IT security managers need to understand the psychology of IT users to manage risk, says David Lacey, an independent security researcher.
Very few IT security managers are successful in managing the human factor in information security, he said. They tend to create a blame culture, but this does not work and often makes the situation worse.
"Blaming individuals is the worst thing to do," said Lacey. "It makes everyone terrified of making a mistake and leads to a lie culture."
IT security managers should learn from the safety industry, which realised decades ago that incidents are caused by a combination of factors and not by individuals, said Lacey.
They should monitor every incident and then analyse the causes to improve security rather than waiting for a major incident and then pinning the blame on an individual in a knee-jerk reaction, he said.
"Instead, IT security managers should create a blame-free culture in which people report and admit problems they are having," said Lacey.
Most IT security managers fail to exploit the knowledge of end-users to help make decisions, find out the status of security, and identify where things are going wrong, he said.
Another common failing, said Lacey, is that even if IT security managers realise the need for security awareness programmes, they lack the skills to understand and change user behaviour.
They should, therefore, enlist the help of psychologists to understand what influences people's attitudes and create policies that will encourage good security practice.
IT security managers should also enlist the help of journalists to write those policies in a way that is easy for end-users to understand.
"They should not try to do something they do not have the knowledge or the skills to do, but it does need to be done," said Lacey.
Building on his new book "Managing the Human Factor in Information Security," Lacey will explain the nature of people and networks in a presentation at Infosecurity Europe 2009 at Earls Court in London on 29 April.