Honey is better than vinegar at catching flies. Here are some tips to help you establish a positive-reinforcement cybersecurity culture instead of a blame-and-shame game.
I used to work in an environment where users could not be added to a privileged Active Directory group without permission from their managers. This was closely monitored and, on one occasion, an email was sent to a large group of people. It stated that the policy had been broken and that someone had updated a group without permission.
Multiple managers criticized the sender for calling the alleged perpetrator out. One of them produced the request that authorized this change, exonerating him and causing embarrassment to the accuser, who did apologize. The entire email thread should have been discussed privately with the employee and their manager.
This episode shows the wrong way to approach cybersecurity. Another common practice is for companies to send simulated phishing emails to internal recipients. The test is whether they click links that take them to a page criticizing them for clicking on the content. This creates a barrier between end users and IT/security, and makes users less likely to respect them. Positive reinforcement is key to encouraging employees not only to comply but to act in the company's interest. To promote cybersecurity principles throughout the organization, recognition by management can be as simple as acknowledging that phishing emails were reported and that training was completed.
Cybersecurity experts agree. SecurityAdvisor CEO Sai Venkataraman said that cybersecurity culture is almost impossible to quantify because there are no measurement tools. Many businesses attempt to quantify the human element of their security posture by sending employees simulated attacks to demonstrate how susceptible workers are to phishing, social engineering, spoofing and other types of hacks. Security leaders claim simulations can help identify high-risk users and secure additional budget. However, this logic is flawed. Simulators can cause embarrassment and place security teams as adversaries rather than allies.
Venkataraman stated that embarrassing people is futile: it is not a positive thing and has been completely discredited from a security perspective. Shame culture is evident in phishing simulations and other "Gotcha!" attacks used in security training. Experience has taught us that attacking our employees doesn't increase cyber-resilience as much as it positions the internal IT teams negatively in the eyes of the organization's employees, making it more challenging to get people on board with strategic initiatives. These boring training sessions make employees less inclined to see the IT team as a force for good in the organization. The best security leaders use technologies and tactics that create a seamless experience for employees.
Rather than trying to shame and then coach employees, IT and security leaders should create a frictionless security strategy intended to support workers during their greatest time of need, Venkataraman said. "Cookie-cutter" approaches to security training don't work for long periods of time. This approach doesn't target at-risk employees when an attack is in progress, nor is it executed with sufficient frequency to keep employees on guard.
Johanna Baum is the founder and CEO of Strategic Security Solutions, which provides information security consulting services. "Shame is a terrible way to motivate individuals or the masses. It doesn't work with your children (we've all tried), and it doesn't translate well for any other population. While it might trigger some immediate reactions, it can also foster long-term resentment as well as a stockpile of ill will."
She suggested a different approach. She said, "The goal should be to increase overall intelligence and threat intelligence for each user. Although it's difficult and takes patience, it is far more effective than setting traps and mocking the transgressor. No one wants to share their internal cybersecurity test results."
She said that the general security intelligence of executives and users is very low, so it’s rare for anyone to air their dirty laundry. “Openly discussing security initiatives, assisting your team in internalizing the global impact and promoting wide-scale security evangelism as an organizational imperative, rather than an IT mandate, goes a very long way to securing the organization—certainly much further than the fired employee who was the poster child for the failed shame game phishing test.”