publication . Conference object . 2014

Learning from “Shadow Security”: Why understanding non-compliance provides the basis for effective security

Kirlappos, I.; Parkin, S.; Sasse, M. A.
Open Access, English
  • Published: 01 Feb 2014
  • Country: United Kingdom
Abstract
Over the past decade, security researchers and practitioners have tried to understand why employees do not comply with organizational security policies and mechanisms. Past research has treated compliance as a binary decision: people comply, or they do not. From our analysis of 118 in-depth interviews with individuals (employees in a large multinational organization) about security non-compliance, a third response emerges: shadow security. This describes the instances where security-conscious employees who think they cannot comply with the prescribed security policy create a more fitting alternative to the policies and mechanisms created by the organization’s of...
Download from: UCL Discovery

References (37 in total; page 1 of 3 shown)

[1] B. Von Solms. “Information security - the fourth wave”. Computers & Security 25(3), pp. 165-168, 2006.

[2] A. Beautement, M. A. Sasse and M. Wonham. “The compliance budget: managing security behaviour in organizations”. In Proceedings of the 2008 New Security Paradigms Workshop (NSPW), pp. 47-58. ACM, 2008.

[3] C. Herley. “So Long, and No Thanks for the Externalities”. In Proceedings of the New Security Paradigms Workshop (NSPW), 2009.

[4] B. Schneier. “Secrets and Lies: Digital Security in a Networked World”. Wiley, 2000.

[9] I. Kirlappos, A. Beautement and M. A. Sasse. “Comply or Die Is Dead: Long Live Security-Aware Principal Agents”. In FC 2013 Workshops (USEC and WAHC 2013), Okinawa, Japan, April 1, pp. 70-82, 2013.

[10] T. Herath and H. R. Rao. “Protection motivation and deterrence: a framework for security policy compliance in organisations”. European Journal of Information Systems 18(2), pp. 106-125, 2009.

[11] P. Dourish, R. E. Grinter, J. D. De La Flor and M. Joseph. “Security in the wild: user strategies for managing security as an everyday, practical problem”. Personal and Ubiquitous Computing 8(6), pp. 391-401, 2004.

[12] M. Settle. “Shadow IT: Are you solving the problem or just policing it?”. BMC Software, 2013.

[13] I. Fléchais. “Designing Secure and Usable Systems”. PhD thesis, University College London, 2005.

[14] A. Beautement, R. Coles, J. Griffin, C. Ioannidis, B. Monahan, D. Pym, M. A. Sasse and M. Wonham. “Modelling the Human and Technological Costs and Benefits of USB Memory Stick Security”. In Managing Information Risk and the Economics of Security, pp. 141-163. Springer US, 2009.

[15] H. Fulford and N. F. Doherty. “The application of information security policies in large UK-based organizations: an exploratory investigation”. Information Management & Computer Security 11(3), pp. 106-114, 2003.

[16] F. Björck. “Security Scandinavian style”. PhD thesis, Stockholm University, 2001.

[17] S. Bartsch and M. A. Sasse. “How Users Bypass Access Control - And Why: The Impact of Authorization Problems on Individuals and the Organization”. In Proceedings of ECIS 2013, paper 53, 2013.

[18] M. G. Morgan, B. Fischhoff, A. Bostrom and C. J. Atman. “Risk Communication: A Mental Models Approach”. Cambridge University Press, 2001.

[19] C. C. Wood. “An unappreciated reason why information security policies fail”. Computer Fraud & Security 2000(10), pp. 13-14, 2000.
