"Shadow security" as a tool for the learning organization

Article (English, open access)
Kirlappos, I. ; Parkin, S. ; Sasse, M. A. (2015)
  • Publisher: ACM
  • Subject: Information security management, Compliance, Security design

Traditionally, organizations manage information security through policies and mechanisms that employees are expected to comply with. Non-compliance with security is regarded as undesirable, and often sanctions are threatened to deter it. But in a recent study, we identified a third category of employee security behavior: shadow security. This consists of workarounds employees devise to ensure primary business goals are achieved; they also devise their own security measures to counter the risks they understand. Whilst not compliant with official policy, and sometimes not as secure as employees think, shadow security practices reflect the working compromise staff find between security and "getting the job done". We add to this insight in this paper by discussing findings from a new interview study in a different organization. We identified additional shadow security practices, and show how they can be transformed into effective and productivity-enabling security solutions, within the framework of a learning organization.
