All workplace security behaviors have either a positive or negative outcome. Positive security behaviors help safeguard assets; negative behaviors put them at risk.
Loss prevention policies are the starting point for encouraging positive security behavior. And security practices—such as monitoring, training, and enforcement—drives employees’ capacity and motivation to adhere to a given company security policy and support a retailer’s asset protection effort. In short, at the source of asset protection, are a retail organization’s LP policies and practices.
How Can You Get Workers to Follow Your Company Security Policy?
Clarity helps. A company security policy should plainly define acceptable and unacceptable behavior. Doing so helps to improve compliance and removes ethical dilemmas that lead to worker stress and negative behavior.
Compliance with security and LP policies also requires that they fit work practices and requirements. For example, research has shown that violations of company cyber security policies often occur when security policies, such as restricting access to computers, conflict with workers’ perceived need for access. This type of conflict can often lead to problems, such as personnel circumventing security controls by propping open doors that require special key access.
When workers don’t “own” a security protocol they often circumvent it. Company security policy guidelines and procedures are often judged by employees with respect to:
- their relevance (are they necessary?);
- their effectiveness (do they actually improve security?); and
- their user-friendliness (are they understandable and not overly cumbersome to implement?)
When any company security policy requires extra effort, employees weigh the extra effort—consciously or subconsciously—against benefits for them, in the context of their production tasks.
LP executives may identify ways to encourage policy compliance by conducting organization-wide auditing on questions such as:
1. Is training on LP policies adequate?
2. Do security and asset protection policies and procedures make sense to line workers?
3. How can employee commitment to a company security policy be enhanced?
One key tool in this endeavor is an employee survey that specifically solicits employees’ opinions and attitudes regarding security policies, including how compatible they are—or aren’t—with their job duties and production tasks. By looking at security compliance through the eyes of employees, LP executives can start to manage compliance, something that is not possible if they simply write security rules and tell employees: “follow this.”
Overall, according to a national security survey by SDR/LPM, 40 percent of organizations have surveyed or interviewed employees in the last twelve months to learn their perceptions of security policies, such as how policies may support or conflict with their work practices. It is most common among publicly traded firms, especially business and professional services companies. It is slightly less common among retail organizations: 29 percent.
In addition to providing LP executives with key data, surveying employees about a company security policy may, by itself, improve compliance with them. Psychology studies show that when people have a chance to express contradictory views, it helps to bring attitudes in line with their beliefs. So, for example, an employee survey on office supply policies not only helps a security team to understand the attitude of workers toward this issue, but also might help remove inconsistencies and steer the corporate culture in the right direction. In short, merely asking a question such as, “Are you aware of the company’s policy on the removal of office supplies for personal use?” helps workers adhere to it.
Asset protection departments must also be careful that routine enforcement of security rules does not create antagonistic views toward security culture. Sometimes employees skirt security procedures—not because of deliberate indifference or antagonism toward security—but because of some external or temporary pressure.
In this case, a harsh rebuke of an employee may result, unnecessarily, in creating a bad attitude toward security. Instead, security leaders should sensitize their staff to the consequences of the mistakes they make with respect to violating security policies, according to Michel Kabay, Ph.D., Norwich University. Rude treatment of employees for a violation of security procedure can cause employees to be less likely to comply with security policy in the future—and will certainly result in employees being less likely to encourage others to comply, says Kabay.