<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Trust Economics</title>
	<atom:link href="http://trusteconomics.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://trusteconomics.wordpress.com</link>
	<description>Economically justified security investments</description>
	<lastBuildDate>Sun, 13 Sep 2009 16:27:16 +0000</lastBuildDate>
	<generator>http://wordpress.com/</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<cloud domain='trusteconomics.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://www.gravatar.com/blavatar/7614e8b5556fd9eb8d369784cc2ba772?s=96&#038;d=http://s.wordpress.com/i/buttonw-com.png</url>
		<title>Trust Economics</title>
		<link>http://trusteconomics.wordpress.com</link>
	</image>
			<item>
		<title>Incorporating &#8220;User Frustration&#8221; into Calculations of Return on Security Investment (ROSI)</title>
		<link>http://trusteconomics.wordpress.com/2009/08/22/incorporating-user-frustration-into-calculations-of-return-on-security-investment-rosi/</link>
		<comments>http://trusteconomics.wordpress.com/2009/08/22/incorporating-user-frustration-into-calculations-of-return-on-security-investment-rosi/#comments</comments>
		<pubDate>Sat, 22 Aug 2009 16:46:42 +0000</pubDate>
		<dc:creator>separkin</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://trusteconomics.wordpress.com/?p=50</guid>
		<description><![CDATA[A recent post by Alex Hutton on the New School of Information Security blog discusses the notion of &#8220;User Frustration&#8221; in the context of users accessing Web applications (e.g. an organisation&#8217;s internal travel expenses Web application). Alex&#8217;s argument is that where an investment is made in an information security solution, there needs to be an [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>A <a href="http://newschoolsecurity.com/2009/08/quantitative-analysis-of-web-application-usefulness-or-why-your-rosi-is-wrong/">recent post by Alex Hutton</a> on the New School of Information Security blog discusses the notion of &#8220;User Frustration&#8221; in the context of users accessing Web applications (e.g. an organisation&#8217;s internal travel expenses Web application). Alex&#8217;s argument is that where an investment is made in an information security solution, there needs to be an appreciation of whether the chosen solution is likely to hinder productivity (<em>&#8220;is security seamless, or does it roadblock getting business done?&#8221;</em>).<br />
Alex suggests a method for measuring &#8220;User Frustration&#8221; for an organisation&#8217;s internal Web applications. Here individuals within the organisation would use a simple application to log the time that they believe they have wasted to successfully get a specific application to do what they want it to do (or not, as the case may be). There is a suggestion of also allowing users to document what they believe to be the main cause of the &#8220;frustration&#8221;. It is suggested that this approach would then give security managers the information necessary to determine whether investing in a particular technology or application is still appropriate when considering the accounts of &#8216;wasted&#8217; work hours submitted by users. There may be a subjective element to this approach (relying on a user&#8217;s perception of time spent on one task and their justifications for feeling frustrated), but it nonetheless informs an IT manager&#8217;s knowledge of how their management decisions directly affect the work practices of individuals within the organisation. This is quantified somewhat by the number of &#8216;wasted&#8217; hours, whereas feedback regarding the causes of &#8220;User Frustration&#8221; provides insights from an employee&#8217;s perspective that IT managers might not appreciate (or in some cases even consider) when deploying IT solutions.<br />
Alex links &#8220;User Frustration&#8221; to security further by pointing out that there are security implications if users become frustrated with IT. Misaligned security policies might act against the behaviour promoted by the organisation (i.e. its desired risk approach), pushing employees to work outside of the policy to get their job done. This theme is reflected in the work of Beautement et al. in defining an individual&#8217;s <a href="http://hornbeam.cs.ucl.ac.uk/hcs/people/documents/Adam%27s%20Publications/Compliance%20Budget%20final.pdf">&#8220;Compliance Budget&#8221;</a>. Here, an individual within an organisation may have their own perceived costs and benefits of adherence to the organisation&#8217;s security policies. Costs may be in terms of the time taken to adhere to a particular procedure, or the &#8220;cognitive load&#8221; required to remember security information artefacts (such as passwords) and procedure details (the steps to follow to access a secured system). The &#8220;Compliance Budget&#8221; is then the &#8220;<em>amount of extra effort an individual is prepared to make for no personal gain</em>&#8221;. In this context the &#8220;Compliance Budget&#8221; translates to the amount of frustration (measured in hours) that a user is willing to endure before they choose to take an approach of policy avoidance where before they (perhaps grudgingly) chose policy adherence. Beautement et al. remark that an individual&#8217;s &#8220;Compliance Budget&#8221; may be steadily eroded as they are required to perform more and more security-oriented tasks seemingly for the benefit of the organisation without experiencing any such benefit themselves. As such it would be necessary for IT security managers to either convince users that these tasks are worthwhile (through security awareness programs) or rethink approaches to problems that were once addressed by &#8216;frustrating&#8217; solutions.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://trusteconomics.wordpress.com/2009/08/22/incorporating-user-frustration-into-calculations-of-return-on-security-investment-rosi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/44e45621f3158574782df2514a748403?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">separkin</media:title>
		</media:content>
	</item>
		<item>
		<title>ISC2 Blog Entries Discuss the Need to Expand Information Security Management Knowledge to include Human Factors</title>
		<link>http://trusteconomics.wordpress.com/2009/08/22/isc2-blog-entries-discuss-the-need-to-expand-information-security-management-knowledge-to-include-human-factors/</link>
		<comments>http://trusteconomics.wordpress.com/2009/08/22/isc2-blog-entries-discuss-the-need-to-expand-information-security-management-knowledge-to-include-human-factors/#comments</comments>
		<pubDate>Sat, 22 Aug 2009 16:30:42 +0000</pubDate>
		<dc:creator>separkin</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://trusteconomics.wordpress.com/?p=48</guid>
		<description><![CDATA[An entry in the ISC2 blog by Gary Hinson discusses whether the foundation for the Certified Information Systems Security Professional (CISSP) IT security qualification, the Common Body of Knowledge (CBK), should be formally expanded to explicitly consider the &#8220;human factors&#8221; that influence IT security management. This same suggestion is also applied to the ISO/IEC 27000 [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>An <a href="http://blog.isc2.org/isc2_blog/2009/08/should-the-cissp-cbk-be-expanded-to-cover-human-factors-in-security.html">entry in the ISC2 blog</a> by <a href="http://blog.isc2.org/isc2_blog/authors.html#hinson">Gary Hinson</a> discusses whether the foundation for the <a href="http://www.isc2.org/cissp/default.aspx">Certified Information Systems Security Professional (CISSP)</a> IT security qualification, the Common Body of Knowledge (CBK), should be formally expanded to explicitly consider the &#8220;human factors&#8221; that influence IT security management. This same suggestion is also applied to the ISO/IEC 27000 family of information security management standards.<br />
The post argues that people respond to security controls in different ways. This may for instance depend upon their education regarding security (or conversely their ignorance of the need for security procedures). Information security management often focuses on the deployment of technology solutions to provide security, without necessarily considering how people will (want to or have to) interact with these solutions.<br />
Policy enforcement measures can be employed to promote or punish particular behaviours (e.g., approach towards security, learned actions etc.). This takes the form of incentives and sanctions associated with particular actions, which act to guide individuals towards the behaviours that security managers want them to adopt. However, different people respond in their own ways to such measures (perhaps again as a result of their awareness or ignorance of security matters). Individuals essentially rely on their personal <em>cognitive biases</em> (as mentioned in the blog), where they take action proportionate to their own perception of a threat, where this action may not necessarily be the most appropriate response. There is no typical, predictable response that can be expected in all individuals as a reaction to any particular security measure or policy enforcement practice.<br />
It may also be appropriate to consider that <em>cognitive biases</em> influence those individuals that are responsible for defining policies and managing information security. Identifying and formalising human factors provides a foundation for measuring and quantifying aspects of behaviour that impact upon an IT security programme. This then serves as a means of aligning the subjectivity of a security officer&#8217;s opinion and belief with the reality of how their security programmes are affecting people within their organisation both in providing security and preserving productivity.</p>
<p>There is a <a href="http://blog.isc2.org/isc2_blog/2009/08/add-human-factors-no.html">response to the original ISC2 blog entry</a> on the same blog by <a href="http://blog.isc2.org/isc2_blog/authors.html#slade">Rob Slade</a> that argues that &#8220;human factors&#8221; is already deeply entrenched in IT security management. This would certainly be the case for IT security management programs that succeed (i.e. those that see security measures and employees co-existing with minimal friction). The problem here is that many IT security managers might not dedicate much thought to &#8220;human factors&#8221; on its own, as such impairing the potential of their security programs while still (in their view) maintaining a perceived sense of security. For instance, employees may become frustrated or disaffected with security if IT security managers deploy cumbersome security mechanisms, or refuse to communicate with senior departmental managers and employees in general to assess usability requirements and gain stakeholder support. Security as an integrated quality of IT-related processes is more desirable than security procedures that get in the way of IT-related processes and ultimately hinder the human element that they exist to serve.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://trusteconomics.wordpress.com/2009/08/22/isc2-blog-entries-discuss-the-need-to-expand-information-security-management-knowledge-to-include-human-factors/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/44e45621f3158574782df2514a748403?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">separkin</media:title>
		</media:content>
	</item>
		<item>
		<title>CSO Online article discusses Social Elements of Security Policy and Messaging</title>
		<link>http://trusteconomics.wordpress.com/2009/03/10/45/</link>
		<comments>http://trusteconomics.wordpress.com/2009/03/10/45/#comments</comments>
		<pubDate>Tue, 10 Mar 2009 18:35:44 +0000</pubDate>
		<dc:creator>separkin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://trusteconomics.wordpress.com/?p=45</guid>
		<description><![CDATA[An article by Christopher Burgess of Cisco describes the &#8220;Social Elements of Security Policy and Messaging&#8221;. It is argued that IT security managers must identify the operational requirements of individuals in an organisation, and integrate security controls into the associated processes in a way that does not inhibit the work of employees.
With this, Burgess makes [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>An article by Christopher Burgess of <a href="http://www.cisco.com/">Cisco</a> describes the <a href="http://www.csoonline.com/article/483463/Social_Elements_of_Security_Policy_and_Messaging">&#8220;Social Elements of Security Policy and Messaging&#8221;</a>. It is argued that IT security managers must identify the operational requirements of individuals in an organisation, and integrate security controls into the associated processes in a way that does not inhibit the work of employees.<br />
With this, Burgess makes a distinction between various factors that may influence an individual&#8217;s security compliance and flexibility requirements within the workplace. These are identified as &#8216;social differences&#8217;, and serve to indicate the expectations and concerns that should be addressed when deploying security measures in proximity to specific groups of workers. These social differences are divided into geographical, cultural, generational and functional factors. As an example the article describes needing to <em>&#8220;deal with individuals who are entering the workforce having collaborated and communicated openly using social media and other collaborative tools&#8221;</em> as a generational concern.<br />
Different groups of employees have different ways of approaching business opportunities. Security managers should attempt to understand the operational requirements of these different groups, and deploy security measures accordingly. By distinguishing between different kinds of social drivers, the behaviour of employees towards security can be (to some extent) anticipated and approached in a structured manner.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://trusteconomics.wordpress.com/2009/03/10/45/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/44e45621f3158574782df2514a748403?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">separkin</media:title>
		</media:content>
	</item>
		<item>
		<title>Securosis&#8217; Rich Mogull on balancing the use of historical and recent security event data</title>
		<link>http://trusteconomics.wordpress.com/2009/03/05/securosis-rich-mogull-on-balancing-the-use-of-historical-and-recent-security-event-data/</link>
		<comments>http://trusteconomics.wordpress.com/2009/03/05/securosis-rich-mogull-on-balancing-the-use-of-historical-and-recent-security-event-data/#comments</comments>
		<pubDate>Thu, 05 Mar 2009 13:39:20 +0000</pubDate>
		<dc:creator>separkin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://trusteconomics.wordpress.com/?p=41</guid>
		<description><![CDATA[Rich Mogull of Securosis has posted a blog entry about &#8220;Selective Inverse Recency Bias In Security&#8221;. The article discusses some of the psychological and emotional foundations for identifying trends in security events and justifying security management decisions.
The article reiterates some truisms relating to human behaviour as a component of an organisation&#8217;s security environment (&#8220;We know [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Rich Mogull of <a href="http://securosis.com/">Securosis</a> has posted <a href="http://securosis.com/2009/02/16/selective-inverse-recency-bias-in-security/">a blog entry</a> about &#8220;Selective Inverse Recency Bias In Security&#8221;. The article discusses some of the psychological and emotional foundations for identifying trends in security events and justifying security management decisions.<br />
The article reiterates some truisms relating to human behaviour as a component of an organisation&#8217;s security environment (<em>&#8220;We know that human behavior doesn’t change, people will make mistakes, and are predictably unpredictable&#8221;</em>). It does also however serve to highlight that in order to be objective, security managers must acknowledge their own innately human responses to security events.<br />
Security managers should keep in mind that even with a wealth of monitoring data and preventive controls at their disposal, it is still possible that they may respond to security threats in a human way, i.e. an emotive way. Their beliefs and &#8216;gut feelings&#8217; about past events will influence the management decisions they make in the moment. The Securosis article argues that an emotional investment can only serve to skew trends and data in a security manager&#8217;s mind, in a way that could potentially drive them to find the evidence that supports their emotionally-driven decisions to the exclusion of that which does not.<br />
Shostack and Stewart&#8217;s <a href="http://www.amazon.co.uk/New-School-Information-Security/dp/0321502787/">&#8220;The New School of Information Security&#8221;</a> discusses how security managers can consciously use fear as a tool to justify security decisions and expenditure in the boardroom. However these same security managers may also subconsciously use this fear as a tool to convince themselves of the efficacy or inappropriateness of a given approach (depending on their feelings toward it), by disregarding those events (both recent and historical) that do not support their established way of thinking (or in this case, feeling).<br />
Arguably, security managers operate in an environment that is naturally predisposed to fear and suspicion. Previous experiences and monitoring data may be used selectively to justify management decisions that have already been pre-determined by these emotions. It is perhaps just as important then to equip security managers with the emotional tools to be able to weigh the benefits and risks of a given course of action, so that decisions are not only justified, but also rational.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://trusteconomics.wordpress.com/2009/03/05/securosis-rich-mogull-on-balancing-the-use-of-historical-and-recent-security-event-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/44e45621f3158574782df2514a748403?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">separkin</media:title>
		</media:content>
	</item>
		<item>
		<title>Computer Weekly&#8217;s &#8220;Security Trends for 2009&#8221;</title>
		<link>http://trusteconomics.wordpress.com/2009/01/28/computer-weeklys-security-trends-for-2009/</link>
		<comments>http://trusteconomics.wordpress.com/2009/01/28/computer-weeklys-security-trends-for-2009/#comments</comments>
		<pubDate>Wed, 28 Jan 2009 18:35:41 +0000</pubDate>
		<dc:creator>separkin</dc:creator>
				<category><![CDATA[News - Reports]]></category>

		<guid isPermaLink="false">http://trusteconomics.wordpress.com/?p=38</guid>
		<description><![CDATA[Computer Weekly&#8217;s Security Trends for 2009 article discusses a number of information security threats that require greater attention in 2009 due to the use of ever more flexible data-sharing practices within the workplace.
As an example, Daniel Dresner of the National Computing Centre (NCC) is quoted as saying:
&#8220;The thing that concerns me most is the idea [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Computer Weekly&#8217;s <a href="http://www.computerweekly.com/Articles/2009/01/20/234316/security-trends-for-2009.htm">Security Trends for 2009</a> article discusses a number of information security threats that require greater attention in 2009 due to the use of ever more flexible data-sharing practices within the workplace.</p>
<p>As an example, Daniel Dresner of the <a href="http://www.ncc.co.uk/">National Computing Centre (NCC)</a> is quoted as saying:</p>
<p><em>&#8220;The thing that concerns me most is the idea that there is a magic door people go into when they go to work, and that you are a private person when you leave work.&#8221;</em>  </p>
<p>Personal and business information may flow backwards and forwards both within and outside the workplace, across seemingly inseparable and always-connected computing environments. Dresner subsequently refers to the <em>&#8220;human firewall&#8221;</em>, which may be perceived as an individual&#8217;s ability to monitor and control the flow of (in this case their company&#8217;s) data using their own judgement.<br />
This judgement (the &#8216;rules&#8217; of the human firewall, if we are to maintain the analogy) can of course be informed through information security training &amp; education within the organisation. With this there is a need to align the principles of an information security policy with an individual&#8217;s own sensibilities. That is to say, if an employee should be given rules to follow by information security advisors within the organisation, these rules should be framed in terms that mean something to the individual (and not just the organisation in general).<br />
It is also equally necessary to ensure that the individual is aware of where those rules apply i.e. that they know which information security concerns apply at a given time (e.g. ensuring that they only disclose information exclusively to those who are meant to receive it, whether it be in the canteen, at the entrance to the company building, or in e-mails sent from a personal e-mail account). This also however raises the point that in many cases security concerns are either satisfied but obscured (e.g. data marked &#8216;confidential&#8217; on a &#8220;need to know&#8221; basis), or unsatisfied and omitted (&#8220;security through obfuscation&#8221; i.e. the belief that no-one can find a security flaw if it isn&#8217;t mentioned anywhere); neither of these approaches helps those who are otherwise not paid any extra money to keep themselves adequately informed about information security as part of their day-job.</p>
<p>The article also discusses the problem of <em>&#8220;insider exploitation&#8221;</em>, essentially where an outside body influences individuals within an organisation to carry out specific tasks to satisfy their criminal ends. With the global economy suffering, it is possible to imagine that individuals within an organisation will be more susceptible to activities of this kind (e.g. through disaffection towards their employer), and that there will be an increased number of tech-savvy security specialists turned criminals willing to exploit their own security knowledge for malicious purposes.<br />
As well as securing the technology infrastructure, organisations need to ensure that their staff comply with security policy, and that the policy accounts for the movement of staff in and out of the organisation. In this case there must be a clear statement of the sanctions and incentives within an organisation to protect data and processes, just as organised criminals (with their own increasingly sophisticated &#8216;business models&#8217;) will use coercion (e.g. blackmail, or threats of physical harm) and bribes to achieve their &#8216;business&#8217; goals. Also, just as criminals will determine who to target within an organisation to get what they want, organisations should have a sense of who has access to what is already theirs.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://trusteconomics.wordpress.com/2009/01/28/computer-weeklys-security-trends-for-2009/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/44e45621f3158574782df2514a748403?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">separkin</media:title>
		</media:content>
	</item>
		<item>
		<title>Cases seen of staff being denied pay for computer boot-up time</title>
		<link>http://trusteconomics.wordpress.com/2008/11/20/cases-of-staff-being-denied-pay-for-computer-boot-up-time-on-the-rise/</link>
		<comments>http://trusteconomics.wordpress.com/2008/11/20/cases-of-staff-being-denied-pay-for-computer-boot-up-time-on-the-rise/#comments</comments>
		<pubDate>Thu, 20 Nov 2008 13:27:46 +0000</pubDate>
		<dc:creator>separkin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://trusteconomics.wordpress.com/?p=35</guid>
		<description><![CDATA[An article in the US National Law Journal details cases of staff from various companies (including AT&#38;T Inc. and Cigna Corp.) who believe that they should still receive pay for time spent waiting for their work computers to boot-up. They may be resting on the argument that they find other work to do while they [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p><a href="http://www.law.com/jsp/nlj/PubArticleNLJ.jsp?id=1202426038668">An article in the US National Law Journal</a> details cases of staff from various companies (including AT&amp;T Inc. and Cigna Corp.) who believe that they should still receive pay for time spent waiting for their work computers to boot up. They may be resting on the argument that they find other work to do while they wait for their machines to become usable (e.g. making phone calls and arranging their work calendar), although the defendants in these cases argue that in these situations employees instead engage in &#8220;non-work activities&#8221;.<br />
A concern that is raised from a Trust Economics perspective is that this is a simple case of computer infrastructure management decisions (specifically power-management policies) affecting user productivity in an ambiguous way. It may not be too much of a leap to imagine similar situations where information security infrastructure can have a bearing on an employee&#8217;s ability to use their workstation (e.g. waiting for virus scans of externally-connected devices, configuring security software on a machine at start-up etc.).</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://trusteconomics.wordpress.com/2008/11/20/cases-of-staff-being-denied-pay-for-computer-boot-up-time-on-the-rise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/44e45621f3158574782df2514a748403?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">separkin</media:title>
		</media:content>
	</item>
		<item>
		<title>Charles Cresson Wood talks to ThreatChaos about the future of information security policies</title>
		<link>http://trusteconomics.wordpress.com/2008/11/13/charles-cresson-wood-talks-to-threatchaos-about-the-future-of-information-security-policies/</link>
		<comments>http://trusteconomics.wordpress.com/2008/11/13/charles-cresson-wood-talks-to-threatchaos-about-the-future-of-information-security-policies/#comments</comments>
		<pubDate>Thu, 13 Nov 2008 14:11:19 +0000</pubDate>
		<dc:creator>separkin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://trusteconomics.wordpress.com/?p=32</guid>
		<description><![CDATA[Prominent information security specialist Charles Cresson Wood recently talked to ThreatChaos about the future of information security policies. Among other things, discussion touched upon the importance of user education within the organisation, and the use of expert systems and instrumentation to automatically determine policy compliance.

]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Prominent information security specialist <a href="http://www.informationshield.com/aboutccw.htm">Charles Cresson Wood</a> recently talked to <a href="http://threatchaos.com/">ThreatChaos</a> about the future of information security policies. Among other things, discussion touched upon the importance of user education within the organisation, and the use of expert systems and instrumentation to automatically determine policy compliance.</p>
<p><span style="text-align:center; display: block;"><a href="http://trusteconomics.wordpress.com/2008/11/13/charles-cresson-wood-talks-to-threatchaos-about-the-future-of-information-security-policies/"><img src="http://img.youtube.com/vi/LacrFm6GYfw/2.jpg" alt="" /></a></span></p>
</div>]]></content:encoded>
			<wfw:commentRss>http://trusteconomics.wordpress.com/2008/11/13/charles-cresson-wood-talks-to-threatchaos-about-the-future-of-information-security-policies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/44e45621f3158574782df2514a748403?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">separkin</media:title>
		</media:content>

		<media:content url="http://img.youtube.com/vi/LacrFm6GYfw/2.jpg" medium="image" />
	</item>
		<item>
		<title>Security Experts Discuss &#8216;Conventional Wisdom&#8217;</title>
		<link>http://trusteconomics.wordpress.com/2008/11/12/security-experts-discuss-conventional-wisdom/</link>
		<comments>http://trusteconomics.wordpress.com/2008/11/12/security-experts-discuss-conventional-wisdom/#comments</comments>
		<pubDate>Wed, 12 Nov 2008 19:13:57 +0000</pubDate>
		<dc:creator>separkin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://trusteconomics.wordpress.com/?p=28</guid>
		<description><![CDATA[A recent Network World article rounds up a number of experts from the field of information security to discuss some of the prevailing beliefs that they encounter. The article covers a series of interesting topics, such as regulatory compliance (&#8220;You can be extremely secure but not compliant. Just as you can easily be compliant but [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>A <a href="http://www.networkworld.com/news/2008/110608-security-myths.html?page=1">recent Network World article</a> rounds up a number of experts from the field of information security to discuss some of the prevailing beliefs that they encounter. The article covers a series of interesting topics, such as regulatory compliance (<em>&#8220;You can be extremely secure but not compliant. Just as you can easily be compliant but not secure.&#8221;</em>), the virtues of open source software, and the measurement of security Return-on-Investment (ROI).<br />
One particular section focuses on the training of employees to behave in a more secure manner. As one of the experts, the <a href="http://www.451group.com/">451 Group&#8217;s</a> Nick Selby, points out: <em>&#8220;&#8230; resisting social engineering is really, really hard, as most people you&#8217;d want to hire are socially disposed to try to be, at the very least, helpful&#8221;</em>. If the goal of an organisation is to train their staff to behave in a more predictable and security-conscious manner, care should be taken so as not to stifle the &#8216;human factor&#8217; altogether (e.g. unpredictable behaviour doesn&#8217;t necessarily always produce bad results). It is often this same &#8216;human factor&#8217; that is relied upon to further the prospects of the organisation.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://trusteconomics.wordpress.com/2008/11/12/security-experts-discuss-conventional-wisdom/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/44e45621f3158574782df2514a748403?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">separkin</media:title>
		</media:content>
	</item>
		<item>
		<title>RSA&#8217;s Art Coviello warns of the perils of IT security regulations</title>
		<link>http://trusteconomics.wordpress.com/2008/11/05/rsas-art-coviello-warns-of-the-perils-of-it-security-regulations/</link>
		<comments>http://trusteconomics.wordpress.com/2008/11/05/rsas-art-coviello-warns-of-the-perils-of-it-security-regulations/#comments</comments>
		<pubDate>Wed, 05 Nov 2008 17:59:25 +0000</pubDate>
		<dc:creator>separkin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://trusteconomics.wordpress.com/?p=25</guid>
		<description><![CDATA[A Computer Weekly article discusses comments made by RSA&#8217;s Art Coviello during the RSA Europe Conference 2008. Discussion focuses on Coviello&#8217;s view that an urgency to comply with industry regulations is distracting security practitioners from those security projects which may serve the ambitions of the organisation. As the article puts it, &#8220;regulation has to be [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>A <a href="http://www.computerweekly.com/Articles/2008/10/27/232930/regulation-could-stifle-economic-recovery-claims-rsa.htm">Computer Weekly article</a> discusses comments made by RSA&#8217;s Art Coviello during the <a href="http://www.rsaconference.com/2008/Europe/Home.aspx">RSA Europe Conference 2008</a>. Discussion focuses on Coviello&#8217;s view that an urgency to comply with industry regulations is distracting security practitioners from those security projects which may serve the ambitions of the organisation. As the article puts it, <em>&#8220;regulation has to be focused on an intended result and not on a prescriptive list of controls&#8221;</em>.<br />
These comments highlight the need to consider how the implementation of industry regulations must be approached on a per-organisation basis, so as to benefit an organisation in its pursuit of specific productivity targets without putting unnecessary barriers in the path of the activities that ultimately contribute to those targets. Furthermore, a reasoned and transparent consideration at board-level of how regulatory compliance should be approached would help to clarify instances where resources are being diverted away from security projects towards compliance procedures.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://trusteconomics.wordpress.com/2008/11/05/rsas-art-coviello-warns-of-the-perils-of-it-security-regulations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/44e45621f3158574782df2514a748403?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">separkin</media:title>
		</media:content>
	</item>
		<item>
		<title>Demos Report Highlights the Value of Social Networking for Businesses</title>
		<link>http://trusteconomics.wordpress.com/2008/10/30/demos-report-highlights-the-value-of-social-networking-for-businesses/</link>
		<comments>http://trusteconomics.wordpress.com/2008/10/30/demos-report-highlights-the-value-of-social-networking-for-businesses/#comments</comments>
		<pubDate>Thu, 30 Oct 2008 17:03:49 +0000</pubDate>
		<dc:creator>separkin</dc:creator>
				<category><![CDATA[News - Reports]]></category>

		<guid isPermaLink="false">http://trusteconomics.wordpress.com/?p=19</guid>
		<description><![CDATA[A recent BBC article discusses the &#8216;Network Citizens&#8217; report (published by the Demos thinktank) about the value of allowing social networking applications to operate within a business environment.
It is argued that by allowing employees to use social networking tools within the workplace, they are essentially able to forge and utilise interpersonal connections that have potential [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>A recent <a href="http://news.bbc.co.uk/1/hi/business/7695716.stm">BBC article</a> discusses the <a href="http://www.demos.co.uk/files/Network%20citizens%20-%20web.pdf">&#8216;Network Citizens&#8217; report</a> (published by the <a href="http://www.demos.co.uk/">Demos</a> thinktank) about the value of allowing social networking applications to operate within a business environment.</p>
<p>It is argued that by allowing employees to use social networking tools within the workplace, they are essentially able to forge and utilise interpersonal connections that have potential business value. Furthermore, social networking tools negate the restrictions that a person&#8217;s physical location would otherwise place upon their ability to meet and communicate with potential collaborators both within and outside of their work environment.</p>
<p>It is important to identify the potential for social networking to further the ambitions of business, and as such one of the report&#8217;s authors, Peter Bradwell, states that the use of social networking tools <em>&#8220;must be tied to a business goal&#8221;</em>. The authors go on to say that guidelines must be put in place that define &#8216;appropriate use&#8217; of social networking tools.</p>
<p>With regard to information security management, Mr. Bradwell comments that:</p>
<p><em>&#8220;In today&#8217;s difficult business environment, the instinctive reaction can be to batten down the hatches and return to the traditional command-and-control techniques that enable managers to closely monitor and measure productivity.</em></p>
<p><em>&#8220;Allowing workers to have more freedom and flexibility might seem counter-intuitive, but it appears to create businesses more capable of maintaining stability.&#8221;</em></p>
<p>If an organisation were to adopt the aforementioned change in approach, it would be necessary to educate staff regarding their information security obligations, and determine exactly what information they have access to.</p>
<p>Staff should be educated to ensure that they are aware of the information that they have access to within the organisation, why that information is important to the organisation, and what the consequences would be (both for the individual and the organisation) should they disclose the information using social networking tools.</p>
<p>The difficulty here would be in finding a balance between:</p>
<ul>
<li> the <em>potential benefits</em> to the business of allowing staff to communicate information to other parties in a context where connections can be rapidly (and perhaps tenuously) established (e.g. new business alliances, greater cohesion amongst staff, instigation of new and different projects), and;</li>
<li>the <em>potential losses</em> (e.g. disclosure of sensitive data, time lost to unproductive or otherwise &#8216;pointless&#8217; networking connections).</li>
</ul>
<p>Just as risk assessment has become an integral part of information security management, it may be that &#8216;benefit assessment&#8217; becomes just as important to those businesses that allow their workforce greater operating freedoms.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://trusteconomics.wordpress.com/2008/10/30/demos-report-highlights-the-value-of-social-networking-for-businesses/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/44e45621f3158574782df2514a748403?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">separkin</media:title>
		</media:content>
	</item>
	</channel>
</rss>