High-profile cases of sensitive data loss from government have led to calls for even tighter security controls. However, in most of these cases it appears to be the human element that is at fault, not the technological solutions that protect the data, writes Andrew Kays, head of development at Nexor.
Nexor, working with cyberpsychology researchers at Nottingham Trent University, has been looking at the factors that influence human behaviour and people's attitudes towards security, in particular their responses to rules defined in published security policies.
If a security policy mandates a specific behaviour, why do people choose to take a different course of action? The research texts refer to this as "pro-social rule breaking", which is defined as an intentional violation of an explicit organisational policy with the intention to perform a job more efficiently, help a colleague, or provide good customer service.
The research has shown that despite people knowing the rules, if these are considered counterproductive and adversely affect the person's ability to do their job, people tend to "bend" them to improve their personal efficiency and effectiveness. Details of a policy's restrictions and instructions are usually well understood by senior users, but complacency can set in when they have been working in the same area for a long time and know they will "get away with it".
The interesting inference here is that it is the longer-term employees who need repeat training, not the newer recruits, who will tend to follow the culture and example set by the longer-term staff whose attitude is "well, the policy says this, but we always ignore it". This appears to be exactly what has happened in many recent government data loss examples and has to be countered with regular and relevant user training.
The research also looked at how people react to monitoring and enforcement systems that validate the policy. It suggested that people's behaviour is shaped by the monitoring environment. Explaining the general ramifications of people's non-compliant actions or the rationale for monitoring conformance is not considered sufficient. Instead, it has to be explained in the specific context of the person's role, otherwise people will feel it does not apply to them and circumvent it.
This suggests that monitoring may make the situation worse, not better.
The human factor will always be an issue in security and will always be an organisation's most vulnerable point. Effective and regular education has a part to play, but the research shows it has to be personally targeted and put in a context meaningful to the individual. The role of technology then needs to be considered carefully to help and support this weak link.
The insight gained through this work can now influence future technology research and development. This will lead to solutions that complement progress in improved behaviours and reduce the effects of policy non-compliance as well as the non-compliance itself.
Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)2.