How can a business ensure that security technologies are aligned with work processes, so that it is easy for end-users to do the right thing rather than circumvent controls?
Internet and IT risks affect all employees, and the controls required to mitigate them inevitably constrain or hamper the activities of all users. A reality of human behaviour is that whenever controls change what people can do, many of them will adapt in unexpected or undesirable ways, including working around the control.
That said, there are some strategies that can improve user acceptance of security controls and reduce the impact that these controls have on the daily working lives of employees.
From the acceptance perspective, establishing and maintaining awareness regarding security threats and potential impacts on the business is a key starting point for influencing the behaviour of end-users. Unfortunately, security awareness communication is one of the least well understood, and poorest funded, security activities in many organisations. Security management should leverage internal or external communications skills to make awareness campaigns effective.
Awareness should result in a willingness among staff to change behaviour, along with the ability (eg, skills, attitudes, peer recognition) to do so.
Regarding the impact of security controls, a key principle is to limit the amount of security-related changes that are retro-fitted to new IT services. Implementing ad hoc security controls, or modifying existing ones, after deploying a new application does little to foster user acceptance. More emphasis on integrating security into application, service and infrastructure development or acquisition lifecycles can mitigate this problem.
Operational security tasks (eg, malware scans, system updates/patches) often degrade the user experience. Scheduling them outside peak working hours and running them at lower CPU and I/O priority than interactive work reduces this.
Above all, the biggest user bugbear about security is the authentication experience. Any move to improve it (eg, via single sign-on or self-service password reset) typically engenders a positive response.
Tom Scholtz is a research vice-president at Gartner