How Users Bypass Access Control – And Why: The Impact Of Authorization Problems On Individuals And The Organization

Many organizations struggle with ineffective and/or inefficient access control, but these problems and their consequences often remain invisible to security decision-makers. Prior research has focused on improving the policy-authoring part of authorization and does not consider the full range of underlying problems, and their impact on organizations. We present a study of 118 individuals’ experiences of authorization measures in a multi-national company, and their self-reported subsequent behavior. Building on recent research that applies economic models to show the impact of lack of...

Computer Security and Risky Computing Practices: A Rational Choice Perspective

Despite rapid technological advances in computer hardware and software, insecure behavior by individual computer users continues to be a significant source of direct cost and productivity loss. Why do individuals, many of whom are aware of the possible grave consequences of low-level insecure behaviors such as failure to backup work and disclosing passwords, continue to engage in unsafe computing practices? In this chapter we propose a conceptual model of this behavior as the outcome of a boundedly rational choice process. We explore this model in a survey of undergraduate students (N = 167)...