Dates: October 2012 – June 2016
Lead researchers: Professor Angela Sasse, Ruhr University Bochum, Professor David Pym UCL
There has been a growing body of evidence that security policies and controls are not effective because employees either can’t or won’t comply. A key reason for non-compliance is the workload and complexity of the security controls chosen – employees simply cannot cope with an ever-increasing number of long, complex passwords. Yet most security decision-makers do not factor the impact on employees, their tasks, and the company’s business processes into their decision about which security controls to put in place. Current attempts to ‘educate’ employees about the need for security are largely ineffective because they simply push more information on people who are already overworked. Even in organisations with high security awareness, non-compliance can be observed because security policies cause excessive friction or are not agile enough to meet the needs of the business.
The project team worked primarily with two large companies to conduct empirical research on how security and security behaviours fit within the workday. This provided the companies with a catalogue of their security mechanisms and the employee effort associated with them, and a survey tool and set of organisation-specific scenarios for measuring their employees’ security attitudes and likely behaviour.
The work improved employees’ understanding of organisational risks, the role of security controls, and how their behaviour can prevent or facilitate security breaches. Engaging directly with employees to understand their perception of security in their jobs and the workplace resulted in a number of findings. These included indications that training should maintain relevance as the organisation changes and employees change roles, and that organisations should have a consistent approach to communicating security awareness.
The team used interviews and custom surveys to directly engage employees on policies where there are compliance issues. They developed methods and tools to measure the impact of security controls on employees and to determine how well those controls fit with business processes and employees’ tasks.
The research findings were used by NCSC to promote the adoption of usable security policies and measures, and the engagement of staff in security. This included its 2015 Password Guidance: Simplifying Your Approach, which guides system owners and service providers toward taking more responsibility for protecting accounts, rather than putting all of the workload on end-users. The new advice is: don’t impose long passwords, complex rules or frequent changes on users. In 2018, the NCSC changed its guidance on how to effectively combat phishing, which also incorporated findings from the Productive Security project.
This project, alongside the CySeCa project and work by the Centre for Research and Evidence on Security Threats (CREST) on Security Dialogues, informed the NCSC ‘You Shape Security’ guidance collection: https://www.ncsc.gov.uk/collection/you-shape-security.
Find out more
RISCS, Hewlett Packard Enterprise (HPE) and NCSC published a white paper encouraging organisations to engage employees in order to improve cyber security, co-authored by Productive Security researchers Professor Angela Sasse and Dr Simon Parkin. Available here: https://www.riscs.org.uk/wp-content/uploads/2015/12/Awareness-is-Only-the-First-Step.pdf
External collaborators: Hewlett Packard Enterprise (HPE)
Follow-on work: The Cyber Readiness for Boards project builds on the outcomes of this work.