Reducing normative conflicts in information security

Wolter Pieters, Lizzie Coles-Kemp

Abstract

Security weaknesses often stem from users trying to comply with social expectations rather than following security procedures. Such normative conflicts between security policies and social norms are therefore undesirable from a security perspective. It has been argued that system developers have a "meta-task responsibility", meaning that they have a moral obligation to enable the users of the system they design to cope adequately with their responsibilities. Depending on the situation, this could mean forcing the user to make an "ethical" choice, by "designing out" conflicts. In this paper, we ask the question to what extent it is possible to detect such potential normative conflicts in the design phase of security-sensitive systems, using qualitative research in combination with so-called system models. We then envision how security design might proactively reduce conflict by (a) designing out conflict where possible in the development of policies and systems, and (b) responding to residual and emergent conflict through organisational processes. The approach proposed in this paper is a so-called subcultural approach, where security policies are designed to be culturally sympathetic. Where normative conflicts either cannot be avoided or emerge later, the organisational processes are used to engage with subcultures to encourage communally-mediated control.
Original language: Undefined
Title of host publication: Proceedings of the 2011 New security paradigms workshop, NSPW '11
Place of publication: New York
Publisher: Association for Computing Machinery (ACM)
Pages: 11-24
Number of pages: 13
ISBN (Print): 978-1-4503-1078-9
DOI: 10.1145/2073276.2073279
State: Published - Sep 2011

Keywords

  • METIS-281641
  • IR-78969
  • Subcultures
  • Normative conflicts
  • Security policies
  • Human Factors
  • EWI-20998
  • Information Security
  • Policy alignment
  • System models
  • SCS-Cybersecurity
  • CR-K.6.5
  • Meta-task responsibility

Cite this

Pieters, W., & Coles-Kemp, L. (2011). Reducing normative conflicts in information security. In Proceedings of the 2011 New security paradigms workshop, NSPW '11 (pp. 11-24). New York: Association for Computing Machinery (ACM). DOI: 10.1145/2073276.2073279

@inproceedings{384c18db74fb40a99f4e1bcd0f2d138c,
title = "Reducing normative conflicts in information security",
keywords = "METIS-281641, IR-78969, Subcultures, Normative conflicts, Security policies, Human Factors, EWI-20998, Information Security, Policy alignment, System models, SCS-Cybersecurity, CR-K.6.5, Meta-task responsibility",
author = "Wolter Pieters and Lizzie Coles-Kemp",
year = "2011",
month = "9",
doi = "10.1145/2073276.2073279",
isbn = "978-1-4503-1078-9",
publisher = "Association for Computing Machinery (ACM)",
address = "New York",
pages = "11--24",
booktitle = "Proceedings of the 2011 New security paradigms workshop, NSPW '11",
}
