Respecting employees as security decision-makers

Building an evidence-based roadmap To practice secure working, employees must be supported in the workplace

Presentation overview

Employee security in the workplace has been gaining more attention over recent years, notably through employee awareness and training. Much of the focus has been on the development of secure working practices, and the provision of skills to employees to detect threats and address the associated risks. These efforts can cover behaviours such as credential management, anti-phishing training, data-sharing practices, and secure practices in outward-facing activities such as social media. Here we examine the necessary step of fitting learned security practices alongside other, non-security demands and the specifics of the working environment.

The challenges of secure working practices are recast, as a need to recognise that employees must make decisions about how to fit security into their day, and the need for information to support those decisions. Matching security tasks to work is not trivial, and everyday security is not all routine – there can be dilemmas, complexities, and unexpected events, for security just as for any other activity in the work environment. Behaviour change, security usability, risk management, and security economics will be considered together, to take a different view of how secure working fits into the workplace. This concerns not only the expectations of the security manager, but naturally also the employee and workplace support structures. There are opportunities to support the planning of secure working practices, so that workplace security is less ad-hoc and instead more predictable, and ultimately more workable. Alternative approaches will be explored for making secure working workable, identifying gaps in the provision and communication of employee-facing security.