Author(s): Iacovos Kirlappos, Martina Angela Sasse

Download: Paper (PDF)

Date: 7 Feb 2015

Document Type: Briefing Papers

Additional Documents: Slides

Associated Event: NDSS Symposium 2015


Current approaches to information security focused on deploying security mechanisms, creating policies and communicating those to employees. Little consideration was given to how policies and mechanisms affect trust relationships in an organization, and in turn security behavior. Our analysis of 208 in-depth interviews with employees in two large multinational organizations found two trust relationships: between the organization and its employees (organization-employee trust), and between employees (inter-employee trust). When security interferes with employees’ ability to complete work tasks, they rely on inter-employee trust to overcome those obstacles (e.g. sharing a password with a colleague who is locked out of a system and urgently needs access). Thus, non-compliance is a collaborative action, which develops inter-employee trust further, as employees now become “partners in crime”. The existence of these two relationships also presents employees with a clear dilemma: either try to comply with cumbersome security (and honor organization-employee trust) or help their colleagues by violating security (preserving inter-employee trust). We conclude that designers of security policies and mechanisms need to support both types of trust, and discuss how to leverage trust to achieve effective security protection. This can enhance organizational cooperation to tackle security challenges, provide motivation for employees to behave securely, while also reducing the need for expensive physical and technical security mechanisms.