Dr Simon Parkin
Respecting employees as security decision-makers
Building an evidence-based roadmap
To practice secure working, employees must be supported in the workplace
Simon is an Assistant Professor in the Cybersecurity group in the Technology, Policy, and Management (TPM) faculty at the Delft University of Technology (TU Delft, Netherlands). His specialization is in human-centred security: usability and perceptions of security-related technologies, security behaviour change, security economics, and decision-making in security technology management, support, and policy.
Current research includes: multi-stakeholder perspectives on the management of employee-facing security in organizations; practitioner experiences and decisions in patching of IT systems in complex organizations; and examining how best to position security and remediation support for users of consumer IoT devices.
Employee security in the workplace has been gaining more attention over recent years, notably through employee awareness and training. Much of the focus has been on the development of secure working practices, and the provision of skills to employees to detect threats and address the associated risks. These efforts can cover behaviours such as credential management, anti-phishing training, data-sharing practices, and secure practices in outward-facing activities such as social media. Here we examine the necessary step of fitting learned security practices alongside other, non-security demands and the specifics of the working environment.
The challenges of secure working practices are recast as a need to recognise that employees must make decisions about how to fit security into their day, and as a need for information to support those decisions. Matching security tasks to work is not trivial, and everyday security is not all routine – there can be dilemmas, complexities, and unexpected events, for security just as for any other activity in the work environment. Behaviour change, security usability, risk management, and security economics will be considered together, to take a different view of how secure working fits into the workplace. This concerns not only the expectations of the security manager, but naturally also the employee and workplace support structures. There are opportunities to support the planning of secure working practices, so that workplace security is less ad hoc and instead more predictable, and ultimately more workable. Alternative approaches will be explored for making secure working workable, identifying gaps in the provision and communication of employee-facing security.