(This is part 2 of a 3-part series; part 1 is here)
Not every security vulnerability gets as much media attention as Heartbleed. True, there is a good reason for all the attention – labeled by some as a catastrophic development – and the general public should be made aware of the risks associated with the bug. Yet there are countless other risks that employees encounter on a daily basis which get far less attention, so the question becomes: how do we motivate our employees to pay attention to the seemingly mundane yet essential policies outlined in the company’s security plan?
Organizations can greatly increase the effectiveness of a security plan by recognizing and taking advantage of the ways in which employees’ motivation to comply with the plan can influence their intentions to do so. Specifically, management should seek to increase employee motivation (thereby increasing intention) for observance of security guidelines by creating an environment whereby:
These objectives, along with examples of effective methodologies to accomplish them, are discussed in the paragraphs below.
Most employees view information security as the obligation of the IT department only, so an initial goal for management should be to change this perception. One way to accomplish this is a casual reminder to all personnel that, as employees, they are the information agents of the organization, and as such the protection of organizational data is their responsibility as well. Additionally, implementing a company-wide reward/recognition program after measurable periods of incident-free business operations can help create an incentive for increased security plan awareness.
Another popular misconception among employees is the belief that the security of organizational information should not be a concern for them individually because, after all, it is organizational information – not their own personal data. Thus, clearly communicating to employees that they will, in fact, be personally affected by the loss of organizational information is another highly effective method for enhancing the motivation to follow a security policy. Informing users that a lax attitude towards security could result in the theft and/or manipulation of employee data – since much of the organization’s sensitive data is personal employee information, such as social security numbers and payroll records – could have a far-reaching influence.
Also, something as seemingly inconsequential as identifying the security personnel by name could have a great impact on risk perceptions. For example, instead of telling employees that “the Network group” is monitoring all Internet activity, state that “John Smith and Bob Jones in the network group” are monitoring it. In this way, the risk is individualized for the employee, and the potential loss will be seen as more personally affecting.
Management must be cognizant of the organization-wide opinion of a security plan, as the influence of this opinion on employee intentions can be quite broad. Creating an environment where employees are able to voice their opinions/concerns over the security plan and are able to suggest improvements can help promote a positive attitude toward the proposed guidelines.
Also, the work atmosphere must be one which reinforces all employees’ consistent observance of the plan; therefore it is vital that the organization not only promote the importance of following the policy but also establish an analytical basis for measuring employee adherence, such as setting monthly/yearly benchmarks for security success. Regardless of the particular method used, the main objective is to facilitate a culture of self-sustained reinforcement by increasing motivation and producing security-seeking intentions.
In Part 3 of this series, we will discuss effective techniques for reducing employees’ security-related errors by understanding the different types of errors and common causes of each. Stay tuned…
Gary Braglia is a Security Specialist at GreyCastle Security with over 10 years of experience as an IT professional. Gary began his career as an application developer with the NYS Office of Information Technology Services (ITS), is a graduate of SUNY Albany with a Master’s degree in Information Science (M.S.I.S.), and holds industry-recognized certifications including Tenable Certified Network Auditor (TCNA) and CompTIA Security+.
At GreyCastle, Gary consults with clients in a wide range of security domains, including penetration testing, vulnerability assessments, security assessments, network security, application security and policy development.