It is difficult to ensure the effectiveness of an information security programme in a company without paying attention to users’ behaviour. One of the challenges for a security manager implementing an information security policy is to distinguish malicious non-compliance from non-compliance caused by the policy obstructing business activities.
The main goal of this project is to gain insight into information security behaviour issues from both the end-users’ and the security managers’ perspectives. The study aims to develop a model to support security managers’ decision-making process when implementing security policy in an organisation. It is important to help security managers make the user a part of the system and to go beyond formal box-ticking when ensuring compliance with legal and regulatory requirements.
To achieve the objectives of the study, a three-part method was followed: an example scenario and the development of the model to address the research question in the first part, a survey and interviews in the second part, and interviews in the third part.
Stage one: Develop a model
The objective of the first stage is to motivate the research problem by presenting an example scenario of a poorly implemented security policy in a fictitious company, and to develop a model to support the security manager’s decision-making process when implementing security controls in a company.
The example scenario presents the hypothesis that users’ experience and the manager’s role are mismatched: the manager may assume that users’ effort is unlimited. At present there is no way of directly comparing users’ and security managers’ perceptions of the behavioural impact of security policy in organisations.
The model is developed to support security managers’ decision-making process when implementing security policy in a company, and to provide a tool for assessing the workload that security tasks place on users.
The following stage shows that the described mismatch exists and that the developed model addresses the outlined problem.
Stage two: Comparing views on security compliance behaviour in an organisation
The aim of the second part is to gather real-world data that highlights the importance of security compliance behaviour and identifies problems which can arise when a security manager chooses a particular way of implementing information security controls in an organisation. This part also compares the views of security managers and users on the problem of compliance behaviour.
For this stage a combination of qualitative and quantitative methods was used.
Semi-structured interviews with five information security experts were conducted. In parallel, 64 users were surveyed using an online survey platform. For the survey, eleven multiple-choice questions were developed in collaboration with an academic with experience in this field.
Stage three: Validation of the developed model
The goal of the third stage of the study was to validate the model and gather relevant feedback from information security experts.
Five semi-structured interviews were conducted with information security experts.
Interview invitations were distributed in advance; they outlined the approximate duration of the interview and the intended questions, described the procedure and provided high-level information on the study.
Written consent was collected from the interviewees prior to the interview.
Interviews with security experts consisted of two parts:
- General questions on the security manager’s decision-making process regarding the implementation of security controls when ensuring compliance within the company (Stage two).
- Validating the model to support the security manager’s decision-making process (Stage three).
Pilot interviews were carried out first. Feedback from the pilot interviews was used to improve the model presentation technique, modify existing questions and add new questions. Materials from the pilot interviews were not included in the thesis.
Each interview took approximately 50 minutes. All interviews were conducted face-to-face at the participants’ offices, at a time convenient for them.
In the second part of the interview, the same experts were presented with the model after they had answered the questions on the importance of compliance behaviour. The study aims to assess how the presented model changed their decision-making process when thinking in terms of making users an essential part of the system.
Audio recordings were subsequently used by the researcher to produce interview transcripts, parts of which are presented in this work to support various points and provide insight into relevant issues.