Productive Security: Improving security compliance and productivity through measurement
The Productive Security project is based at University College London, and staffed by researchers from its Computer Science department’s Information Security Research Group, led by Professor Angela Sasse.
The aim of the Productive Security project is to give decision-makers in information security a scientific basis for making better choices with respect to both their organisation’s security and its productivity.
Over recent years, there has been a growing body of evidence that security policies and controls are not effective because employees either can’t, or won’t, comply. Many employees are left to make choices between complying with security, and getting their work done – and overwhelmingly choose the latter. Most organisations do not measure the effort associated with compliance, nor invest in integrating security into their business processes, leaving their employees to deal with the ‘friction’ this causes.
When it comes to security controls used within companies, the workload placed on employees still seems to be ignored, with negative consequences for both security and productivity. Non-compliance can undermine security – inflexible access control systems, for instance, lead to informal sharing of restricted information through channels outside the system. The organisation then loses both control and the audit trail (which is often a regulatory requirement). Employees reorganise their primary tasks to avoid or minimise their exposure to security mechanisms that are too onerous.
What is missing is a systematic investigation of how much individual and accumulated effort leads to such responses, and what the approximate impact is on risk and productivity.
Decisions about security controls are currently most often guided by the need to comply with legal and regulatory requirements, industry standards, or ‘best’ practice. Without hard evidence about the resulting risk mitigation or the impact on productivity, decision-makers have little choice but to be guided by these factors alone.
Security decision-making can be changed through tools which enable decision-makers to consider a wider range of options than those they habitually choose, and which show the predicted impact on productivity as well as on risk mitigation. There is a strong requirement for a structured, scientifically grounded decision-making framework into which existing data can be inserted, alongside the key ‘missing link’ measurements of employees’ workload, risk perception, and resulting security behaviours.
Productive Security is about:
- Creating methods and analytic tools to measure the impact of security controls on employees, and to determine how well those controls fit with business processes and employees’ tasks, based on a foundation of empirical evidence.
- Improving, by positively altering existing perceptions, employees’ understanding of organisational risks; of the role of security controls; and of how their own behaviour can prevent or facilitate security breaches.
The initial focus is to develop a systematic framework which allows organisations to gather a substantial data set on security behaviour using scientific measurements, providing hard evidence to support security decision-making. In the long run, we are developing an evidence-based productive security model, built on the Plan-Do-Check-Act cycle.