
New Approaches To Managing Information Security Behaviour in Organisations

Professor M. Angela Sasse (UCL)

Organisations traditionally try to manage information security risks through security policies. Some policies can be enforced through technical mechanisms, but organisations also rely on staff behaving in a certain way, and many threaten employees with sanctions in case of non-compliance. In recent years, we have collected many examples of non-compliance, and the reasons for them, through interviews with hundreds of employees and surveys with thousands. We found that the most common cause of non-compliant behaviour is actual experience, or fear, of reduced productivity - and that organisations are often complicit in this behaviour. In this talk, I will present a set of non-compliant behaviours with authentication and access control, and outline changes in technology and organisational design that can be made to foster compliance. 'Security awareness' is often touted as the solution, but there is plenty of empirical evidence that it does not work in isolation. I will argue that risk communication needs to be combined with low-effort security technology, engagement and increased autonomy to achieve lasting behaviour change.

Speaker bio

Prof. M. Angela Sasse is the Professor of Human-Centred Technology and Head of Information Security Research in the Department of Computer Science at University College London. Since 1996, Prof. Sasse has been researching usability issues of security systems, and has published research on the effectiveness and usability of authentication mechanisms, access control mechanisms, user attitudes and perceptions of computer security, and the human and financial cost of security mechanisms.
