Security, like news, is sexy when it's sensational: the hackers are coming, the country will succumb to cyber attack any day now, and anyone can steal your identity. But how many people have given their password some real thought, other than "it's too complicated to memorise and change", or "those people in IT, what torture have they invented now?" writes Ionut Ionescu, director of security services EMEA at Nortel Global Services.
In a company, the cost of security is felt by everyone individually, while the benefits are not always clear to the individual and accrue to the whole community. The cost may seem large to the individual who is asked to change their password every six weeks, for example, but the loss the company suffers in a security breach could be several orders of magnitude larger.
Information, depending on the medium it is recorded on, can be duplicated or changed with various degrees of ease. Its value can be so big that losing it may lead to the company going bankrupt. Its value could be greater for a competitor than for its rightful owner.
One has to consider how easily it could be used by someone else, how much the company stands to lose if it no longer had it, or if it were corrupted. In most cases the cost is higher still if the company does not know that information about its business has been stolen or corrupted. But we do not think about these things when we log in to our computer at work. Most of us have no interest in computers; we just want them to make our jobs easier.
So, how do we help people appreciate the economic benefits of good password practice? We have to make them care. We should communicate the value of this good called information and offer positive incentives that are meaningful for the employees.
Mandating that everyone attends information security awareness training and changes their password every so often is only a start. We could apportion the cost of a security breach to the specific department whose employee chose the weak password that allowed it. We could reward employees who choose strong passwords and do not divulge them to "researchers" tempting them with a box of Belgian chocolates. We could reward whole departments with better security practice with guaranteed higher bandwidth on the firm's internet connection, or with faster print turnarounds, and so on. We could celebrate the employees who "get it" and make them security champions, awarding them a weekend break for two at the firm's expense (a clear economic benefit accrued to an individual).
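Rewarding people for strong passwords raises a practical question the column leaves open: when can the company actually judge strength? Once a password is hashed there is no way to score it short of cracking it, so the assessment has to happen at the moment the password is set. The check below is an added example, not code from the article or from Nortel; it runs at password-change time, before hashing, and combines a naive brute-force entropy estimate with the two checks that catch what entropy misses: a breached/common-password list (after undoing "leet" substitutions and trailing digits) and keyboard walks. The ten-entry common-password set is constructed for the example; a real deployment would load a large breached-password corpus. The 12-character and 50-bit thresholds are assumptions, not a standard.

```python
import math
import re

# Constructed sample of a banned list. A real checker would load a large
# breached-password corpus (assumption: such a list is available to it).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "football", "monkey", "dragon", "iloveyou",
}

# Rows of a QWERTY keyboard; any 4-character run, forwards or backwards,
# counts as a keyboard walk (e.g. "qwer", "asdf", "4321").
KEYBOARD_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Heuristic de-leeting map so that "p@ssw0rd" is compared as "password".
LEET_TABLE = str.maketrans(
    {"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "!": "i", "5": "s"}
)


def _charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker would have to try."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def _normalise(pw: str) -> str:
    """Lower-case and undo common leet substitutions for dictionary matching."""
    return pw.lower().translate(LEET_TABLE)


def _has_keyboard_run(pw: str, min_len: int = 4) -> bool:
    low = pw.lower()
    for run in KEYBOARD_RUNS:
        for i in range(len(run) - min_len + 1):
            seg = run[i:i + min_len]
            if seg in low or seg[::-1] in low:
                return True
    return False


def estimate_entropy_bits(pw: str) -> float:
    """Naive brute-force entropy, log2(charset ** length).

    This is an upper bound: it assumes every character was chosen uniformly,
    which is exactly what human-chosen passwords do not do.
    """
    if not pw:
        return 0.0
    return len(pw) * math.log2(_charset_size(pw))


def check_password(pw: str, min_bits: float = 50.0) -> tuple[bool, list[str]]:
    """Return (accepted, reasons). Run at password-change time, before hashing."""
    reasons = []
    # Compare both the de-leeted form and the form with trailing digits dropped,
    # so "P@ssw0rd1" and "password2008" both match "password".
    candidates = {_normalise(pw), _normalise(re.sub(r"\d+$", "", pw))}
    if candidates & COMMON_PASSWORDS:
        reasons.append("matches a common/breached password (after de-leeting)")
    if _has_keyboard_run(pw):
        reasons.append("contains a keyboard walk (e.g. qwer, 1234)")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    bits = estimate_entropy_bits(pw)
    if bits < min_bits:
        reasons.append(f"estimated {bits:.0f} bits, below {min_bits:.0f}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "qwerty123", "correct horse battery staple"):
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} {why}")
```

The instructive case is "P@ssw0rd1": four character classes give it about 59 bits by the naive estimate, which most complexity rules would wave through, yet it is rejected because it de-leets to a word on the common list. That gap between apparent and real strength is why a reward scheme needs the dictionary check and not just a character-class rule.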
Economically speaking, we could create internal competition to improve security in a company.
But perhaps that would be too much of a paradigm shift for the majority of businesses, which see IT (and security) as a cost. Right now, security departments use too many negative incentives, telling people what they cannot do, and blocking initiatives.
My guess is that security will improve much more quickly and remain strong for longer when people understand the trade-offs, including the impact on their job. Anyone ready to start next Monday morning?
About Computer Weekly's Security Zone
Security Zone is a bi-weekly series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)2.
This was first published in February 2008