Kirlappos, I; Parkin, S; Sasse, MA; (2015) "Shadow security" as a tool for the learning organization. ACM SIGCAS Computers and Society , 45 (1) pp. 29-37. 10.1145/2738210.2738216.

Preview

Text Kirlappos%2C Parkin%2C Sasse - Shadow Security-nocop.pdf Download (472kB) | Preview

Abstract

Traditionally, organizations manage information security through policies and mechanisms that employees are expected to comply with. Non-compliance with security is regarded as undesirable, and often sanctions are threatened to deter it. But in a recent study, we identified a third category of employee security behavior: shadow security. This consists of workarounds employees devise to ensure primary business goals are achieved; they also devise their own security measures to counter the risks they understand. Whilst not compliant with official policy, and sometimes not as secure as employees think, shadow security practices reflect the working compromise staff find between security and "getting the job done". We add to this insight in this paper by discussing findings from a new interview study in a different organization. We identified additional shadow security practices, and show how they can be transformed into effective and productivity-enabling security solutions, within the framework of a learning organization.

Download activity - last month

Export as XMLJSONCSV

Download activity - last 12 months

Export as CSVJSONXML

Downloads by country - last 12 months

Export as JSONXMLCSV

Archive Staff Only

View Item