Strategies for working with shadow practices

Understanding Shadow Practices: Shadow practices refer to unauthorized actions or behaviors within an organization that bypass official security policies and procedures. Examples include the use of unauthorized software (shadow IT), storing sensitive data on personal devices (shadow data), and sharing credentials without approval (shadow access). Because these practices sit outside official channels, they increase the risk of data breaches and regulatory violations and weaken the organization's overall security.

Risks of Shadow Practices:

  • Increased Attack Surface: Shadow practices introduce vulnerabilities that may be exploited by attackers.
  • Weakened Security Posture: Unauthorized behaviors can undermine the organization’s security framework.
  • Regulatory Violations: Bypassing official channels may lead to non-compliance with legal or regulatory requirements.

Discouraging Shadow Practices: To address and mitigate shadow practices, organizations need to influence user behavior and discourage the adoption of such practices. This can be done by understanding the reasons behind these practices and designing targeted interventions.

Behavior Change Intervention Steps:

  1. Problem Identification: Define the specific shadow behavior, identify the target population, and establish desired behaviors. For example, unauthorized application use may stem from users needing specific functionalities that official applications do not provide.
  2. Context/Environment Analysis: Investigate the extent and context of shadow practices, considering factors like security culture, usability issues, and user motivations. Understanding the environment helps tailor interventions to be effective within the given organizational context.
  3. Designing the Intervention: Using behavioral theories and models (such as EAST and MINDSPACE), design solutions that address the root causes of shadow practices. This might include providing alternative tools that meet user needs or creating persuasive messages that encourage compliance.
  4. Implementation: Put the intervention into action, ensuring that it is practical and aligned with the organizational context. Monitor metrics such as the reduction in shadow IT use to assess its impact.
  5. Impact Evaluation: Measure the direct and indirect effects of the intervention using both quantitative data (e.g., reduced unauthorized application usage) and qualitative data (e.g., user feedback on the intervention).
  6. Final Evaluation: Analyze the success of the intervention by comparing pre- and post-intervention behaviors. Adjust the approach if necessary, considering user feedback and the overall effectiveness of the intervention.

Book References:

  • “Security Behavior: An Organizational Perspective” by Sarah Spiekermann (ISBN: 978-1107064915) explores how organizational culture and user behavior intersect with security practices.
  • “People-Centric Security: Transforming Your Enterprise Security Culture” by Lance Hayden (ISBN: 978-0071846772) provides insights into shaping security cultures by understanding user behavior and addressing non-compliance.

These resources offer a broader understanding of how to manage shadow practices through behavior change strategies and organizational security culture.
