2 Fast 2 Secure: A Case Study of Post-Breach Security Changes

Title: 2 Fast 2 Secure: A Case Study of Post-Breach Security Changes
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Demjaha, A., Caulfield, T., Sasse, M. Angela, Pym, D.
Conference Name: 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
Keywords: Companies, Data analysis, Data Breach, employees, financial data processing, financial investment, humble inquiry, Interviews, Investment, organisational aspects, organization security division, participatory action research, Personnel, policy-based governance, post-breach security, post-breach security changes, Productivity, pubcrawl, security behaviour, security breach, security controls, security culture, security division, security of data, security policies, Security Policies Analysis, security theatre, Task Analysis, zero risk appetite
Abstract: A security breach often makes companies react by changing their attitude and approach to security within the organization. This paper presents an in-depth case study of post-breach security changes made by a company and the consequences of those changes. We employ the principles of participatory action research and humble inquiry to conduct a long-term study with employee interviews while embedded in the organization's security division. Despite an extremely high level of financial investment in security, and consistent attention and involvement from the board, the interviews indicate a significant level of friction between employees and security. In the main themes that emerged from our data analysis, a number of factors shed light on the friction: fear of another breach leading to zero risk appetite, impossible security controls making non-compliance a norm, security theatre undermining the purpose of security policies, employees often trading off security with productivity, and as such being treated as children in detention rather than employees trying to finish their paid jobs. This paper shows that post-breach security changes can be complex and sometimes risky due to emotions often being involved. Without an approach considerate of how humans and security interact, even with high financial investment, attempts to change an organization's security behaviour may be ineffective.
Citation Key: demjaha_2_2019