Why employees don’t care about Security
In Security, across the domains of People, Process and Technology, there is a tendency to focus too much on Technology and to forget or ignore Process and People.
It's an issue that's common whether you're working in physical security or the cyber and information security worlds.
Consider a scenario...
- How many of us have experienced being forced by IT to use a new secure file sharing system?
Yes, most of us?
- We were told it's the most secure SUPER-8000-ASYMMETRIC-SYSTEM with 4096 bit keys.
- We were sent a link to an 18 page document on how to use the system.
So then, how many of us, after failed attempts, decided it was too difficult to use? Yep, everyone?!
We gave up when we realized we would miss a deadline. Or shuddered at the thought of our clients struggling to download a file.
So what did we do? We found a way around it.
Security became an obstacle.
What went wrong? The IT security team thought they did everything right:
- they selected a best-in-class secure file sharing solution
- they put together a comprehensive user guide
- they sent emails out to the whole organization
Yet, the initiative for 'better security' was largely a failure.
This scenario plays out on a regular basis. It could be file sharing, email encryption, access control for the building, new screening measures, travel security, etc. You name it.
Why does this happen?
For those of us working in security - security is what we value. Within the context of an organization, it's likely most other employees do not share this value.
The Marketing Department is busy creating a new campaign for a product. The Sales Team is out generating leads. The Engineers are under pressure to release a new feature.
We forgot about or ignored the people. And that's why in many cases – security is perceived to be creating obstacles.
People will prioritize getting their work done. Not security. They will rationalize breaching a security policy or measure if it interferes with their role and objectives. It's human nature. It's not a fault.
Can it be different?
I argue that we as security professionals can do better.
Process and People are just as important as Technology when we are implementing security.
By having this front of mind, we can go a long way to getting our employees to care about, and to value security.
Here are examples of questions we should be asking ourselves when we're implementing or designing a new security system, or writing a new policy/procedure:
- Can we design for a positive outcome?
- Can we simplify it?
- How do we empathize with our users?
- What does the user experience look like (from start to finish)?
- How can we motivate our people to do 'xyz'?
- What do the users value and what are their priorities?
- Can we align our values with the organization's values?
How can we start to re-balance this focus on Technology, and move towards improving the way we implement and interface with Process and People?
Some ideas follow below:
Simplify the process
Re-design and simplify the process. Look at every security process your team is responsible for. Understand the steps involved. And try to do the following:
- Eliminate. Anything that is not necessary should be eliminated.
- Change what doesn't work. Is there a default setting or step? Why is it the default? Is it working? If not, change it. Avoid "it's always been that way".
- Consider motivation and compliance. Harder than the previous items, but force yourself to think as if you're the user. Would you be motivated to follow this process? Is it easy to understand? Why is it important to comply?
Re-designing processes can take time. Start by focusing on existing and known issues, and aim for quick wins. You should be tracking incidents, issues, complaints, etc. so you already have an idea of where problems exist.
Simplify the documentation
Documented policies and procedures are important.
Though, let's be honest, most policies and procedures these days are written to cover backsides, or to comply with a standard or regulation. They are rarely written for people.
We have messy documents, designed to cover all bases, in case something goes wrong, so we can say to the prosecutor, regulator, insurer, or whomever "Look, it's all written here in the policy, Bob just didn't follow the rules."
What can we do better:
- Re-write documentation - be clear and concise.
That's it.
I have seen, been part of recommending, and have written wordy, complex policies and procedures in the past. It doesn't work. No one reads it.
Documentation does not create a security culture.
Get good at selling security
How do we sell security to those that interact with it everyday? The typical approaches go something like this:
- Security Team sends an email - "All employees shall comply with new policy/procedure/document XYZ"
- Security Training attempt - "ATTENTION: Watch this important 45-minute video about phishing right now"
- Security Technology initiative - "Please report to the Security desk for biometric fingerprint enrolment"... You get the idea.
Does this sound familiar? It's obvious these approaches don't work.
Demonstrate value
A simple and direct way to get more engagement is to show the value security brings to the organization.
Show everyone what you (i.e. Security) have achieved for the organization. Highlight your successes. Provide examples.
E.g. Why do we spend money on cameras and alarms:
In February, our alarm and video surveillance systems successfully deterred 2 break-in attempts to the facility. We were able to supply video footage to Law Enforcement and this led to the arrests of multiple suspects.
E.g. Employees are concerned about news reports of a new pandemic virus and don't know what to do:
Our team has developed this simple to follow 1-page guide on how you can stay safe. We also have people monitoring the situation, and if you have concerns, we have set up a dedicated email where you can reach us.
E.g. Implementing security and awareness training:
Did you know - last quarter, with the help of our staff we were able to identify over 20 suspicious emails. These emails could have compromised our systems and affected delivery of projects for our clients. Learning about phishing is as easy as spending 5 minutes on this interactive video.
E.g. Trialing a new secure file sharing system:
We made mistakes last year when we implemented Secure File Sharing.
We have since received great feedback from our people on alternatives.
Now we're looking for volunteers to help us with trialing new systems. If you would like to be part of the trial, let us know...
Engage with other teams
You might be a security subject matter expert, but writing corporate communications and content may not be a strong point. That's OK. It is likely within your organization there are experts - talk to HR, talk to the Marketing team, talk to Communications.
Work with them to craft messages, drive engagement, develop interesting content, or training materials. By reaching out to other teams you also yield some great benefits:
- foster collaboration
- create a better understanding of security
- get feedback - it's an opportunity to improve and learn from other disciplines
Increase motivation
Getting people to be motivated about security can be difficult. However, it is not impossible.
Some tactics you can consider:
- Use the power of influence. Getting the CEO or a senior leader within the organization to show support for Security can be powerful. Work with them to highlight why security is important, showcase the team's previous successes and their capability.
- Tell good stories. Telling a compelling story that relates to users, their day-to-day responsibilities, and connecting it to security can help to improve understanding, as well as being more memorable.
- Add social interaction. If you are testing a new system - call for volunteers to assist you. Implementing a new process - get representatives from multiple departments to walk-through or read it.
- Give trust. Consider ways you can introduce some autonomy and freedom in decision making for people. As we already know, with too many rules or difficult procedures - people find a way around them. You can consider loosening some procedures or giving choices (multiple ways to achieve the result).
Stay away from carrot-and-stick type motivators. These have been shown to be poor at creating long-term behavior change. Incentives such as cash prizes and gifts may be fun for an event, but they result in short-lived changes, and behavior quickly returns to the baseline.
Understand group dynamics
An organization is complex, with many people, departments, teams and so on.
Employees of the organization form part of a broad "in-group" - a psychology term. As we think about the organization we find there are more in-groups and sub-groups. There's an in-group that is the Legal Department, or Finance. Within Legal there are likely smaller in-groups. There are groups that exist across departments - for example a project team, or a committee. There are also "out-groups".
Why is this relevant?
As 'security' people we have our own in-group. Yet, it is also our job to work across different groups. We must be able to connect with and understand a broad range of people. And importantly, we should strive to avoid "us versus them" scenarios - which are far too common in many organizations.
In conclusion...
Don't forget that we need People to make security work.
The above is written from my experiences in security and learning across behavioral economics, design thinking, and marketing.
I value and welcome your thoughts and comments below.
Dusan.
Fraud Risk Management, GRC, Asset Protection, Investigations, Crypto Risk Management. Enabling young and aspiring practitioners.
4 years: If only ASIS International could have you speak at all their regional conferences so that you could inform the community about what we actually need to be doing.
Your Catalyst for Tech & Security Innovation | Transforming SMB Realities with Agile Strategies & Robust Technology | Cyber Risk = Business Risk
4 years: Thanks for a great article Dusan. You provide great insight into how we as professionals and leaders need to remember it is always about people and value.
Senior OT Specialist at SektorCERT (Denmark)
4 years: Great article and explanations. Our colleagues need to understand what is in it for them. Sell, don't tell. Explain, don't yell. Start with the end in mind, think of the people, not the new shiny tech solutions from some vendor...
Director of Information Security, Risk and Compliance
4 years: Very good article!
Information Security professional, who believes Meaningful DATA is Everything
4 years: Also, what I have noticed most of the time is we explain Security from our angle; what matters is how are we trying to explain it from their point of view?