Information Security Awareness - The Human Element
Could you guess the weakest link in the Information Security chain? The Human Element: it is the one thing technology can't control. "The human being is the most precious asset a company has, and the most dangerous thing," says the founder of an international security company in the UK.
I remember a funny incident: an executive manager in one of the largest multinational financial companies, while walking the office floor, noticed a couple of unlocked user PCs. He sent a broadcast email from one PC saying "Dear All, Today's lunch is on me! (By user X)". That is a happy message, but a far more alarming one followed from another PC: "Dear All, I am resigning from my job with immediate effect! (By user Y)". The ethics behind such messages might be debated, but the moral of the incident is that employees should not leave their desks with information unattended, whether digital or on paper. Employee awareness of the "Importance of Information Security" needs to be addressed effectively, which could be a team effort by the HR & Training, IT, Security and Marketing departments.
Information Security Awareness Training – Current Flaws
The main problems with how information security awareness techniques are commonly implemented relate to "business culture" and "awareness approach". It's a common assumption that if someone is aware of a risk or threat, their behaviour will change. If you are aware of the presence of attacking dogs, you will take care while walking along those countryside roads. The reality is that people may well be aware of the risk but feel constrained by other factors, such as the established business culture.

Another problem is that information security professionals don't realize that information security awareness is all about marketing. Mouse mats, motivational posters and screen savers with messages copied from the organization's security policy are quite easy to do, but a creative marketing approach should involve audience research, careful targeting of communications, and measuring the outcome.
The people part of a security implementation is always left unattended. The patient is dying of the common cold due to poor nursing, while the doctors are concentrating on the health of hearts and brains. Yes, the fundamental risks need to be prioritised. The problem with managing employees is managing the motivation of the company itself.
Information Security Awareness Training – A Balanced Approach
No software, and nothing in black and white, can stop company secrets spilling from the mouths of employees. The only solution is to promote real behavioural change.
It is like the carrot-and-stick model of reward and punishment for behaviour. You might push for information security compliance either by punishing bad behaviour or by rewarding good. The carrot is the better option; the logic is that rewards always motivate!
From my personal experience: I have two small kids in my family, and if I buy them some chocolates or toy cars rather than reaching for the stick, the effect is healthy and rewarding as well. The same applies to information security awareness training. Say, for example, you are planning to apply complexity requirements for Windows passwords. You could either punish or issue warnings to those who use simple passwords like "name123". On the other side of the coin, you could show an example of a strong password and give small rewards to the employees who then follow that example. What would your choice be?
What Do Users Need to Know?
Users need to know about information security issues that affect their work, their home, themselves and their families. They need to understand the threats and risks as well as the methods they can personally use to defend against these threats.
To illustrate the Human Element, let's consider an example. You might have noticed stickers in hospitals and other public places illustrating the ideal steps to wash your hands. Health authorities and other social services organizations took many years to develop the so-called cultural acceptance of the practice of washing one's hands to prevent infection, because there wasn't an instantaneous negative consequence to not washing them.
It's the same with Information Security. When you click an anonymous email or a picture of a fair lady, your computer doesn't immediately blow up; it maybe gets a bit slow. Someone else's information gets stolen, and it never comes back to hurt the individual person. Hope you got the logic!
Message to Information Security Professionals
Best Practices:
Communicate to users how it is important to them personally: People are more receptive to information that affects them personally. Training should focus on safe usage not only at the workplace but at home as well.

Communicate with real-world examples: Keep everyone's attention by citing examples the audience can identify with and whose impacts they can appreciate. Use any recent public information (internal or external) for which the consequences can be understood.

Communicate the importance of end-user security awareness efforts: Vulnerabilities are not only exploited from the outside; they can be exploited from inside as well. Approach security awareness with seriousness and give users tools to help with security efforts.
"We're coming around to needing a balance between technological countermeasures and change-in-behaviour countermeasures," says Williamson of (ISC)2, USA.
Organizations must decide which user behaviour they most care about and focus their efforts on controlling that risk. Security professionals should also examine the attitudes and beliefs in their organization, and take a positive approach with the right balance of technology and the human element in order to ensure a secure computing environment for the business.