People, the Weak Link in Cyber‐security: Can Ethnography Bridge the Gap?

Information Technology (IT) professionals are racing to keep up with cyber‐security threats in the workplace. But, as any cyber‐security expert will tell you, security technology is only as good as the people who use it. And, people are a mystery to most cyber‐security professionals making them the weak link for security interventions in organizations. To broadly impact current cyber‐security awareness, interventions and education, it is crucial to understand how security is understood and applied by the users of technology. Thus, it is no surprise that more and more cyber‐security studies are focusing on the individual employee to understand computer‐user risk mediation. However, users and their actions do not exist in a vacuum, and their perceptions and subsequent behaviors regarding security risk are shaped by a vast array of beliefs, social relations and workplace practices. This paper reports on a fresh theoretical approach to cyber‐security as a group phenomenon that is well suited to ethnography. Results to date have demonstrated that communication between IT security professionals and users is not effective. Rather, this ethnographic study found that communication is breaking down between user communities and IT security departments because of mismatched understandings of the other. Each of the groups studied maintain myths and misconceptions about cyber‐security that must be addressed and dispelled within their respective communities to secure the link between people and their technology.