Iacovos Kirlappos, Simon Parkin, M. Angela Sasse


Abstract

Traditionally, organizations manage information security through policies and mechanisms that employees are expected to comply with. Non-compliance with security is regarded as undesirable, and often sanctions are threatened to deter it. But in a recent study, we identified a third category of employee security behavior, distinct from both compliance and non-compliance: shadow security. This consists of workarounds employees devise to ensure primary business goals are achieved; they also devise their own security measures to counter the risks they understand. Whilst not compliant with official policy, and sometimes not as secure as employees think, shadow security practices reflect the working compromise staff find between security and "getting the job done". We add to this insight in this paper by discussing findings from a new interview study in a different organization. We identified additional shadow security practices, and show how they can be transformed into effective and productivity-enabling security solutions, within the framework of a learning organization.

Date: February 1, 2015
Published: ACM Computers & Society Special Issue on Security, Privacy, and Human Behavior, Volume 45 Issue 1, February 2015, pp 29-37.
Publisher: ACM
Publisher URL: https://dl.acm.org/citation.cfm?doid=2738210.2738216
Full Text: https://dl.acm.org/ft_gateway.cfm?id=2738216
DOI: http://dx.doi.org/10.1145/2738210.2738216
Open Access: http://discovery.ucl.ac.uk/1462481/