Modelling conflicts between information security compliance and behaviour

With this post I’m starting a series of articles on information security compliance and behaviour issues.

It is important for security managers to understand that their decisions affect the company as a whole. However, there are instances when business activities and security tasks are not synchronised. For example, the New York Times website was unavailable for several hours on the 14th of August 2013. While a malicious attack was initially suspected, the outage was in fact caused by a scheduled system maintenance procedure.
On the one hand, violation of compliance requirements may result in significant losses for an organisation. On the other hand, poorly implemented security policies may obstruct users' goal-driven behaviour and so lead to non-compliance.

Security managers and users may hold different views on security activities. In order to ensure that users in the organisation will comply with security policies, the security manager should broaden their perspective and treat users as part of the system being secured.

Lack of clear guidance in this decision-making process may result in a situation in which a company is formally compliant with the standard, yet users perform their core business activities inefficiently and/or are forced to violate poorly implemented security policies in order to get their work done.