Security managers in companies lack a clear process to implement security controls in order to ensure compliance with various regulations and standards.
Interviews with experts show that security managers may take the ISO 27001 standard as a framework and then decide on any particular implementation based on their experience.
Such implementations run the risk of colliding with users’ business activities and result in violations of security policies in the company, because they introduce friction with the business process, and users try to avoid such friction. It is important, however, to differentiate between malicious non-compliance and cases where a security policy obstructs business processes and thereby leads to workarounds.
This piece of research presents example scenarios of such clashes and explores the root causes of events of non-compliance.
A model is developed that supports security managers’ decision-making process and incorporates users into the system in a way that mitigates the negative impact of security policy on users’ behaviour.
A combination of quantitative and qualitative methods is applied to research the perception of information security by both users and security managers: a survey was created and 64 participants were surveyed to gain insight into users’ perspective on the implemented information security controls, and semi-structured interviews were conducted with five experts who have seven or more years of experience in the information security field and currently hold managerial positions.
The study illustrates that a company can be formally compliant but still inefficient in performing its revenue-generating activities. Moreover, there is a mismatch between users’ and security managers’ perceptions: security managers think that they are already paying attention to the users, but 23% of users complain that security activities negatively affect their performance.
The presented model is validated by information security experts and provides clear guidance to security managers in organisations on the implementation of security controls. The majority of experts liked the approach, but said that it needs to be tried with real-world processes.