Sensitive data 'impossible' to protect

Organisations will always run the risk of being compromised by human psychology

No matter how sophisticated a company's IT system is it is impossible completely to protect sensitive information, UK researchers warned today.

Researchers at Leeds University Business School claimed that organisations will always run the risk of being compromised by human psychology.

The research was led by Professor Gerard Hodgkinson, director of the Centre for Organisational Strategy, Learning and Change at Leeds University.

"Our research shows that organisations will never be able to remove all latent risks in the protection and security of data held on IT systems, because our brains are wired to work on automatic pilot in everyday life," he said.

"People tend to conceptualise the world around them in a simplified way. If we considered and analysed the risks involved in every permutation of every situation we would never get anything done.

"If I make a cup of tea, I do not stop to weigh up the probability of spilling boiling water on myself or choking on the drink."

The research polled individuals who regularly use IT systems in the course of their work. They were asked to list examples of possible data security risks, either imagined or from their own personal experience.

A further group were asked to comment on the probability, underlying causes and likely consequences and impacts of the most commonly described scenarios.

Despite the survey data being collected over a period of two years, many of the risk examples envisaged by the study participants matched some of the recent security lapses relating to IT with surprising accuracy.

"The results showed that when asked to focus on potential problems, employees seemingly exhibit a highly sophisticated perception and categorisation of risk, and insight as to the consequences of risky scenarios," said report co-author Dr Robert Coles.

"However, this perception is not always translated into practice, and elementary errors are still happening and will continue to happen."

The authors maintain that the results are useful for highlighting blind spots in what workers perceive as 'risk' and 'probability', which will enable organisations to improve induction and training processes.

The research also highlights the need to pay closer attention to the design of information security processes.

"Perhaps organisations should consider involving the potential users when developing crucial business processes," said Dr Coles.

"A well designed system should not allow these mistakes to be made. We need more triggers and mechanisms in the workplace that make us stop and think before we act."