The Problem of Compliance with Organizations’ Security Policies

 
ABSTRACT 
Non-compliance is a widely acknowledged problem for employers. Such non-compliance can be related to wider models of human error [24]. Non-compliance can be attributed to many factors. As far as security policies are concerned, the argument can be made that people may not have sufficient knowledge to maintain good security [36] and employees are often unaware of the possible consequences of their insecure actions [57] – they do not understand enough about the impact of their decisions. If this is the case then it is clear that organizations are failing to make employees aware of security issues and the consequences of their actions [28]. Such awareness can only be achieved if we utilise our understanding of human behavioural factors so as to improve information security by tailoring awareness programmes effectively.
 
Keywords: Compliance, Security Policy.
1.0 Introduction
Employees are the major security vulnerability point in many organisations. Even the best security technologies, organizational controls and restrictions become useless if employees leave the required locks open or unguarded by not complying with the organization's security policies and procedures. On the other hand, employees can also act positively to mitigate crises [6]. Organisations have to find a way to harness their potential for enhancing security while finding ways of reducing employee vulnerability. Many organisations mitigate internal security threats by formulating a security policy with the expectation that employees will comply with the instructions in the policy [30]. Ensuring such compliance is vital if an organization is to protect its information assets [46]. This includes both conforming to organizational security rules and regulations and also actively protecting organization assets and values [45].

Unfortunately, even employees' minor decisions and actions have the potential to create security incidents [15, 38], purely because security policies and standards simply cannot prescribe how employees should behave in every possible situation [21]. An example of one such circumstance is the social engineering attack, which comes in any number of forms. One particularly prevalent attack involves manipulating someone into disclosing confidential information to be used against the organization [54]. The findings of the 2008 Information Security Breaches Survey show that employees are increasingly targeted by a variety of social engineering attacks [16] and all too many of these succeed [17].

According to McIlwraith [27], maintaining a good technical security infrastructure is not as essential as simply getting employees to do what they are told. There is evidence that organizations find it difficult to implement policies that will be followed and respected by all employees [11].
McIlwraith suggests some helpful techniques for organizations to apply to foster a culture of good information security:
- Employees should be able easily to report security incidents, even if they were responsible for the incident.
- Employees should be aware of their organization’s security issues.
- Employees should want to improve the security of their organization.

However sound these recommendations, they do not address the “how” of achieving this state of affairs. Some organizations fail even to measure compliance [47] and as a result they may:
- Not be able to determine where weaknesses exist so that remedial action can be taken.
- Lack data about whether employees understand the policy or which employees might need further training.

Unfortunately the reasons why employees commit information security breaches are not well understood [50]. According to Workman & Gathegi [55], there is little in the literature to explain the reasons behind non-compliance in the field of information security. Understanding how and why employees make particular security judgements is essential to designing and implementing security features that employees are likely to implement and utilize [15].

Much research has been undertaken into compliance in the field of health and safety. The fact that frequent hand washing helps to avoid infections has been known since the 19th century [39], and yet 21st century publications still find it necessary to emphasise this [43]. Even though everyone is aware of the need for hand hygiene, compliance is still low [13], not only in health care but also in wider society. Another compliance issue is related to indoor smoking, which has been banned in many countries, including the UK and the USA. Williams et al. [52] conducted a survey of New Hampshire restaurants to evaluate compliance with the Indoor Smoking Act. Their survey suggests that compliance with provisions of the Indoor Smoking Act is low. Studies such as these, all of which report poor compliance in the health and safety field, motivate the need for this study, the purpose of which was to investigate employee compliance with security policies. Gershon et al. [13] found the following aspects which influenced
©Informatics '09, UM 2009
 
 RDT6 - 219 Proceeding of the 3rd International Conference on Informatics and Technology, 2009
 
 
compliance in the health field: (1) employee perceptions of the organization’s commitment to safety; (2) conflicts between workers' need for protection and patients' medical care needs; (3) employee risk-taking propensity; (4) risk perception; (5) knowledge of HIV transmission rates; and (6) training. Some of these are specific to the health industry, and an investigation into compliance in the information security area is required in order to identify reasons for non-compliance in this arena. Diaz & Resnick [7] identified the employee’s propensity to take risk as a predictor of non-compliance. They also found that the organization’s commitment to their policies played a positive role in predicting employee compliance.

The issue of employee training is an important one. The general approach to compliance is the attitude that organizations should address the different types of vulnerabilities and threats through a combination of policy, security mechanisms (controls), education, training and awareness programs [51]. Certainly Gershon et al.’s study found that compliance was improved by training. The ideal situation would be that, as a result of awareness programs, employees will change their behaviour from being vulnerable to being defensive. Siponen [40] indicates that awareness training does indeed help to reduce employee errors. It is clear therefore that organizations should not underestimate the importance of information security awareness training [25]. Such training should involve all members of the organization from the top management down to the end-users. Ultimately, everyone has a different role in information security.

Although awareness and training programmes clearly reduce errors, they do not eliminate them. Thus even awareness of the issues does not guarantee compliance, meaning that despite an adequate technical infrastructure, good controls and awareness training, some factor is still at play which subverts the best efforts of the security personnel. Workman et al. [56, p. 2] pose the question: “why do people who are aware of IS security threats and countermeasures neglect to implement them?” They argue that this is not yet understood and needs further investigation. Therefore, this study investigates employee non-compliance.
2.0 Research Methods
The objective of this study was to identify the reasons for employee non-compliance with respect to security policies. A number of semi-structured interviews, used to provide structure for the discussion, were conducted to uncover these reasons. Grounded theory was used to analyse the data.
2.1 Semi-Structured Interview
The selected participants for the semi-structured interviews represent a cross-section of twenty-five employees from different departments of a British University. Laws and standards related to computer misuse and data protection were introduced in the UK in the 1990s, so one could expect employees to be somewhat familiar with the rudimentary concepts of information security. For such sensitive investigations about employee compliance with security policy it was decided that participant anonymity would be guaranteed.

The interviewer started off with warm-up questions and gradually narrowed the scope. To begin with, interviewees were given a written statement which pointed out ethical issues such as confidentiality. There was also a description of the research study and an explanation of the right to decide whether or not to take part in the interview. Finally, permission was requested to record the interview. In the majority of cases, the interviewees engaged actively in the discussion about their compliance with security policies.

The semi-structured interview focused on three widely applicable areas:
- Organization Information Security Policy: this section investigated how long employees had been working with their organization and explored whether they were aware of their organization’s policy and to whom they would report security incidents.
- Organizational Security Culture: this section focused on the employee’s opinions about working in their organization; what the culture of the organization was in terms of information security and what their actions would be in response to a serious security breach.
- Compliance with Security Policy: this section covered two aspects. The first focused on the employee’s personal compliance with their organisation’s security policy and what impact their behaviour could have on the organization. The second presented some scenario-based questions to elicit comments about a “third-party’s” security behaviour. These described security breaches in different situations to explore the employee’s attitudes and opinions.
3.0 Research Findings
The next section presents excerpts from the semi-structured interviews. The following section presents the scenario-based questions, used to explore the interviewee's point of view of activities where a security choice has to be made.
The interviewees were asked to provide opinions based on their recommendations to the person depicted in the scenario.
3.1 Security Policy Compliance
No employee is likely to admit to non-compliance; all will claim to be willing to comply with their organizations’ security policy. However, under the cloak of anonymity, our participants revealed some cogent reasons for poor compliance. All participants expressed their views on the reasons for non-compliance. These included laziness and irresponsibility:
"I think my ignorance about security policy is because there are people like MIS (management information services)".
Another admitted that they personally
"could be careless in applying the system policy".
Some believe that they are skilled enough to bend the rules:
“a bit of laziness and a little of people thinking 'that won't happen' or they are 'too clever to allow it to happen to their machine' and sometimes people are frightened and do not understand how to set the computer up with the software”.
Another said:
“there are times if you have enough experience not to cause a problem you can manipulate things not to cause any problems but to deal with something that I would not advise an inexperienced person to do".
Some related it to work pressure when jobs need to be done on time, as explained:
"Sometimes I want to do things that need finished. There have been times when I wanted to do things, maybe sometimes it is necessary to get things done."
Another response was:
"Overwork can be a problem, just too much to do at a particular time you are thinking of the paper record mainly where it is a time consuming task that might get delayed but that should not affect the security, but would holding on [to] information after that data protection people expect us to remove such information, but I do not see that as a serious failing".
According to Spurling [42], many people want to get their job finished and perhaps see controls and restrictions as needless bureaucracy. Some related non-compliance to a lack of awareness and understanding of the policy, such as:
"Because they are not fully aware of the policy and they might not understand how important it is".
Another said:
"It could be a lack of understanding of the system".
Also, employees are not aware of the consequences of their organization's policy, forexample, one responded that they were:
"Possibly unaware of the danger, possibly a burden as well not aware of security policy as well.” 
Another:
"they are not aware of the consequences of the importance of the policy 
".Another employee explained that non-compliance could also be because that the policy itself is not clear:
“…if it were too complicated, too unclear to understand and whether the policy was not distributed among a number of different places 
”. This is supported by a comment from one of the participants who noted that understanding the policy andappreciating the need for such policy makes him follow it:
"It's probably because I understand the need for it and I do not see there is anything in it that makes me say that it's stupid, I know the reasons for it".
Others see that compliance with the policy is for their own benefit in protecting them and their information as well as the machine's safety, as evidenced by the following comment:
"This policy is to protect me."
And, to
"Minimize the threat, I want also to protect my own machine data. For instance my machine knows who I am, knows about me, it has an idea where I live, it has an idea of my age, and my name. So there are reasons I do it for myself".
Another answered:
"[I] suppose that's basic computer safety".
One of the employees explained how some employees' behaviour is unpredictable even if the policy is working properly, as commented:
"Yes as far as I know, you can never guard against employees who want to make confidential information they have public".
Other reasons for not complying could be related to the organization's culture, as explained in previous chapters. If management is not paying attention to information security, employees may not take it seriously:
"I do not know, I suppose people do not think they will get caught. You know like copying a music CD and that kind of thing, people do that a lot, mainly because they do not have the facility at home. They do have equipment at work so they use work equipment".
".Employees also offered explanations for why they do choose to comply with organizations' rules and regulations.Some employees explained: "
If it came from the director directly to the head of department then we must follow this policy 
"; "
it is the instructions from your supervisor that make you follow it. If somebody tells you to do it you will follow it 
"; "
If it was the rule it was the rule. I guess if I do not see a problem with that 
"; and "
It is an official policy, it is part of the rules you accept so you do not have a choice but just to follow it 
". The reason could be that employees cannot bean expert in everything. As one commented:
" The key part of any large organization is that you cannot do everything yourself but there are people who are experts with dealing with the press, there are people who are expert with dealing with security, people who are experts to deal with IT systems. So the individual is not expected to be an expert in all fields. In the majority of cases the individual employee does a fairly particular task which they do not anticipate or expect the employee to have very deep skills in all subjects related to that point".
One of the employees had a different opinion:
"I still believe that as a human you are capable of free thought and individual actions and if the company wants clones they can hire clones but I won't put myself in that category. I am an individual with free thought but I know where the line is, certain things you do not do. Sometimes you bend the rules a bit. It will depend on the circumstances whether it was not of a significant or serious enough nature to damage 