Abstract
Computer users are often referred to, rather disparagingly, as "the weakest link" in information security. This resonates with the frustration experienced by organisations who are doing their best to secure their systems, only to have an employee compromise everything with an insecure act. Organisations put a great deal of effort into education and training but it has become clear that this, on its own, is not sufficient. A wide range of relevant literature has been consulted in order to produce a model that reflects the process from ignorance to actual behaviour, and to highlight the factors that play a role in this pathway. This is the primary contribution of this paper. The model introduces the notion of two gulfs. The gulf of evaluation has the undecided user at one side, at the other a user with an intention to behave securely. A set of factors that help to bridge the gulf have been identified from the research literature. The second gulf is called the gulf of execution, which has to be bridged, assisted or deterred by a number of factors, so that users will convert intentions to actual behaviours. Interestingly, one of the factors that play a role in bridging both gulfs is security culture. Particular attention is paid to this factor and its role in encouraging secure behaviour. © 2014 Springer International Publishing.
Renaud, K., & Goucher, W. (2014). The curious incidence of security breaches by knowledgeable employees and the pivotal role of security culture. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8533 LNCS, pp. 361–372). Springer Verlag. https://doi.org/10.1007/978-3-319-07620-1_32