Staff ignore good cyber security practices if systems and policies are badly designed - report

Organisations need to improve their security practices to encourage staff to adhere to them, claims Government Office for Science report

A report by Northumbria University for the Government Office for Science has suggested that staff will ignore good cyber security practice if an organisation's systems and policies are badly designed.

The report suggests that many organisations need to to take a closer look at their policies and procedures if they are to ensure that staff take computer security seriously.

"Security should not rely on the knowledge and behaviours of end-users and attempts should continue to be made to ensure people are secure by default," claimed the report. "One of the main reasons that users do not behave optimally is that security systems and policies are poorly designed."

"If a security system is difficult to use, users will make mistakes when using it and/or find ways to avoid it. If a security policy includes behaviours that no one is expected to comply with, then compliance with other parts of the policy will be weakened. It is essential for security and privacy practices to be designed into a system from the very beginning.

"This requires a coordinated effort from government, security specialists and application developers to ensure an effective end-to-end solution," it continued.

The report provided a host of reasons why staff don't comply with security best practices. These included:

* The need to be connected at all times outweighs any of the risk;
* People have become accustomed to habitually clicking "yes" or "accept" in dialogue boxes;
* Convenience always wins out over security;
* The effort required is too high - the need to remember scores of different passwords, for example, encourages people to re-use the same one against security best-practice;
* Staff under-estimate the risks;
* Staff share machines and, hence, passwords - which they often re-use on many different sites and/or systems;
* People over-estimate their ability to perceive and understand the security threats;
* Lack of clear links between inadequate security behaviour and the consequences.

"Mass communication is required to make people aware of the risks and the actions they should take in response," according to the report. "However this can backfire if users start to perceive it as scare mongering and never experience consequences... Knowledge and awareness is a prerequisite to change but not necessarily sufficient and must be implemented in conjunction with other influencing strategies."