Security awareness: a short step in a long journey

Yesterday I was fortunate to attend Martin Smith’s Security Awareness Special Interest Group. It was a sell-out event at BT Centre in London with close to a couple of hundred attendees from across the public and private sectors. Martin has done a tremendous job in recent years in organising security awareness services for large organisations, especially in the banking and communications sectors. Ten years ago, few companies were interested in this area. Now it’s become one of the hottest topics in security. It’s great to see such a high level of interest. But it’s also clear that we have a long way to go to get it right.

All security managers wish to raise their game substantially in this area. Unfortunately, few of their organisations are ready to listen. The spirit might be strong but the budget is weak. The exception, of course, is the select group of organisations who’ve been hit by a large data breach, where the knee-jerk response is an expensive, short-term change programme. Ideally, such efforts should be more evenly distributed. No enterprise is an island. Large organisations rely on dozens of tiers of business partners and contractors, not to mention the cooperation of millions of customers. Education is a community issue. We’re all in it together. 

A further problem is a widespread failure to learn from the safety field about how to prevent and respond to incidents. Security is many decades behind the safety field in understanding how to manage risks. The typical response to a security incident is to select an appropriate neck for the chopping block. That approach breeds a damaging blame culture which discourages teamwork, risk-taking and reporting, as well as failing to address the root causes of the incident. In fact, most incidents are not caused by a single person or action. They are the result of a large number of bad practices, encompassing policy, training, system design, supervision and everyday unsafe acts. And it’s often the best performing staff who make the most mistakes because they will work harder, faster and longer than their lazier, risk-averse colleagues. Aviation safety focuses on eliminating bad practices and root cause analysis of near-misses and incidents. Planes don’t just fall out of the sky in the same way that data regularly goes missing.

A third issue is the lack of psychology applied to the solution space. Security managers talk about winning hearts and minds, but they have yet to identify many positive motivators. Punishments are the easy way out. They are easier to identify and quicker to implement. But they’re much less effective in a modern empowered organisation. Negative incentives only work when you’re constantly watching your staff, and most will not apply to contractors.

A fourth issue is the lack of sophistication and stickiness in the design of educational material. Best-practice leaflets in the security field are not great, they’re just better than most other people’s amateur efforts. Designing compelling methods for communicating messages and influencing attitudes and behaviour is a rich science that’s rarely applied properly. The last time I saw this done properly this was in the early nineties at Shell where we drew of the experience of behavioural psychologists and ex-Saatchi creative teams.

Martin Smith also hits the nail on the head when he says that the true size of your security department is the extent of your enterprise. So far we have failed to recognise and exploit such network effects. The security community need to look outwards and learn how to do this, to steal ideas and methods from other functions and sectors that have succeeded in creating large scale behaviour change. Marketing, for example, is a good field to draw on. Criminology is another. As I’ve often said, these days we can learn more about security from a psychologist than a technologist.