2 research outputs found

The boundedly rational employee: Security economics for behaviour intervention support in organizations

Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressures, and limited resources for identifying optimal security-related choices. Conflict arises because of information asymmetries present in the relationship, where influencers and decision-makers both consider costs, gains, and losses in ways which are not necessarily aligned. With the need to promote ‘good enough’ decisions about security-related behaviours under such constraints, we hypothesize that actions to resolve this misalignment can benefit from constructs from both traditional economics and behavioural economics. Here we demonstrate how current approaches to security behaviour provisioning in organizations mirror rational-agent economics, even where behavioural economics is embodied in the promotion of individual security behaviours. We develop and present a framework to accommodate bounded security decision-making, within an ongoing programme of behaviours which must be provisioned for and supported. Our four-stage plan to Capture, Adapt, Realign, and Enable behaviour choices provides guidance for security managers, focusing on a more effective response to the uncertainty associated with security behaviour in organizations.

Co-design and modelling of security policy for cultural and behavioural aspects of security in organisations

Organisations have historically applied a technology-oriented approach to information security. However, organisations are increasingly acknowledging the importance of human factors in managing secure workplaces. Having an effective security culture is seen as preferable to enforced compliance with policy. Yet, the study of security culture has not been addressed consistently, either in terms of its conceptual meaning or its practical implementation. Consequently, practitioners lack guidance on cultural elements of security provisioning and on engaging employees in identifying security solutions. To address existing problems relating to security policy in respect of organisational culture, this thesis explores behavioural and cultural aspects of organisational security. We address gaps in human-centred research, focusing on the lack of work representing real-world environments and insufficient collaboration between researchers and practitioners in the study of security culture. We address these gaps through analytical work, a novel co-design methodology, and two user studies. We demonstrate that current approaches to security interventions mirror rational-agent economics, even where behavioural economics is embodied in promoting security behaviours. We present two case studies exploring the dynamics between security provisioning and organisational culture in real-world environments, focusing on distinct groups of users — employees, security managers, and IT/security support — whose interactions are understudied. Our co-design methodology surfaces the complex, interconnected nature of supporting workable security practices by engaging modellers and stakeholders in a collaborative process producing mutually understood and beneficial models. We find employees prefer local support and assurances of secure behaviour rather than guidance without local context. Trust-based relationships with support teams improve engagement. Policy is perceived through interactions with support staff and by observing everyday workplace security behaviours. We find value in engaging with decision-makers and understanding their decision-making processes. We encourage researchers and practitioners to engage in a co-design process producing multi-stakeholder views of the complexities of security in organisations.