Purpose: The study aims to develop a model that supports security managers' decision-making when they implement security policies in their organisations, and that incorporates users into the system in a way that mitigates the negative impact of users' behaviour on security controls.
Background: Security managers in companies lack a clear process for implementing security controls in order to ensure compliance with the various regulations and standards. A company can be formally compliant yet still inefficient in performing its revenue-generating activities.
Security managers may take the ISO 27001 standard as a framework and then decide on any particular implementation based on their own experience. Such implementations run the risk of conflicting with users' business activities and result in violations of the company's security policies, because they introduce friction into the business process, and users try to avoid that friction. It is important, however, to differentiate between malicious non-compliance and cases in which a security policy obstructs business processes and so leads to workarounds. There is also a mismatch between users' and security managers' perceptions of the workload introduced by security tasks.
Method: To achieve the goal of the study, a combination of quantitative and qualitative methods is applied to investigate how information security is perceived by both users and security managers.
Research benefits: The model points a security manager towards a better understanding of the users in their company. It provides the means to gain insight into users' core business activities and to reflect on how these relate to security tasks. This can help security managers to design more usable security policies and to reduce the number of complaints and instances of security policy violation.
Moreover, the model can help the security manager to understand how much time users in the company spend on various security activities. This information can be used to make better investment decisions and to optimise security policy. Additionally, recognising that the security manager's decisions affect the whole organisation can lead to cost savings, since analysing a security control before implementation, and its relation to the company's main business processes, avoids costly friction later.