Summary

Cyber threats Summary of ALL literature

Rating: -
Sold: 5
Pages: 104
Uploaded on: 17-05-2022
Written in: 2021/2022

Content preview

Employee Rule Breakers, Excuse Makers and Security Champions: Mapping the risk perceptions and
emotions that drive security behaviors (Beris et al. 2015)

· Shadow security - employees create workarounds when ‘official’ security is too burdensome,
yet are still security-conscious and take other measures to protect against the risks they understand

· Security hygiene - process of identifying and re-designing high-friction security

· Security hygiene - necessary, but not sufficient condition for compliance - staff may still be
tempted to cut corners where they perceive risks as negligible, or think the organization does not
‘deserve’ their contribution to security

· Security managers typically consider only lack of knowledge as a driver of security behavior,
and not a failure to appreciate the severity of a risk

- First step - systematically identify and categorize meaningful heterogeneous characteristics
within an employee population

- Measures of behavioral types in the social sciences focus on aspects of personality

- Emotional responses consciously or unconsciously shape employees’ general attitude
towards security, and their risk perception

- Risk perception is also based on an individual’s skill at assessing risk, backed by the relevant
information or knowledge they may have



Security behavior results from

1) an individual’s affective responses to security

2) their competence in assessing risk

- Organizations with a healthy security culture are likely to have high levels of risk
understanding, combined with positive emotion towards security

· The affect heuristic is also applied to both conscious and subconscious modes of thinking -
Kahneman suggests that we are likely to default to automatic and intuitive processing in risk
assessments particularly under pressure, referred to as System 1, rather than a more analytical
approach, referred to as System 2



Johari Window - psychological framework used to facilitate a better understanding of an individual’s
relationship with themselves and others

- 2 x 2 grid - expresses four states of awareness, combining what is known and not known by the
self and what is known or not known by others

- Widely used in conceptualizing risk in other domains such as space exploration

- Massie and Morris’ risk model builds on Johari Window to explore how known and unknown
information influences decision-making under conditions of risk


Behavioral Security Grid (BSG) – revised version of the Johari Window - four states of awareness
incorporated into the Johari Window which are referred to as: Open, Blind, Hidden and Unknown

Open area - refers to what is known by both the self and others

Blind area - refers to what others know about the person but they are not aware of themselves

Hidden area - refers to what the person knows about themselves but others are not aware of

Unknown area - refers to what is not known by self and others



- Quadrants of the Johari Window, Open, Blind, Hidden and Unknown offer a basic heuristic to
express the employee’s style or mode of security behavior

- Aims to better understand the relationship between individuals and organizational security
policy - useful framework to represent differences in security behavior

- Discard the Johari Window axes relating to the self and others, since they do not fit the
model



· Affective Security (AS) – emotional dimension, assigned to y-axis

· AS - deals with individual’s emotional response to security, as represented by the
organization’s security policy

· Risk Understanding (RU) – dimension of competence, assigned to x-axis

· RU - denotes the individual’s ability to accurately perceive the existence and severity of the
risks associated with the actions they take themselves, as well as those they observe in the
surrounding environment

· Application of these axes, along with the re-orientation of the window, results in BSG

· Second stage - use revised Johari Window to categorize members of two different
organizations in order to identify differences between their populations



Affective Security

• Strong Positive (AS++) - these individuals regard security as their personal business and
responsibility

- They feel organization has effectively designed and implemented its security strategy

- May act as leaders and have the capacity to positively influence those around them

- Clear indication that the individual personally takes action to comply with, or support, the
security policy of the organization, such as adopting practices aligned with the policy, or challenging
non-compliant practices they observe in their environment

• Weak Positive (AS+) - positive inclination toward security and statements reflecting a reasonably,
but not strongly, positive stance

- Express a view that organizational policy is useful, but do not necessarily see it as their
personal responsibility

- Appreciate the need for security in a general sense but less likely to take personal initiative
to ensure security



• Weak Negative (AS-) - Think security processes are useful to the organization in the abstract, but
when it comes to applying personal effort to the task they frequently make excuses

- Security tasks take up too much time, or effort, because organizational policy is not as
effective as it could be



• Strong Negative (AS--) - Highly frustrated by current security policy and seek to implement ad hoc
workarounds that minimize their involvement with it

- Taking direct action on their own behalf, and may also set unwanted precedents for others
(particularly those falling in the weak negative category)

- Intentionally circumventing the policy, or expressed a desire to circumvent, even if it was not
actually feasible to do so



Risk Understanding

• Strong Positive (RU++) – display a comprehensive understanding of risk factors, including the
ability to understand the causal relationship between their actions, risk, and any associated
outcomes

- Understood not only that a risk exists, but what causes the risk and the impacts associated
with it


• Weak Positive (RU+) - existence of risks is recognized but individuals are less clear about what
causes them, or do not demonstrate an understanding of the relationship between their actions and
the risk (or its mitigation)

- Risks are correctly identified, either explicitly or implicitly, but no further discussion is
offered as to their causes or impacts



• Weak Negative (RU-) - omissions in their ability to recognize risk

- Knowledge is accurate but incomplete, leading them to make errors in judgment, or be
uncertain as to how to proceed in a given situation

• Strong Negative (RU--) - actively hold misconceptions about risk; they do not just fail to mention
that risks exist but make statements that are incorrect

- Believe they are right while making significant mistakes

- Discussion of risk and emotive responses to security were more prevalent during the
semi-structured interviews



Blind

1) Strong Positive AS & Strong Negative RU: “Gung Ho”

· Individuals of this type pose a significant, if unintentional, threat to the organization

· See security as something they should be personally involved in, but are burdened by
inaccurate risk perception

· Leads them to propagate undesirable culture traits, as they will seek to take a leadership role,
but will not have a clear view of what constitutes effective action

· Keen to follow the existing policy, but lack of understanding regarding the risks it addresses
may lead them to perceive some or all of it as arbitrary, increasing their likelihood of non-compliance



2) Strong Positive AS & Weak Negative RU: “Uncertain”

· Strongly motivated by security, but are unaware of the risks they may encounter,
leading them to be unsure as to why certain policies may be in place, or unclear as to the
consequences of any potential workarounds

· May wish to play a role in creating a positive security culture but lack the knowledge to
consistently choose between good and bad, leaving them uncertain of where to place their effort



3) Weak Positive AS & Strong Negative RU: “Naïve”

· Hold a generally positive outlook toward security, but are more likely to contravene security
policy when it negatively impacts their primary task

· Combined with active misconceptions regarding what constitutes risky behavior



4) Weak Positive AS & Weak Negative RU: “Passive”

· Feel that security is necessary for the organization, although not something they themselves
should have to put time into

· Aware of the policy but not clear why it exists, leaving them following rules by rote

Seller: mauritshorst, Universiteit Leiden