2 Fast 2 Secure: A Case Study of Post-Breach Security Changes

Parkin

2022

JCS

Self Cite

Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressures, and limited resources for identifying optimal security-related choices. Conflict arises because of information asymmetries present in the relationship, where influencers and decision-makers both consider costs, gains, and losses in ways which are not necessarily aligned. With the need to promote ‘good enough’ decisions about security-related behaviours under such constraints, we hypothesize that actions to resolve this misalignment can benefit from constructs from both traditional economics and behavioural economics. Here we demonstrate how current approaches to security behaviour provisioning in organizations mirror rational-agent economics, even where behavioural economics is embodied in the promotion of individual security behaviours. We develop and present a framework to accommodate bounded security decision-making, within an ongoing programme of behaviours which must be provisioned for and supported. Our four stage plan to Capture, Adapt, Realign, and Enable behaviour choices provides guidance for security managers, focusing on a more effective response to the uncertainty associated with security behaviour in organizations.

Section: Implementation Stepsmentioning

confidence: 99%

The boundedly rational employee: Security economics for behaviour intervention support in organizations1

Parkin

2022

JCS

Self Cite

“…We introduce our approach in the form of a co-design methodology that is a modification of the classical modelling cycle. -In Section 5, we present a case-study which largely shaped our understanding of co-design [10]. Through reflections, we discuss the methods and approaches that worked, as well as shortcomings.…”

Section: Structurementioning

confidence: 99%

“…To demonstrate how an attempt to co-design looks like in a real-world context, as well as reflect on potential improvements, we present an in-depth case-study of a single company, previously published in [10].…”

Section: Case Study: Reflectionsmentioning

confidence: 99%

“…Here we provide a brief profile of Company A, focussing on the historical security context of the organization as well as their current security structure, policies, and processes. A more detailed description of the company can be found in [10].…”

Section: The Organizationmentioning

confidence: 99%

“…The company had a much more informal attitude towards security and only basic controls. Then, Company A suffered an information security breach in the form of an insider attack [10]. This breach seriously threatened the company's financial and reputational stability and could have potentially ended the business.…”

Section: The Organizationmentioning

confidence: 99%

See 2 more Smart Citations

Found in Translation: Co-design for Security Modelling

Socio-Technical Aspects in Security

Caulfield

2022

Self Cite

Background. In increasingly complex and dynamic environments, it is difficult to predict potential outcomes of security policies. Therefore, security managers (or other stakeholders) are often challenged with designing and implementing security policies without knowing the consequences for the organization. Aim. Modelling, as a tool for thinking, can help identify those consequences in advance as a way of managing decision-making risks and uncertainties. Our co-design approach aims to tackle the challenges of problem definition, data availability, and data collection associated with modelling behavioural and cultural aspects of security. Method. Our process of modelling co-design is a proposed solution to these challenges, in particular for models aiming to incorporate organizational security culture. We present a case study of a long-term study at Company A, where using the methods of participatory action research, humble inquiry, and thematic analysis, largely shaped our understanding of co-design. We reflect on the methodological advantages of co-design, as well as shortcomings. Result. Our methodology engages modellers and system stakeholders through a four-stage co-design process consisting of (1) observation and candidate data availability, (2) candidate model design, (3) interpretation of model consequences, and (4) interpretation of domain consequences. Conclusion. We have proposed a new methodology by integrating the concept of co-design into the classical modelling cycle and providing a rigorous methodology for the construction of models that captures the system and its behaviours accurately. We have also demonstrated what an attempt at co-design looks like in the real-world, and reflected upon necessary improvements.

You’ve Left Me No Choices: Security Economics to Inform Behaviour Intervention Support in Organizations

Parkin

Lecture Notes in Computer Science

2021

Self Cite

Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressures, and limited resources for identifying optimal securityrelated choices. Conflict arises due to information asymmetries present in the relationship, where influencers and decision-makers both consider costs, gains, and losses in ways which are not necessarily aligned. With the need to promote 'good enough' decisions about security-related behaviours under such constraints, we hypothesize that actions to resolve this misalignment can benefit from constructs from both neoclassical economics and behavioural economics. Here we demonstrate how current approaches to security behaviour provisioning in organizations mirror rational-agent economics, even where behavioural economics is embodied in the promotion of individual security behaviours. We develop and present a framework to accommodate bounded security decision-making, within an ongoing programme of behaviours which must be provisioned for and supported. We also point to applications of the framework in negotiating sustainable security behaviours, such as policy concordance and just security cultures.