Detailed Information

Cited 2 times in Web of Science; cited 2 times in Scopus

Rethinking the Prevailing Security Paradigm: Can User Empowerment with Traceability Reduce the Rate of Security Policy Circumvention?

Authors
Jeon, Soohyun; Hovav, Anat; Han, Jinyoung; Alter, Steven
Issue Date
Aug-2018
Publisher
ASSOC COMPUTING MACHINERY
Keywords
Data-Centric Security; Enterprise Rights Management; Empowerment-Based ISSP; Information Security Policy Compliance; Information Security System
Citation
DATA BASE FOR ADVANCES IN INFORMATION SYSTEMS, v.49, no.3, pp 54 - 77
Pages
24
Journal Title
DATA BASE FOR ADVANCES IN INFORMATION SYSTEMS
Volume
49
Number
3
Start Page
54
End Page
77
URI
https://scholarworks.bwise.kr/cau/handle/2019.sw.cau/1911
DOI
10.1145/3242734.3242739
ISSN
0095-0033
Abstract
Information leakage is a major concern for organizations. As information travels through the organization's eco-system, perimeter-based defense is no longer sufficient. Rather, organizations are implementing data-centric solutions that persist throughout the information life-cycle regardless of its location. Enterprise rights management (ERM) systems are an example of persistent data-centric security. ERM defines specific access rules as an instantiation of organizational information security policies and has been suggested as a means of role-based access permissions control. Yet, evidence shows that employees often circumvent or work around organizational security rules and policies since these controls hinder task-performance. In this exploratory case study, we use the theory of workarounds as a lens to examine users' workaround behavior. We introduce an empowerment-based ERM system highlighting users' permission to override provisionally assigned access rules. The concept of empowered security policies is novel and presents a shift in the current security compliance paradigm. Subsequently, we compare users' compliance intention between empowered ERM users and conventional ERM users. Our descriptive results indicate that circumventing intention is lower while perceived responsibility and task-performance benefits are higher for the empowered ERM users than for the conventional ERM users. Compliance intention is higher for conventional ERM users than for empowered ERM users.
Appears in
Collections
Da Vinci College of General Education > 1. Journal Articles
