Author Archives: enicaise

If there was only one, what would be the security behaviour change you’d like to see?

If you have a very limited budget and you can only focus on one security awareness activity focused on the message, on one behaviour, what would it be?

Tough question. It was asked by Dr Jessica Barker during the last (ISC)² Secure Summit in Amsterdam. There were hundreds of security professionals in the room. The answers were quite classic at the start: passwords, phishing, trust, and so on.

The best suggestion, from my point of view, was this one: Ask for help!

Too often, users don’t ask for help. Likely because they don’t want to lose time waiting on the line while calling the helpdesk, or they don’t want to look stupid (and there are probably many other reasons, or a mix of them). But security has become an increasingly complicated matter over the years. Hoping our end-users will become better than, or as good as, security professionals might be wishful thinking (although in some cases, average users are better than most security professionals at some security-specific tasks; I’ll come back to that another day).

So “Ask for help” is the most reasonable action to ask of our users. It is something they can easily understand, it covers a wide range of situations, and it will probably improve your reaction time and decrease the number of incidents.

Of course, you need to make it easy (a simple phone number, an easy-to-remember email address, one button to click in an email to report a phishing attempt), responsive (people don’t like to wait) and nice (you don’t like it when the person on the line makes you feel like a fool).

Think about it. It might be a good start for a more human-centric security (hence more efficient and cost-effective).

How do penalties affect your security policies’ effectiveness?

One of the requirements of any decent policy (and law) is having a penalty linked to non-compliance. In penal law, “Nulla lege sine poena” (no law without punishment) is one of the corollaries of the famous principle “Nullum crimen, nulla poena sine lege” (no crime, no punishment without a law).

From a behavioural point of view, it is often more efficient (and more humane) to use the carrot (and even more the intrinsic motivation to do things right) instead of the stick. However, knowing there is a stick helps give the rule some consistency, some consequences. So, when we are drafting policies, we always insist on the necessity to clearly define the consequences of any non-compliance with the rules. Organizations may be fined for it, so should their employees.

It’s often a difficult part of the policy drafting process, especially in a large organization, as we must find a proportionate response and it must, in some countries, be negotiated beforehand with trade unions and social partners.

But there is more to say about it. First, the consequences mentioned are quite often individual ones: loss of privileges, impact on financial bonuses or removal from office. However, there is more to it. Breaking rules can lead to huge monetary losses for the organization, resulting in cost-cutting and colleagues losing their jobs, putting families in financial and personal difficulty. It’s a bigger picture: it’s not a systematic consequence, although more likely than ever; above all it is a foreseeable consequence that might trigger a stronger emotional response than the prospect of the person’s own demise (although it might have the opposite effect if the person has a grudge against the entire company, including its workers). Emotions drive our choices more than rationality does.

The second point is that it must be fair. As suggested by Herath & Rao (2009), punishment that is too severe will have an adverse effect and increase the likelihood of the infringement. This effect is likely similar to the one observed with the pictures of diseased lungs on cigarette packs: they tend to increase the consumption of cigarettes (mostly among young adults and adolescents).

The third point is that the rule must be the same for everybody, in theory and in practice. So, we must ensure that we can systematically detect these infringements (see Herath & Rao, 2009) to increase compliance.

But how often do we see people in the organization breaking the rules willingly without any consequence? Sometimes because this person is an expert in his/her field and we believe we need his/her knowledge too much. Sometimes it’s for some internal political reason. Sometimes because (s)he’s a relative of someone high in the food chain. Whatever the reason, this is not fair and it has a huge impact on the behaviour of your employees. Worse, it becomes part of your culture, and that is something you will have a lot of difficulty changing afterwards.

So, mind your punishment twice.

User-Interface design: an overlooked security matter

Human error is one of the most overlooked threats to most IT systems. A low level of user acceptance of the security features can be one of the most challenging parts of the transformation of a company into a secure organization.

KISSS: Keep it Simple, Stupid and Sexy. The last S in this new version of the old acronym comes from Laurence Vanhée, Chief Happiness Officer. Can we make people happy with security? Why not?

Tech companies invented the WAF, the Woman Acceptance Factor. This factor was defined to predict whether women were ready to accept the purchase of a new home appliance (Smart TV, and so on). The main factors were usability and attractiveness. That is when the “girly” versions of a lot of appliances and the simplified versions of remote controls appeared. Not that women aren’t capable of using complex systems; they just don’t want to bother with useless complexity. And I don’t think it’s a “woman” thing. We all do, eventually. But in security, we tend to forget that we need to convince our users to be more secure.

Darin Senneff, a creative user interface designer from New York, has created and shared on Codepen a very nice user login interface that should inspire other website designers.

https://codepen.io/dsenneff/pen/2c3e5bc86b372d5424b00edaf4990173

As you can see, the nice gorilla avatar changes its behaviour as you type your email and your password. One could add some new behaviour when the password is not strong enough and some other (positive reinforcement) when the password reaches a certain level of complexity. Such an interface will likely be a more effective reinforcer of security-aware behaviour than just a message, as it provides a sense of peer pressure and fun, leveraging security without the fear and stress factors.

Darin shared the code on Codepen. Get inspired, use it, improve it.