High-profile cases of sensitive data loss from government have led to calls
for even tighter security controls. However, in most of these cases
it appears to be the human element that is at fault, not the
technological solutions that protect the data, writes
Andrew Kays, head of development at Nexor.
Nexor, working with cyberpsychology researchers at Nottingham
Trent University, has been looking at the factors that influence
human behaviour and people's attitudes towards security, in
particular their responses to rules defined in published security
policies.
If a security policy mandates a specific behaviour, why do
people choose to take a different course of action? The research
texts refer to this as "pro-social rule breaking", which is defined
as an intentional violation of an explicit organisational policy
with the intention to perform a job more efficiently, help a
colleague, or provide good customer service.
The research has shown that despite people knowing the rules, if
these are considered counterproductive and adversely affect the
person's ability to do their job, people tend to "bend" them to
improve their personal efficiency and effectiveness. Details of a
policy's restrictions and instructions are usually well understood
by senior users, but complacency can set in when they have been
working in the same area for a long time and know they will "get
away with it".
The interesting inference here is that it is the longer-term
employees who need repeat training, not the new recruit, who will
tend to follow the culture and examples set by longer-term colleagues
who say "well, the policy says this, but we always ignore it". This
appears to be exactly what has happened in many recent government
data loss examples, and it has to be countered with regular and
relevant user training.
The research also looked at how people react to monitoring and
enforcement systems that validate the policy. It suggested that
people's behaviour is shaped by the monitoring environment.
Explaining the general ramifications of non-compliant actions, or
the rationale for monitoring conformance, is not considered
sufficient. Instead, it has to be explained in the specific context
of the person's role; otherwise people will feel it does not apply
to them and circumvent it.
This suggests that monitoring which is imposed without that
role-specific explanation may make the situation worse, not better.
The human factor will always be an issue in security and will
always be an organisation's most vulnerable point. Effective and
regular education has a part to play, but the research shows it has
to be personally targeted and put in a context meaningful to the
individual. The role of technology then needs to be considered
carefully to help and support this weak link.
The insight gained through this work can now influence future
technology research and development. This will lead to solutions
that complement progress in improved behaviours and reduce the
effects of policy non-compliance as well as the non-compliance
itself.
Security Zone
Security Zone is a regular series in Computer Weekly covering
all aspects of IT security management. Each article is written by a
member of the International Information Systems Security
Certification Consortium (ISC)2.