On Security Guidelines and Policy Compliance: Considering Users’ Need for Autonomy

AutorOlt, Christian M.; große Deters, Fenne
ArtConference Proceedings
AbstraktRecent studies raise the concern that the regular communication of security guidelines and policies and their updates is not always the best option for organizations to protect information system's security. Users show symptoms of being frustrated or overwhelmed by security guidelines and consequently either ignore policies or actively pursue workarounds. Our aim is first, to understand the affective states of employees being confronted with security-related guidelines and the reasons for negative emotions. Second, we develop a communication strategy for security policies that avoids negative affective states and reduces the chance of security policies being ignored or worked around to foster compliance. In this paper, we introduce a framework by connecting the theories of security fatigue, psychological reactance, and the elaboration likelihood model. Our framework moreover considers different strategies to communicate security guidelines or policies. Finally, we draft an experimental setup to empirically evaluate our research model.