Habitual security

Getting our work colleagues to behave more securely is a lot like breaking old habits and replacing them with new ones. 'Habit' implies several things, most notably there is stasis, inertia or resistance to change - the very essence of habit - hence directed changes inevitably require both time and energy. Furthermore, old habits die hard: they are our well-practiced, comfortable, default behaviors, mostly performed subsconsciously, autonomously, easily, without thinking or apparent effort. In contrast, changing to a different behavior requires conscious thought and deliberate effort, at least at first, until the new behavior itself becomes habitual. In the middle is the 'unfreeze' phase of Kurt Lewin's classic 3-phase change model, the road-hump separating two distinct behaviors or clusters of activities.

Habitual behavior, including addiction, has been studied extensively for decades and is fairly well understood in terms of the psychology and physiology, so what can we learn from medical science and practice? 

Well, operant conditioning indicates that there are essentially two diametrically-opposed methods of dealing with behavioral changes:


So, one might condition a smoker to 'give up the filthy habit' by emphasizing either the health risks they face if they continue smoking (enforcement) or the health benefits if they cut down on the ciggies (reinforcement), or indeed both (e.g. use enforcement first to break the old smoking habit and then reinforcement to fix the new non-smoking habit in place for good). I blogged recently about applying this simple but powerful approach to information security awareness. Most organizations routinely penalize noncompliance with policies and procedures, but too few actively reward compliant behaviors. They are missing a trick. What a waste!

Focusing on the enforcement end of the scale, aversion therapy associates undesirable behaviors with actual or threatened pain or discomfort. It might be effective to zap someone's rear end with a bolt of static through their office chair when they do something insecure, but I doubt HR, Health and Safety or Legal would let us! 

Moving to the other end of the scale, many weight-loss/anti-obesity programs use the reinforcing effect of social recognition and peer-group respect. "Hey everyone, look at that! Joanne has lost an amazing 3 kilos since last week! Congratulations Jo - you're this week's Star Performer!" Boosting slimmers' low self-esteem (resulting largely from the incessant enforcement pressure of advertising and celebrity figures) is an important part of the therapy. The combination of metrics and social group pressure is another simple but powerful approach. I've used it from time to time in my audit work, compiling benchmark comparisions between departments or business units then deliberately highlighting and celebrating the most secure ones ... although admittedly it is hard to resist the urge to hammer those at the bottom of the league table! Again, most organization can do more on this score, for example deliberately using good news stories in awareness and training materials (e.g. ranking departments by the quality and completeness of their business continuity plans, using positive, upbeat quotes from the leaders to illustrate the stories, and openly acknowledging and thanking or rewarding them for their efforts). 

In the same vein, socializing information security is a central feature of our approach, a key technique in establishing a widespread and deep-rooted corporate culture of security. My compelling suggestion is to spread the word about information security far and wide using social interactions, both formal and informal relationships within the corporation. A simple example is to build a network of 'security amabassadors' or 'sec-reps' embedded within and throughout the business, continually drip-feeding them with awareness content and (just as importantly) encouraging them to provide feedback regarding the program, such as new awareness topics or security pinch-points for the business. Another technique is to provide opportunities for social interaction, knowledge transfer and mutual reinforcement between layers of the organization (e.g. by addressing managers and staff) as well as crossing departmental stovepipes (e.g. drawing on specialists in information security, physical security, IT, risk, compliance, HR, quality, health-and-safety, audit, business continuity and other parts of the business to develop and deliver relevant security awareness messages). The concept goes well beyond social media, but why not make a start by using blogs and tweets and all that jazz to disseminate security awareness messages and gather that feedback I mentioned?

Yet another creative security awareness approach involves the use of social engineering - in a positive, white-hat, fully-sanctioned-by-management manner I hasten to add. Self-phishing (conducting mock phishing attacks against our esteemed colleagues) evidently piqued some imaginations but thankfully the fad has peaked-out. Thinking back to operant conditioning, there are two distinct approaches: either enforce the phishing-related policies and procedures by punishing those employees who are phoolish enough to phall for your phishing lures, or reinforce them by rewarding employees who resist the urge to open the attachments or follow dubious links, instead reporting them as security incidents. Which approach did you use? Score bonus points if you answered both, and go to the top of the class if you (a) used metrics from the mock-phishing assault to celebrate and reward the most phishing-aware departments, and (b) recognized that the security awareness value of social engineering methods goes way beyond mere phishing.

It's not hard to achieve effective security awareness if you actually care and think enough about it to be creative and energetic ... Sadly, however, the approaches I have just outlined remain uncommon in practice, largely I guess because we security awareness pro's have our bad habits too! We sit on our laurels, resisting change, resenting the additional effort needed to figure out something different and put it into practice. There are a million and one excuses: I've heard loads and, I admit, I've used several myself. But hey, when I look back at where we were in security awareness back in the dark old days of the 1990s, some of us (at least) have broken the mold and come on a long long way. At least we no longer expect to 'do' security awareness through the dreaded annual-lecture-to-the-troops, scattering a few childish cartoon posters about the place, or duping our colleagues with self-phishing ... do we*?


* That was the royal 'we' of course. I meant you: what are you doing to make your security awareness program a roaring success? What bad habits are you willing to kick in order to make progress? Think on: the clock is ticking and there's no time like the present. Carpe diem. Every round-the-world journey starts with a step. Some clouds have a silver lining. Do not run with scissors.