The majority of employees within an organisation are hired to execute specific jobs, such as marketing, managing projects, manufacturing goods and overseeing financial investments. Their main – sometimes only – priority is to efficiently complete their core business activity, so information security is usually only a secondary consideration.
Consequently, employees are oftentimes reluctant to invest more than a limited amount of effort and time on such a secondary task that they rarely understand and from which they perceive no benefit.
Research suggests that when security mechanisms cause additional work, employees favour non-compliant behaviour in order to complete their primary tasks quickly.
There is a lack of awareness among security managers about the burden that security mechanisms impose on employees because it is assumed that the users can easily accommodate the effort that security compliance requires. In reality, employees tend to experience a negative impact on their performance because they feel that these cumbersome security mechanisms drain both their time and their effort.
The risk mitigation achieved through compliance, from their perspective, is not worth the disruption to their productivity. In extreme cases, the more urgent the delivery of the primary task is, the more appealing and justifiable non-compliance becomes regardless of employees’ awareness of the risks.
When security mechanisms hinder or significantly slow down employees’ performance, they cut corners and reorganise and adjust their primary tasks in order to avoid them. This seems to be particularly prevalent in file sharing, especially when users are restricted by permissions, by data storage or transfer allowance, and by time-consuming protocols.
People usually work around the security mechanisms and resort to the readily available commercial alternatives, which may be insecure. From the employee’s perspective, the consequences of not completing a primary task are severe as opposed to the ‘potential’ consequences of the risk associated with breaching security policies.
If organisations continue to set equally high goals for both security and business productivity, they are essentially leaving it up to their employees to resolve potential conflicts between them. Employees focus most of their time and effort on carrying out their primary tasks efficiently and in a timely manner, which means that their goal becomes maximising their own benefit rather than the company’s.
It is, therefore, vital for organisations to find a balance between security and productivity, for when they fail to do so, they lead – or even force – their employees to resort to non-compliant behaviour.
When companies are unable to recognise and correct security mechanisms and policies that affect performance, and when they exclusively reward their employees for productivity, not for security, they are effectively enabling and reinforcing non-compliant decision-making on behalf of the employees.
Employees comply with security policies only if they are motivated to do so; they must have the perception that compliant behaviour results in personal gain. People must be given the tools and the means to understand the potential risks associated with their roles, as well as the benefits of compliant behaviour – both to themselves and to the organisation.
Once they are equipped with this information and awareness, they must be trusted to make their own decisions that can serve to mitigate risks at the organisational level.
For information on where security professionals’ priorities should lie, please click here.
About the Author: Leron Zinatullin (@le_rond) is an experienced risk consultant, specialising in cyber security strategy, management and delivery. He has led large scale, global, high-value security transformation projects with a view to improving cost performance and supporting business strategy. He has extensive knowledge and practical experience in solving information security, privacy and architectural issues across multiple industry sectors. Visit Leron’s blog here: https://zinatullin.com/
To find out more about the psychology behind information security, read Leron’s book, The Psychology of Information Security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.