The Question Of Obedience Towards IT Security Practices


Enforcing Security Policies

To comply with global industrial standards, businesses are often required to set up internal security policies. These policies aim to regulate and make transparent the use of digital equipment, networks, and devices for work and pleasure. On some level, the policies are in place to ensure that the organisation has access to certain private employee domains and devices, while equally encouraging employee dependence on the organisation (the presumed security provider). However, all of this boils down to a common IT issue: the question of enforcing the security practices and policies in place. The basic, underlying issue here is the relevance of those policies, whether they are framed in terms of internal conceptions or external threats, to maximise the probability of obedience and narrow down the chance that someone may choose to overlook the standards in place.

Compliance Mechanics

Classic organisational obedience theories have been built upon various other theories studying the role of fear in ensuring compliance to the policies imposed by an organisation (sovereign in that context). On the other hand, Johnston and colleagues have argued that, in the context of Information Security Policy (ISP) compliance, there are various components to be added and taken into account in order to construct a coherent theory on the ISP compliance mechanics.

The conventional “Fear Appeal Theory” is based on four elements that the subjects were made aware of, and which thus encouraged behaviours that ensured compliance with the security policy. This theory suggests that if the subject becomes and stays conscious of the severity of a threat, that it will likely be triggered, and that an efficient response exists, this will lead to a maximum intent to comply with the policies in place. However, as one can see, this theory is based on violence and animality; in populistic terms it is the same as saying, “do as we say, or we will hit you hard enough that any reasonable person would make sure not to make the same mistake in order to avoid the punishment.”

Fear Appeal Framework

Johnston et al. argue that the fear appeal framework for the ISP requires more elements, namely ones related to the rhetoric set up to support the conventional elements. This ensures that the intention to comply with security policies is clearly communicated with the proper rhetoric to build up the conceptions of both the formal and informal certainty and severity of the sanctions. The division between the informal and the formal is relevant here, so as to highlight sanctions at the level of immediate peers (social pressure) rather than just organisational punishment. In this, the authors are in line with the current development of governance models away from organisational enforcement and towards persuasion by mere social pressure and attachment to one's immediate peers.

However, on the fundamental level, this framework can end up supporting coercive and violent means, and fails to consider the changing organisational settings. It takes for granted the workforce as an industrial resource, and thus validates this type of governance for particular organisations, including inducing fear and stress in people. One should heavily consider the concept of organisational security policies in this context and ask whether it adapts to, and is suitable for, modern organisations and conceptions of humanity. This type of fear-based theory lacks consideration of the effects of these types of intrusive mechanisms on an individual's creativity and character development. As such, this type of practice aims – in the old-fashioned way – to secure the organisation and its governance, rather than to provide any security for the people.

White-collar Cyberloafers

One particular compliance problem in cyber security is how to deal with employees idling in the office and misusing company Internet resources. This can lead to security issues such as worms, viruses, spyware and loss of reputation for the company network. On some level this kind of problem can be seen as belonging to the early years of networking, when white-collar workers were newly equipped with browsers and all the fun they bring along. But the issue of employees taking advantage of company resources, time or other privileges for personal gain has always existed. Now, the introduction of personal communication equipment into the workplace has once again made the discussion relevant, and a wide array of studies has been published about how to deter cyberloafers.

The fact that such studies neglect to pay attention to the prevalence of the issue in the pre-Internet era highlights contemporary concerns about identifying the governance of networked equipment, whether on a personal, organizational or state level. In a way, the research and the topic itself contribute to the building of modern cyber identities and attachments by the organization, or other self-proclaimed sovereigns, in the cyber-age. This also forms part of the thinking that would transform societies and organizations from industrial entities into mere service networks, as it aims to establish organizational governance over a phenomenon which was not developed for the organization but imposed from outside.

The Machinery of Business

Some studies have highlighted the positive aspects of personal use of communication technologies in the workplace, mostly for recreational purposes and as an important means of personal recovery (Ivarsson, Larsson 2012). However, this notion presumes the stressful nature of the work, thus building upon the old industrial idea that sees people as mere resources in the machinery of business. While other studies on the subject concentrate more on the issue of ensuring compliance (thus recognizing and imposing the authority of the organization), Ivarsson aims to highlight the idea that the use of personal communication equipment in the office is part of the overall process of change in our understanding of the nature of work. Aiming to limit and forbid its usage is therefore like forbidding people to have a cup of coffee or to take a holiday every now and then.

Ivarsson represents the school of thought that considers not only changing workplace culture, but also changes in organizations and the business environment as a whole. In fact, he concludes by suggesting that the need to govern the personal use of networked resources should be put into context. For example, the nature of the work needs to be balanced against the need to protect against the harmful effects of having access to hostile network resources, or even the possibility of illegal activity.

When considering the nature of cyberloafing, or other employee misbehaviours, one must reflect on the structure of the organization, its relation to society as a whole, and the ethical and moral values it represents. As other studies have pointed out, idling might be a result of unjust behaviour on the part of the organization itself. If employees have no agency, or no means to simply leave, they must find a way to protest silently (Lim 2002, 10.1002/job.161). In these kinds of situations, simply punishing employees might not be the way to go.

By Kristo Helasvuo
