A significant number of security breaches result from employees' failure to comply with security policies. Many organisations have tried to change or influence security behaviour, but have found it a major challenge. Drawing on previous research on usable security and the economics of security, we propose a new approach to managing employee security behaviour. We conducted interviews with 17 employees from two major commercial organisations, asking why they do or do not comply with security policies. Our results show that the key factors in the compliance decision are the actual and anticipated costs and benefits of compliance to the individual employee, and the perceived costs and benefits to the organisation. We present a new paradigm, the Compliance Budget, as a means of understanding how individuals perceive the costs and benefits of complying with organisational security goals, and identify a range of approaches that security managers can use to influence employees' perceptions (which, in turn, influence security behaviour). The Compliance Budget should be understood and managed in the same way as any financial budget, because compliance directly affects, and can place a cap on, the effectiveness of organisational security measures.