Use this URL to cite or link to this record in EThOS:
Title: 'Mission impossible' : how conflicting security and productivity demands induce non-compliance with security policies
Author: Karppinen, I. A.
ISNI:       0000 0004 8504 0182
Awarding Body: UCL (University College London)
Current Institution: University College London (University of London)
Date of Award: 2016
Availability of Full Text:
Access from EThOS:
Full text unavailable from EThOS. Please try the link below.
Access from Institution:
Safety and security policies are a vital part of protecting a range of organisational assets and personnel. Safety research though, has focused on avoiding major catastrophes (from nuclear to aviation) and attributing responsibility for causation of accidents at both individual and organisational levels (Reason, 1990). Accident causation models that come from high-risk industries have limited application to organisations in the security industry though, where procedural non-compliance rarely results in a major catastrophe. As noted in the previous research (Karppinen, 2010), they do not adequately explain why employee non-compliance exists. The information security field, however, has identified security requirements which impede task productivity as a significant factor (Beautement, Sasse and Wonham, 2008). This research is a case-study of non-compliance in a secure logistics organisation whose operations are underpinned by critical physical security rules and procedures. It expands on previous research (Karppinen, 2010), making this a unique longitudinal case-study. Across six of its branches, archival (228 security breaches) and direct security-related observations (262) were obtained. Second, 70 operational-level employees (couriers) and 15 managers completed a Q-sorting task and were interviewed. Finally, an intervention method that was grounded in the data collected was introduced. This addressed the primary causes of non-compliance in an attempt to trigger behaviour change. The intervention followed the persuasive technology approach, with persuasive messages delivered to 139 couriers over a four-week period via each courier's existing communication device. There were 85 pre-intervention and 76 post-intervention surveys completed and 26 CCTV observations were carried out during the intervention. The results showed that the persuasive messaging did not affect security compliance. However, the research offers insights into compliance with physical security rules, concluding that achieving full compliance with a security policy is 'mission impossible' where that policy is not designed, implemented and delivered in a manner that aids compliance.
Supervisor: Not available Sponsor: Not available
Qualification Name: Thesis (Ph.D.) Qualification Level: Doctoral
EThOS ID:  DOI: Not available