
“Comply or Die” Is Dead: Long Live Security-Aware Principal Agents

  • Conference paper
Financial Cryptography and Data Security (FC 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7862)

Abstract

Information security has adapted to the collaborative nature of modern organisations and abandoned the "command-and-control" approaches of the past. But when it comes to managing employees' information security behaviour, many organisations still rely on policies that proscribe behaviour and sanction non-compliance. Whilst many organisations are aware that this "comply or die" approach does not work for modern enterprises in which employees collaborate, share, and show initiative, they have no alternative approach to fostering secure behaviour. We present an interview analysis of 126 employees' reasons for not complying with organisational policies, identify the perceived conflict between security and productive activities as the key driver of non-compliance, and confirm the results with a survey of 1256 employees. We conclude that effective problem detection and adaptation of security measures need to be decentralised: employees are the principal agents who must decide how to implement security in specific contexts. This, however, requires a higher level of security awareness and skill than most employees currently have. Any campaign aimed at security behaviour therefore needs to transform employees' perception of their role in security, turning them into security-aware principal agents.



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

Cite this paper

Kirlappos, I., Beautement, A., Sasse, M.A. (2013). “Comply or Die” Is Dead: Long Live Security-Aware Principal Agents. In: Adams, A.A., Brenner, M., Smith, M. (eds) Financial Cryptography and Data Security. FC 2013. Lecture Notes in Computer Science, vol 7862. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41320-9_5


  • DOI: https://doi.org/10.1007/978-3-642-41320-9_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41319-3

  • Online ISBN: 978-3-642-41320-9
