On the possible impact of security technology design on policy adherent user behavior
Results from a controlled empirical experiment
This contribution provides results from a controlled experiment on policy compliance in work environments with restrictive security technologies. In the experimental setting, subjects formed groups and had to solve complex and creative tasks for virtual customers under increasing time pressure, while frustration and the work impediment caused by the security technology in use were measured. All subjects were briefed on the security policies in force in the experimental setting and on the consequences of violating them, as well as on the consequences of late delivery or of failing to meet the virtual customer's quality criteria. Policy breaches were observed late in the experiment, when time pressure was peaking. Subjects not only indicated maximum frustration; that frustration also showed a strong and significant correlation (.765, p<.01) with the work impediment caused by the security technology. This could indicate that user-centred design not only contributes to the acceptance of a security technology, but may also be able to positively influence practical information security as a whole.