Abstract
Non-compliance with security mechanisms and processes poses a significant risk to organizational security. Current approaches focus on designing systems that restrict user actions to make them ‘secure’, or providing user interfaces to make security tools ‘easy to use’. We argue that an important but often-neglected aspect of compliance is trusting employees to ‘do what’s right’ for security. Previous studies suggest that most employees are intrinsically motivated to behave securely, and that contextual elements of their relationship with the organization provide further motivation to stay secure. Drawing on research on trust, usable security, and economics of information security, we outline how the organization-employee trust relationship can be leveraged by security designers.
© 2014 Springer International Publishing Switzerland
Cite this paper
Kirlappos, I., Sasse, M.A. (2014). What Usable Security Really Means: Trusting and Engaging Users. In: Tryfonas, T., Askoxylakis, I. (eds) Human Aspects of Information Security, Privacy, and Trust. HAS 2014. Lecture Notes in Computer Science, vol 8533. Springer, Cham. https://doi.org/10.1007/978-3-319-07620-1_7
DOI: https://doi.org/10.1007/978-3-319-07620-1_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07619-5
Online ISBN: 978-3-319-07620-1