Security Incentives

Schneier put up a thought-provoking (if a tad medievalist) opinion piece to the effect that the best security-awareness training is (metaphorically) hanging a few people that got too lax in their precautions. From the logic that most people know what good security is — they just have more important priorities, like doing work — this serves to re-orient everyone’s priorities.

Lance Spitzner at SANS suggests this is dumb and often impractical, proposing instead that security training be aligned to the users’ interests (e.g. relevant to avoiding personal identity theft as well). As a metric for “awareness training success” he’s got a brilliant one: the number of requests to get friends and family in on the training as well.

I’m with Spitzner, for the record. People are generally interested in security (if it doesn’t get in their way).

“One of the problems with motivating proper security behavior within an organization is that the incentives are all wrong. It doesn’t matter how much management tells employees that security is important, employees know when it really isn’t — when getting the job done cheaply and on schedule is much more important.[…]
Similarly, there’s supposedly an old Chinese proverb that goes “hang one, warn a thousand.” Or to put it another way, we’re really good at risk management. And there’s John Byng, whose execution gave rise to the Voltaire quote (in French): “in this country, it is good to kill an admiral from time to time, in order to encourage the others.””

“…even if firing people is an option, does it fit your culture, do you truly want people to be motivated by fear and resent security, because that is what is going to happen.

The most successful method I have found that makes awareness ‘stick’ and changes behaviors is to engage people, focus on how awareness personally benefits them. People face the same cyber risks at work as they do at home. By teaching them how they benefit, and how they can protect themselves and their families, they are far more likely to change behaviors. Even better, they now have the same security behaviors both at home and at work; security is part of their DNA.

Don’t get me wrong, I’m not saying enforcement is not important. It plays an important part in any successful awareness program. However, you want your first step to be on the positive side: engage people and you will change behaviors. My favorite metric for a successful awareness program is when people ask how their family and friends can also take the training.”

