Numb. Confused.

I just finished reading/proofing Scott's dissertation.

It's actually fascinating stuff. He starts with pointing out that while organizational computer security measures are usually concentrated on technical solutions, anything that's in place can easily be compromised if people who work for the organization don't follow security policies. He's right — be honest now — how many of you have jotted down a hard-to-remember have-to-change-it-every-three-months password on a Post-It and stuck it to the front of your monitor?

Then he goes into his research question: why don't people follow security procedures? What factors influence people's decisions whether or not to follow procedures?

After over 150 pages of truly mind-numbing literature review, methodology, data collection details and construct reliability and validity (gack!), he gives his conclusions — among them, that people consider punishment for not following procedures to be more motivational than reward for following them (interesting), that there's a high prevalence of apathy (probably because the IS people who make up the policies don't have day-to-day management responsibilities for the people who are supposed to follow them), and that the way people perceive risk and what they actually do about it have a really, really dysfunctional relationship.

The end is in sight — defense scheduled for July 11th. It's not really a spectator sport (though technically it's open to everybody). Maybe I'll invite people after all, and we can sit in the back and do the wave.

Go Scott!

Sarah said...

Totally Jealous. I would like to sit in the back and make funny faces.