Safeguarding sensitive information - no matter how sophisticated the IT system - can never be foolproof, according to research by Leeds University Business School.
The loss of a CD by HM Revenue & Customs in November 2007 containing personal and financial details of over 7 million families claiming child benefit was swiftly followed by assurances that such a mistake would never happen again. Earlier this week, an agency of the Department for Health(1) admitted that over 4,000 NHS smartcards, giving potential computer access to patient records, had been lost or stolen - and nearly a third of these in the last year alone.
But no matter what steps an organisation takes, they will always run the risk of being compromised by human psychology and the way we perceive risk on a day-to-day basis, says Professor Gerard Hodgkinson, Director of the Centre for Organisational Strategy, Learning and Change (COSLAC).
"Our research shows that organisations will never be able to remove all latent risks in the protection and security of data held on IT systems, because our brains are wired to work on automatic pilot in everyday life," he says.
"People tend to conceptualise the world around them in a simplified way. If we considered and analysed the risks involved in every permutation of every situation, we'd never get anything done! If I make a cup of tea, I don't stop to weigh up the probability of spilling boiling water on myself or choking on the drink."
Survey participants, all of whom regularly used IT systems in the course of their work, were asked to list examples of possible data security risks, either imagined or from their own personal experiences. A further group were asked to comment on the probability, underlying causes and likely consequences and impacts of the most commonly described scenarios.
Despite the survey data being collected over a period of two years, many of the risk examples envisaged by the study participants ironically matched - with surprising accuracy - some of the recent security lapses relating to information technology.
Says co-author Dr Robert Coles, "The results showed that when asked to focus on potential problems, employees seemingly exhibit a highly sophisticated perception and categorisation of risk, and insight as to the consequences of risky scenarios. However, this perception isn't always translated into practice and elementary errors are still happening - and will continue to happen."
The authors say that the results are useful for highlighting blind spots in what workers perceive as risk and probability, which will enable organisations to improve their induction and training processes.
The research also highlights the need to pay closer attention to the design of information security processes themselves. "Perhaps organisations should consider involving the potential users when developing crucial business processes," says Dr Coles. "A well designed system should not allow these mistakes to be made. We need more triggers and mechanisms in the workplace that make us stop and think before we act."
Professor Hodgkinson's research, published in the February issue of the international journal Risk Analysis, is the first time that risk perception has been specifically analysed in terms of workplace information security.
The research was funded through Prof Hodgkinson's tenure as a Senior Fellow of the ESRC/EPSRC Advanced Institute of Management programme (AIM).
For further information:
Please contact the University of Leeds Press Office on +44 (0)113 343 4031 or email email@example.com
Notes to editors:
(1) The data was released by Connecting for Health, an agency of the Department for Health charged with overseeing the Government's NHS IT upgrade. NHS staff use smartcards to access confidential patient records by keying in a six digit pin code. A total of 4,147 smartcards have been reported lost or stolen, with 1,240 since January 2007. As of 01 January 2008, a total of 429,691 smartcards have been issued to NHS staff, with the number of users eventually expected to top 1.2 million.
(2). The study used a representative sample of 55 employees who regularly used IT systems in the course of their work. A further sample of 57 employees were asked to consider the 18 most commonly described scenarios and comment on the probability, the underlying causes (whether criminal or negligent) and their potential consequences and likely impacts. These scenarios, which were subdivided into deviant/criminal acts and accidental/negligent acts included:
i. No backup of data files is made and information is lost;
ii. A computer disk or tape is lost or stolen containing secret/strategic information;
iii. Credit card numbers are stolen by a hacker
iv. personal data is mistakenly disclosed causing a breach of the Data Protection Act and a breach of Trust
v: critical information is entered incorrectly into a computer system
(3). Professor Gerard P Hodgkinson holds a senior fellowship under the ESRC/EPSRC Advanced Institute of Management Research (AIM) initiative. He is a Chartered occupational psychologist, whose expertise encompasses human cognition, thinking and reasoning - specifically the ways in which individuals and groups represent knowledge in a workplace context, and the psychology of strategic management and strategic decision making.
(4) Dr Robert Coles is an information security practitioner and Advanced Institute of Management Research (AIM) associate and is a director of the Institute of Information Security Professionals. This work was undertaken as part of his PhD.
(5). The paper, A Psychometric Study of Information Technology Risks in the Workplace, by Robert Coles and Gerard P Hodgkinson, is published in the February issue of Risk Analysis (Vol 28, No 1, 2008). A copy of the paper is available on request.
(6).The Centre for Organisational Strategy, Learning and Change (COSLAC)
was formed in 2006. Its specialised research activities endeavour to understand the processes and outcomes of strategy, learning and change within organisations. Collaborating with colleagues from other disciplines within and beyond the University of Leeds, including architects, physical and social scientists, computer engineers, economists and psychologists, COSLAC's expertise enables it to offer a uniquely wide-ranging research and consultancy service to commercial clients and partners. These include Rolls-Royce, Network Rail, John Lewis and Jaguar. http://lubswww2.leeds.ac.uk/COSLAC/
(7) The University of Leeds is one of the largest higher education institutions in the UK with more than 30,000 students from 130 countries. With an annual research income of more than £91m, Leeds is one of the top ten research universities in the UK, and a member of the Russell Group of research-intensive universities. It was recently placed 80th in the Times Higher Educational Supplement's world universities league table and the University's vision is to secure a place among the world's top 50 by 2015.