I was at the EuroUSEC ’17 workshop in Paris at the end of April. Our own Angela Sasse was also there to deliver the keynote talk, and Ruba Abu-Salma presented our paper “The Security Blanket of the Chat World: An Analytic Evaluation and a User Study of Telegram” (which was based on research by undergraduate students studying UCL’s COMP3096 “Research Group Project” module). I presented secondary analysis, conducted with Ingolf Becker and Angela Sasse, of a survey deployed at a large partner organisation. This analysis builds on research we presented at the Symposium on Usable Privacy and Security (SOUPS) in 2016. Based on survey responses and voluntary free-text comments, we saw potential for employees to inform policy from the ‘ground up’, in contradiction to the current trend for identifying security champions as local representatives of pre-determined policy.
Top-down security policies
Organisational policies are intended to promote a unified approach to security, one that all the organisation’s employees are expected to follow. If security procedures and mechanisms are unusable, policies risk being seen as impossible to follow, or may be sidelined if they lack clear relevance to business goals. This can result in deliberate or unwitting non-compliance, and workarounds to prescribed procedures.
Organisations may promote security champions, as local representatives to promote policy in their part of the organisation. However, these security champions can be effective only if policy is workable. Encouraging ‘top down’ policy compliance assumes that policy is correct, complete, and appropriate. It also assumes that policy applies to everyone equally and that employees have no role to play in shaping effective policy. Our analysis explores the potential for employees to inform effective policies, in particular whether it was possible to (i) identify local pockets of security expertise, and (ii) target engagement with employees that involves them in the creation of workable security solutions.
Identifying security champions ‘from the ground up’
| Level | Attitude | Approach |
| 1 | Uninfluenced | Security behaviour is driven by personal knowledge. |
| 2 | Technically Controlled | Technical controls enforce compliance with policy. |
| 3 | Ad-hoc Knowledge and Application | Shallow understanding of policy. Knowledge absorbed from surrounding work environment. |
| 4 | Policy Compliant | Comprehensive knowledge and understanding of policy. Willing policy compliance. Role model for organisation’s security culture. |
| 5 | Active Approach to Security | Actively promote and advance security culture. Intent of policy carried into work activities Leverage well-understood values that support both security and business. |
A scenario-based survey was deployed in the partner company. Scenarios were based upon in-depth interviews with employees that explored security behaviours in the workplace. Each scenario involved a dilemma, where fixed options described different responses and included an element of non-compliance or an implicit cost. Participant choices indicate their Behaviour Type (above) and Attitude Level (below), which we recorded across groups of employees to characterise the security culture of the organisation and in four specific divisions. Both interviews and surveys represent a cross-section of divisions, locations, and age groups. We collected 608 survey responses; crucially, the survey allowed participants to comment on the scenarios and the available options – we also looked at 267 additional free-text comments that were provided.
| Behaviour-Type | Description |
| Individualists | Rely on self for solutions |
| Egalitarians | Rely on social or group solutions |
| Hierarchists | Rely on existing systems or technologies |
| Fatalists | Take a ‘naive’ approach, that their actions are not significant in creating outcomes |
Continue reading Find Security Champions in Blends of Organisational Culture