A famous thought leader in security, Bruce Schneier, popularised the term «people, process and technology» back in 1999. Our security strategy must cover all three areas, and this holds more true than ever. Technology still gets the most attention, and we still need to advance the people formula. I believe cyber security needs more empathy.
Security awareness practitioners agree that creating permanent behavioural change is our biggest challenge. Knowing that it only takes one employee who clicks a dangerous link or attachment, we may be tempted to say that awareness can never win this battle. No matter how much training we offer, digital criminals will retain their competitive edge as long as their emails keep reaching that one vulnerable person’s inbox. But giving up on people would be the same as giving up on technology, since obviously spam filters aren’t perfect either. We need to advance defences in both areas. And yet our security challenges aren’t only limited to people clicking the wrong things.
People sometimes break rules, exposing our organisation to unwanted risk. This could be due to several reasons, but just like with clicking, we are in a neat position to shame our colleagues for their failures. Our policies and procedures define clearly how we want things to be done, and anyone breaking those rules are at their own fault, right? Unfortunately, while blaming “human errors” will keep our security professional backs covered, this attitude will not help us any closer to securing the humans.
The people and process parts are in reality not taken care of until people actually turn our ideas about security into secure practice for themselves. This is a matter involving awareness, intent, competence, leadership, culture, functionality and user experience.
Based on this, I argue below how people, policies and products must be aligned – indeed, put into harmony – so we can gain from our colleagues as positive contributors to security.
PEOPLE
Some will characterise employees as ignorant or careless, when in reality they give up because security is made too difficult to understand, or too restrictive to be productive. Some have a poor understanding of risk, which makes it personally acceptable for them to take shortcuts when the risk is considered low enough. We would like to increase people’s risk understanding by raising awareness and having employees undergo security training, but communication is not always effective and people may even end up getting annoyed by our recurring efforts.
Scientific research has shed some light on these issues, including a multi-disciplinary team of researchers lead by professor M. Angela Sasse at University College of London. Their findings include a theory on how emotions, along with risk perceptions, drive people’s security behaviours. Yes – people have feelings, and feelings in particular for security. This is not all bad, we know that feelings can be both positive and negative, and a positive attitude could translate into secure practice almost regardless of cost!
But the perceived cost of being compliant with security rules and advice is for many people a source of negative affect towards security requirements. Combine this negative security affect with bad risk perception, and the likelihood that people will stay secure is low. This is the case where people will default to the most convenient response to a situation, even if it involves risk. You may call this a lazy response, but it is not a matter of laziness as we usually consider it. Professor Daniel Kahneman at Princeton University actually named the brain’s fast system “lazy” for making quick emotional responses. In contrast, the brain’s slow system consumes more effort to make a cognitive judgement, which could improve risk perception, but requires intent and attitude to activate.
We therefore need those positive emotions in place, both individually and collectively, and I believe this requires a fair share of empathy from us security professionals. Empathy means getting into other people’s shoes, let them know we’re listening, and not judging their actions as misbehaviour. The good thing about positive affect is that it grows through empathy, and it opens people up to learning.
Have you tried asking your colleagues whether they would like to learn more about information security? If their answer is yes, then go ahead! But if they say no, it is pretty useless to keep doing the same over and over again. Instead, you must dig into why people have negative emotions, and why they do not want to learn. While there are many emotional aspects in life we cannot deal with from a security perspective, you’ll want to uncover friction related to policy and products – so keep on reading.
POLICY
One reason people do not want to learn, is that they do not believe security is their responsibility. While many consider security policies useful for the organisation in an abstract way, employees will not necessarily understand how it relates to their personal behaviour. That is, unless the policy conflicts with getting the job done, and negative feelings arise along with excuses for not following the rules.
This is where people will start improvising, and security suddenly relies on the employee’s individual risk understanding alone. And more importantly: When people start breaking rules, especially when they feel they are really just doing their job, it becomes easier to ignore the rules again. A process may look good on paper, but be completely offset in reality. The negative cultural effect must not be underestimated when people start talking about hopeless rules, hopeless security, and hopeless IT. Especially when everybody sees it, but nothing is done about it.
You could of course get rid of such employees, but they may very well be the most productive ones you have. And it wouldn’t fix the underlying problems. This is again where eye contact and listening with empathy becomes important. A dialogue is by nature a two-way thing, but all too often, security communication goes in only one direction. Have you tried asking your users if they knowingly break any security rules? Instead of annoying them with mandatory security training that they do not wish to attend, you should seek out their honest responses. You cannot reach them with cheap approaches like newsletters and e-learning, you simply need to get out there and talk with them. The cost increases, but that’s the price.
Building relationships with people in the organisation will help their understanding of risk and responsibility. It will also help you understand which practical challenges people face in their daily doings, be it related to security, or to IT in general. A security policy should be stated in a way which makes it socially unacceptable to omit. And products must then support the policy through functionality which makes compliance the easiest way.
PRODUCTS
I believe we must cover technology for more than just security in our strategy. IT products in general comprise the tools people are given to solve their everyday tasks. If a bad user experience ruins your day, you’re also less motivated to go an extra mile for security. We must always keep in mind that security is rarely more than a secondary task to users, but something to support our primary objectives. If the primary task takes all our energy, friction keeps people from doing the right thing. Constant quarrelling with systems and support does not create a good learning environment either.
Enterprise IT systems do not have the best reputation for being user friendly. Luckily, vendors have been improving user experience to compete with born-digital companies. There are many products around that are both secure, user friendly and good for business. Systems can often be improved through simple configuration settings. The trick is to know where the pain is, and again the answer is to talk to people. If the entire system is flawed, there may be better alternatives in the market.
Just like any change, it can be challenging to replace existing products with something better. But if there are risks involved, these are also manageable like any other risks. One way to deal with this in practice, is to do risk assessments of the user experience during your implementation project. Another key is to involve users in continuously improving the systems and policies. If someone flags a problematic area, make sure that they are taken care of and listened to. Do not punish people for reporting incompliance, but take advantage of their concern to improve the systems.
Finally, we have security products which do a great job in keeping the noise down for employees everywhere. After all, if we didn’t have spam filters, anti-virus or web browser security, people wouldn’t get anything done. There is huge value in security technology, and there are a number of innovative products that help reducing the risk for organisations of all kinds. We must keep automating what can be automated, because people’s efforts don’t scale anywhere close to machines.
But when technology falls short, secure practice makes the difference between success and failure.
PS: It is no coincidence that my company Secure Practice helps organisations with people, policies and products for security. If you are looking for some advice, drop us a line at [email protected]!