SoylentNews is people
SoylentNews
from the I-shouldn't-tell-you-this,-but dept.
Researchers from Simon Fraser University's Beedie School of Business have found that organizations implementing rules that govern confidential information (CI) can make it difficult for employees to fulfill their roles – resulting in rule breaking or bending.
Their paper, "Why and How Do Employees Break and Bend Confidential Information Protection Rules?" was co-authored by Dave Hannah, an associate professor in the Beedie School and Kirsten Robertson, an assistant professor at the University of the Fraser Valley, and published in the spring in the Journal of Management Studies.
The study examined two high-tech organizations that enforce CI protection rules. It found that these rules sometimes proved to be restrictive for employees, forcing them to choose between rule compliance and working efficiently.
Employees were often required to break the rules in order to carry out their jobs effectively, or bend them in ways that enabled them to meet some rule requirements.
"Many organizations rely on CI – the formula for Coca Cola, for example – which they must entrust to employees to allow them to do their jobs," says Hannah.
"Yet as soon as employees know this CI they become a potential vulnerability, forcing organizations to put in place rules to protect their CI that employees must follow."
The researchers found that by implementing CI rules they can create three types of tension among employees: obstruction tension, making it difficult for people to work; knowledge network tension, disrupting information flow in personal networks; and identity tension, where employees cannot fulfill the role with which they identify.
The study revealed that employees react to these types of tension by breaking or bending the rules in specific ways: shortcutting, circumventing rules that slowed work; conspiring, where they work together to get around rules; and selectively disclosing, where they allow external networks access to certain aspects of the CI.
(Score: 3, Insightful) by MrGuy on Wednesday August 12 2015, @03:26PM
The generalization of this problem is that there needs to be trust on both sides for this system to work.
Employers need to trust employees to respect the decision to designate something as confidential as something generally deserving of extra effort to secure. Employees need to trust that most items should not be considered confidential (non-confidential is the default), and that the decision to mark something as confidential was made thoughtfully and for a good reason.
It should be obvious to most employees on reading them why a confidential document is marked as such, and it should be obvious to everyone creating documents what types of things should cause them to think "should this be confidential?" When that's not true (e.g. excessive documents being designated as confidential), the trust basis erodes, and the desired behaviors won't follow.
The structural issue is that there's (in most companies) an asymmetry around the "should this be confidential?" decision that inherently erodes this trust. Often, there's no downside to an individual for designating a document as confidential that really didn't need to be marked as such - nobody walks in demanding to know why a document was over-restricted. However, there's a STRONG downside for failing to designate a document that actually contains confidential information as confidential. If confidential information leaks, and the buck stops with whoever failed to designate the document as confidential (written reprimands, firing people, etc.), then any remotely ambiguous cases will wind up marked as "confidential." Because then, hey, I'm protected. Trust in the system? Gone.
If management isn't holding up their end of the bargain, they really shouldn't expect employees will uphold theirs.