Understanding Shadow Practices: Shadow practices (the paper calls them "shadow security") are the workarounds and self-devised protections that employees adopt when they deviate from an organization's officially sanctioned security controls. Because they do not follow the written policy, they are usually classed as non-compliant or risky. A growing body of work, however, argues that such practices are not simply bad behavior: they show how security policies are actually experienced by users, and they point to where those policies could be improved.
Productive and Useful Security Behaviors: The paper by Kirlappos, Parkin, and Sasse titled “Learning from ‘Shadow Security:’ Why understanding non-compliant behaviors provides the basis for effective security” argues that shadow practices can be a source of learning for organizations. By examining why users engage in non-compliant behaviors, organizations can identify gaps in their security policies and understand the practical challenges that users face in adhering to these policies.
The authors emphasize that shadow practices often emerge because users find official security measures too cumbersome, complex, or disruptive to their workflow. For instance, if employees consistently bypass a multi-factor authentication step because it slows down their work, that is evidence the control does not fit how the work is done. Understanding the reasons behind such behavior lets an organization redesign the control to be more usable, which encourages compliance without sacrificing security. The caveat is that a workaround is still a workaround: the organization should assess what risk the shadow practice introduces and preserve the security property the original control provided, rather than simply legitimizing the bypass.
Key Arguments from the Paper:
- Non-compliance as Feedback: The paper highlights that non-compliant behavior should not be dismissed as mere disobedience. Instead, it should be seen as feedback on the usability and effectiveness of current security measures.
- Bridging the Gap: Shadow practices can help bridge the gap between security policy design and real-world application. By studying these practices, security professionals can develop a more nuanced understanding of how to create security measures that are both secure and practical.
- Encouraging Collaboration: The authors suggest that instead of punishing non-compliance, organizations should collaborate with users to identify the root causes of shadow practices and work together to find solutions that enhance security while also being mindful of user needs.
Further Reading and Book Reference: For those interested in exploring this topic further, the paper by Kirlappos et al. is a valuable resource. It appeared at the 2014 Workshop on Usable Security (USEC 2014), co-located with NDSS and published by the Internet Society.
Additionally, for a broader understanding of the human aspects of cybersecurity, consider reading:
- “People-Centric Security: Transforming Your Enterprise Security Culture” by Lance Hayden (ISBN: 978-0071846776). This book delves into how security cultures can be shaped by understanding and addressing user behavior, including non-compliance.
- “Security Behavior: An Organizational Perspective” by Sarah Spiekermann. This book discusses how organizational culture and user behavior intersect with security practices.
These resources provide a comprehensive view of the importance of understanding user behavior in the context of cybersecurity and offer practical advice on how to create security policies that users are more likely to follow.