How can business ensure security technologies are aligned with work processes so that it is easy for end-users to do the right thing and not circumvent controls?
Internet and IT risks have an impact on all employees, and the controls required to mitigate these risks will inevitably constrain or hamper the activities of all users. A reality of human behaviour is that whenever controls are implemented that affect what people do, many of them will modify their behaviour in unexpected or undesirable ways.
That said, there are some strategies that can improve user
acceptance of security controls and reduce the impact that these
controls have on the daily working lives of employees.
From the acceptance perspective, establishing and maintaining
awareness regarding security threats and potential impacts on the
business is a key starting point for influencing the behaviour of
end-users. Unfortunately, security awareness communication is one
of the least well understood, and poorest funded, security
activities in many organisations. Security management should
leverage internal or external communications skills to make
awareness campaigns effective.
Awareness should result in a willingness among staff to change
behaviour, along with the ability (eg, skills, attitudes, peer
recognition) to do so.
Regarding the impact of security controls, a key principle is to limit the number of security-related changes that are retro-fitted to new IT services. Implementing ad hoc security controls, or modifying existing ones, after deploying a new application does little to foster user acceptance. Placing more emphasis on integrating security into application, service and infrastructure development or acquisition lifecycles can mitigate this problem.
Operational security tasks (eg, malware scans, system updates/patches) often degrade the user experience. Attention to time scheduling and task resource priorities can reduce this impact. Nevertheless, one of the biggest user bugbears about security is the authentication experience. Any moves to improve this (eg, via single sign-on or self-service password reset) typically engender positive responses.
Tom Scholtz is a research vice-president at Gartner
Read more expert advice from the Computer Weekly Security Think Tank.