Research finds that non-compliance with security is "almost always" because the employees found the security tasks created too much friction.
In organizations, there is one thing that is often slowing everything down and causing everyone unnecessary frustration. It is also the leading reason why employees engage in risky and non-compliant behavior [1]. That thing is “friction”.
Friction is when an employee loses time searching for the right file, has trouble running essential apps, is disrupted by software upgrades, or struggles to remember all their passwords. Whenever an employee has to put in effort to use technology for work (or to get the technology to work), that effort is friction. Processes and procedures that are overly complicated, poorly documented or difficult to find also cause friction for employees.
Having to log on to different systems and software using usernames and passwords not only increases the risk of reused passwords and poor password hygiene (a high security risk), it also takes time. If, on average, it takes 30 seconds per system per employee, and each employee must log in to an average of 15 systems, that means every employee “wastes” 4 minutes and 30 seconds every day. Double that if they have to log in after lunch too. In an organization with 10 000 employees, that means 45 000 minutes (750 hours) are wasted every day.
Almost anything can cause friction for employees, and that is just one example. However, for this there is a simple solution. Replace those log-in systems with a single-sign-on solution and, even if you’d have to pay for licenses and may need some investment in setting it up properly, you will start saving time and money immediately, across the whole organization.
Studies that investigate why employees do not comply with security policies find that it is almost always because the employees found the security tasks created too much friction. In other words: employees feel that many security-related tasks get in their way when they are trying to complete their main production tasks. Only occasionally do these studies find that employees are unaware of risks or of secure behaviors. [1]
From issues with password complexity demands and password sharing to cumbersome workflows and sign-in overload, there are numerous examples of well-intended security measures that can become a roadblock for organizations and their employees - both in terms of security and productivity.
Points of friction make things difficult and frustrating and take longer to get done, which results in missed opportunities and higher costs for the business, and could also be contributing to higher security risks. Processes that are not correct – either because they are outdated or because they never captured the actual workflow in the first place – force employees to circumvent the security controls that were added.
As part of a cultural baseline measurement (step 1 of the Praxis Process) in organizations, we will often study employees' interactions with information and technology. It helps identify areas of risk, and often leads to discoveries of poor security behaviors and implementations of policy or tech. It also allows us to understand the various IT needs of different areas of the business, uncover the strengths and weaknesses of the technology currently implemented, and learn how the existing technology might better serve the employee and simplify the task their role requires of them.
Rather than a hurdle to productivity, security should support the business and help make the jobs of its employees easier to do, more securely. Yet, all too often, security is perceived as an obstacle causing friction for the organization. This is especially true in organizations where security is an afterthought and is implemented retrospectively, if at all. Security implementations that waste time and sap people's energy cause friction, and do very little to help the Security and IT departments’ image internally.
On the other hand, being the department that helped the business improve its bottom line by raising productivity, cutting costs, and improving security – all whilst reducing the burden on individual employees – will do wonders for your internal PR.
Interested in learning more about how Praxis Security Labs can help your team? Complete our online contact request form or schedule a free consultation (30 minutes) with our advisors.
References
[1] Hielscher, J., Menges, U., Parkin, S., Kluge, A., & Sasse, M. A. (2023, August). “Employees Who Don’t Accept the Time Security Takes Are Not Aware Enough”: The CISO View of Human-Centred Security. In 32nd USENIX Security Symposium (USENIX Security 23), Boston, MA. (p. 2).