Washington, February 10 : Notwithstanding how sophisticated the IT system becomes in future, safeguarding sensitive information may never be foolproof, suggests a study.
Researchers at Leeds University Business School analysed the findings of a survey they carried out, and came to the conclusion that no matter what steps an organisation takes, they will always run the risk of being compromised by human psychology and the way they perceive risk on a day-to-day basis
"Our research shows that organisations will never be able to remove all latent risks in the protection and security of data held on IT systems, because our brains are wired to work on automatic pilot in everyday life," says Professor Gerard Hodgkinson, Director of the Centre for Organisational Strategy, Learning and Change (COSLAC).
"People tend to conceptualise the world around them in a simplified way. If we considered and analysed the risks involved in every permutation of every situation, we'd never get anything done! If I make a cup of tea, I don't stop to weigh up the probability of spilling boiling water on myself or choking on the drink," he adds.
All participants in the survey regularly used IT systems in the course of their work. The researchers asked them to list examples of possible data security risks, either imagined or from their own personal experiences.
A further group were asked to comment on the probability, underlying causes and likely consequences and impacts of the most commonly described scenarios.
The researchers revealed that despite the survey data being collected over a period of two years, many of the risk examples envisaged by the study participants ironically matched, with surprising accuracy, some of the recent security lapses relating to information technology.
With reference to such recent IT lapses, the researchers highlighted the loss of a CD by HM Revenue and Customs in November 2007 containing personal and financial details of over seven-million families claiming child benefit, and loss of over 4,000 NHS smartcards that gave potential computer access to patient records.
"The results showed that when asked to focus on potential problems, employees seemingly exhibit a highly sophisticated perception and categorisation of risk, and insight as to the consequences of risky scenarios. However, this perception isn't always translated into practice and elementary errors are still happening - and will continue to happen," says the study's co-author, Dr. Robert Coles.
The authors say that the results are useful for highlighting blind spots in what workers perceive as risk and probability, which will enable organisations to improve their induction and training processes.
The research also highlights the need to pay closer attention to the design of information security processes themselves, they say.
"Perhaps organisations should consider involving the potential users when developing crucial business processes. A well-designed system should not allow these mistakes to be made. We need more triggers and mechanisms in the workplace that make us stop and think before we act," says Dr Coles.
Published in the international journal Risk Analysis, this is the first research in which risk perception has been specifically analysed in terms of workplace information security.