The largest HBO knowledge base

Inspiration in your field

Freely accessible


Influencing factors towards non-compliance in information systems : carelessness and shadow IT in the corporate workplace.

Open access

Rights: All rights reserved

Summary

IT organizations and CEOs are, and should be, very concerned about the lack of data confidentiality and the use of ‘shadow IT’ systems by employees. Data breaches may result in monetary loss, public embarrassment for the company, or even fines or imprisonment for senior management. This makes it essential that employees comply with the IT security policies. This paper presents a study that aimed to identify factors which influence the use of shadow IT, carelessness and non-compliance with data security. Since shadow IT and non-compliance can be the result of reduced spending on IT projects, the study also examined whether employees perceive that their company displays an increased focus on IT control and IT investment selectivity. Significant factors were selected through a review of the existing literature and then tested in a survey among employees of PricewaterhouseCoopers in The Netherlands and Belgium. Desk research identified factors that cause employees not to follow the IT security policies, including:
- Carelessness. Surveys indicated that most data breaches are often caused by careless or ignorant employees. Carelessness is caused by an incorrect assessment of the risk involved.
- Lack of awareness and lack of training and education. Businesses with IT security training programs in place have reduced levels of risk.
- Lack of Business – IT alignment. Poor accessibility, slow responsiveness, and a lack of dedication and of knowledge of the users’ business are drivers for employees to look for IT solutions outside the company IT department.
- Increased attention to IT Governance. This was tested as a driver for non-compliant behavior towards IT security. Stricter IT Governance results in stricter policies, stronger security measures and tighter budgets.
- Different national cultures. Research by Hofstede was used when analyzing links between national cultural dimensions and information security behavior.

The survey, which was conducted in The Netherlands and in Belgium, asked the respondents to agree or disagree with 16 statements on awareness, carelessness and compliance with IT security policies. The results showed differences in attitude and behavior by nationality, gender and age. The survey results did not establish clear links with poor Business – IT alignment or with reduced capacity or funding for IT projects (IT Governance). Dutch survey respondents showed higher assertiveness and more non-compliant behavior than Belgians. Employees from both countries would equally break the IT security policies if their boss asked them to. Women showed different IT security behavior than men. Older employees showed more compliance with these policies than younger employees.

Contrary to expectations, employees did not feel the impact of increased IT governance. Most respondents simply did not know whether less budget for IT initiatives was available than before. It was not a motive for non-compliant behavior. Overall, respondents are satisfied with the technology the IT department provides to them. However, that does not prevent them from often bending or bypassing the IT security rules whenever they are not convenient.

Based on desk research and survey results, a framework has been presented to assist in developing programs for effective security awareness training and in developing, improving, monitoring and/or rethinking the IT security guidelines. The outer layer of the model shows the influencing factors researched in this thesis. The middle layer gives the cycle for setting up policies, conducting training, monitoring compliance and reviewing policies. The core of the framework shows the four key elements of effectively communicating the policies to the end users: What, How, Why and Where.

Organisation: Hogeschool Utrecht
Programme: Master of Informatics
Department: ICT
Partner: University of Applied Sciences Utrecht Faculty Science and Engineering
Date: 2009-10-24
Type: Master
Language: English

The HBO Kennisbank holds publications from 26 universities of applied sciences