32.4. Motivating Users

A technical bias toward security mechanisms has produced a simplistic approach to user authentication: restricting access to data by identification and authentication of a user. This simplistic approach may work well in military environments, but it limits usable solutions to the security problems of modern organizations seeking to encourage work practices such as teamwork and shared responsibility. Such organizations require support for trust and information sharing. The authoritarian approach has also led to security departments' reluctance to communicate with users with regard to work practices. The U.S. Federal Information Processing Standards[14] suggest that individual ownership of passwords increases accountability and decreases illicit usage of passwords, because of the possibility of audit trailing, a by-product of authentication. However, both of these assumptions rely on users' perceptions, which, as previously mentioned, do not always comply with those of the security departments. FIPS[15] also suggests that shared passwords for groups are insecure. This study has identified that when users perceive they are using shared passwords for work carried out in a team, this may increase their perceptions of group responsibility and accountability. If a password mechanism is incompatible with users' work practices, they perceive the security mechanism as "not sensible" and circumvent it (for example, by disclosing their password to other group members). This can lead to a perception that all password mechanisms are "pointless," so that users circumvent all of them and overall security decreases. This does not mean that individual passwords should not be used in organizations with team-based working; it is worth considering protecting access to shared information with a shared password while leaving individual passwords for individual activities. The increased mental load of an additional shared password may cause fewer problems than the spiraling decline in security behavior caused by "incompatible" mechanisms.

[14] FIPS 112.

[15] Ibid.

It is important to challenge the view that users are never motivated to behave in a secure manner. Our results show that the majority of users were security conscious, as long as they perceived the need for these behaviors (for example, because of obvious external threats or the perceived sensitivity of the information protected). These findings are supported by research within Organization B, where both physical and computer security levels were low and security threats were evident to users. In this situation, users demonstrated exemplary behavior with their own passwords. We argue that the need-to-know principle should be jettisoned. The main argument of its proponents is that by informing users about the rationale behind security mechanisms, along with real and potential threats to security, they may be lowering security by increasing the possibility of information leaks. This attitude has led to a two-fold problem:

  • Users' lack of security awareness

  • Security departments' lack of knowledge about users, producing security mechanisms and systems that are not usable

These two factors lower users' motivation to produce secure work practices. This in turn reinforces security departments' belief that users are "inherently insecure" and leads to the introduction of stricter mechanisms, which require more effort from users. Communication between security departments and users is therefore often restricted to "ticking off" users caught circumventing the rules. This vicious circle needs to be broken. The current approach does not fit with modern distributed and networked organizations, which depend on communication and collaboration. Users have to be treated as partners in the endeavor to secure an organization's systems, not as the enemy within. System security is one of the last areas in IT in which user-centered design and user training are not regarded as essential; this has to change.

Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295