The security awareness paradox: A case study

Knowledge-intensive organizations are characterized by their dependency on highly skilled personnel who perform their daily work in a decentralized manner. In these organizations it is the users who make the important decisions, and therefore the organization´s information security awareness is upheld by and depends on its users´ combined security awareness. To assess the overall organizational security awareness it therefore becomes interesting to assess both the users´ individual level of security awareness, as well as their level of consistency and conformity with regard to other users´ awareness. In the present case study, 15 semi-structured interviews have been undertaken within a large telecommunication company in order to understand how significant IT security aspects are understood within the organization. The study highlights a number of perception differences where the technical IT staff and the ordinary users do not share the same understanding. It is suggested that these perception differences result from a paradoxical situation where the users´ possibility to uphold security awareness is hindered because of security concerns.