What do air disasters and password policies have in common? They were both the subject of anecdotes at last night's IISP lecture on “Security awareness – promoting long term behavioural change” presented by Martin Smith of The Security Company.
Martin was making the point that everybody in an organisation is a stakeholder in information security, and that most businesses are rubbish at getting the right messages across. A copy of the employee handbook, a leaflet and a poster saying “Be Secure” with a picture of a padlock on it do not make for an effective and meaningful security awareness program.
The point was that we need to emphasise messages in terms the business understands. For example, if you lose a pound then that’s one pound profit gone which probably took ten pounds revenue to generate. Therefore you need to make another ten pounds to make that same pound profit back. In fact, you need to make twenty pounds because the first ten now only covers your original loss. Make sense?
The password anecdote related to an organisation that fired somebody because he intentionally shared his password with a colleague to, apparently, facilitate a business-related task. I can’t vouch for all the facts, but certainly strict and dogged adherence to policy is not always effective. Beat employees up with too big a stick and you’re likely to end up with lots of disgruntled employees who care little for your security regime.
The air disaster was an example of how lots of seemingly unimportant events (lots of little chickens) came together and resulted in a mid-air collision (the crocodile). At any point prior to the incident, somebody should have either raised issues or adjusted their behaviour. Human factors caused the disaster, not technology. It’s an all too real example highlighting the fact that not one single recent data breach has been because of a technology failure. It’s human factors each and every time.