Information security professionals constantly face a conflict between the security team and the rest of the business.
They must ensure that their organization is adequately addressing information security risks, but they also must communicate the value of security appropriately to be successful.
Security professionals and end users often hold different views on security-related activities, so it is important that the security team considers employee behavior when implementing new security policies, tools, and practices.
The psychology behind employees’ non-compliance
February’s book of the month, The Psychology of Information Security, reveals the reasons behind employees’ security decisions, and examines why the choices they make are often non-compliant:
- There is no clear reason to comply
- The cost of compliance is too high
- The means of compliance are obstructive
When policies are put in place without any clear guidance or scrutiny, an organization can invite problems. Employees may come under additional strain because of their increased workload, preventing them from performing their core business tasks, so they may find ways to avoid security measures.
David Ferbrache, technical director at KPMG UK, says: “No approach can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organization, and, most of all, how we can create a security environment which helps people feel free to actually do their job.”
Resolving conflicts between your security team and the rest of the business
To help communicate new security policies, tools, and practices to your organization, The Psychology of Information Security recommends:
- Articulating the benefits by positioning new processes in a way that highlights the benefits to each team
- Clearly outlining the steps so staff can realize these benefits
- Communicating frequently at the right level so that priorities and expectations can be aligned
Security professionals must remember that employee performance is goal-oriented, so the process of formulating security policies must focus on employee behavior.
Create a robust security culture that is understood by your staff
To gain a comprehensive understanding of human behavior and motivations, we recommend you read our book of the month, The Psychology of Information Security.
This bestselling book is based on insights gained from academic research and interviews, and considers information security from both security professionals’ and end users’ perspectives. It will help you:
- Ensure the success of your security program by revealing the psychology behind information security
- Mitigate many of the challenges faced in risk management with helpful advice and tips
- Improve your security culture with valuable insights and recommendations