Learning from "Shadow Security": Why understanding non-compliant behaviors provides the basis for effective security

Iacovos Kirlappos, Simon Parkin, M. Angela Sasse
Department of Computer Science, University College London, London, United Kingdom
{i.kirlappos, s.parkin, a.sasse}@cs.ucl.ac.uk

Abstract—Over the past decade, security researchers and practitioners have tried to understand why employees do not comply with organizational security policies and mechanisms. Past research has treated compliance as a binary decision: people comply, or they do not. From our analysis of 118 in-depth interviews with individuals (employees in a large multinational organization) about security non-compliance, a third response emerges: shadow security. This describes the instances where security-conscious employees who think they cannot comply with the prescribed security policy create a more fitting alternative to the policies and mechanisms created by the organization's official security staff. These workarounds are usually not visible to official security and higher management, hence 'shadow security'. They may not be as secure as the 'official' policy would be in theory, but they reflect the best compromise staff can find between getting the job done and managing the risks that the assets they understand face. We conclude that rather than trying to 'stamp out' shadow security practices, organizations should learn from them: they provide a starting point for 'workable' security: solutions that offer effective security and fit with the organization's business, rather than impede it.

Keywords — Information security management; compliance; security design

I. INTRODUCTION

Information security has traditionally been implemented through policies and technical solutions. It was seen as reasonable to secure systems with policies that dictate what users can and cannot do, and technical mechanisms that enforce this [1]. As IT progressively supports more and more activities within the working environment, this approach becomes problematic because policies and mechanisms demand too much effort, and when the effort becomes unreasonable, humans make mistakes or cease to comply [2][3]. Human error and social engineering can be bigger vulnerabilities than many technical attacks [4]. The organization's technical systems must be fortified, yet effective security management needs to consider the physical and social environment in which those technical implementations are used [5][6].

This new environment pushes responsibility for protecting the organization beyond its information security experts: employees, the users of organizational IT systems, play a key role in delivering the policy. Security experts in organizations usually work together in a central function and try to create and maintain a shared sense of appropriate security behavior through policies. They attribute employee non-compliance to lack of understanding. Thus, when non-compliance is detected, they respond with security education campaigns, which exhort users to comply with prescribed security mechanisms and processes. But the truth is that almost no organization has evaluated whether these policies and mechanisms are fit-for-purpose in the real working environment [7]. In addition, the increasing complexity of the threat makes it difficult to anticipate, define and communicate all desired policy-compliant behaviors for all potential exceptions and circumstances [8]. Thus, the traditional, centralized "command and control" approach to security becomes impossible [9], and we need to rethink the way information security is implemented and managed. We know that an employee's choice as to whether to comply with security policies is influenced by his/her own task goals, perceptions, attitudes and norms [2][10]. Security design should acknowledge this and develop an approach for a "middle ground" solution that balances employee and security experts' priorities [11].

We suggest that this is where understanding "shadow security" (1) can help: understanding the security practices outside the jurisdiction of the organization, developed by employees who do not willfully disregard security. When security experts insist on 'standard' or 'best practice' policies, these users are left to procure, deploy and refine their own solutions, outside the control of the organization's designated security management.

In this paper we present an organizational case study of shadow security behaviors. We analyzed 118 interviews with employees in a large multi-national organization, in which they discussed their security practices. We outline how understanding their practices can improve the process of deploying and refining security in the organization, involving users in the process of evolving security. We argue this is a plausible route to achieving productivity-enhancing, rather than productivity-

(1) Shadow IT is defined as: "employees going around IT to get the IT services they want on their own" [12]

Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.
USEC '14, 23 February 2014, San Diego, CA, USA
Copyright 2014 Internet Society, ISBN 1-891562-37-1
http://dx.doi.org/10.14722/usec.2014.23007