Security-related behavior of PC users in organizations

This paper discusses the problems invovled in controlling the security-related behavior of personal computer users in organizations. It presents a framework for analyzing these issues and discusses how it was applied to a field study of PC users’ behavior and attitudes towards backup, documentation, data storage, and file access practices. Seventy PC users from 12 organizations in the Boston area were interviewed. The variables with the most significant relationship to security-related behavior were PC user knowledge and informal department norms. The existence of formal policies regarding PC security did not appear to be associated with security-related behavior. Interesting interactions were also revealed among formal policies, informal norms, and PC user knowledge; policies and norms are more influential when the users’ level of knowledge is low; and knowledge was found to be more influential when there are no policies and when norms are weak.