Albesë Demjaha, David Pym, Tristan Caulfield, Simon Parkin
{"title":"‘The trivial tickets build the trust’: a co-design approach to understanding security support interactions in a large university","authors":"Albesë Demjaha, David Pym, Tristan Caulfield, Simon Parkin","doi":"10.1093/cybsec/tyae007","DOIUrl":null,"url":null,"abstract":"Increasingly, organizations are acknowledging the importance of human factors in the management of security in workplaces. There are challenges in managing security infrastructures in which there may be centrally mandated and locally managed initiatives to promote secure behaviours. We apply a co-design methodology to harmonize employee behaviour and centralized security management in a large university. This involves iterative rounds of interviews connected by the co-design methodology: 14 employees working with high-value data with specific security needs; seven support staff across both local and central IT and IT-security support teams; and two senior security decision-makers in the organization. We find that employees prefer local support together with assurances that they are behaving securely, rather than precise instructions that lack local context. Trust in support teams that understand local needs also improves engagement, especially for employees who are unsure what to do. Policy is understood by employees through their interactions with support staff and when they see colleagues enacting secure behaviours in the workplace. The iterative co-design approach brings together the viewpoints of a range of employee groups and security decision-makers that capture key influences that drive secure working practices. We provide recommendations for improvements to workplace security, including recognizing that communication of the policy is as important as what is in the policy.","PeriodicalId":44310,"journal":{"name":"Journal of Cybersecurity","volume":"14 1","pages":""},"PeriodicalIF":2.9000,"publicationDate":"2024-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Cybersecurity","FirstCategoryId":"1093","ListUrlMain":"https://doi.org/10.1093/cybsec/tyae007","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"SOCIAL SCIENCES, INTERDISCIPLINARY","Score":null,"Total":0}
引用次数: 0
Abstract
Increasingly, organizations are acknowledging the importance of human factors in the management of security in workplaces. There are challenges in managing security infrastructures in which there may be centrally mandated and locally managed initiatives to promote secure behaviours. We apply a co-design methodology to harmonize employee behaviour and centralized security management in a large university. This involves iterative rounds of interviews connected by the co-design methodology: 14 employees working with high-value data with specific security needs; seven support staff across both local and central IT and IT-security support teams; and two senior security decision-makers in the organization. We find that employees prefer local support together with assurances that they are behaving securely, rather than precise instructions that lack local context. Trust in support teams that understand local needs also improves engagement, especially for employees who are unsure what to do. Policy is understood by employees through their interactions with support staff and when they see colleagues enacting secure behaviours in the workplace. The iterative co-design approach brings together the viewpoints of a range of employee groups and security decision-makers that capture key influences that drive secure working practices. We provide recommendations for improvements to workplace security, including recognizing that communication of the policy is as important as what is in the policy.
越来越多的组织认识到人的因素在工作场所安全管理中的重要性。在管理安全基础设施方面存在着挑战,其中可能有中央授权和地方管理的措施来促进安全行为。我们在一所大型大学中采用了共同设计方法来协调员工行为和集中式安全管理。这包括通过共同设计方法进行的一轮又一轮的访谈,访谈对象包括:14 名处理高价值数据并有特殊安全需求的员工;7 名跨本地和中央 IT 及 IT 安全支持团队的支持人员;以及两名组织中的高级安全决策者。我们发现,员工更喜欢本地支持,以及确保他们行为安全的保证,而不是缺乏本地背景的精确指示。对了解本地需求的支持团队的信任也会提高员工的参与度,尤其是那些不知道该怎么做的员工。员工通过与支持人员的互动,以及看到同事在工作场所实施安全行为,就能理解政策。迭代式共同设计方法汇集了一系列员工群体和安全决策者的观点,抓住了推动安全工作实践的关键影响因素。我们提出了改进工作场所安全的建议,包括认识到政策沟通与政策内容同等重要。
期刊介绍:
Journal of Cybersecurity provides a hub around which the interdisciplinary cybersecurity community can form. The journal is committed to providing quality empirical research, as well as scholarship, that is grounded in real-world implications and solutions. Journal of Cybersecurity solicits articles adhering to the following, broadly constructed and interpreted, aspects of cybersecurity: anthropological and cultural studies; computer science and security; security and crime science; cryptography and associated topics; security economics; human factors and psychology; legal aspects of information security; political and policy perspectives; strategy and international relations; and privacy.