Respondent: Okay. What, like writing a password down, and using your dog or cat's name as your password, using the same password, never changing your password, those kinds of things, like we all do, you know, stick up notes on your PC? I mean giving your password to your friends, those are all things that everyone, IT professionals included, would do. You know I must have a couple of dozen passwords that I use for accounts that I try to use, and I have a hard time trying to keep track of all of that. Doesn't everybody?
As this quote suggests, both information security professionals and regular employees sometimes engage in inappropriate security-related behaviors without malign intent. Regular employees often mentioned that the reasons they circumvented security controls revolved around balancing productivity and security: security controls were often perceived as inconvenient and counterproductive. Information security professionals also cited awareness and education of end users as a key issue that could either enhance or detract from security. We also ascertained that a wide range of behaviors, and many variants on those behaviors, relevant to information security existed. Finally, we noted the presence of motivational conflicts in which the desire to "do the right thing" might be thwarted by other concerns such as productivity and convenience. Together, the results of this qualitative work suggested to us that an important next step might involve the development of a systematic and organized list of the important security-related behaviors that occur in organizational contexts.
RESEARCH PHASE 2: DEFINING THE BEHAVIORAL DOMAIN
Our goal for this phase was to construct and test a set of categories for information security behaviors. We hoped that this knowledge would support later research efforts that focus on understanding the antecedents and consequences of information security behavior. We began by conducting 110 additional interviews with managers, information technology professionals, and regular employees, during which we asked respondents to describe both beneficial and detrimental behaviors that employees within organizations enact that affect information security. From the transcripts of these interviews we compiled a raw list of security-related behaviors. Next, we prepared a card deck listing the eighty-two resultant behaviors. Ten individuals (graduate students and faculty in information technology) sorted the cards into self-generated categories. By collapsing across the many similarities among these independently generated categories, we developed a six-element taxonomy of security behavior that varied along two dimensions: intentionality and technical expertise. The intentionality dimension captured whether the behavior described on the card was intentionally malicious, intentionally beneficial, or somewhere in between (i.e., absent any explicit intention to help or harm). The technical expertise dimension focused on the degree of computer or information technology knowledge and skill that the actor needed in order to perform the behavior described on the card.
The Six Categories
Figure 12.1 below depicts the six categories arranged on two dimensions. To illustrate with contrasting categories, "aware assurance" refers to positive security practices conducted by well-trained personnel, while "detrimental misuse" refers to the inappropriate and intentional behaviors of inexpert individuals who misuse information resources. An example of aware assurance would be when a well-trained end user discovers a back door on her desktop PC by using the task and