Sarkar is a behavioral information systems (IS) researcher focusing on IT security, health information technology, organizational processes, agile development, and IT governance. He employs both qualitative and quantitative methodologies in his research. His work has appeared in premier IS journals such as Information Systems Research (ISR), Journal of Management Information Systems (JMIS), European Journal of Information Systems (EJIS), and Information Systems Journal (ISJ). He has over two decades of industry experience holding senior management positions in the IT organizations of large multinational corporations such as GEC, Novell, Hutchison Whampoa, and ABN AMRO Bank. Before he moved to research and academia permanently, he headed the IT delivery group for the Indian operations of Royal Bank of Scotland as Vice President, Head of Infrastructure and Shared Delivery.
Employees and Internet Security Policies
The frequency and cost of data breaches have been increasing dramatically in recent years. A majority of these cases happen because humans are the weakest link in the security chain, and non-compliance with information security policies by employees is one of the most important contributing factors.
My colleagues and I wanted to understand why certain employees in an organization were more likely than others to violate (or not comply with) information security policies, also known as ISPs.
We sought to determine how subcultures influence ISP compliance. We focused on ISP compliance within three subcultures found in a hospital setting – physicians, nurses and support staff.
Every organization has a culture that is typically set by top management. But within that, you have subcultures among different professional groups. Each of these groups is trained in a different way and is responsible for different tasks. First, we found that each subculture within an organization responds differently to the organization-wide ISP. Second, employees tend to violate ISPs that are not grounded in the realities of their work responsibilities and priorities. Both of these leave organizations vulnerable and open to a higher possibility of data breaches.
We recommend an overhaul of the design and implementation of ISPs, and working with employees to design ISPs that integrate seamlessly into their day-to-day tasks.
Information security professionals should have a better understanding of the day-to-day tasks of each professional group in an organization, and then find ways to design ISPs that do not impede their daily job tasks. It is critical that we find ways to redesign ISP systems and processes in order to create less friction. For example, in the context of a hospital setting, I recommend touchless proximity-based authentication mechanisms which could automatically lock or unlock workstations when an employee approaches or leaves a workstation.