T 3.77 Insufficient acceptance of information security
Various circumstances can lead to a lack of acceptance of information security in an organisation or parts of an organisation, and therefore a lack of understanding of the need to impose and implement security safeguards. This could be due to any of the following reasons, for example:
- the culture of the government agency or company (along the lines of: "That's how it has always been!", "We trust our employees, so we don't have to lock anything up", "What can go wrong?", or "These security safeguards just disrupt workflows"),
- lack of role models, for example when a superior does not lead by setting a good example, or
- different social environments or cultural backgrounds ("Different countries, different customs!"). Typical problems may arise when certain user rights or even the hardware or software allocated to a user are viewed as status symbols. Restrictions in these areas may meet enormous resistance.
Examples:
- In a military environment, superiors often assume that they can order their subordinates to implement security safeguards. However, experience has also shown in these cases that employees who have not been informed of the reasons and purpose of the security safeguards will bypass them when the security safeguards are simply viewed as a hindrance to their actual duties.
- An order to only use secure passwords on a military IT system led to the implementation of a password generator. It generated random 16-character passwords that were displayed on the screen one time only for 10 seconds. This provided enough time to write the password on a note. However, since many people find it difficult to remember a password like "aN§3bGP?tz1BuH89", the notes were not destroyed as ordered and were often stored in the vicinity of the computers instead.