What is it?
Security measures that staff create to manage security to the best of their knowledge and ability, avoiding official security policies and mechanisms that get in the way of their tasks and reduce productivity.
Why is it important?
Shadow security practices reflect the best compromise staff can find between getting their job done and managing the risks to the assets they use. They present an opportunity for the organization to learn how to maintain both security and productivity.
Why does a business professional need to know this?
Shadow security emerges in organizations where: (1) employees have reasons to comply with security and are motivated to do so, but (2) security mechanisms are not fit to support their work goals. As a result: (3) a significant amount of security mediation takes place at the team level, and (4) employees become isolated from the security division.
Although not compliant with official policy, and sometimes not as secure as employees believe, shadow security practices reflect a working compromise between security and getting the job done. Their emergence signals the presence of unusable security mechanisms. Such mechanisms lead to errors and workarounds that create vulnerabilities, to people ignoring security advice, and to systemic non-compliance, all of which act as noise that makes genuine attacks harder to detect in systems.
Security management should not ignore shadow security. Organizations must be able to recognize when, where, and how shadow security practices are created. Once identified they should not be treated as a problem, but rather as an opportunity to identify shortfalls in current security implementations that can be leveraged to provide more effective security solutions.
This can be done by taking the following steps:
- Simplifying compliance with security
- Measuring the effectiveness of security mechanisms after deployment
- Engaging users when designing security solutions
- Giving team managers the responsibility of acting as mediators for security and as a conduit for feedback from users on whether security processes support or hinder productive tasks
- (Kirlappos 2014) Kirlappos, Iacovos, Simon Parkin, and M. Angela Sasse (2014). Learning from “Shadow Security”: Why understanding noncompliant behaviors provides the basis for effective security. Workshop on Usable Security (USEC), San Diego, CA. Proceedings paper. doi:10.14722/usec.2014.23. Analysis of in-depth interviews with employees of multinational organizations about security noncompliance. Reveals instances in which employees created alternative shadow security mechanisms that allowed them to complete their work and feel that they were working securely, despite not following official policies and procedures. Suggests that lessons learned from shadow security workarounds can be used to create more workable security solutions in the future.
- (Kirlappos 2015) Kirlappos, Iacovos, Simon Parkin, and M. Angela Sasse (2015). “Shadow Security” as a tool for the learning organization. ACM SIGCAS Computers and Society, 45 (1), 29-37. doi:10.1145/2738210.2738216.
- (Jon L 2017) Jon L. (2017). People: the unsung heroes of cyber security. National Cyber Security Centre. Video. Discusses the need to make cybersecurity people-centered in order to defeat cybercriminals. Argues that good user experiences are essential to making it easy for employees to comply with cybersecurity guidelines, rules, and regulations.