Increasingly, organizations are acknowledging the importance of human factors in the management of security in workplaces. There are challenges in managing security infrastructures in which there may be centrally mandated and locally managed initiatives to promote secure behaviours. We apply a co-design methodology to harmonize employee behaviour and centralized security management in a large university. This involves iterative rounds of interviews connected by the co-design methodology: 14 employees working with high-value data with specific security needs; seven support staff across both local and central IT and IT-security support teams; and two senior security decision-makers in the organization. We find that employees prefer local support together with assurances that they are behaving securely, rather than precise instructions that lack local context. Trust in support teams that understand local needs also improves engagement, especially for employees who are unsure what to do. Policy is understood by employees through their interactions with support staff and when they see colleagues enacting secure behaviours in the workplace. The iterative co-design approach brings together the viewpoints of a range of employee groups and security decision-makers that capture key influences that drive secure working practices. We provide recommendations for improvements to workplace security, including recognizing that communication of the policy is as important as what is in the policy. ... Read more

Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressures, and limited resources for identifying optimal security-related choices. Conflict arises because of information asymmetries present in the relationship, where influencers and decision-makers both consider costs, gains, and losses in ways which are not necessarily aligned. With the need to promote good enough' decisions about security-related behaviours under such constraints, we hypothesize that actions to resolve this misalignment can benefit from constructs from both traditional economics and behavioural economics. Here we demonstrate how current approaches to security behaviour provisioning in organizations mirror rational-agent economics, even where behavioural economics is embodied in the promotion of individual security behaviours. We develop and present a framework to accommodate bounded security decision-making, within an ongoing programme of behaviours which must be provisioned for and supported. Our four stage plan to Capture, Adapt, Realign, and Enable behaviour choices provides guidance for security managers, focusing on a more effective response to the uncertainty associated with security behaviour in organizations. ... Read more