Use this URL to cite or link to this record in EThOS:
Title: Learning from "shadow security" : understanding non-compliant behaviours to improve information security management
Author: Kirlappos, I.
ISNI:       0000 0004 8498 0885
Awarding Body: UCL (University College London)
Current Institution: University College London (University of London)
Date of Award: 2016
Availability of Full Text:
Access from EThOS:
Full text unavailable from EThOS. Please try the link below.
Access from Institution:
This thesis examines employee interaction with information security in large organisations. It starts by revisiting past research in user-centred security and security management, identifying three research questions that examine (1) employee understanding of the need for security, (2) the challenges security introduces to their work, together with their responses to those challenges, and (3) how to use the emerging knowledge to improve existing organisational security implementations. Preliminary examination of an available interview data set, led to the emergence of three additional research questions, aiming to identify (4) employee actions after bypassing organisational security policy, (5) their response to perceived lack of security support from the organisation, and (6) the impact of trust relationships in the organisation on their security behaviours. The research questions were investigated in two case studies inside two large organisations. Different data collection (200 interviews and 2129 surveys) and analysis techniques (thematic analysis and grounded theory) were combined to improve outcome validity and allow for generalisability of the findings. The primary contribution of this thesis is the identification of a new paradigm for understanding employee responses to high-friction security, the shadow security: employees adapt existing mechanisms or processes, or deploy other self-devised solutions, when they consider the productivity impact of centrally-procured security as unacceptable. An additional contribution is the identification of two trust relationships in organisational environments that influence employee security behaviours: organisationemployee trust (willingness of the organisation to remain exposed to the actions of its employees, expecting them to behave securely), and inter-employee trust (willingness of employees to act in a way that renders themselves or the organisation vulnerable to the actions of another member of the organisation). The above contributions led to the creation of a structured process to better align security with organisational productive activity, together with a set of relevant metrics to assess the effectiveness of attempted improvements. The thesis concludes by presenting a case study attempting to apply the above process in an organisation, also presenting the emerging lessons for both academia and industry.
Supervisor: Not available Sponsor: Not available
Qualification Name: Thesis (Ph.D.) Qualification Level: Doctoral
EThOS ID:  DOI: Not available