Improving security culture by stopping toxic behaviours

Lately, I’m witnessing a lot of toxic behaviours that prevent my clients to improve their human security posture. Toxic behaviour are not bad behaviour per se but behaviours that act against your security culture and awareness campaigns.

Let me give you a few examples:

  • Internal website use non-recognized SSL certificates while you try to educate your staff to distrust non-SSL and badly signed websites
  • The company is using external email addresses for official internal communications or actions (like for surveys, training, HR, and so on) while you try to make people to be warned by such kind of emails
  • The company is using a zilion different domains for their internal and external website(s) while you try to educate people to recognize the good one(s) from the bad ones

Rings a bell? All these “accepted ” deviation to the common sense and usability makes it even more difficult to educate your staff and change their behaviour. It is like trying to explain the principle of a good diet to your kids while eating a big donut and giving them candies. It’s like slapping their hands when they do something wrong but forcing them to do it so they can do their jobs. In psychology, we call that a double bind and it is believed to be at the source of some psychological diseases. So, imagine what it does to your staff and how adverse it can be to your attempt to develop a positive security culture.

So, should we put a focus on getting rid of toxic behaviours first? I think so. Do you?