When good computer users do bad things

In a perfect world, employees would always follow company online privacy and security protocols. They’d safeguard passwords, heed warnings about invalid or obsolete programming, and only use websites with valid SSL certificates.

Ross Koppel, an adjunct professor in the Department of Sociology in Penn Arts & Sciences, says that employee circumvention of online privacy and security rules is the norm, opening the door to hackers, computer malware, and viruses like the catastrophic Heartbleed Bug.

“The Heartbleed Bug shows that we only know a small percentage of the vulnerability associated with a connected world,” he says.

In research focused on health care IT, Koppel found that that doctors and nurses are required to perform workarounds when computer system rules are clunky or non-responsive to work flow.

Koppel is co-author of the study, “Circumvention of Security: Good Users Do Bad Things,” published in the journal Institute of Electrical and Electronic Engineers Security & Privacy. The report was conducted for the Army Research Office.

Koppel’s research team conducted a series of in-depth interviews with cyber-security experts, chief information and chief medical information officers, IT workers, computer users, and managers on perceptions of computer security rules, logic, protocols, norms, and actual practice. 

Workers in the study described some computer privacy and security regulations as so onerous, cumbersome, inflexible, or illogical that they created workarounds to perform their duties.

Faced with having to change passwords every 90 days, workers in the defense industry would call their help desk, say they forgot their passwords, and continue to use their old password. Employees in other industries would circumvent computer standby modes by putting Styrofoam cups over proximity detectors to trick their systems into sensing they’d never left. To circumvent a hospital’s rules that forbid the release of medical images, a doctor would take a screenshot and drop the image into a conventional and unprotected email.

“When the rules are so clunky and convoluted that even careful users are confused, then all is made much more difficult and dangerous,” Koppel says. “The obligation of IT leaders is to make cyber security sufficiently clear that average users can follow the rules and be safe.”