Christos Ioannidis, David Pym, Julian Williams and Iffat Gheyas

Abstract

In this work we address the main issues of IT consumerisation that are related to security risks, and propose a ‘soft’ mitigation strategy for user actions based on nudging, widely applied to health and social behaviour influence. In particular, we propose complementary, less strict, more flexible Information Security policies, based on risk assessment of device vulnerabilities and threats to corporate data and devices, combined with a strategy of influencing security behaviour by nudging. We argue that nudging, by taking into account the context of the decision-making environment, and the fact that the employee may be in a better position to make a more appropriate decision, may be more suitable than strict policies in situations of uncertainty of security-related decisions.

Date: June 24, 2014
Presented: Workshop on the Economics of Information Security (WEIS) 2014, Penn State University, 23-24 June, 2014.
Full Text: http://weis2014.econinfosec.org/papers/Ioannidis-WEIS2014.pdf
