Human - Weakest Link
Shifting from Blame to Design
In this issue, we dive deeper into why well-meaning employees bypass the very security controls put in place to protect them.
Your security team just spent six figures on the best new tool. It’s ironclad. It stops every threat... until an employee finds a way around it.
We often label these incidents a “policy violation.” The employee was non-compliant. Case closed. The focus lands squarely on the person: they didn’t follow the rules.
But what if the “violation” isn’t a malicious act, but a design failure? What if your policy or tool is so slow, so difficult, or so poorly integrated into their workflow that they are forced to bypass it to actually get their job done?
We need to shift our focus from policing non-compliance to designing for compliance. The root causes of non-adherence aren’t always a lack of care, but a conflict between getting the job done and following the rules. It’s time to stop penalising non-compliance and start designing for simplicity.
It’s Not Malice, It’s Friction: The Three Root Causes of Non-Compliance
Security controls are not bypassed because employees are fundamentally bad actors. They are bypassed because of friction. Friction occurs when the secure path conflicts with the immediate need to be productive. Applying insights from behavioral science reveals three primary drivers of this conflict:
1. The Cost of Time (The Policy is Too Slow)
In the modern workplace, time is the ultimate currency. Employees are measured on speed, volume, and meeting deadlines. Security processes that impose significant time delays—even if they only add up to a few minutes each time—are subconsciously viewed as a tax on productivity.
Example: Consider a critical security measure like the process for submitting an exception request to a blocked website. If the process involves filling out a lengthy, multi-page form that requires three separate managerial approvals and takes 48 hours to process, the employee facing an immediate deadline will abandon the process and seek an unapproved workaround (e.g., using a personal device or email) simply to maintain their workflow. Friction is the enemy of adherence.
2. The Cost of Effort (The Tool is Too Difficult)
This is the principle of cognitive load. When a tool or policy is complex, non-intuitive, or requires multiple obscure steps, it demands excessive mental energy to use correctly. Humans will always default to the easiest path, even if they know it’s less secure, because the easiest path requires the least effort.
Example: A new Data Loss Prevention (DLP) tool is installed. When it flags an action, it simply throws up a cryptic error code and stops the operation. It doesn’t explain why the data is blocked, what specific piece of policy it violates, or how to proceed securely. The employee’s only clear path to finishing their task is finding a non-DLP-monitored channel. Complexity is the source of many “shadow IT” solutions.
3. The Cost of Safety (The Fear of Asking Questions)
As we highlighted in our previous issue, Psychological Safety is the ultimate control. In cultures that punish mistakes, employees learn to hide potential risks. If a security question, a near-miss, or a simple mistake leads to public shaming, judgment, or a negative mark on an audit or review, employees will bypass controls instead of drawing attention to them.
The Bypass Trigger: An employee isn’t sure how to properly encrypt a large file for an external partner. If they fear that asking the security team for help will trigger an invasive audit or make them look incompetent, they will risk sending the file unencrypted via a quick, non-monitored service. Their personal safety (career and reputation) trumps the perceived organisational risk.
Shifting the Focus: From Policing to Security Design
The solution is not more training or stricter penalties. It’s applying Design Thinking to your security ecosystem.
Empathy Map the Process: Don’t just audit the results of a policy; audit the experience of using it. Have security team members spend a day working through the tasks of a high-risk user. Where are the mandatory five clicks? Where is the 60-second delay? These are your bypass triggers.
Make the Secure Path the Easiest Path: Your goal should be that the path of least resistance is the path of maximum security. If the quickest way to share a document is via an approved, secure internal link, employees will use it without thinking. Security must become an enabler, not a gatekeeper.
Positive Reinforcement: Stop tracking only failures. Recognise and celebrate instances where an employee used the control correctly or spoke up to ask a question. This changes the perception of security from an organisational cop to a genuine partner in the employee’s success.
The real transformation happens when employees feel empowered to protect the organisation, seeing themselves as guardians, not prisoners. Stop asking why they failed the process and start asking how the process failed them. True risk reduction comes when the secure path is also the easiest path.
Your Tripwire Challenge: The 5-Click Audit
The real transformation begins when you experience the friction firsthand. This week, don’t audit for compliance. Audit for ease of use.
Your challenge is to select one high-volume or high-risk operational task that regularly causes frustration or bypass behaviour among employees (e.g., requesting external access, submitting a security exception, or reporting a suspicious email).
Map the Experience: Have a member of your Risk/Compliance team physically walk through the process, documenting every step from the user’s perspective.
Tally the Friction: Count the total number of clicks, form fields, and required approvals.
The unspoken workaround: Ask the user: “If you were in a hurry, what is the fastest way to bypass this entire process?”
About Tripwire: Your weekly guide to building robust risk and compliance cultures through innovative, human-centered strategies.
What are the success stories you want to recognise and celebrate today?
If you enjoyed this read, the best compliment I could receive would be if you shared it.