how
specific security policies and mechanisms for authentication
and access control can be changed to fit with primary tasks.
Here, we develop a detailed, empirically-founded understand-
ing of shadow security practices, and discuss how security
experts can leverage these to develop secure and workable
solutions in their organizations.
To understand how employees respond to unworkable se-
curity with shadow security practices, we analyzed a set of
interviews conducted with employees of a large multinational
organization. The organization gave us access to their employ-
ees, and allowed us to explore employee interaction with - and
sentiment toward - their current security policies and mecha-
nisms. This allowed us to identify friction points between
security and business processes within the organization that
lead to non-compliant behaviors. The interviews were semi-
structured and conducted one-to-one by a team of three re-
searchers (including one of the authors). Interviews with indi-
vidual employees lasted approximately 50 minutes each, allow-
ing for elicitation of a suitably rich representation of the em-
ployee experience of security. Participants held various lower-
level and lower to middle management positions within a
number of organizational divisions, including network mainte-
nance, customer service, marketing, administration, finance,
procurement and IT and worked in either a US or UK location.
Employees were recruited via the company email newsletter,
sent to all company employees - the Chief Information Security
Officer encouraged participation and assured that participants
would not be identified or followed up. The first 120 respond-
ers were scheduled for interview in person or by phone. Partic-
ipants were given a consent form that described how transcripts
would be anonymized and only aggregated results reported to
the organization; that they could ask the interviewer further
questions about the process and terminate the interview at any
point. After the interview, participants were paid the equiva-
lent of $40.
The structure of interviews touched upon aspects of securi-
ty awareness and compliance, including:
a. What is the employee perception of how security impacts
their role? Are they aware of the potential sensitivity of
the information they handle?
b. What do employees appreciate in terms of organizational
support for security? Are they aware of the existence of
security policies and those security mechanisms that they
should or could use to protect information and reduce
security risks?
c. Where employees exercise non-compliance as a response
to shortcomings or frictions in the organizational security
experience, what conditions led to those behaviors
divergent from organization policy? Are they still
conscious about the need for security? If so, what do they
do about it?
We did not encourage participants to tell us about security
infractions, but simply asked about their awareness of, and
experience with, a set of corporate security policies.
Interviews were recorded and transcribed, and a Grounded
Theory analysis [28] using open, axial and selective coding
conducted, using Atlas Ti. A preliminary thematic analysis by
one of the authors produced the non-compliance categorization
that is described in Section III and was previously published in
Kirlappos et al. [9]. From this emerged that in many cases,
employees were trying to act in a secure way even when they
were not complying with policies. We decided to conduct a
further, more in-depth analysis of those responses.
All three authors coded an initial set of ten interviews and a
codebook and related categories were devised. This was then
used for the full analysis of all the interviews by one of the
authors, which aimed to accurately understand the conditions
that lead to the creation of shadow security in the organization.
The results of this analysis are presented in the next section.
Our analysis identified narratives of employee security be-
haviors, how the organization environment contributes to non-
compliance, and how employees respond. The Grounded The-
ory categories of non-compliance that emerged fell into four
groups: (i) compliance drivers and capacity of employees to
behave securely, (ii) shadow security emergence due to high
security overheads, (iii) security mediation at team level and,
(iv) existence of employee willingness to report security prob-
lems, which then appears to be ignored. In this section we
frame the emerged categories as narratives using interview
extracts that include both friction causes (problem with securi-
ty mechanisms and processes) and the associated effect (em-
ployee response). We also include a quantitative measure of
the number of code occurrences related to each narrative, as
identified in the analysis, which indicates the prevalence of the
identified behaviors in the organizational environment that was
A. Employee Compliance Drivers
Contrary to the archetypal view held by security managers,
employees appear sufficiently motivated to comply with secu-
rity and possess some individual capacity to do so effectively.
All 118 participants showed awareness of the importance of the
information they handle within their role, and the potential
consequences of information leaks. 108 participants said they
take active measures to protect such information. For example:
P24: “Some folks in my area have privileged access to custom-
er address information, usage information, that certainly other
industries and other entities that are interested in selling to our
customers would have interest in acquiring and it’s part of our
roles and responsibilities and ethics requirements that we do
not release that information, either for someone else’s gain or
for our own gain.”
Fifty-six participants explicitly mentioned that the main driver
for secure behavior was security communication (as we explain
later this does not necessarily mean communication from the
organization’s security enforcers):
P86: “We’ve just been told not to mention it on social network-
ing sites, because of the critical importance and the kind of
environment we live in now, it’s best not to share that kind of
stuff. It’s just company policy, that’s the way they want it.
For 15 participants security motivation existed even when they
were not aware of an applicable clause in the security policy on
the topic:
P112: “I guess general like not leaving confidential infor-
mation around on your desks and bits and bobs like that really
but I do not know any policies”.
This suggests that, despite some understanding about the need
for security being present amongst employees, the organization
did not communicate relevant aspects of policy to them (in this
case the clear desk policy). It also suggests that individual
employees try to compensate for perceived gaps in policy.
We found some cases where the environment supported
policy, and this had a positive compliance effect. Nineteen
participants mentioned that security “piggybacking” on other
business processes or imposing minimal compliance cost had
lead them to behave securely:
P65: “the new wing has just been opened up that’ll be hot-
desks, you won’t be able to leave anything out. ‘Cause you
won’t know tomorrow if you're going to sit at the same desk
Individual secure behavior was increased by peers who
encouraged secure behavior in others: 20 participants reported
that the actions of colleagues - reminding others to comply, and
actively responding to peers' insecure behavior - also acted as a
driver for their own secure behavior:
P95: I have somebody on my team who likes to change the
mouse buttons round and turn your screen upside down if you
don’t, so you kind of get used to locking your screen when you
leave your desk.
This willingness to proactively communicate the need to be
secure and take action to remind colleagues about it was also
present in one participant’s reports that they remind their man-
agers about the need to lock their screen:
P116: But my line manager was not until I insisted that he
locked it.
There were also reports that past security incidents act as a
reminder for company employees to behave securely. Twenty-
one participants mentioned that their awareness of past security
incidents affected their perception about the need for security:
P61: “When I saw some of the recent security breaches, people
losing disks and CDs and laptops, things like that. It is some-
thing that I'm aware of and do try and minimize what's on
The above example again suggests there is concern for security
and employee capacity to behave securely; it also suggests that
employees are able to relate security consequences to personal
practices, which can act as a motivator to improve their securi-
ty behavior.
In general, employees appeared motivated to invest some
proportion of their time to keep the organization secure. They
appeared willing to take action to address potential risks when
insecure conditions or behaviors were identified (i.e., take care
to protect information, behave securely when the overhead is
minimal). Individuals also encouraged their colleagues and
superiors to behave securely, implying that if security enforcers
manage to instill appropriate behaviors in employees, these can
then be reinforced across the employee base. In addition, the
findings of this section reinforce past research reports that se-
curity mechanisms that imposed minimal additional workload
have positive effect on employee compliance behaviors [2][9].
B. Effects of Burdensome Security Implementations
Despite recognition of the need to protect the organization
and the resulting practices of secure behavior, some employees
spoke of security as something that creates significant addi-
tional burden to them. The perception of an excessive impact
upon the ability to proceed with a business task lead to em-
ployees choosing to procure their own - less demanding and
less disruptive - solutions to support (what they believed to be
more proportionate) security behavior. In the majority of the
examples we present here, participants appeared to recognize
their chosen action as an insecure approach, but provided some
reasoning to legitimize their behavior; either due to compliant
behavior constituting an unreasonable draw upon their time, or
compliance being regarded as simply impossible. The security
burden was variously articulated in terms of time, cognitive
load, organizational adaptability, and disruption.
1) Time: Time-related problems occurred when employees
found themselves in situations where enacting the prescribed
security behavior resulted in slower completion of primary
business processes (47 participants):
P49: “You should use an encrypted one but, you know, for ease
and generally because, I haven’t got an encrypted one so I just
use an unencrypted one, whip it across and then just delete the
copy off the flash stick which isn’t perfect but it’s quicker, easi-
er than having to follow the policy.
Individuals would then have to find other, lower-impact, ways
to proceed with their primary tasks. For instance, problems in
the VPN connections led to 12 participants maintaining local
versions of active files:
P111: “At times we do have to transfer the data to our laptops
because the network is slow, response times can be really bad
and some of the files are quite large so we transfer them to our
laptops to work on and then transfer them back at the end of
the day.”
The slow or unresponsive nature of IT support had the same
effect. Thirty-eight participants reported that they are at times
forced to derive their own security solutions, due to slow re-
sponse from IT support, and the processes for configuring se-
cured access to systems proving slow. A demonstrative exam-
ple mentioned by 13 participants involved employees using the
system accounts of other employees to afford access to infor-
mation, due to the need for immediate access and slow access
control setup processes:
P91: “That does happen sometimes. It’s just partly to fill a gap
in IS, you know - because we use lots of systems here, and they
take ages to set up, and sometimes when someone joins a team,
[…] he actually only obtained access to the systems about four
months later, when he was going to leave, so in the interim
time, he was sort of using other people’s logins.”
2) Lack of Adaptability: A lack of adaptability in the
organizational IT systems to account for changing
organizational conditions also caused disruption problems. In
many cases employees did not have timely access to
information necessary for their role, and so had to derive ad-
hoc solutions when a problem arose (28 participants):
P97: “There has been an instance where I have, I was off for a
month earlier this year and because of the resolutions were
coming through and no-one had an idea what these resolutions
or this packs were not being resolved so I gave it to one of my
colleagues for him to go to my e-mail to check for the resolu-
tions and that’s been the only instance I think.
3) Increased Cognitive Load: Employees also needed to
devise their own security mechanisms when the organisation's
password policies produced excessive cognitive load. Thirty-
seven participants reported that they felt necessary to
physically write down the passwords for system accounts that
they rarely used (and as such could not readily recall), then
applying security principles to take some action to protect the
physical artefact recording the password(s):
P58: I have got a list of passwords written down somewhere
unfortunately. I just find there’s too many to remember other-
wise, and we’ve got a different username and password most of
the time for each of each of the logins, so it’s written down on
a bit of paper.”
4) Disruption: In other cases, security restrictions led to
disruption of employee tasks; fifty-three participants
mentioned that they found themselves in situations wherein
security mechanisms were blocking their primary task:
P101: Sometimes it can be quite frustrating because you are
genuinely waiting for work documents to come in from external
sources, and where our security’s so tight, some of the docu-
ments that we’re waiting for can’t get into us, so sometimes
that can be a hindrance as well.
In response to this type of situation, 43 employees reported that
they had to resort to other non-prescribed practices:
P2: “The first trick that was taught to me was you tell them to
send it as a different type of file. Change the extension so you
can get the file so that you can get your work done
Another employee reported he carried two laptops with them,
as access restrictions did not permit all of the tasks he needed
to complete to be carried out on the same machine:
P88: I've got two company computers, one laptop unlocked
which allows me virtual areas so that I can install software and
use it for technical reasons. And I've got my day to day laptop
which is going to be locked up again.
The findings in this section indicate that shadow security
behavior was caused by security either imposing a prohibitive
personal cost, or simply not fitting to the primary task. The
alternative security solutions and circumventions derived by
employees were driven by their focus on business process.
C. Security Mediation at Team Level
The way security is managed in the organization also con-
tributed to shadow security practices. Managers are directly
responsible for managing many security functions within their
teams: they take access control decisions, provide security
decision support and prescribe behaviors to team members.
Sixty-two participants reported that there is a lack of adequate
communication about security from the organization, and 57
said security messages are internalized at team level through
discussion with their manager or colleagues:
P14: “One gentleman that works in my group gave us a whole
workshop at one of our team meetings, on how to create secure
passwords. Not to use your pet’s name and your birthday, you
know, simple things that people could figure out, like your
phone number.”
P96: “Well basically we were introduced to the security policy
through my team leader. He outlined and gave us a site tour of
what we can and cannot do.”…“(in team talks we discuss)…if
we have encountered what we could identify as a security mo-
ment it could be like you know a door being left open or your
computer left being switched on or not been locked or any
sensitive information lying on your desk, to be mindful of put-
ting away security information also using a flash drive which
are not company issued and stuff like that really.”
Eighteen participants also reported that their managers provide
additional support when they require advice on the sharing of
information, both internally within the organization and exter-
nally when there’s a need to share documents with external
P108: “…I have got my immediate manager that helps me un-
derstand what I need to do and what needs to go out and not.
P29: “I know from my point of view being an analyst. If I were
to ever share any information with any priority, even if I was
not sure I would first go to my manager and ask him about it.
In addition to communication, 29 employees reported that their
managers are responsible for access control (authorizing em-
ployee access to data) and information management:
P79: the manager of each team is responsible for allocating
Despite their key role in managing security within their teams,
the three managers participating in the study reported that they
have had no security training:
“I: Are you responsible for their security awareness in any
sense?” “P98: That’s an interesting point. That’s not something
that has ever been particularly made clear to me. I suspect I
would take that on board as a normal encompassing responsi-
bility with regards to having people at work for me doing the
right thing but I don’t recall any specific guideline
One manager explicitly reported that the behaviors they pre-
scribe are their personal beliefs (not company directives):
P36: You know, because my responsibility is financial, pro-
tecting the, the financial data. I, I take it upon myself to make
sure that we’re staying abreast of what is appropriate, what's
not appropriate. What some of the new requirements may be
as they’re released. Not that I'm aware of.”
The findings in this section show that the communication,
deployment and evolution of security behavior within organi-
zational sub-divisions mostly relies on managers as a conduit.
But the organization did not provide adequate support or train-
ing to them, which invites the evolution of local, ad-hoc prac-
tices, which may divert from the organization's policy. The
absence of a consistent security position encourages independ-
ent action on managing security at team level; shadow security
is seen to be implicitly permitted by the organization and ex-
plicitly by the team manager. The result are ad-hoc practices
(P118: “not policy, my own best practice”). This results in
inconsistent communication, knowledge and interpretation, in
effect fostering many differing security behaviors within the
same organization.
D. Employee Feedback Goes Unnoticed
In many ways, perceptions of the organization's existing
security implementations, as elicited from employees, indicate
where they believe the organization has failed to provide them
with adequate security support or indeed failed to keep the
organization secure. Housekeeping around access control, for
example, was not seen by employees as being managed proper-
ly and 19 participants expressed concerns to that effect:
P109: “There is five or six people that have since left the busi-
ness or, have gone elsewhere in the business but that they have
the password.”
Despite some employees taking action and reporting perceived
security problems, 8 participants reported that to them it seems
that their reported concerns go unnoticed:
P53: I’ve raised security issues and you never get anywhere
with them. I raised the issue of memory sticks, I also raised an
issue where I had a contractor came to work for the company
and he was given a laptop. And it belonged, it had belonged
clearly to one of the directors and it had all his information
still on it. [..] You were still made to do it and you could, sort
of, flag your reservations up but they wouldn’t be listened to”,
and 13 others reported that they saw no attempts to improve the
current organizational security implementation:
I: So, which way would you say the culture is moving? Is it
that, security is getting tighter, or it is weakening?”, P110: “To
be honest from day to day things, I do not really see it moving
to be honest.”
There appears to be a general perception amongst employ-
ees that the organization demands security but does not listen
to feedback, and does not respond in an adequate or timely
manner when shortcomings are identified. This validates em-
ployees who adapt security in their own way when an alterna-
tive solution is needed.
The shadow security practices we identified represent the
sum of self-made security measures created by productivity-
focused employees when the organization's existing security
implementation does not meet their needs. Rather than remain-
ing passive, employees, peer groups, and managers who have
their own understanding of security, individually or collective-
ly devise their own adaptations to unsatisfactory security
measures or introduce their own novel solutions. These are
perceived by employees as serving the purpose of maintaining
security. Isolated from the security division, the alternative
solutions deployed are based on their own understanding of
what the security experience should be like. But often, shadow
security practices do not manage the organization’s risks ade-
Security communication emerges as dysfunctional; there is
limited awareness of the existence of security policies and
formal procedures. Employees are willing to report problems
and suggest better solutions, but there is no effective feedback
channel for this purpose. In reality, key stakeholders in the
organization (line managers, for instance) are complicit in the
development of shadow security, primarily because these prac-
tices moderate the negative impact of security on productivity:
like their employees, they value productivity more. Security
measures that reduce productivity cause disgruntlement: indi-
viduals refuse to accept the interference with their primary
task, on which they are ultimately judged. They accept the
need for security, but security that does not fit forces them to
develop their own solutions. Without security management
actively soliciting feedback from employees to identify securi-
ty-productivity friction points and subsequent employee re-
sponses, the security of the organization becomes that which
managers and employees - assumed non-experts in security -
consider to provide the best fit for their business processes.
Whilst it is understandable that employees resort to a “Do It
Yourself” approach to security, turning a blind eye harbors a
number of potential risks for the organization:
It creates a false sense of security: employees believe they
are protecting the organization, but their understanding of
the risks the organization faces can be incomplete or inac-
curate (e.g. I delete data from unencrypted USB drive).
As a result they develop their own rationalizations of how
to manage security. This approach can potentially be ef-
fective if employees are significantly aware about security
related risks or happen to choose actions that protect the
organization, but any security management approach
based on ad-hoc solutions devised in isolation by employ-
ees may fail to reflect the actual risks the organization fac-
es: employees cannot be assumed to be security experts.
In some cases, procured solutions force employees to re-
shape their primary task to adapt to badly designed securi-
ty (e.g. “I carry two laptops”), instead of security adapting
to the task. This can quickly exhaust the employee’s com-
pliance budget [2]: in a situation where the perceived cost
is too high (e.g. a need to travel regularly with two com-
puters instead of one), employees' response may be inse-
cure (e.g. travel with the one laptop that has the widest
possible access and perform all tasks on it [29]).
Ineffective communication of policy to managers - those
best-placed to convey behaviors to employees - can lead to
the development of varying security “micro-cultures” in
smaller teams. Without appropriate training, managers
cannot be assumed to be sufficiently aware of the policy
and also lack an overview of the security risks that exist
within the organization. As a result, managers can only
communicate to employees what they themselves believe
is important about security at the time and, like employees,
they cannot be assumed to be security experts. This can
result in divergent behaviors developing, out of the organ-
ization’s control, rendering the organization vulnerable to
insecure employee behaviors that can become common
The divergence of behavior across different teams pro-
vides freedom for the development of team security folk
models [30], which are reinforced by both team managers
and team members. This can act as an additional level of
resistance to attempts by the organization to change em-
ployee behaviors and account for divergence from pre-
scribed behaviors or current mechanisms when a good rea-
son for it exists.
"Hard" technical solutions that the organization refuses to
change or replace may prevent shadow security practices
from developing, but cause disgruntlement. This can lead
to further alienation of users, adding to any existing user-
security divide [20], and compounding resistance to cen-
trally-dictated expectations. The identified lack of a re-
sponse from security to reported employee security con-
cerns (as in Section V.D., P53) can accentuate this divide:
if employees resort to shadow security practices, this may
indirectly serve to reduce their frustration with security.
While shadow security practices persist, the organization
has an inconsistent security posture which does not align with
its productivity goals. However, the existence of shadow secu-
rity also suggests the presence of a latent capacity for users to
appreciate and play an active part in the provision of security,
albeit driven by their internalized sense of what security should
achieve for the primary task. Employees deploy their own
security solutions when they believe a required “affordable”
policy or infrastructure is missing, instead of doing nothing or
passively relying on the organization to remediate. Security
experts should be aware of this individual capacity and the
potential for employees to consciously consider security in
their activities. Shadow security can inspire more workable
security implementations that align with productivity objec-
tives, provide effective protection, and minimize security over-
In the remainder of this section we discuss four specific as-
pects of the organization and its approach to security, where
the identified shadow security practices can be used as a lever-
age for improvements: (a) Reduction of the complexity of
mechanisms and processes required for compliant behaviors,
(b) Engagement with users in rationalizing the current security
implementation, (c) Attention to the assessment of the suitabil-
ity of proposed security solutions, and (d) Training and partici-
pation of managers in guiding security decisions. These areas
are related closely to the experiences of individuals within the
partner organization, and specifically examples where signifi-
cant friction between security and the primary task led to the
development of activities that can be characterized as shadow
A. Reducing Compliance Costs
We learnt 15 years ago that organizations with unusable se-
curity mechanisms are not effectively protected, because error
and workarounds create vulnerabilities [7]. We have since
learnt that a high level of non-compliance creates noise in
which signs of attacks are hard to detect [2], and people just
ignore security advice that requires high effort for little benefit
[3]. But our results show there has been little progress in iden-
tifying and removing ‘ill-fitting security policies and mecha-
nisms: organizations still do not track the effort that individuals
have to expend on security. Burdensome or disruptive security
implementations promote shadow security - users create their
own workable security solutions. Security experts need to
acknowledge that effective security can only be achieved by if
it fits and supports, rather than hinders, productive activity.
The increasing decentralization of modern IT implementations
means that security challenges need to be solved in a decentral-
ized, cooperative way [31]. This requires a move away from
‘standard’ and ‘best practice’ solutions for managing a security
risk, to a participative approach that works with users to under-
stand where and how security can fit in the productive activity
that users are focused on.
B. Engagement of Users in Security Design and Effectiveness
The capacity of users to participate in security can provide
leverage to create new, seamless security solutions that are
better aligned with their primary tasks. As previously dis-
cussed, users do not dismiss security, but act concoct "more
appropriate" security solutions when they encounter unworka-
ble security. Employees rationalize their experience with secu-
rity, and these rationalizations may not necessarily be those
that the security experts expect [32]; but these rationalizations
dictate how individuals interact with IT security, and the value
they see in compliance. Stochastic models have shown that
more effective security solutions can at times be counterintui-
tive to entrenched wisdom [14][33]. Organizations may
choose to accept that employee responses happen naturally. In
this way, (i) employees are the first indicator if security solu-
tions are not serving the business, and (ii) security management
must determine a strategy for engagement with security needs
and the associated two-way dialogue with users. Security
should not indirectly promote shadow security simply through
lack of proper channels for remediation. Where shadow secu-
rity practices occur, contributory factors can and should be
analyzed and leveraged to improve organizational security.
To reduce the likelihood of shadow security developing in
the first place, users can be involved in security design as an
integral part of the process. The importance of involving users
in systems design was first identified by Checkland et al. [34],
and the value of participatory and contextual design is widely
accepted among developers. But this approach is still not
adopted in security, with a few exceptions [32] in the formula-
tion of authorization policies. A participatory security design
approach includes representation of users' tasks and this
knowledge can be used to find a low-friction solution that does
not compete for users’ attention or effort, disrupts productivity
activity, or leads to errors. It also helps to identify security
goals and values [35] as this study shows, employees do try
and protect organizational assets against risks they understand.
Many security experts still talk (and think) that usability and
security create a tradeoff: that usability is nice, but security is
important, so it's ok to ask users to make extra effort. But usa-
bility is a hygiene factor for security: solutions that are not
usable will not work as intended, period. At worst, users will
become disgruntled and see security as obstacles to scoot
around. At best, security-conscious users will create a shadow
security solution that is workable as far as they are concerned,
but may not manage organization risks effectively. Our partic-
ipants openly discussed how security problems interrupt their
workflow, and what coping mechanisms they developed as a
response. They were also able to articulate ways for the organi-
zation to improve (e.g. Section V.D., P53, P109). All this con-
stitutes valid and useful feedback (even without recognizing
employees as security experts), which could be repurposed to
improve the organization's security posture [31].
C. Deploy, then Measure
Organizations need to measure the impact of security on
employees and productive activity, and keep monitoring it.
Currently there is no post-deployment assessment of the impact
of deployed security mechanisms on business processes; a lack
of complaints may be seen as proof that everything is well, but,
as the manifestation of shadow security reveals, silence does
not mean security is working as the organization has specified.
Regular assessment of the suitability of systems would turn
security management into an iterative process, moving away
from a static, “fire and forget”
approach. For example, the
introduction of a new business system that requires password
authentication adds one more credential to the cognitive load
placed upon users (Section V.B. P58); this strains their capaci-
ty to both recall individual passwords (encouraging use of
recall aids) and generate truly unique credentials for individual
systems (making re-use of existing passwords an increasingly
attractive solution) [27] user reaction to such a process can
only be accurately assessed after deployment.
D. Management Training Recognise the Importance of Low-
and Middle-Management in Security
Security is a collective achievement [36] and managers are
participating in it in many ways: employees turn to them for
Military term for missiles that require no further guidance after launch
support regarding their security decisions; they make local -
and potentially ad-hoc - decisions about access control and
information sharing, and they prescribe and moderate security
behavior amongst their team members, thus contributing to the
evolution of shadow security practices. Security awareness
and behavior amongst managers is thus important: employees
listen to and follow their managers’ behavior [37]. Security
management needs to understand that any security awareness
or education they broadcast will be interpreted and mediated
locally. They need to be aware of this, and (1) listen to manag-
ers’ questions, problems and concerns, and (2) help them to
develop correct and consistent security advice about security.
If organizations neglect to do so, managers and their teams will
continue to create their own rationalizations as to what their
interactions with IT-security mean, and how to achieve their
ultimate goal: to proceed with their primary tasks with minimal
damage on the organization’s security. Security-specific train-
ing should be tailored for managers to acknowledge their role
as mediators of security - instead of being overloaded with
security knowledge, training for managers can consider organi-
zational goals and organizational security principles. In this
way, when individuals consult their managers, they are more
likely to design novel solutions that account for the risks faced
by members of the team. In addition, managers of small teams
interact much more frequently with employees and have a
unique perspective of the frictions between security and
productivity tasks; soliciting feedback from them can contrib-
ute to an effective amalgamation of shadow and prescribed
security practices.
User reaction to an organization’s security implementation
needs to be heard, lest it weaken the organization's security
posture: learning from, and not ignoring, employees can en-
hance security, aligning it with organizational goals and in-
creasing its effectiveness. If users are not heard, they can be-
come disenfranchised, and should they have a legitimate con-
cern about security, they will not remain passive in the face of
ill-fitting solutions - they will engineer their own shadow secu-
rity environment. Organizations must be able to recognize
when and where shadow security is created, its causes, and in
turn how to adapt security provisions to respond to user needs -
without a consistent means of engagement with users, security
enforcers cannot claim absolute certainty that the security in-
frastructure exists exactly as intended. We propose that securi-
ty managers can learn from shadow security in a number of
ways: simplifying compliance with security, measuring the
effectiveness of security mechanisms after deployment, engag-
ing users when designing security solutions, and leveraging the
position of team managers as both a mediator for security and a
conduit for feedback as to the appropriateness of security solu-
tions in supporting productive tasks. Essentially, shadow secu-
rity should be treated as an opportunity to identify shortfalls in
current security implementations and their effects on the organ-
izational environment, to be leveraged in providing more effec-
tive security solutions for organizations.
The identification of shadow security creates a number of
future research challenges. To determine if shadow security
practices can be leveraged within a holistic security manage-
ment process, we are currently conducting similar analyses on
additional sets of interviews from two further organizations,
and are negotiating deployment of solutions - informed by
identified shadow security behaviors - within partner organiza-
tions. This will allow deployment of security solutions in-
formed by shadow security behaviors and assessment of their
real-world effectiveness.
We also agreed with a partner organization to conduct fur-
ther interviews and in-depth analyses studying the rationale of
employees engaging in shadow security behaviors: in many
cases employees admitted to knowing that their practices were
compromising security, so there is a need to determine if and
how they assess the risks created by their behaviors before
following a course of action (e.g. P49 on use of unencrypted
USB sticks, was the participant aware that simply "deleting"
unencrypted files does not stop an attacker from recovering
them from the flash drive?). We also aim to examine the com-
patibility of shadow security- driven information security man-
agement with current regulatory frameworks and international
standards with which modern organizations need to comply.
The authors are supported in part by UK EPSRC and
GCHQ, grant nr. EP/K006517/1 (“Productive Security”) and
the EPSRC-funded UCL SECReT Doctoral Training Centre.
We thank IT security managers at our partner organizations
for facilitating the interviews with employees and Philip In-
glesant and Simon Arnell for conducting some of the inter-
We also thank our USEC shepherd, Sameer Patil, for com-
ments and guidance.
[1] B. Von Solms. “Information security–the fourth wave”. Computers &
Security, 25(3), pp.165-168, 2006.
[2] A. Beautement, M. A. Sasse and M. Wonham. “The compliance budget:
managing security behaviour in organizations”. In Proceedings of the
2008 New Security Paradigms Workshop pp. 47-58. ACM, 2008.
[3] C. Herley. “So Long, and No Thanks for the Externalities”. In New
Security Paradigms Workshop (NSPW), 2009.
[4] B. Schneier. “Secrets and lies: digital security in a networked world”.
Wiley, 2000.
[5] M. Karyda., E. Kiountouzis, and S. Kokolakis. “Information systems
security policies: a contextual perspective.” Computers &
Security, 24(3), pp.246-260, 2005.
[6] M. A. Sasse, S. Brostoff, and D. Weirich. “Transforming the ‘weakest
link’—a human/computer interaction approach to usable and effective
security.” BT technology journal, 19(3), pp.122-131, 2001.
[7] A. Adams and M. A. Sasse. “Users are not the
enemy”. Communications of the ACM, 42(12), pp. 40-46, 1999.
[8] G. Stewart and D. Lacey. “Death by a thousand facts: Criticising the
technocratic approach to information security awareness”. Information
Management & Computer Security, 20(1), pp.29-38, 2012.
[9] I. Kirlappos, A. Beautement and M. A. Sasse. “Comply or Die Is Dead:
Long live security-aware principal agents.” FC 2013 Workshops, USEC
and WAHC 2013, Okinawa, Japan, April 1, pp.70-82, 2013.
[10] T, Herath and H. R. Rao. "Protection motivation and deterrence: a
framework for security policy compliance in organisations." European
Journal of Information Systems 18 (2), pp. 106-125, 2009.
[11] P. Dourish, R. E. Grinter, J. D. De La Flor, and M. Joseph. "Security in
the wild: user strategies for managing security as an everyday, practical
problem." Personal and Ubiquitous Computing 8, no. 6: 391-401, 2004.
[12] M. Settle. “Shadow IT: Are you solving the problem or just policing it?”
BMC Software, 2013.
[13] I. Fléchais. “Designing Secure and Usable Systems”. PhD diss.,
University College London, 2005.
[14] A. Beautement, R. Coles, J. Griffin, C. Ioannidis, B. Monahan, D. Pym,
M. A. Sasse, M. Wonham. “Modelling the Human and Technological
Costs and Benefits of USB Memory Stick Security”. In Managing
Information Risk and the Economics of Security. pp.141-163. Springer
US, 2009.
[15] H. Fulford and N. F. Doherty. “The application of information security
policies in large UK-based organizations: an exploratory investigation”.
Information Management & Computer Security 11(3), pp.106-114,
[16] F. Björck. “Security Scandinavian style”. PhD diss., Stockholm
University, 2001.
[17] S. Bartsch and M. A. Sasse. “How Users Bypass Access Control - And
Why: The Impact Of Authorization Problems On Individuals And The
Organization”. ECIS 2013: 53
[18] M. G. Morgan, B. Fischhoff., A. Bostrom., and C. J. Atman. “Risk
communication: A mental models approach”. Cambridge University
Press, 2001.
[19] C. C. Wood. “An unappreciated reason why information security
policies fail”. Computer Fraud & Security, (10), pp. 13-14, 2000.
[20] E. Albrechtsen and J. Hovden. “The information security digital divide
between information security managers and users”. Computers &
Security 28(6), pp.476-490, 2009.
[21] PWC, “UK Information Security Breaches Survey Results”, 2012.
[22] GRT Corporation, “British Intelligence Speaks Out On Cyber Threats”,
[23] I. Fléchais, C. Mascolo and M. A. Sasse. “Integrating security and
usability into the requirements and design process”. International
Journal of Electronic Security and Digital Forensics, 1(1), pp.12-26,
[24] S. Faily and I. Fléchais. “A meta-model for usable secure requirements
engineering. In Proceedings of the 2010 ICSE Workshop on Software
Engineering for Secure Systems (pp. 29-35). ACM, 2010.
[25] T. S. H. Teo and W. R. King. “Integration between business planning
and information systems planning: an evolutionary-contingency
perspective”. In Journal of management information systems, pp.185-
214, 1997.
[26] D. Weirich. “Persuasive Password Security”. Doctoral dissertation,
University College London, 2005.
[27] P. G. Inglesant and M. A. Sasse. “The true cost of unusable password
policies: password use in the wild.” In Proceedings of the 28th
international conference on Human factors in computing systems. pp.
383-392. ACM, 2010.
[28] A. Strauss and J. Corbin. “Basics of qualitative research: Techniques
and procedures for developing grounded theory”. Sage Publications,
Incorporated, 2007.
[29] A. Sasse, “A Tale of two laptops”, Personal communication, 2011
[30] R. Wash. “Folk models of home computer security”. In Proceedings of
the Sixth Symposium on Usable Privacy and Security, p. 11. ACM,
[31] F. Pallas. Information Security Inside Organizations-A Positive Model
and Some Normative Arguments Based on New Institutional
Economics. Available at SSRN 1471801, 2009.
[32] S. Bartsch and M. A. Sasse. “Guiding Decisions on Authorization
Policies: A Participatory Approach to Decision Support”. In ACM SAC
2012, Trento, Italy, 2012.
[33] S. Arnell, A. Beautement, P. Inglesant, B. Monahan, D. Pym, and M. A.
Sasse. “Systematic Decision Making in Security Management
Modelling Password Usage and Support”. Presented at the International
Workshop on Quantitative Aspects in Security Assurance. Pisa, Italy,
[34] P. B. Checkland and J. Poulter. “Learning for Action: A short definitive
account of Soft Systems Methodology and its use for Practitioners,
teachers and Students”, Wiley, 2006.
[35] B. Friedman, P. H. Kahn Jr, and A. Borning. "Value sensitive design
and information systems." Human-computer interaction in management
information systems: Foundations 5: 348-372, 2006.
[36] P. Dourish and K. Anderson. "Collective information practice: exploring
privacy and security as social and cultural phenomena." Human-
computer interaction 21 (3), pp.319-342, 2006.
[37] M. E. Johnson and E. Goetz. “Embedding information security into the
organization”. Security & Privacy, IEEE, 5(3), 16-24, 2007.
... The reinforcement or enactment of CSA learning is performed generally through these two approaches: the persuasive or soft approach (i.e., persuade the users to comply through motivations or rewards) or the enforcing or hard approach (i.e., compel the users to comply through threats of sanctions) [36]. In general, it is often recommended to apply a soft approach for long-term behavioral change in the CSA [36][37][38]. ...
... The reinforcement or enactment of CSA learning is performed generally through these two approaches: the persuasive or soft approach (i.e., persuade the users to comply through motivations or rewards) or the enforcing or hard approach (i.e., compel the users to comply through threats of sanctions) [36]. In general, it is often recommended to apply a soft approach for long-term behavioral change in the CSA [36][37][38]. However, there exists a contrary belief that advocates for the hard approach in the CSA [39]. ...
... Their investigation resulted in the following four metrics: the risky behavior scale (RBS), the conservative behavior scale (CBS), the exposure to offense scale (EOS), and the risk perception scale (RPS). Finally, Kirlappos et al. [36] examined employee behavior and identified a third category of employees apart from those who do and do not comply with prescribed security policies. This third type of employee believes that they cannot comply with the prescribed security policies, so they create a more suitable alternative to the policies and mechanisms in order to get the job done and manage the risks. ...
Full-text available
The proliferation of information and communication technologies in enterprises enables them to develop new business models and enhance their operational and commercial activities. Nevertheless, this practice also introduces new cybersecurity risks and vulnerabilities. This may not be an issue for large organizations with the resources and mature cybersecurity programs in place; the situation with small and medium-sized enterprises (SMEs) is different since they often lack the resources, expertise, and incentives to prioritize cybersecurity. In such cases, cybersecurity awareness can be a critical component of cyberdefense. However, research studies dealing with cybersecurity awareness or related domains exclusively for SMEs are rare, indicating a pressing need for research addressing the cybersecurity awareness requirements of SMEs. Prior to that, though, it is crucial to identify which aspects of cybersecurity awareness require further research in order to adapt or conform to the needs of SMEs. In this study, we conducted a systematic literature review that focused on cybersecurity awareness, prioritizing those performed with a particular focus on SMEs. The study seeks to analyze and evaluate such studies primarily to determine knowledge and research gaps in the cybersecurity awareness field for SMEs, thus providing a direction for future research.
... To the best of our knowledge we are the first investigating security friction through the lens of security management within real-world contexts -which is also the case because especially CISOs have a busy, high-pressure job, so researchers asking for in-depth interviews face a challenge. Previous work focused either usable security within software engineering [39] or on end-users [55,56]. Our contributions are the following: (I) we describe possible causes of frictions and the real world impact. ...
... Time and subjective satisfaction of the users is what needs to be achieved [34,85]. While usable security studies often focus on understanding the (un)usability or improvement of tools, in our work we took a wider look: we consider security friction as a problem created through a multitude of badly written security policies and measures that cost time, effort, and nerves, and are not aligned with employees routines, ultimately leading to reduced productivity [76], shadow security [55] (the implementation of alternative security mechanisms by employees, if they perceive the prescribed as too complicated), or a reduced security level. ...
... Impact Our analysis revealed that participants consider friction in security as a source of risk. Although security can be increased through certain measures, the sword of Damocles can also hang over the security of the organization: in the case of the perception of friction, the employees tend to circumvent the required measures or change to a shadow security behavior [55,56], where they try to keep the security level high, but following their own rules. This finding suggests that security managers are at least aware of the friction between the actual work tasks and security measures. ...
Conference Paper
Full-text available
Security managers often perceive employees as the key vulnerability in organizations when it comes to security threats, and complain that employees do not follow secure behaviors defined by their security policies and mechanisms. Research has shown, however, that security often interferes with employees primary job function, causing friction and reducing productivity-so when employees circumvent security measures , it is to protect their own productivity, and that of the organization. In this study, we explore to what extent security managers are aware of the friction their security measures cause, if they are aware of usable security methods and tools they could apply to reduce friction, and if they have tried to apply them. We conducted 14 semi-structured interviews with experienced security managers (CISOs and security consultants , with an average 20 years experience) to investigate how security friction is dealt with in organizations. The results of the interviews show security managers are aware that security friction is a significant problem that often reduces productivity and increases the organization's vulnerability. They are also able to identify underlying causes, but are unable to tackle them because the organizations prioritize compliance with relevant external standards, which leaves no place for friction considerations. Given these blockers to reducing security friction in organizations, we identify a number of possible ways forward, such as: including embedding usable security in regulations and norms, developing positive key performance indicators (KPIs) for usable security measures, training security managers, and incorporating usability aspects into the daily processes to ensure security frictionless work routines for everyone.
... The challenge remains to align the security theatre to the security reality by raising the feeling of security in the desired direction [Sch08b]. In an organisational context, employees may create their own security measures based on their understanding of security risks as a compromise to stay productive [KPS15]. This so-called "shadow security" [KPS15] expresses unofficial security workarounds from which an organisation can learn to improve and align existing security policies. ...
... In an organisational context, employees may create their own security measures based on their understanding of security risks as a compromise to stay productive [KPS15]. This so-called "shadow security" [KPS15] expresses unofficial security workarounds from which an organisation can learn to improve and align existing security policies. In a private setting where no organisational security policy exists, end-users rely on their own or a friend's risk assessment when using security-relevant services, for instance, to determine whether an e-mail is trying to phish them for their e-banking credentials. ...
... If these security workarounds exist without the knowledge of security policy makers, they become uncontrollable and may harm the security landscape. The concept of "shadow security" suggests that an organisation can learn from such security workarounds if known, transforming them to desired workarounds [KPS15]. ...
Full-text available
When technical protection mechanisms are too inflexible and security decisions are passed to users, users become part of the attack surface of a socio-technical system. This thesis contributes to the science of security regarding Social Engineering (SE), where users are the core enabler of successful attacks. Various sources were consulted to identify, analyse, and understand SE, enabling the development of a multidisciplinary knowledge base and appropriate safeguards. A suitable definition comprising five SE indicators was developed to examine anecdotes whether they express SE. Court documents (phishing), Lego modelling (cloud), and a novel SE poetry slam concept served as sources for in-depth analyses.
... That is also the case in IT security -an ENISA meta-review [12] of studies trying to link human characteristic or motivational factors to "good" security found no systematic link (except self-efficacy, see Sect. 2.) In this paper, we bring insights from behaviour change literature together with specific literature on human behaviour in security ( [7,19,27,31]), and spell out what organisations need to foster secure behaviours among their employees: ...
... In the original Awareness Maturity Curve, this was mentioned in the text, but not represented in the curve itself -which in hindsight was a mistake. Research has shown that when employees don't follow security policies, it is mostly because either they cannot do it [1], or because doing so would noticeably reduce their productivity [7], [19]. Parkin et al. [25] outlined an approach for tracking security workload in organisation, but virtually none keep track of their employees workload. ...
Full-text available
Most organisations are using online security awareness training and simulated phishing attacks to encourage their employees to behave securely. Buying off-the-shelf training packages and making it mandatory for all employees to complete them is easy, and satisfies most regulatory and audit requirements, but does not lead to secure behaviour becoming a routine. In this paper, we identify the additional steps employees must go through to develop secure routines, and the blockers that stop a new behaviour from becoming a routine. Our key message is: security awareness as we know it is only the first step; organisations who want employees have to do more to smooth the path: they have to ensure that secure behaviour is feasible, and support their staff through the stages of the Security Behaviour Curve – concordance, self-efficacy, and embedding – for secure behaviour to become a routine. We provide examples of those organisational activities, and specific recommendations to different organisational stakeholders.
... Problems also became clear in the LSP models, e.g. the apprentices built a model that showed that a multitude of information security policies and slow IT department delay learning and working in the organization. These perceived problems sometimes have an impact on everyday work and can, e. g., promote security friction [9,30] or shadow security [41,42]. If these already existing guidelines and practical troubles had been included in the planning of the workshop, it would have been possible to discuss with the apprentices their assessment of current measures as well as about their perception of related hurdles, difficulties and challenges in their daily work -in the sense of a joint dialogue [4] and a collaboration process [66]. ...
... By engaging in one behaviour repeatedly this may provide a platform for engaging in other behaviours. However, in instances where security advice is difficult to implement (Sasse, 2015), behaviours interfere with users' primary goals (Kirlappos et al., 2015) and/or require significant time or effort (Beautement et al., 2009) IoT device users are less likely to conduct best practice cyberhygiene behaviours. Future collaborative research with IoT users and designers is required to determine the perceived ease, likelihood and impact of specific behavioural changes considered important for maintaining cybersecurity by IoT experts. ...
Full-text available
The Internet of Things (IoT) connects computing devices embedded in everyday objects via the internet, enabling them to send and receive data. Little is known about behaviours required to protect IoT users. The study sought to develop expert consensus on the key protective behaviours, risk behaviours, and threats for IoT cybersecurity. An online, three-round Delphi consensus study was conducted with IoT experts. In Round One, experts’ responses to open-ended questions were analysed using inductive and content analyses to categorise them into behavioural categories. In Round Two, experts rated the importance of protective behaviours, and the likelihood that risk behaviours and threats would lead to IoT breaches. In Round Three experts re-evaluated their responses based on their own and the group’s responses. Experts agreed that 28 protective behaviours, one risk behaviour, and six threats were critical for IoT cyberhygiene. Five of the top 10 protective behaviours for conventional computing were also deemed important for IoT, i.e. ‘_Limit sharing of your personal information with devices’_,_ ‘Keep your IoT devices updated’_;_ ‘Read articles about IoT security, safety and privacy risks’, ‘Use a strong firewall’, and ‘Use strong passwords on devices, networks and services_’. The study provided information on the key behaviours and threats for IoT settings, and the extent to which recommendations for conventional computing settings may also be suitable for IoT settings. These findings can inform the development of tailored behaviour change interventions to improve cybersecurity.
... Such an individual could be someone with authority or someone with similar characteristics, such as peers. Regarding communication, it should consider the psychological and other influencing factors that increase the audience's participation and drive them to practice (or translate into actions) the security knowledge they learn from the program (see [33,34]). Enactment Approach. The ultimate objective of CSA is behavior change. ...
This chapter discusses present and prospective aspects of cybersecurity awareness (CSA) initiatives. Concerning the first, it presents practices suggested by numerous past research studies that involve both CSA and other relevant fields of study in order to build a more effective CSA program. The second segment recommends leveraging the capabilities of artificial intelligence (AI) and machine learning (ML) to design and deliver a more customized and personalized experience to CSA program audiences. This utilization of AI and ML will presumably contribute to making CSA programs more effective and efficient.
... Cormac Herley [34] argued that the time users needed to invest to follow security advice on passwords and phishing was simply not worth it, and that security advocates treat user time as a free resource. Parkin et al. [52] suggested a tool for tracking employee security effort in an organisation, and Kirlappos et al. [40] suggested that adapting technology and processes to secure employee routines would be more effective and efficient than trying to change employees' behaviours for the sake of security. ...
Conference Paper
Full-text available
In larger organisations, the security controls and policies that protect employees are typically managed by a Chief Information Security Officer (CISO). In research, industry, and policy, there are increasing efforts to relate principles of human behaviour interventions and influence to the practice of the CISO, despite these being complex disciplines in their own right. Here we explore how well the concepts of human-centred security (HCS) have survived exposure to the needs of practice: in an action research approach we engaged with n = 30 members of a Swiss-based community of CISOs in five workshop sessions over the course of 8 months, dedicated to discussing HCS. We coded and analysed over 25 hours of notes we took during the discussions. We found that CISOs far and foremost perceive HCS as what is available on the market, namely awareness and phishing simulations. While they regularly shift responsibility either to the management (by demanding more support) or to the employees (by blaming them) we see a lack of power but also silo-thinking that prevents CISOs from considering actual human behaviour and friction that security causes for employees. We conclude that industry best practices and the state-of-the-art in HCS research are not aligned.
Many professional domains require the collection and use of personal data. Protecting systems and data is a major concern in these settings, making it necessary that workers who interact with personal data understand and practice good security and privacy habits. However, to date, there has been little examination of perceptions, behaviors, and challenges among these professionals. To address this gap, we conducted an interview study of 19 individuals working in the education, finance, and health fields. We discovered an overarching theme centered on caring in relation to how these professionals feel responsible for protecting other people’s personal data and take on a “data guardian” role. The identification of the experiences and challenges of data guardians can aid organizations in recognizing and supporting this critical role. Study insights can also help designers of systems that process personal data to better align with the needs and constraints of data guardians.Keywordscybersecurityprivacypersonal data
Conference Paper
Full-text available
Non-compliance with security mechanisms and processes poses a significant risk to organizational security. Current approaches focus on designing systems that restrict user actions to make them ‘secure’, or providing user interfaces to make security tools ‘easy to use’. We argue that an important but often-neglected aspect of compliance is trusting employees to ‘do what’s right’ for security. Previous studies suggest that most employees are intrinsically motivated to behave securely, and that contextual elements of their relationship with the organization provide further motivation to stay secure. Drawing on research on trust, usable security, and economics of information security, we outline how the organization-employee trust relationship can be leveraged by security designers.
Conference Paper
Full-text available
Information security has adapted to the modern collaborative organisational nature, and abandoned “command-and-control” approaches of the past. But when it comes to managing employee’s information security behaviour, many organisations still use policies proscribing behaviour and sanctioning non-compliance. Whilst many organisations are aware that this “comply or die” approach does not work for modern enterprises where employees collaborate, share, and show initiative, they do not have an alternative approach to fostering secure behaviour. We present an interview analysis of 126 employees’ reasons for not complying with organisational policies, identifying the perceived conflict of security with productive activities as the key driver for non-compliance and confirm the results using a survey of 1256 employees. We conclude that effective problem detection and security measure adaptation needs to be de-centralised - employees are the principal agents who must decide how to implement security in specific contexts. But this requires a higher level of security awareness and skills than most employees currently have. Any campaign aimed at security behaviour needs to transform employee’s perception of their role in security, transforming them to security-aware principal agents.
Conference Paper
Full-text available
Over the past decade, security researchers and practitioners have tried to understand why employees do not comply with organizational security policies and mechanisms. Past re-search has treated compliance as a binary decision: people comply, or they do not. From our analysis of 118 in-depth interviews with individuals (employees in a large multinational organization) about security non-compliance, a 3rd response emerges: shadow security. This describes the instances where security-conscious employees who think they cannot comply with the prescribed security policy create a more fitting alter-native to the policies and mechanisms created by the organization?s official security staff. These workarounds are usually not visible to official security and higher management ? hence ?shadow security?. They may not be as secure as the ?official? policy would be in theory, but they reflect the best compromise staff can find between getting the job done and managing the risks that the assets they understand face. We conclude that rather than trying to ?stamp out? shadow security practices, organizations should learn from them: they provide a starting point ?workable? security: solutions that offer effective security and fit with the organization?s business, rather than impede it.
People today must make decisions about many health, safety, and environmental risks. Nuclear power, HIV/AIDS, radon, vaccines, climate change, and emerging infectious diseases are just some issues that may face them in the news media, ballot box, or doctor's office. In order to make sound choices they need to get good information. Because their time is limited, that information has to be carefully selected and clearly presented. This book provides a systematic approach for risk communicators and technical experts, hoping to serve the public by providing information about risks. The procedure uses approaches from risk and decision analysis to identify the most relevant information; it uses approaches from psychology and communication theory to ensure that it is understood. This book is written in nontechnical terms, designed to make the approach feasible for anyone willing to try it. It is illustrated with successful communications, on a variety of topics.
Conference Paper
Most organizations have access control policies, and many have to change them frequently to get work done. Currently, the way such changes are made often has a significant impact on the organization's security, productivity, and employee satisfaction. Those who have to make the decisions are put on the spot, and depending on their perspective and circumstances, the decision is biased towards business or security interests. A decision support system for access control policies could mitigate these problems, but to be effective, such a system needs a significant amount of information about specific security and business risks and benefits, and collecting this information requires significant investment. In this paper, we present a participatory approach to collecting this information, which not only reduces cost, but increases effectiveness because it ensures that specific local knowledge and downstream risks are represented and visible to decision-makers. We evaluated our systematically developed decision-support prototype in formative evaluations with employees and decision-makers from a variety of backgrounds. We found that, among others, decision support is highly dependent on the organizational context and that the collected factors need to be contextualized for the contributing individuals.
Many organizations struggle with ineffective and/or inefficient access control, but these problems and their consequences often remain invisible to security decision-makers. Prior research has focused on improving the policy-authoring part of authorization and does not show the full range of problems, their impact on organizations, and underlying causes. We present a study of 118 individual's experiences of authorization measures in a multi-national company and their self-reported subsequent behavior. We follow the recent advances in applying economic models to security usability and analyze the interrelations of authorization issues with individuals' behaviors and organizational goals. Our results indicate that authorization problems significantly impact the productivity and effective security of organizations. From the data, we derive authorization Personas and their daily problems, which are to a large extent caused by the procedures for policy changes and the decision-making, and lead to the circumvention of the measure. As one research contribution, we develop a holistic model of authorization problems. More practically, we recommend to monitor non-compliance, such as password-sharing, for indications of authorization problems, and to establish light-weight procedures for policy changes with adequate degrees of centralization and formalization, and support for decision-making.
Die Arbeit entwickelt ein abstraktes, theoriebasiertes Verständnis organisationsinterner Informationssicherheit. Hierzu wird etabliertes Wissen aus dem Gebiet der Informationssicherheit auf Basis zweier unterschiedlicher Dimensionen restrukturiert: Die historische Dimension unterscheidet drei "Epochen" und setzt diese in Relation zu zeitgleichen Paradigmenwechseln der Computernutzung. Das "Sicherheitsdreieck" charakterisiert drei unterschiedliche "Meta-Instrumente" der Informationssicherheit und hebt die Existenz eines übergeordneten regulato­rischen Rahmens hervor. Zudem basiert die Arbeit auf Prinzipien der Neuen Institutionenökonomik. Insbesondere werden Informationsasymmetrien, Transaktionskosten und Prinzipal-Agenten-Beziehungen sowie deren Relevanz für die Realisierung von Kooperation betrachtet. Kooperation wird dabei als das Zusammenspiel von Koordination und Motivation modelliert. Auf Basis dieser theoretischen Grundlagen wird daraufhin ein ökonomisch geprägtes, positives Modell der Informationssicherheit in Organisationen entwickelt. Das Modell liefert abstrakte und theoretisch fundierte Erklärungen für die in der Vergangenheit aufgetretenen Wechsel vorherrschender Vorgehensweisen der Informationssicherheit. Neben diesem erklärenden Aspekt wird das Modell zudem prospektiv angewendet. Derzeitige technologische Entwicklungen werden voraussichtlich zu zunehmend "verflochtenen" informationstechnischen Strukturen und somit zu einem weiteren Paradigmenwechsel der Computernutzung führen. Die Anwendung des positiven Modells legt nahe, dass sich derzeit etablierte Vorgehensweisen wie Verhaltensrichtlinien oder üblicherweise mit dem Begriff "Sicherheitskultur" verbundene Maßnahmen zunehmend als ineffizient und damit unangemessen erweisen werden. Organisationen müssen daher entweder alternative Ansätze nutzen oder bestehende Vorgehensweisen anpassen. Hierzu existieren bereits diverse Vorschläge, von denen einige auf Basis des ökonomisch geprägten, positiven Modells untersucht werden. Diese Analyse führt zu wohlfundierten Empfeh­lungen, welche Vorgehensweisen unter welchen Rahmenbedingungen angewendet werden sollten. Zudem unterstützt das ökonomische Verständnis die Entwicklung neuer, bislang noch nicht diskutierter Ansätze. Schlussendlich wird auch die zukünftige Rolle des regulatorischen Rahmens beleuchtet. Auch dieser bedarf der Anpassung an die zu erwartenden, veränderten Rahmen­be­dingungen um zu verhindern, dass Organisationen allein aus Compliance-Gründen zur Anwen­dung hochgradig ineffizienter Vorgehensweisen gezwungen werden. Insgesamt liefert das entwickelte positive Modell damit Erklärungen für beobachtete Phänomene der organisationsinternen Informationssicherheit, ermöglicht wohlfundierte Vorher­sagen zu erwartbaren zukünftigen Entwicklungen und führt zu normativen Aussagen zu notwen­digen Änderungen etablierter Ansätze und Vorgehensweisen. Es kann sich damit für zukünftige Forschungen in vielerlei Hinsicht als nützlich erweisen.
Conference Paper
Organizations deploy systems technologies in order to support their operations and achieve their business objectives. In so doing, they encounter tensions between the confidentiality, integrity, and availability of information, and must make investments in information security measures to address these concerns. We discuss how a macroeconomics-inspired model, analogous to models of interest rate policy used by central banks, can be used to understand trade-offs between investments against threats to confidentiality and availability. We investigate how such a model might be formulated by constructing a process model, based on empirically obtained data, of the use of USB memory sticks by employees of a financial services company.
Sociological study of normal routine behavior informs us of the mechanisms through which safety and social order are maintained. From ethnographic studies of public sites such as the New York subway system, we learn how workers' routines fit or do not fit into official security-era policies coming from above. Suggestions are provided for concrete mechanisms likely to enhance security while providing collateral benefits of enhanced efficiency and pleasure to members of the public.