"Shadow security" as a tool for the learning organization

Published: 19 February 2015

Abstract

Traditionally, organizations manage information security through policies and mechanisms that employees are expected to comply with. Non-compliance with security is regarded as undesirable, and often sanctions are threatened to deter it. But in a recent study, we identified a third category of employee security behavior: shadow security. This consists of workarounds employees devise to ensure primary business goals are achieved; they also devise their own security measures to counter the risks they understand. Whilst not compliant with official policy, and sometimes not as secure as employees think, shadow security practices reflect the working compromise staff find between security and "getting the job done". We add to this insight in this paper by discussing findings from a new interview study in a different organization. We identified additional shadow security practices, and show how they can be transformed into effective and productivity-enabling security solutions, within the framework of a learning organization.

Published In

ACM SIGCAS Computers and Society, Volume 45, Issue 1
February 2015
39 pages
ISSN: 0095-2737
DOI: 10.1145/2738210

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. compliance
  2. information security management
  3. security design

Qualifiers

  • Research-article
