Keeping employees committed to information security is tough. The fundamental problem is that the better our security, the less evidence we have to reinforce it. As weeks and months go by with no security incidents, employees unconsciously reduce compliance with security rules. This natural process is called extinguishment and is well known to behavioral psychologists. To overcome extinguishment, we need reinforcement, and that's where security awareness programs can use imagination and fun.
In an information security class in 1993, a student told me about an interesting experiment she had carried out at a large company. Employees were not following company policy about logging off the mainframe systems, and the open sessions were interfering with operations by holding databases open and preventing proper backups. In some cases, operators were able to terminate the sessions remotely, but in others they couldn't. Haranguing people didn't work. You could force employees to contact technical services for a new password, require them to discuss their errors with their managers, and otherwise try to punish them, but the compliance rate hovered consistently around 40%.
My student did an experiment. She went around at night and found all the terminals in a specific department that were logged off properly. On the keyboards, she left a little chocolate wrapped in silver foil. There was no explanation for the chocolate. At the end of the month, she found that compliance with the logoff policy had climbed to around 80% in that department but remained at 40% elsewhere. Praise and reward can be more powerful than punishment in changing behavior. Talk to any dog trainer for confirmation.
My friend and colleague K Rudolph (and yes, she uses the letter K without a period as her first name) of Native Intelligence is a specialist in making security awareness fun. She has a huge collection of security-awareness materials that are directly in line with the observation that making compliance pleasant is a better approach than focusing on criticism and punishment.
You can start with a series of free and very cute, colorful coupons (http://nativeintelligence.com/freebies/caught-coupons.aspx). These all have a nautical theme, with the word "CAUGHT!" and a charming creature such as a crab, an octopus, a dolphin and so on, followed by something good; e.g.,
* Refusing to allow someone to tailgate on your access badge.
* Asking for help with security.
* Challenging an unknown person in your area.
* Verifying that someone requesting information has a need to know.
* Using a locking screensaver.
* Properly disposing of sensitive media.
* Refusing to share your password.
You can print these yourself from the PDF files or just buy them on thick card stock.
Native Intelligence also has an enormous collection (88 at last count) of security-awareness posters at http://nativeintelligence.com/posters/security-posters.asp
For example, one of my favorites is, "Passwords are like bubblegum: strongest when fresh; should be used by an individual, not a group; if left laying around, will create a sticky mess." Many of the posters have charming cartoon animals such as dinosaurs, snails, raccoons and rabbits. One poster reads: "You OTTER backup your files!" and has a furry little critter on his back contemplating a floppy disk.
There is also a series of 14 posters designed to improve HIPAA compliance (http://nativeintelligence.com/posters/hipaa-posters.asp).
Native Intelligence also offers several Web-based awareness courses: Security Awareness, Classified Data Basics and Personnel Safety. Details are on the Web site at http://nativeintelligence.com/courses/index.aspx
* * *
Note: I have no financial involvement whatever with Native Intelligence's courses and posters. However, K and her team are currently working with me on an improved and fully illustrated version of my Cybersafety booklet; the old version is still available free at http://www2.norwich.edu/mkabay/cyberwatch/cybersafety.pdf