250 research outputs found

    Learning from "shadow security": understanding non-compliant behaviours to improve information security management

    This thesis examines employee interaction with information security in large organisations. It starts by revisiting past research in user-centred security and security management, identifying three research questions that examine (1) employee understanding of the need for security, (2) the challenges security introduces to their work, together with their responses to those challenges, and (3) how to use the emerging knowledge to improve existing organisational security implementations. Preliminary examination of an available interview data set led to the emergence of three additional research questions, aiming to identify (4) employee actions after bypassing organisational security policy, (5) their response to perceived lack of security support from the organisation, and (6) the impact of trust relationships in the organisation on their security behaviours. The research questions were investigated in two case studies inside two large organisations. Different data collection (200 interviews and 2129 surveys) and analysis techniques (thematic analysis and grounded theory) were combined to improve outcome validity and allow for generalisability of the findings. The primary contribution of this thesis is the identification of a new paradigm for understanding employee responses to high-friction security, the shadow security: employees adapt existing mechanisms or processes, or deploy other self-devised solutions, when they consider the productivity impact of centrally-procured security as unacceptable.
An additional contribution is the identification of two trust relationships in organisational environments that influence employee security behaviours: organisation-employee trust (willingness of the organisation to remain exposed to the actions of its employees, expecting them to behave securely), and inter-employee trust (willingness of employees to act in a way that renders themselves or the organisation vulnerable to the actions of another member of the organisation). The above contributions led to the creation of a structured process to better align security with organisational productive activity, together with a set of relevant metrics to assess the effectiveness of attempted improvements. The thesis concludes by presenting a case study attempting to apply the above process in an organisation, also presenting the emerging lessons for both academia and industry.

    ENHANCING USABILITY USING AUTOMATED SECURITY INTERFACE ADAPTATION (ASIA)

    2 PUBLISHED CONFERENCE PROCEEDINGS PROVIDED IN APPENDIX E. Many users are now significantly dependent upon computer applications. Whilst many aspects are now used very successfully, an area in which usability difficulties continue to be encountered is in relation to security. This can become particularly acute in situations where users are required to interact and make decisions, and a key context here is typically when they need to respond to security warnings. The current implementation of security warnings can often be considered as an attempt to offer a one size fits all solution. However, it can be argued that many implementations are still lacking the ability to provide meaningful and effective warnings. As such, this research focuses upon achieving a better understanding of the elements that aid end-users in comprehending the warnings, the difficulties with the current approaches, and the resulting requirements in order to improve the design and implementation of such security dialogues. In the early stage of research, a survey was undertaken to investigate perceptions of security dialogues in practice, with a specific focus upon security warnings issued within web browsers. This provided empirical evidence of end-users’ experiences, and revealed notable difficulties in terms of their understanding and interpretation of the security interactions. Building upon this, the follow-up research investigated understanding of application level security warnings in wider contexts, looking firstly at users’ interpretation of what constitutes a security warning and then at their level of comprehension when related warnings occurred. These results confirmed the need to improve the dialogues so that the end-users are able to act appropriately, and consequently promoted the design and prototype implementation of a novel architecture to improve security warnings, which has been titled Automated Security Interface Adaptation (ASIA).
The ASIA approach aims to improve security warnings by tailoring the interaction more closely to individual user needs. By automatically adapting the presentation to match each user’s understanding and preferences, security warnings can be modified in ways that enable users to better comprehend them, and thus make more informed security decisions and choices. A comparison of the ASIA-adapted interfaces compared to standard versions of warnings revealed that the modified versions were better understood. As such, the ASIA approach has significant potential to assist (and thereby protect) the end-user community in their future interactions with security. UNIVERSITY SAINS MALAYSIA (USM), MINISTRY OF HIGHER EDUCATION MALAYSIA (MOHE

    Toward empowerment : screening prolonged grief disorder in the first six months of bereavement
