A qualitative study of users' view on information security
Introduction
The information security role of users is an important part of a holistic approach to information security management. Dhillon and Backhouse (2000) have argued that the role, responsibility and integrity of users are important principles of information security management in new forms of organisations, which can be characterized by blurred organisational and geographical borders; use of mobile equipment; and information and knowledge being the organisation's most important resources. Users should play an active part in the information security work by preventing unwanted incidents; protecting an organisation's material and immaterial assets; and reacting to incidents. Users can contribute with several security actions in their daily work, e.g. locking the computer when absent from it; password etiquette; cautious use of e-mail and the Internet; avoiding the use of unlicensed software; cautious use of organisational assets when working outside the organisation; and reporting information security breaches. A user can be characterized as a person with legitimate access to the organisation's information systems. This study concentrates on users with no management responsibility and a low degree of information security awareness and knowledge about information systems.
This paper aims at providing knowledge of users' experience of information security and their individual security role in daily work. This purpose is approached by qualitative interviews of users at a Norwegian bank and a Norwegian IT-company. The following research questions are discussed in the paper:
- How do users experience their own information security role and the administrative information security measures in their work processes?
- Why do users experience the information security work the way they state?
- Are there arguments in the users' views on information security that imply alternative approaches to information security management at the studied companies?
Editorials of this journal have called for more papers on the human factor in information security (Schultz, 2004, Schultz, 2005). Current human-related information security research has been categorized into four main directions by Stanton et al. (2005): (1) user interfaces of security-related systems; (2) information security management concerns for risk, business processes and finance; (3) organisational issues related to information security behaviour; and (4) counterproductive computer usage. This paper positions itself within the third direction by studying users' understandings of organisational issues related to individual information security behaviour, as the study is mainly about administrative aspects and does not discuss users' views on technological security measures.
A user's view on information security is created by several interlocking organisational, technological and individual factors. The context of a user's work may, for example, create information security trade-offs. Furthermore, social norms and interactions at the workplace influence individual understanding of information security. The quality of information security management also affects users' awareness, motivation and behaviour in some way. Technological information security solutions influence users by framing what it is possible for users to do in information systems, as well as by functioning as a foolproof security mechanism for whatever actions users may take. Individual factors such as motivation, knowledge, attitudes, values and behaviour also influence individual views on information security. How people perceive risk is also part of the explanation for users' views on information security. The paper mainly explains users' experiences of information security by organisational factors. It is, however, impossible to neglect individual and technological factors in this exploration, due to the interwoven relations between organisation, technology and individuals.
Users' role in information security
The information security function of each user is an important part of information security. Users are often the weakest link in the information security chain (Schneier, 2000), as users might be a single or the least reliable barrier to prevent unwanted incidents. Hence, users should contribute with information security actions such as cautious use of e-mail and password etiquette. Loss prevention behaviour is created by a combination of several factors (Aarø and Rise, 1996): personal
The study
The research questions were approached by analysing qualitative data from two interview studies of users in a service centre at a Norwegian IT-company and in a department of customer counselling at a Norwegian bank. The two cases were chosen because the researcher had cooperated with security professionals at the companies on past occasions, thus the security professional functioned as gatekeepers for the interviews. Both cases were interesting to study as they are organisations where
Results
This section presents the major patterns in the data material. Three main findings are presented: users' view on their information security role and responsibility; users' perception of functionality issues related to information security; and users' evaluation of behavioural effects of information security measures. First, an interpretation of the informants' information security awareness is presented. This presentation of awareness among the informants is valuable in order to understand the
Discussion
In Section 4, three main patterns of results are mapped: users do not perform many information security actions; users prioritise other work tasks over information security; and users experience current tools for influencing individuals as ineffective for that purpose. The interviews indicate that a main problem regarding users' role in the information security work is their lack of motivation and knowledge regarding information security and related work. This poor quality of users'
Conclusion
The results of this qualitative study of users and information security should not be seen as generalized facts. Rather, the results are interpretations of some users' experiences of information security in their daily work. It should thus be considered whether the findings are transferable to certain organisations by comparing them to the context of this study. The results of this study are created by qualitative interviews of users in a service centre at an IT-company and in a consultancy
Acknowledgements
The author thanks Prof. Jan Hovden at the Norwegian University of Science and Technology for valuable input and discussions. The author also thanks the interviewed users and the security officers at the studied companies for sharing their experiences on information security. Eirik Albrechtsen's PhD project is financed by Vesta insurance company.
Eirik Albrechtsen is a PhD student at the Department of Industrial Economics and Technology Management at the Norwegian University of Science and Technology. He obtained his Master of Science degree at the same Department in 2002. His current research interests include human and organisational aspects of information security and information security management strategies.
References (43)
- Computer security impaired by legitimate users. Computers and Security (2004).
- Accident prevention. Presentation of a model placing emphasis on human, structural and cultural factors. Safety Science (2004).
- Human errors. A taxonomy for describing human malfunction in industrial installations. Journal of Occupational Accidents (1982).
- Risk management in a dynamic society: a modeling problem. Safety Science (1997).
- Security training and awareness – fitting a square peg in a round hole. Computers and Security (2004).
- The human factor in security. Computers and Security (2005).
- Risk homeostasis and risk assessment. Safety Science (1996).
- Analysis of end user security behaviours. Computers and Security (2005).
- Den menneskelige faktor. In Norwegian [The human factor] (1996).
- Users are not the enemy. Communications of the ACM (1999).
- The usability challenge.
- Gammeldags tenkning i moderne organisasjoner? Om IKT-sikkerhet i kunnskapsorganisasjoner. In Norwegian [Old-fashioned thinking in modern organisations? On ICT security in knowledge organisations].
- Organizational learning II.
- Risk society: towards a new modernity.
- Labor and Monopoly Capital.
- The organization of hypocrisy: talk, decisions and actions in organizations.
- Information system security management in the new millennium. Communications of the ACM.
- Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal.
- Risk and culture: an essay on the selection of technological and environmental dangers.
- Scandinavian design: on participation and skill.
- How safe is safe enough?
Cited by (253)
- A quest for research and knowledge gaps in cybersecurity awareness for small and medium-sized enterprises. Computer Science Review, 2023.
- The recent trends in cyber security: A review. Journal of King Saud University - Computer and Information Sciences, 2022.
- Information systems security research agenda: Exploring the gap between research and practice. Journal of Strategic Information Systems, 2021. Citation excerpt: "Duality in secure systems development is succinctly defined by White and Dhillon (2005) as resulting when an 'information system and its security are designed, built and implemented into an organizational environment separately, allowing for the possibility of conflict between a system's functionality and its security.' System developers continue to consider security as an afterthought in terms of having different priorities between security goals and information use (Karlsson et al. 2017), or even when the proposed system sees resistance to security implementation (Albrechtsen 2007). Spagnoletti and Resca (2008) characterize such duality in terms of a 'drift' - when the technological system does not match the original design."
- Ethical requirements in job advertisements: A deep learning approach. European Management Review, 2024.