{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T15:33:42Z","timestamp":1768404822211,"version":"3.49.0"},"reference-count":61,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2024,6,20]],"date-time":"2024-06-20T00:00:00Z","timestamp":1718841600000},"content-version":"vor","delay-in-days":171,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024,1,2]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Increasingly, organizations are acknowledging the importance of human factors in the management of security in workplaces. There are challenges in managing security infrastructures in which there may be centrally mandated and locally managed initiatives to promote secure behaviours. We apply a co-design methodology to harmonize employee behaviour and centralized security management in a large university. This involves iterative rounds of interviews connected by the co-design methodology: 14 employees working with high-value data with specific security needs; seven support staff across both local and central IT and IT-security support teams; and two senior security decision-makers in the organization. We find that employees prefer local support together with assurances that they are behaving securely, rather than precise instructions that lack local context. Trust in support teams that understand local needs also improves engagement, especially for employees who are unsure what to do. Policy is understood by employees through their interactions with support staff and when they see colleagues enacting secure behaviours in the workplace. The iterative co-design approach brings together the viewpoints of a range of employee groups and security decision-makers that capture key influences that drive secure working practices. We provide recommendations for improvements to workplace security, including recognizing that communication of the policy is as important as what is in the policy.<\/jats:p>","DOI":"10.1093\/cybsec\/tyae007","type":"journal-article","created":{"date-parts":[[2024,6,20]],"date-time":"2024-06-20T12:58:40Z","timestamp":1718888320000},"source":"Crossref","is-referenced-by-count":1,"title":["\u2018The trivial tickets build the trust\u2019: a co-design approach to understanding security support interactions in a large university"],"prefix":"10.1093","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4370-9584","authenticated-orcid":false,"given":"Albes\u00eb","family":"Demjaha","sequence":"first","affiliation":[{"name":"Department of Computer Science, University College London , Gower Street , London WC1E 6BT,","place":["United Kingdom"]},{"name":"The Alan Turing Institute , 96 Euston Rd , London NW1 2DB,","place":["United Kingdom"]}]},{"given":"David","family":"Pym","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University College London , Gower Street , London WC1E 6BT,","place":["United Kingdom"]},{"name":"Department of Philosophy, University College London , Gower Street , London WC1E 6BT,","place":["United Kingdom"]},{"name":"Institute of Philosophy, University of London , Malet St , London WC1E 7HU,","place":["United Kingdom"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7039-6472","authenticated-orcid":false,"given":"Tristan","family":"Caulfield","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University College London , Gower Street , London WC1E 6BT,","place":["United Kingdom"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6667-0440","authenticated-orcid":false,"given":"Simon","family":"Parkin","sequence":"additional","affiliation":[{"name":"Faculty of Technology, Policy and Management, Delft University of Technology , Mekelweg 5, 2628 CD Delft,","place":["The Netherlands"]}]}],"member":"286","published-online":{"date-parts":[[2024,6,20]]},"reference":[{"key":"2024121909135834400_bib1","doi-asserted-by":"crossref","first-page":"47","DOI":"10.1145\/1595676.1595684","article-title":"The compliance budget: managing security behaviour in organisations","volume-title":"Proceedings of the 2008 New Security Paradigms Workshop","author":"Beautement","year":"2008"},{"key":"2024121909135834400_bib2","doi-asserted-by":"publisher","first-page":"40","DOI":"10.1145\/322796.322806","article-title":"Users are not the enemy","volume":"42","author":"Adams","year":"1999","journal-title":"Commun ACM"},{"key":"2024121909135834400_bib3","first-page":"103","article-title":"Unpacking security policy compliance: the motivators and barriers of employees\u2019 security behaviors","volume-title":"Proceedings of the Eleventh Symposium On Usable Privacy and Security (SOUPS 2015)","author":"Blythe","year":"2015"},{"key":"2024121909135834400_bib4","doi-asserted-by":"publisher","first-page":"169","DOI":"10.1016\/j.ijhcs.2019.05.005","article-title":"Moving from a \u2018human-as-problem\u2019 to a \u2018human-as-solution\u2019 cybersecurity mindset","volume":"131","author":"Zimmermann","year":"2019","journal-title":"Int J Hum Comput Stud"},{"key":"2024121909135834400_bib5","doi-asserted-by":"publisher","first-page":"82","DOI":"10.1109\/MSP.2016.57","article-title":"Security dialogues: building better relationships between security and business","volume":"14","author":"Ashenden","year":"2016","journal-title":"IEEE Secur Priv"},{"key":"2024121909135834400_bib6","doi-asserted-by":"crossref","first-page":"33","DOI":"10.1145\/1900546.1900553","article-title":"A stealth approach to usable security: helping IT security managers to identify workable security solutions","volume-title":"Proceedings of the 2010 New Security Paradigms Workshop","author":"Parkin","year":"2010"},{"key":"2024121909135834400_bib7","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3290605.3300663","article-title":"Security managers are not the enemy either","volume-title":"Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems","author":"Reinfelder","year":"2019"},{"key":"2024121909135834400_bib8","first-page":"253","article-title":"Productive security: a scalable methodology for analysing employee security behaviours","volume-title":"Proceedings of the Twelfth Symposium on Usable Privacy and Security (SOUPS 2016)","author":"Beautement","year":"2016"},{"key":"2024121909135834400_bib9","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3171533.3171540","article-title":"Practicing a science of security: a philosophy of science perspective","volume-title":"Proceedings of the 2017 New Security Paradigms Workshop","author":"Spring","year":"2017"},{"key":"2024121909135834400_bib10","doi-asserted-by":"crossref","first-page":"259","DOI":"10.1007\/978-3-030-97124-3_22","article-title":"Meta-modelling for ecosystems security","volume-title":"Proceedings of the International Conference on Simulation Tools and Techniques","author":"Caulfield","year":"2022"},{"key":"2024121909135834400_bib11","doi-asserted-by":"crossref","first-page":"236","DOI":"10.1007\/978-3-030-97124-3_21","article-title":"Engineering ecosystem models: semantics and pragmatics","volume-title":"Simulation Tools and Techniques","author":"Caulfield","year":"2022"},{"key":"2024121909135834400_bib12","doi-asserted-by":"crossref","first-page":"739","DOI":"10.1145\/1518701.1518816","article-title":"Computer help at home: methods and motivations for informal technical support","volume-title":"Proceedings of the SIGCHI Conference on Human Factors in Computing Systems","author":"Poole","year":"2009"},{"key":"2024121909135834400_bib13","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3274361","article-title":"Caring for IT security: accountabilities, moralities, and oscillations in IT security practices","volume":"2","author":"Kocksch","year":"2018","journal-title":"Proc ACM Hum Comput Inter"},{"key":"2024121909135834400_bib14","doi-asserted-by":"crossref","first-page":"70","DOI":"10.1007\/978-3-642-41320-9_5","article-title":"\u2018Comply or Die\u2019 is dead: long live security-aware principal agents","volume-title":"Proceedings of the International Conference on Financial Cryptography and Data Security","author":"Kirlappos","year":"2013"},{"key":"2024121909135834400_bib15","doi-asserted-by":"crossref","DOI":"10.14722\/usec.2014.23007","article-title":"Learning from \u2018Shadow Security\u2019: Why understanding non-compliance provides the basis for effective security","volume-title":"Workshop on Usable Security (USEC) 2014","author":"Kirlappos","year":"2014"},{"key":"2024121909135834400_bib16","doi-asserted-by":"publisher","first-page":"40","DOI":"10.1016\/j.cose.2017.01.004","article-title":"The human aspects of information security questionnaire (HAIS-Q): two further validation studies","volume":"66","author":"Parsons","year":"2017","journal-title":"Comput Secur"},{"key":"2024121909135834400_bib17","article-title":"Information Security Inside Organizations-A Positive Model and Some Normative Arguments Based on New Institutional Economics","author":"Pallas","year":"2009","journal-title":"TU Berlin\u00a0Inf Syst Eng"},{"key":"2024121909135834400_bib18","article-title":"End user information security awareness programs for improving information security in banking organizations: preliminary results from an exploratory study","volume-title":"Proceedings of the AIS SIGSEC Workshop on Information Security and Privacy (WISP 2013), Milano","author":"Bauer","year":"2013"},{"key":"2024121909135834400_bib19","article-title":"Cyber security awareness campaigns: Why do they fail to change behaviour?","volume-title":"Proceedings of the International Conference on Cyber Security for Sustainable Society","author":"Bada","year":"2019"},{"key":"2024121909135834400_bib20","article-title":"Awareness is only the first step: a framework for progressive engagement of staff in cyber security","author":"Beyer","year":"2016"},{"key":"2024121909135834400_bib21","volume-title":"Improving Password System Effectiveness","author":"Brostoff","year":"2005"},{"key":"2024121909135834400_bib22","doi-asserted-by":"publisher","first-page":"396","DOI":"10.1016\/j.cose.2013.09.004","article-title":"CISOs and organisational culture: their own worst enemy?","volume":"39","author":"Ashenden","year":"2013","journal-title":"Comput Secur"},{"key":"2024121909135834400_bib23","first-page":"1","article-title":"Leveraging human factors in cybersecurity: an integrated methodological approach","volume":"24","author":"Pollini","year":"2021","journal-title":"Cogn Technol Work"},{"key":"2024121909135834400_bib24","article-title":"\u2018It\u2019s Problematic but I\u2019m not concerned\u2019: university perspectives on account sharing","author":"Wang","year":"2022","journal-title":"Proceedings of the CSCW 2022"},{"key":"2024121909135834400_bib25","doi-asserted-by":"publisher","first-page":"65","DOI":"10.4013\/sdrj.2018.112.03","article-title":"Holding on to dissensus: participatory interactions in security design","volume":"11","author":"Heath","year":"2018","journal-title":"Strateg Design Res J"},{"key":"2024121909135834400_bib26","doi-asserted-by":"publisher","first-page":"232","DOI":"10.1016\/j.envsoft.2018.08.028","article-title":"Tools and methods in participatory modeling: selecting the right tool for the job","volume":"109","author":"Voinov","year":"2018","journal-title":"Environ Model Softw"},{"key":"2024121909135834400_bib27","doi-asserted-by":"publisher","first-page":"95","DOI":"10.1016\/j.envsoft.2017.01.014","article-title":"Collaborative modelling or participatory modelling? A framework for water resources management","volume":"91","author":"Basco-Carrera","year":"2017","journal-title":"Environ Model Softw"},{"key":"2024121909135834400_bib28","doi-asserted-by":"publisher","first-page":"1617","DOI":"10.1068\/a43482","article-title":"Coproducing flood risk knowledge: redistributing expertise in critical \u2018participatory modelling\u2019","volume":"43","author":"Landstr\u00f6m","year":"2011","journal-title":"Environ Plan A"},{"key":"2024121909135834400_bib29","doi-asserted-by":"publisher","first-page":"196","DOI":"10.1016\/j.envsoft.2015.11.016","article-title":"Modelling with stakeholders\u2013next generation","volume":"77","author":"Voinov","year":"2016","journal-title":"Environ Model Softw"},{"key":"2024121909135834400_bib30","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-031-10183-0_6","article-title":"Found in translation: co-design for security modelling","volume-title":"Proceedings of the 11th Workshop of Socio Technical Aspects of Security (STAST)","author":"Demjaha","year":"2022"},{"key":"2024121909135834400_bib31","volume-title":"Humble Inquiry: The Gentle Art of Asking Instead of Telling","author":"Schein","year":"2021"},{"key":"2024121909135834400_bib32","first-page":"1","article-title":"One size fits all? What counts as quality practice in (reflexive) thematic analysis?","volume":"18","author":"Braun","year":"2020","journal-title":"Qual Res Psychol"},{"key":"2024121909135834400_bib33","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1016\/j.dss.2016.02.012","article-title":"Decision support approaches for cyber security investment","volume":"86","author":"Fielder","year":"2016","journal-title":"Decis Support Syst"},{"key":"2024121909135834400_bib34","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1145\/3046055.3046056","article-title":"Case study: predicting the impact of a physical access control intervention","volume-title":"Proceedings of the Sixth Workshop on Socio-Technical Aspects in Security and Trust","author":"Caulfield","year":"2016"},{"key":"2024121909135834400_bib35","doi-asserted-by":"crossref","first-page":"211","DOI":"10.1109\/SP40001.2021.00053","article-title":"SoK: quantifying cyber risk","volume-title":"Proceedings of the 2021 IEEE Symposium on Security and Privacy (SP)","author":"Woods","year":"2021"},{"key":"2024121909135834400_bib36","doi-asserted-by":"crossref","DOI":"10.1002\/9781119162315","volume-title":"How To Measure Anything In Cybersecurity Risk","author":"Hubbard","year":"2016"},{"key":"2024121909135834400_bib37","first-page":"152","article-title":"Co-design with communities. A reflection on the literature","volume-title":"Proceedings of the Seventh International Development Informatics Association Conference","author":"David","year":"2013"},{"key":"2024121909135834400_bib38","doi-asserted-by":"publisher","first-page":"369","DOI":"10.1016\/j.destud.2008.03.003","article-title":"Barriers and enablers for creating shared understanding in co-design projects","volume":"29","author":"Kleinsmann","year":"2008","journal-title":"Design Stud"},{"key":"2024121909135834400_bib39","doi-asserted-by":"crossref","first-page":"52","DOI":"10.7551\/mitpress\/8351.003.0004","article-title":"Trading with the enemy","volume-title":"Trading Zones and Interactional Expertise: Creating New Kinds of Collaboration","author":"Galison","year":"2010"},{"key":"2024121909135834400_bib40","doi-asserted-by":"crossref","first-page":"28","DOI":"10.1145\/3498891.3498895","article-title":"Change that respects business expertise: stories as prompts for a conversation about organisation security","volume-title":"Proceedings of the New Security Paradigms Workshop","author":"Parkin","year":"2021"},{"key":"2024121909135834400_bib41","first-page":"98","volume-title":"Corporate Cultures: The Rites and Rituals of Organizational Life","author":"Deal","year":"1982"},{"key":"2024121909135834400_bib42","volume-title":"Cultivating and assessing information security culture","author":"Da\u00a0Veiga","year":"2008"},{"key":"2024121909135834400_bib43","volume-title":"Organizational Culture and Leadership","author":"Schein","year":"2010"},{"key":"2024121909135834400_bib44","doi-asserted-by":"crossref","DOI":"10.2139\/ssrn.2445102","article-title":"The Menlo Report: ethical principles guiding information and communication technology research","author":"Kenneally","year":"2012"},{"key":"2024121909135834400_bib45","doi-asserted-by":"crossref","DOI":"10.1145\/3555115","article-title":"\u201cI needed to solve their overwhelmness\u201d: How system administration work was affected by COVID-19","volume-title":"Proceedings of the 25th ACM Conference on Computer-Supported Cooperative Work and Social Computing","author":"Kaur","year":"2022"},{"key":"2024121909135834400_bib46","doi-asserted-by":"publisher","first-page":"1376","DOI":"10.1108\/AAAJ-06-2020-4657","article-title":"Remote working, management control changes and employee responses during the COVID-19 crisis","volume":"34","author":"Delfino","year":"2021","journal-title":"Account Audit Accoun J"},{"key":"2024121909135834400_bib47","doi-asserted-by":"publisher","first-page":"77","DOI":"10.1191\/1478088706qp063oa","article-title":"Using thematic analysis in psychology","volume":"3","author":"Braun","year":"2006","journal-title":"Qual Res Psychol"},{"key":"2024121909135834400_bib48","volume-title":"Productive Workplaces Revisited: Dignity, Meaning, and Community in the 21st Century","author":"Weisbord","year":"2004"},{"key":"2024121909135834400_bib49","doi-asserted-by":"crossref","first-page":"112","DOI":"10.1145\/2841113.2841122","article-title":"\u201cIf you were attacked, you\u2019d be sorry\u201d Counterfactuals as security arguments","volume-title":"Proceedings of the 2015 New Security Paradigms Workshop","author":"Herley","year":"2015"},{"key":"2024121909135834400_bib50","doi-asserted-by":"crossref","DOI":"10.14722\/eurousec.2017.23007","article-title":"Finding security champions in blends of organisational culture","volume-title":"Proceedings of the Workshop on Usable Security (USEC) 2017","author":"Becker","year":"2017"},{"key":"2024121909135834400_bib51","first-page":"63","article-title":"Informal support networks: an investigation into home data security practices","volume-title":"Proceedings of the Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018)","author":"Nthala","year":"2018"},{"key":"2024121909135834400_bib52","first-page":"69","article-title":"What usable security really means: Trusting and engaging users","volume-title":"Proceedings of the International Conference on Human Aspects of Information Security, Privacy, and Trust","author":"Kirlappos","year":"2014"},{"key":"2024121909135834400_bib53","doi-asserted-by":"publisher","first-page":"84","DOI":"10.1109\/MSP.2013.142","article-title":"Everyday security: default to decency","volume":"11","author":"Molotch","year":"2013","journal-title":"IEEE Secur Priv"},{"key":"2024121909135834400_bib54","first-page":"97","article-title":"A typology of perceived triggers for {End-User} security and privacy behaviors","volume-title":"Proceedings of the Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019)","author":"Das","year":"2019"},{"key":"2024121909135834400_bib55","doi-asserted-by":"crossref","first-page":"73","DOI":"10.1145\/2841113.2841119","article-title":"Employee rule breakers, excuse makers and security champions: mapping the risk perceptions and emotions that drive security behaviors","volume-title":"Proceedings of the 2015 New Security Paradigms Workshop","author":"Beris","year":"2015"},{"key":"2024121909135834400_bib56","first-page":"1","article-title":"The boundedly rational employee: security economics for behaviour intervention support in organizations","volume":"30","author":"Demjaha","year":"2022","journal-title":"J Comput Secur"},{"key":"2024121909135834400_bib57","doi-asserted-by":"publisher","first-page":"1012","DOI":"10.1086\/677888","article-title":"Resituating knowledge: generic strategies and case studies","volume":"81","author":"Morgan","year":"2014","journal-title":"Philos Sci"},{"key":"2024121909135834400_bib58","first-page":"69","article-title":"Pragmatic security: modelling it security management responsibilities for SME archetypes","volume-title":"Proceedings of the Eighth ACM CCS International Workshop on Managing Insider Security Threats","author":"Parkin","year":"2016"},{"key":"2024121909135834400_bib59","volume-title":"Tiny Habits: The Small Changes that Change Everything","author":"Fogg","year":"2019"},{"key":"2024121909135834400_bib60","first-page":"89","article-title":"A comprehensive quality evaluation of security and privacy advice on the web","volume-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security 20)","author":"Redmiles","year":"2020"},{"key":"2024121909135834400_bib61","first-page":"1487","article-title":"Measuring up to (reasonable) consumer expectations: providing an empirical basis for holding {IoT} manufacturers legally responsible","volume-title":"Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23)","author":"Kustosch","year":"2023"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae007\/61182391\/tyae007.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae007\/61182391\/tyae007.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,12,19]],"date-time":"2024-12-19T09:14:28Z","timestamp":1734599668000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyae007\/7696551"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"references-count":61,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,1,2]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyae007","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2024]]},"published":{"date-parts":[[2024]]},"article-number":"tyae007"}}