Abstract

Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Employees will have limited resources for identifying optimal security-related choices, and must consider options alongside other workplace pressures. Reconciling traditional economics and behavioural economics can identify misalignments – current approaches to security behaviour provisioning mirror rational-agent economics, even where behavioural economics is encapsulated in the promotion of security behaviours. We present a framework for ‘good enough’ decisions about security-related behaviours, to support the bounded security decision-making of employees. The capacity of the framework to identify sustainable security behaviours is also discussed, to consider policy concordance (negotiation of workable behaviours) and ‘no blame’ security cultures. The framework is also considered in the context of provisioning for employees in smaller businesses, and home user security.