Previous case studies demonstrate that security professionals often fail to consider how the policies they put in place could affect the day-to-day activities of employees in their companies.
First, we need to understand whether security managers perceive this as a problem. To explore this further, a number of interviews were conducted with security managers of major UK-based firms.
All of the information security experts selected to participate in the study had seven or more years of work experience in the field of information security and were holding managerial positions in their companies at the time of the interview.
The following insights from security managers were gathered as part of research at University College London.17 Answers were anonymised to preserve the privacy of the individuals.
The main goal of these interviews was to gather insight into information security managers’ awareness of the fact that decisions regarding the particular implementation of security controls affect organisations as a whole, and that their actions may negatively impact users’ performance.
“When I’m making a decision to implement some aspect of the ISO 27001 standard in my organisation,” one security manager stated, “much of the decision centres on what the particular implementation would actually look like. ISO 27001 is very high-level and is by all means not a policy in itself – it just gives you one or two criteria or one or two suggestions as to how your security policies should look. As a result of the freedom of implementation, you actually have to write the policies yourself.”
Security managers also understand the role of involving business management in the process of implementing security controls.
“If there is no benefit to the business, you don’t do it,” another expert mentioned, “You should start with the business – find the people who these controls directly affect and get their buy-in.”
A common theme throughout was that business objectives should always be the priority. “Many security managers think that security is the most important thing. I personally don’t think so,” one manager admitted. “Paying shareholders is more important. Inhibiting those activities or encouraging dangerous activities because of what you are doing makes the situation worse.”
There is also awareness among security managers of how to detect non-compliance in their organisations. “I walk around the building on occasion,” one expert mentioned, “I wiggle doors and I check workstations for locked screens. The other way to gain insight into compliance is through rumours or chatting with people.”
Most interviewed security managers agree that one should not punish users for non-compliance reflexively. One has to first understand the root cause of the problem. For instance, one expert suggested, “You don’t react to non-compliance with anger, you try to find out why it happened, rather than just the fact that it has failed. Moreover, you use it as a possible trigger for education and awareness and possibility for improvement.”
Another expert reinforces this point of view: “At the end of the day it failed because with high probability, you implemented it badly, because you forced some particular way of working or method which your employees can’t use, so they worked around it.”
Another common theme was that information security managers are, to a certain degree, aware of the impact of the security policy on users’ behaviour. “Yes, I think I’m aware of the impact of my policies,” one security manager said, “because when it affects users in a negative way, we hear about it. There are lots of complaints.”
A number of information security managers backed up their statements with examples: “Some users want to look at a spreadsheet or use an application on their tablets but can’t, because security controls don’t allow access to the business applications via a tablet. So they have to use a laptop rather than a device of their own choice, and they are unhappy. So yes, we are aware of such tension.”
Several security managers stated that it is difficult to assess the impact of security controls on user behaviour: “We never measured it,” one manager admitted, “we don’t have a way of measuring it. So we don’t know.”
This view was echoed: “It is one thing to put controls in place and another to measure effectiveness. When it comes to users it is very difficult. They are not like servers, where you can look at, for example, CPU performance before and after some change.”
A subsequent theme emerged that focused on whether security managers are aware of the employees’ daily business activities. It appears that they are, but only to the degree required in order to successfully manage their security projects.
“At a high level we are aware,” one security manager said; “at the detailed process level really only when we are doing a project in that department, when we need to understand the processes within our project.”
Another example that supports the same argument was brought up: “There are situations where we do a particular project on a new system. For example, if we are working on a new credit card system which is being implemented, we work through the users’ roles and we work through the general data storage, so we become familiar with the supporting department’s user activities.”
All of the interviewed managers agreed that knowledge of what users in their company are doing can help them to improve the implementation of information security policies. One security manager stated, “For instance, we worked with our studio manager and looked at the process of data transfer to the client. We chose one particular brand of encrypted USB keys, and believed that adoption would be very high, because they are great-looking devices. It feels good for our creative workers to give this type of drive to the client, rather than sharing data using a cheap plastic USB stick – there is no story, there is no sort of emotional attachment, which is so particularly important for creative workers. But in order for us to come up with such a decision we actually spend some time observing and understanding our users.”
This resulted in employees using secure, encrypted devices to transfer potentially confidential information rather than their own unencrypted drives.
The majority of security managers understand the importance of involving the user and assessing the possible impact on their behaviour when deciding how to implement particular security controls. However, they also agree that their awareness of users’ business activities is reactive and based mainly on complaints.
We’ve heard from security managers, but the analysis is not complete until we have compared these views to those of the end-users themselves, in the next chapter.
17 Leron Zinatullin, “Modelling Conflicts between Security Compliance and Human Behaviour”, dissertation, University College London, 2013.