Abstract
Workarounds are often a necessary response to obstructions or inefficiencies within organisations. Their utilisation could, however, introduce information security risk into an organisation. It is, therefore, important for organisations to firstly identify, then determine the reasons for information security workarounds, and how to assess the potential risk they pose to the organisation. Workarounds are generally triggered by human factors which can be explained with the Protection Motivation Theory, as well as environmental influences that exist within an organisation. This is shown in the paper using a flowchart to illustrate the decision-making process of employees regarding information security workarounds. Having understood why workarounds occur within a particular organisation, the value of their information security risk can be determined using a Risk Assessment Matrix for information security workarounds and an accompanying Information Security Workaround Risk Index. Using the tools proposed in this paper, information security officers can respond appropriately to information security workarounds and, where necessary, make modifications to their information security policies, depending on the potential risk associated with the identified information security workarounds.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Ajzen, I.: The theory of planned behavior. In: Handbook of Theories of Social Psychology, vol. 1, pp. 438–459 (2012). https://doi.org/10.4135/9781446249215.n22
Alter, S.: Theory of workarounds. Commun. Assoc. Inf. Syst. 34(1), 1041–1066 (2014). https://doi.org/10.17705/1CAIS.03455
Bagayogo, F., Beaudry, A., Lapointe, L.: Impacts of IT acceptance and resistance behaviors: a novel framework. In: International Conference on Information System, ICIS 2013, vol. 3, pp. 2077–2095 (2013). Theme: Reshaping Society Through Information Systems Design
Beautement, A., Sasse, M.A., Wonham, M.: The compliance budget: Managing security behaviour in organisations. In: Proceedings of the New Security Paradigms Workshop, pp. 47–58 (2009). https://doi.org/10.1145/1595676.1595684
Burns, A.J., Young, J., Roberts, T., Courtney, J., Ellis, T.S.: Exploring the role of contextual integrity in electronic medical record (EMR) system workaround decisions: an information security and privacy perspective. AIS Trans. Hum. Comput. Interact. 7(3), 142–165 (2015). https://doi.org/10.17705/1thci.00070
Friedman, A., et al.: A typology of electronic health record workarounds in small-to-medium size primary care practices. J. Am. Med. Inf. Assoc.21(E2) (2014). https://doi.org/10.1136/amiajnl-2013-001686
Ifinedo, P.: Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory. Comput. Secur. 31(1), 83–95 (2012). https://doi.org/10.1016/j.cose.2011.10.007
Ignatiadis, I., Nandhakumar, J.: The effect of ERP system workarounds on organizational control: an interpretivist case study. Scand. J. Inf. Syst. 21(2), 59–90 (2009)
Kobayash, M., Fussell, S.R., Xiao, Y., Seagull, F.J.: Work coordination, workflow, and workarounds in a medical context. In: Conference on Human Factors in Computing Systems, pp. 1561–1564 (2005). https://doi.org/10.1145/1056808.1056966
Koppel, R., Smith, S., Blythe, J., Kothari, V.: Workarounds to computer access in healthcare organizations: you want my password or a dead patient? Stud. Health Technol. Inform. 208, 215–220 (2015). https://doi.org/10.3233/978-1-61499-488-6-215
Lalley, C., Malloch, K.: Workarounds: the hidden pathway to excellence. Nurse Lead. 8(4), 29–32 (2010). https://doi.org/10.1016/j.mnl.2010.05.009
Maddux, J.E., Rogers, R.W.: Protection motivation and self-efficacy: a revised theory of fear appeals and attitude change. J. Exp. Soc. Psychol. 19(5), 469–479 (1983). https://doi.org/10.1016/0022-1031(83)90023-9
Patterson, E.S.: Workarounds to Intended use of health information technology: a narrative review of the human factors engineering literature. Hum. Factors 60(3), 281–292 (2018). https://doi.org/10.1177/0018720818762546
Röder, N., Wiesche, M., Schermann, M., Krcmar, H.: Why managers tolerate workarounds - the role of information systems. In: 20th Americas Conference on Information Systems, AMCIS 2014, pp. 1–13 (2014)
Sadok, M., Alter, S., Bednar, P.: It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs. Inf. Comput. Secur. 28(3), 467–483 (2020). https://doi.org/10.1108/ICS-01-2019-0010
ISO/IEC: ISO/IEC 27005: 2012 International Organization for Standardization—Information technology—Security techniques—Information security risk management, International Organization for Standardization (2012)
Shapiro, S.P.: Agency theory. Ann. Rev. Sociol. 31, 263–284 (2005). https://doi.org/10.1146/annurev.soc.31.041304.122159
Thomson, K.L., von Solms, R.: Towards an information security competence maturity model. Comput. Fraud Secur. 2006(5), 11–15 (2006). https://doi.org/10.1016/S1361-3723(06)70356-6
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 IFIP International Federation for Information Processing
About this paper
Cite this paper
Slabbert, E., Thomson, KL., Futcher, L. (2021). Towards a Risk Assessment Matrix for Information Security Workarounds. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2021. IFIP Advances in Information and Communication Technology, vol 613. Springer, Cham. https://doi.org/10.1007/978-3-030-81111-2_14
Download citation
DOI: https://doi.org/10.1007/978-3-030-81111-2_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-81110-5
Online ISBN: 978-3-030-81111-2
eBook Packages: Computer ScienceComputer Science (R0)