Blaming Noncompliance Is Too Convenient: What Really Causes Information Breaches?

Security&Privacy
2012
Issue No. 3 - May-June
Abstract - Blaming Noncompliance Is Too Convenient: What Really Causes Information Breaches?

	This Article
	Subscribers, please Login Purchase article: $19 PDF HTML RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/EndNote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Karen Renaud

Blaming Noncompliance Is Too Convenient: What Really Causes Information Breaches?

May-June 2012 (vol. 10 no. 3)

pp. 57-63

	ASCII Text	x
	Karen Renaud, "Blaming Noncompliance Is Too Convenient: What Really Causes Information Breaches?," IEEE Security & Privacy, vol. 10, no. 3, pp. 57-63, May-June, 2012.

	BibTex	x
	@article{ 10.1109/MSP.2011.157, author = {Karen Renaud}, title = {Blaming Noncompliance Is Too Convenient: What Really Causes Information Breaches?}, journal ={IEEE Security & Privacy}, volume = {10}, number = {3}, issn = {1540-7993}, year = {2012}, pages = {57-63}, doi = {http://doi.ieeecomputersociety.org/10.1109/MSP.2011.157}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - MGZN JO - IEEE Security & Privacy TI - Blaming Noncompliance Is Too Convenient: What Really Causes Information Breaches? IS - 3 SN - 1540-7993 SP57 EP63 EPD - 57-63 A1 - Karen Renaud, PY - 2012 KW - information breaches KW - compliance KW - policies KW - computer security KW - information security VL - 10 JA - IEEE Security & Privacy ER -

Karen Renaud, University of Glasgow, Glasgow

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2011.157

Web Extra: View Supplemental Material (.pdf)

Information breaches demand a vigorous response from organizations. The traditional response is to institute policies to constrain and control employee behavior. Information security policies inform employees about appropriate uses of information technology in an organization. Unfortunately, limited evidence exists that such policies effectively reduce confidentiality breaches or information loss. This article explores the possible reasons for this and reports on a survey aiming to detect the presence of these factors in a UK National Health Service health board. This article argues that you must pay attention to the entire system, instead of focusing merely on individuals in the system. The survey shows how the pressures on the organization's staff members and the rules imposed by the policies often place staff in an impossible or untenable position. They sometimes feel this leaves them no option but to break the rules just to do their work. The Web extra is a list of additional resources.

1. CSI Computer Crime and Security Survey, Computer Security Inst., 2009.
2. P.F. Drucker, "Management and the World's Work," Harvard Business Rev., Sept. 1988, pp. 65–76.
3. C. Vermeulen and R. von Solms, "The Information Security Management Toolbox—Taking the Pain out of Security Management," Information Management & Computer Security, vol. 10, no. 3, 2002, pp. 119–125.
4. M.E. Thomson and R. von Solms, "Information Security Awareness: Educating Your Users Effectively," Information Management & Computer Security, vol. 6, no. 4, 1998, pp. 167–173.
5. P. Mascini, "The Blameworthiness of Health and Safety Rule Violations," Law & Policy, vol. 27, no. 3, 2005, pp. 472–490.
6. A. Adams and M.A. Sasse, "Users Are Not the Enemy: Why Users Compromise Security Mechanisms and How to Take Remedial Measures," Comm. ACM, vol. 42, no. 12, 1999, pp. 40–46.
7. D. Florêncio and C. Herley, "A Large-Scale Study of Web Password Habits," Proc. 16th Ann. Conf. World Wide Web (WWW 07), ACM, 2007, pp. 657–666.
8. J. Finegan, "The Impact of Personal Values on Judgments of Ethical Behaviour in the Workplace," J. Business Ethics, vol. 13, no. 9, 1994, pp. 747–755.
9. J.E. Driskell and E. Salas, Stress and Human Performance, Lawrence Erlbaum, 1996.
10. E.B. Dent and S. Galloway Goldberg, "Challenging 'Resistance to Change,'" J. Applied Behavioral Science, vol. 35, no. 1, 1999, pp. 25–41.
11. K. Höne and J.H.P. Eloff, "What Makes an Effective Information Security Policy?," Network Security, June 2002, pp. 14–16.
12. J.K. White and R.A. Ruh, "Effects of Personal Values on the Relationship between Participation and Job Attitudes," Administrative Science Q., vol. 18, no. 4, 1973, pp. 506–514.
13. A.E. Bauman et al., "Asthma Information: Can It Be Understood?," Health Education Research, vol. 4, no. 3, 1989, pp. 377–382.
14. P. Slovic and A. Tversky, "Who Accepts Savage's Axiom?," Behavioral Science, vol. 19, no. 6, 1974, pp. 368–373.
15. A. Degani, "Pilot Error in the 90s: Still Alive and Kicking," keynote address at 44th Ann. Meeting Flight Safety Foundation/Nat'l Business Aviation Assoc. (FSF/NBAA 99), 1999; http://ti.arc.nasa.gov/m/profile/adegani Pilot%20Error%20in%20the%2090s.pdf.
1. E.M. Madigan, C. Petrulich, and K. Motuk, "The Cost of Non-compliance: When Policies Fail," Proc. 32nd Ann. ACM SIGUCCS Fall Conf. (SIGUCCS 04), ACM, 2004, pp. 47-51.
2. M.E. Thomson and R. von Solms, "Information Security Awareness: Educating Your Users Effectively," Information Management & Computer Security, vol. 6, no. 4, 1998, pp. 167-173.
3. G.A. Cohen, Rescuing Justice and Equality, Harvard Univ. Press, 2008.
4. P. Mascini, "The Blameworthiness of Health and Safety Rule Violations," Law & Policy, vol. 27, no. 3, 2005, pp. 472-490.
5. K. Dismukes, B.A. Berman, and D. Loukopoulos, The Limits of Expertise: Rethinking Pilot Error and the Causes of Airline Accidents, Ashgate, 2007.
6. J.E. Driskell and E. Salas, Stress and Human Performance, Lawrence Erlbaum, 1996.
7. C. Perrow, Normal Accidents, Princeton Univ. Press, 1999.
1. E.M. Madigan, C. Petrulich, and K. Motuk, "The Cost of Non-compliance: When Policies Fail," Proc. 32nd Ann. ACM SIGUCCS Fall Conf. (SIGUCCS 04), ACM, 2004, pp. 47-51.
2. M.E. Thomson and R. von Solms, "Information Security Awareness: Educating Your Users Effectively," Information Management & Computer Security, vol. 6, no. 4, 1998, pp. 167-173.
3. G.A. Cohen, Rescuing Justice and Equality, Harvard Univ. Press, 2008.
4. P. Mascini, "The Blameworthiness of Health and Safety Rule Violations," Law & Policy, vol. 27, no. 3, 2005, pp. 472-490.
5. K. Dismukes, B.A. Berman, and D. Loukopoulos, The Limits of Expertise: Rethinking Pilot Error and the Causes of Airline Accidents, Ashgate, 2007.
6. J.E. Driskell and E. Salas, Stress and Human Performance, Lawrence Erlbaum, 1996.
7. C. Perrow, Normal Accidents, Princeton Univ. Press, 1999.

Index Terms:

information breaches, compliance, policies, computer security, information security

Citation:

Karen Renaud, "Blaming Noncompliance Is Too Convenient: What Really Causes Information Breaches?," IEEE Security & Privacy, vol. 10, no. 3, pp. 57-63, May-June 2012, doi:10.1109/MSP.2011.157

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.

Print and Online Advertising Opportunities