Improving user security behaviour


Dr John Leach

John Leach Information Security

Tel: +44 1264 332 477

Fax: +44 7734 311 567

Email: John.Leach@JohnLeachIS.com

Many organisations suspect that their internal security threat is more pressing than their external security threat. The internal threat is predominantly the result of poor user security behaviour. Yet, despite that, security awareness programmes often seem more likely to put users to sleep than to improve their behaviour. This article discusses the influences that affect a user’s security behaviour and outlines how a well structured approach focused on improving behaviour could be an excellent way to take security slack out of an organisation and to achieve a high return for a modest, low-risk investment.

A. Introduction

All modern organisations have to rely on the sensible behaviour of their staff every day and in every operational task that their staff perform. No matter how good an organisation’s security policies and standards, security documentation simply cannot spell out unambiguously how staff should act in each situation they might encounter. Organisations cannot avoid having to rely on their staff to make sensible security decisions for each task — no matter how small — that has any security or control element to it.

Whether diligently checking a transaction before it is released, being careful what they say over the telephone to an external caller, selecting a non-trivial password, or thinking twice before opening an unexpected and out-of-context email attachment, staff are continually having to make day-to-day security decisions. If just one hundredth of these decisions were made wrongly, a large organisation would be carrying a huge weight of daily security errors, causing a mammoth operational overhead.

A recent study by the ISF (‘Information Security Culture’, The Information Security Forum, November 2000) and parallel studies of safety failures in high-hazard environments (referenced in the above ISF report) suggest that as many as 80% of major security failures could be the result not of poor security solutions but of poor security behaviour by staff. Hence, a well-focused security programme targeted at improving user security behaviour could significantly reduce the size of the security-related overhead.

In this article we look at six factors that have a strong influence on people’s security behaviour. We then point to the three key factors where an organisation can take clear steps to improve its staff behaviour and, thereby, significantly reduce the internal security threat and the level of security incidents experienced.

B. The internal security threat

The internal security threat is a threat area encompassing a broad range of events, incidents and attacks, all connected by being caused not by external people who have no right to be using the corporate IT facilities but by the company’s own staff, its authorised IT users.

This threat area covers user errors and omissions. It also covers user negligence and deliberate acts against the company. It encompasses behaviours such as:

• a lack of security common sense¹ — users doing things that all users should know better than to do, e.g. double-clicking on an odd-looking .exe file that comes in by email or sharing their password with colleagues;

• users forgetting to apply security procedures, e.g. peripatetic staff failing to take back-ups of their desktop data or support staff resetting a user’s password on the strength of an incoming telephone call;

• users taking inappropriate risks because they did not appreciate or believe the level of risk involved, e.g. leaving the PC unattended in an open office without logging off;

Improving user security behaviour

Computers & Security Vol 22, No 8 0167-4048/03 ©2003 Elsevier Ltd. All rights reserved. 685

¹ The Oxford English Dictionary defines common sense as ‘sound practical sense especially in everyday matters’. By extension, security common sense is sound practical sense in everyday security matters.


• deliberate acts of negligence — users knowingly failing to follow essential security processes, e.g. emailing a highly sensitive document outside the company without any protection or support staff failing to keep infrastructure patched simply because it is ‘too difficult’;

• deliberate attacks — users purposefully acting against the company’s interests, perhaps because they feel angry with their employer, e.g. disclosing a clearly restricted and highly sensitive report to the competition or disclosing significant security vulnerabilities to an outside bulletin board.

Poor or unacceptable user behaviour is a significant, perhaps even major, determinant of the level of security incidents suffered by a company. User behaviour can be improved through a variety of interlocking techniques which, together, work to create a strong security culture and to strengthen the way the security culture influences the behaviour of individual users. As the internal threat is possibly the largest source of an organisation’s security pain, there is potentially a huge value to be gained from understanding how this could be done.

C. The factors that influence security behaviour

To manage down the internal security threat, we need to understand how a company’s culture and practices can affect people’s behaviour.

The influential factors fall into two groups, as illustrated in Figure 1. The first group, encompassing the user’s understanding of what behaviours the company expects of them, is distinct from the second group, factors which influence the user’s personal willingness to constrain their behaviour to stay within accepted and approved norms.

The user’s understanding of which behaviours are expected of them — shown in the top half of the diagram — is formed from:

• what they are told;

• what they see being practiced by others around them;

• their experience built from decisions they have made in the past.

We’ll look at each of these factors in turn.

C1.1 What employees are told

Most organisations have a security manual that comprises the company’s formal statement of its position on security. This lays out its security policies, practices, standards and procedures. It might include an explicit statement of the company’s security values and principles, though it is more likely that the values and principles will be articulated only implicitly through the policies and standards laid down. This documentation can be called the company’s body of knowledge.


Figure 1: The factors that influence user security behaviours.


The body of knowledge’s effectiveness at conveying what constitutes approved security behaviours varies according to:

• its accessibility;

• the completeness of its coverage;

• the clarity of the stated security values;

• the uniformity of its security values.

C1.2 What employees see in practice around them

Whether they are new staff trying to understand how to behave within their new company or existing staff more subliminally conforming to the norms of their work environment, people are very strongly influenced by the behaviour of their peers. They build their security attitudes and set their own security behaviour according to:

• the values and attitudes demonstrated in the behaviour of senior management;

• the consistency between the company’s stated values and the evident behaviour of their peers and colleagues;

• whether other company practices (e.g. its human resources practices, its press relations practices) reflect its security values;

• whether the company demonstrates that good security is important through having systems to monitor security behaviour, reward good behaviour, and respond to bad behaviour.

When there are numerous inconsistencies between the formal statements in the body of knowledge and what the person observes in practice around them, people will be guided more by what they see than by what they are told.

C1.3 The user’s security common sense and decision making skills

The body of knowledge cannot hope to spell out the correct security decision for every situation that the user might encounter. It should, at a minimum, cover those situations where following a particular procedure correctly is crucial. It cannot grow to encompass every situation; it must avoid becoming so extensive that the atoms of information buried within it become inaccessible to well-intentioned but fully stretched users. Hence staff cannot avoid having to make their own security decisions as part of their daily tasks.

Staff make most of their security decisions in non-critical situations where moderate deviation from the ideal decision can be tolerated. Some decisions will be made in critical or sensitive situations where the user has to make an instant decision about what to do without any reference to written guidance. Over a period of time, each person builds up their own personal history of security decisions that they have made. They will remember these as either good decisions or bad decisions according to the feedback, if any, that they received. In the absence of criticism, a decision will be adopted as an acceptable course of action, available to be repeated until a better course of action presents itself. In this way, users build their own personal and private body of knowledge to supplement the shared corporate body of knowledge.

These three factors combine to create the user’s understanding of the accepted and approved behavioural norms at work. We now need to look at the factors that influence the user’s personal willingness to constrain their behaviour to stay within those norms. Their willingness to conform is affected by:

• their personal values and standards of conduct;

• their sense of obligation towards their employer;

• the degree of difficulty they experience in complying with the company’s procedures.

We will now look at each of these in turn.

C2.1 The user’s personal values and standards of conduct

Most employees ascribe a high value to principles and believe in the importance of shared values and sensible rules. These employees can be expected to take up and apply the company’s system of values and standards, feeling more comfortable working amongst others to an agreed set of rules than working to their own proprietary rules or with no rules.

Tensions can arise when there is conflict between the individual’s values and the company’s values. Most people will not sustain that tension for long, and will either modify their principles or leave the company. Hence this tension is self-resolving and rarely leads to problems. There is little an organisation can do to address this situation, so we will not discuss it further here.

C2.2 The user’s sense of obligation

Employees feel a psychological pressure to behave according to company expectations and to constrain their behaviour voluntarily to stay within the bounds of accepted practice. A large part of this pressure comes from what is called the ‘psychological contract’ between employee and employer. For some this pressure is stronger than for others.

Each employee has a psychological contract with their employer, i.e. an unwritten reciprocal agreement to act in each other’s interest. The employee agrees to work diligently at their job and to conform to the company’s behavioural expectations in return for the company treating them well.

It is in the nature of a contract that each party honours the contract to the degree that they perceive the other party to be honouring it. Hence, if a member of staff feels that they are well treated, recognised and rewarded, then they will gladly respond in kind and act in the company’s best interest. If they feel that they have been treated unfairly by their employer in any area of their employment relationship, then they will feel that the bonds have been loosened and will not feel as obligated to act in the company’s best interests. Indeed, if the person feels that the company has done them wrong, they could feel angry and compelled to punish the company. That is when a company’s users become its security enemies and can become the source of major security threats.

Companies recognise that the rewards of work vary from individual to individual. For some people, work is largely about being in a social environment with others. For some, work is about earning a salary to pay the mortgage and to buy the toys. For others, it might be about getting good training and experience as they move quickly on their way to other positions in other companies.

Whatever their reasons for working, people will feel varying degrees of satisfaction and reward from being at work. Their level of satisfaction will determine the strength of their psychological contract with their employer. The strength of their psychological contract will determine the degree to which they constrain their behaviour to conform to approved and acceptable company norms.

C2.3 The difficulty in complying

The third component is whether the company makes it easy for their staff to comply with its standards and procedures, and whether there are temptations of personal gain seducing people not to comply.

If security controls are difficult to perform or are operationally burdensome, if they are of little obvious benefit or do not effectively prevent people exploiting opportunities for personal gain, then users will have a natural incentive to circumvent the controls. Even when staff recognise that security controls are implemented for good reasons, they have very little tolerance for controls that are neither effective, nor efficient, nor clear. The knowledge that their behaviour is being monitored and their compliance measured, and the weight of any penalties used to discourage non-compliance, will have some limited effect on how far staff are prepared to let their behaviour stray from mandated norms, but they do nothing to improve staff attitudes towards security.

D. The keys to better user security behaviour

There are six influential factors affecting how users behave. Clearly, a company can expect to influence some, but not all, of these. A company cannot expect, for example, to have much influence over its staff’s personal values and standards of conduct or their intrinsic belief in the benefit of following rules.

Companies can manage down their internal security threat best by focusing primarily on those factors that are realistically within their control. They need to get the most leverage they can out of the factors they can influence, for they cannot presume that all staff will bring to their work high personal standards and a natural faith in the value of following rules.

Three of the above six factors are key to improving security behaviour and driving down the impact of the internal security threat. We will focus on these three, discussing each in the sections below. The other three, lesser factors, we can deal with quickly here.

As we have just seen, a company cannot expect to have much influence on its staff’s personal values and standards of conduct or their intrinsic belief in the benefit of following rules. The best course of action is, in a fair way, to divert contra-indicated staff away from roles where the company is most exposed to any shortfall in the standard of its staff’s behaviour.


The company should make continual efforts to ensure that its body of knowledge is readily accessible to all its staff. It should recognise that different staff will need to receive different messages and receive those messages through different channels. Building a strong body of knowledge is not a trivial task. However, it is well covered in the literature at large and we do not need to discuss it further here.

The company should make continuous efforts to ensure that its security controls are efficient, effective, and properly positioned. This is a labour of continuous improvement. However, it is also obvious and we do not need to discuss it further here.

The three factors that are key to improving user security behaviour are:

• The behaviour demonstrated by senior management and colleagues.

• The user’s security common sense and decision-making skills.

• The strength of the user’s psychological contract with the company.

We shall look at each of these in turn.

D1.1 The behaviour demonstrated by others

What people see in practice around them influences their attitudes and behaviour more powerfully than what they are told. The company’s body of knowledge will be undermined if its stated principles, policies and procedures are contradicted by the practices that people see in evidence around them. What people are shown needs to support rather than contradict what they are told.

If a company wants its users to practice correct security, it needs to back up this desire with systems to ensure that its principles and policies are followed. If a few bad security practices are allowed to establish themselves, then all security practices are weakened in the eyes of staff. Ensure that all senior management as well as junior staff have good security behaviour. Make a point of providing feedback to staff on the correctness of their behaviour, and of gathering input from staff on where the body of knowledge is being undermined by contrary messages in the company’s pronouncements or contrary practices in its systems. Reward staff for good security behaviour, and require additional training or take other appropriate steps for staff that demonstrate unacceptable behaviour.

D1.2 The user’s security common sense and decision-making skills

A user’s own security decisions, once made, become a part of the user’s personal body of knowledge and carry forward into their future security decisions. Therefore, a company has a clear requirement to help its users to develop good security common sense so that they can make simple and straightforward security decisions reliably and correctly themselves. Otherwise it will not escape suffering a high and persistent background level of security worries, such as the familiar mistakes of people forgetting to change default passwords on newly installed equipment or using their own remote dial-in facilities to avoid having to use the corporate managed gateway.

Common sense is about having a realistic practical understanding of how things work in the real world and being able to make good practical decisions unguided. Deciding whether or not to believe what one hears, deciding how to follow an unclear instruction, and making tough decisions in complex situations all require sound common sense. Common sense is something that everyone recognises when they see it. It is a decision-making skill, not simply an accumulation of knowledge.

Security common sense is something that can be taught. Teach the user the principles that they need in order to guide their decision making, but keep the number of examples down to those few that are needed to illustrate the principles. Avoid providing too many examples, which will take decision making away from the user and put it back in the body of knowledge. You will leave the user with weaker, not stronger, decision-making skills. This is where many security awareness and education courses go wrong.

Focus on developing the users’ security decision-making skills. Thereafter, provide people with continual feedback and support. Give them credit when they do something well, and let them know when they err, indicating a better decision that they could have made. Periodically refresh them with widely applicable examples so that users can continually re-centre their decision-making framework and prevent it wandering off-centre over time.

D1.3 The user’s psychological contract with their employer

If a company ensures that its overt behaviour supports rather than contradicts its body of knowledge, and it helps staff develop and strengthen their security common sense, it will reduce the number and severity of user security errors. It will also want to reduce the willful component of the internal security threat: user security negligence and deliberate attacks by the user. This is addressed by ensuring that users feel strongly bound by their psychological contracts with the company.

We return to the observation made above that it is in the nature of a contract that people will honour their psychological contract to the degree that they perceive the company to be honouring its part of the contract. Hence, a company can bind its users to its code of good security conduct by showing that it is bound to the code itself.

Earlier in our discussion, the issue was one of ensuring that practice on the ground was not allowed to contradict the body of knowledge. Here the issue is to ensure that the company is seen to be boldly taking security seriously rather than timidly keeping its security efforts hidden from view. This issue is, of course, closely interwoven with the earlier issue, and both aspects contribute to the creation of a strong security culture. The creation of a strong security culture is the best way to motivate staff to behave consistently in a security-conscious way.

Look for guidance from the practices of companies with strong safety cultures. In companies working within high-hazard industries, one would expect to see safety discussed regularly by senior management, both in board and strategy meetings and in communications with staff. Safety issues would be reported on regularly and openly, and shortcomings would be treated as serious issues warranting urgent management attention. Safety mandates carry conviction, and staff are consistently safety-conscious.

For a company to strengthen its security culture, it should expect to follow similar practices. Be seen to be discussing security issues at senior management levels and make security a topic of regular communication with staff. Report on security issues openly within the company. Deal with serious shortcomings under senior management direction. Show clearly that security is an important part of how senior management runs the business. Then the corporate security mandates will carry conviction, employees will be consistently security-conscious, and staff will align their behaviour to the corporate security mandates.

The converse is too familiar. If security does not feature in discussions or communications, and the company’s senior management acts inconsistently from issue to issue, staff will perceive the company to have a weak security culture and will not consider themselves duty-bound to follow company mandates. They will not expect to do any more themselves than they see other people do, even if it falls well short of the written policies. If staff feel their corporate superiors do not demonstrate that honouring corporate values and principles is important, they will not make any effort to abide by the rules themselves, other than by default.

It is a simple matter of leadership. Strong leadership creates a strong culture, and a strong culture gives clear direction to staff at all levels.

This helps to illustrate why honour and strong leadership are so important in the fighting forces, where men and women might be called on to push themselves to their limits and to put themselves in positions of personal danger. Interestingly, this also illustrates why companies with a weak corporate culture find culture change so difficult, whereas one might at first have expected that they, of all companies, would find culture change relatively easy.

E. Conclusion

A company’s primary objective in influencing its users’ security behaviour is to drive down the level and severity of the security incidents that it experiences. Poor user security behaviour is a significant, perhaps even major, determinant of the level of security incidents that a company suffers. Hence, companies have a ready opportunity to make significant security gains by having a strong security culture and by strengthening the influence that the culture exerts on individual users.

Of the various influential factors, we have focused on three that are key. A company can maximise its leverage from these three if it:

• makes sure that the behaviour of senior management and the company’s systems support rather than contradict the body of knowledge;

• strengthens the users’ security common sense and trains staff to develop good security decision-making skills;

• makes sure that senior management is seen to be taking security seriously and demonstrates that good security behaviour is important to the way the company operates.

Leadership is the key. After all, if senior management can’t be bothered, then why should staff?


Figure 9. The ways to improve user security behaviour.
