
posted by janrinok on Wednesday August 12 2015, @01:07PM
from the I-shouldn't-tell-you-this,-but dept.

Researchers from Simon Fraser University's Beedie School of Business have found that organizations implementing rules that govern confidential information (CI) can make it difficult for employees to fulfill their roles – resulting in rule breaking or bending.

Their paper, "Why and How Do Employees Break and Bend Confidential Information Protection Rules?" was co-authored by Dave Hannah, an associate professor in the Beedie School, and Kirsten Robertson, an assistant professor at the University of the Fraser Valley, and published in the spring in the Journal of Management Studies.

The study examined two high-tech organizations that enforce CI protection rules. It found that these rules sometimes proved to be restrictive for employees, forcing them to choose between rule compliance and working efficiently.

Employees were often required to break the rules in order to carry out their jobs effectively, or bend them in ways that enabled them to meet some rule requirements.

"Many organizations rely on CI – the formula for Coca Cola, for example – which they must entrust to employees to allow them to do their jobs," says Hannah.

"Yet as soon as employees know this CI they become a potential vulnerability, forcing organizations to put in place rules to protect their CI that employees must follow."

The researchers found that by implementing CI rules, organizations can create three types of tension among employees: obstruction tension, making it difficult for people to work; knowledge network tension, disrupting information flow in personal networks; and identity tension, where employees cannot fulfill the role with which they identify.

The study revealed that employees react to these types of tension by breaking or bending the rules in specific ways: shortcutting, circumventing rules that slowed work; conspiring, where they work together to get around rules; and selectively disclosing, where they allow external networks access to certain aspects of the CI.


  • (Score: 3, Insightful) by snick on Wednesday August 12 2015, @03:23PM

    by snick (1408) on Wednesday August 12 2015, @03:23PM (#221720)

    When the process to stamp something CONFIDENTIAL is ... to stamp it CONFIDENTIAL, and the process to release something without a CONFIDENTIAL stamp on it is to meet with legal, have the document reviewed for a month, and then signed off on by a director, the cafeteria menu is going to be stamped CONFIDENTIAL.

  • (Score: 2) by acid andy on Wednesday August 12 2015, @04:01PM

    by acid andy (1683) on Wednesday August 12 2015, @04:01PM (#221736) Homepage Journal

    The point is common sense says that it wouldn't really be a breach of trust nor security to bypass that release procedure for the cafeteria menu. It could be somehow worked around by, for example, not considering the menu as a company document. This is exactly what the TFA is getting at.

    Procedures only create the illusion of security anyway. Security comes from having trustworthy employees that understand why the procedures are there.

    The cafeteria menu would be a classic case where bending the rules could actually save the business a whole lot of time and money. That is if it weren't for security audit / ISO dude turning up and logging the non-conformance.

    --
    If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?
    • (Score: 1) by khallow on Wednesday August 12 2015, @10:14PM

      by khallow (3766) Subscriber Badge on Wednesday August 12 2015, @10:14PM (#221957) Journal

      Security comes from having trustworthy employees that understand why the procedures are there.

      And procedures that work and trustworthy employees that follow those procedures well enough.

      • (Score: 2) by monster on Thursday August 13 2015, @07:12AM

        by monster (1260) on Thursday August 13 2015, @07:12AM (#222158) Journal

        The problem is that if a trustworthy employee follows those procedures 99% of the time, she is still bending or breaking them 1% of the time and so, by definition, she wouldn't be trustworthy.

        The point being that in a normal world, common sense rules would be enough and there would be some leeway to doing things as long as you follow the spirit of those rules, but in many businesses common sense ruling left the building many years ago and we are stuck with this mess of ultratight rules that stand in the way of effective procedures, overzealous vigilance as an end by itself and a deep desire to have somebody else to point fingers at when the shit hits the fan.

        • (Score: 1) by khallow on Thursday August 13 2015, @02:30PM

          by khallow (3766) Subscriber Badge on Thursday August 13 2015, @02:30PM (#222310) Journal

          The problem is that if a trustworthy employee follows those procedures 99% of the time, she is still bending or breaking them 1% of the time and so, by definition, she wouldn't be trustworthy.

          Depends on how you define trustworthy and whether the procedures are only followed 99% of the time. You could even bake in the "leeway" to bend the rules so that it would be more possible to follow the rules 100% of the time.

          The point being that in a normal world, common sense rules would be enough and there would be some leeway to doing things as long as you follow the spirit of those rules, but in many businesses common sense ruling left the building many years ago and we are stuck with this mess of ultratight rules that stand in the way of effective procedures, overzealous vigilance as an end by itself and a deep desire to have somebody else to point fingers at when the shit hits the fan.

          And I think I covered that situation with my remark about "procedures that work".