Towards a Risk Assessment Matrix for Information Security Workarounds.

2021 
Workarounds are often a necessary response to obstructions or inefficiencies within organisations. Their utilisation could, however, introduce information security risk into an organisation. It is, therefore, important for organisations to first identify information security workarounds, then determine the reasons for them, and assess the potential risk they pose to the organisation. Workarounds are generally triggered by human factors, which can be explained with the Protection Motivation Theory, as well as by environmental influences that exist within an organisation. This is shown in the paper using a flowchart to illustrate the decision-making process of employees regarding information security workarounds. Having understood why workarounds occur within a particular organisation, the value of their information security risk can be determined using a Risk Assessment Matrix for information security workarounds and an accompanying Information Security Workaround Risk Index. Using the tools proposed in this paper, information security officers can respond appropriately to information security workarounds and, where necessary, make modifications to their information security policies, depending on the potential risk associated with the identified information security workarounds.