The Information Security Forum (ISF) has designated 2008 the "Year of Security Awareness", but saying something new can be tricky. Here Rob Hadfield, a security awareness specialist for ISF member British Airways, shares his struggle for inspiration
Another identikit hotel room - I know the layout with my eyes shut. The desk will be five steps to the right. The TV remote control will be on the pillow and there will be 16 channels to watch, none of them interesting. In the bathroom there will be a hair-dryer hovering menacingly over the sink, a small bar of lovingly wrapped triple-milled soap (whatever that means) and, curiously, a shoe-horn.
And tomorrow, another conference - where I am expected to offer new insight into security awareness. Hasn't it all been done by now? After 20 or so years of telling people not to share their passwords, can there really be anything new to say? And why do they still do it? I really don't know what I am going to say.
Still, at least the restaurant was good last night. I'd never eaten kangaroo steak before - very nice and very tender.
And in the night it came to me - and it saved my presentation. It was the kangaroo that did it, and here is that story.
The story of the suicidal kangaroo
Researchers at an Australian university have been studying the behaviour of the western grey kangaroo (Macropus fuliginosus) and, in particular, road-related deaths of that species.
Road deaths are common among kangaroos because they often try to cross busy roads near major cities. They are also a hazard to drivers, because hitting a 50kg animal causes major damage to a car. By studying the behaviour of the kangaroos, researchers hope to reduce both traffic accidents and deaths of the animals.
Over a 12-month period, researchers have noted that kangaroos can acquire a learned behaviour at road junctions.
Typically, a younger kangaroo (a joey) will approach a road and simply hop across it, with no regard for traffic. The incidence of road death among joeys is high.
However, more mature kangaroos exhibit different behaviour and will hop up to the edge of a road, stop and look both ways for traffic. If there is traffic coming, they will wait for it to pass and then hop across the empty road. The incidence of road deaths among more mature kangaroos is low.
About 20% of the more mature kangaroos exhibit yet another behaviour. These animals will hop up to the edge of a road, stop and look both ways for traffic. But if traffic is coming, they will hop across the road regardless. Needless to say, road deaths are common among this 20%.
Researchers have been unable to explain why mature kangaroos show this behaviour. The animals are clearly aware that roads and cars are dangerous, but still continue to cross when there is traffic coming. Researchers have termed this behaviour "suicidal kangaroo syndrome".
So how is the story relevant to information security awareness? And how can it help awareness programmes be more successful?
The story illustrates that, out of a given population, there is likely to be a significant percentage who will understand that certain behaviour is dangerous or inappropriate, but will do it anyway - the suicidal kangaroo syndrome.
If you consider the employees among whom you are trying to increase awareness and change behaviour, there is likely to be a significant percentage who will understand your message and see that certain behaviour is inappropriate, but will continue - or even start - to exhibit that inappropriate behaviour.
In such cases, this percentage of employees will have acquired the awareness, but will not have made the link to a change in behaviour. These people are resistant to behaviour change and no amount of training, action or encouragement will make them alter their behaviour. They are the suicidal kangaroos in your organisation.
To ensure the limited budget for your awareness programme is spent wisely, you should:
1 - Identify the suicidal kangaroos in your organisation. Typically, resistance to behaviour change is related to a particular culture, so you may find that a particular department or function with distinctive cultural norms is resistant to behaviour change. Experience from running previous awareness programmes may also give insight into where programmes have had least success.
2 - Avoid wasting your money on suicidal kangaroos. You will never change the behaviour of suicidal kangaroos. Of course, you do need to make them aware of what good behaviour is. But for this population, reduce any investment in running awareness programmes to a bare minimum.
3 - Consider the risk posed by suicidal kangaroos. If the identified population has no access to valuable or confidential information, then the risk of causing harm may be lower than if they regularly deal with high-value information. The approach taken in the next step should reflect this context.
4 - Implement compensating controls for suicidal kangaroos. For the identified population in which you are likely to see a high incidence of inappropriate behaviour, you should consider adopting compensating or stronger controls, according to the harm they could cause.
Does this analogy work? Well, it saved my presentation. It is easy to engage people in the story of the kangaroos, and it is memorable. The story has been told around the world and it may be spurious or even inaccurate, but it does make the point, which is this: awareness and behaviour are not the same thing. It is much harder to change behaviour than raise awareness - just ask a kangaroo.
Rob Hadfield told this story to Andy Jones, a senior research consultant with the ISF. The ISF, a not-for-profit association of more than 300 international organisations, has designated 2008 as the "Year of Security Awareness". ISF members fund and co-operate in leading-edge research and the development of practical, business-driven solutions to information-security and risk-management problems. Over £50m has been invested to create a library of more than 200 authoritative reports, along with information risk methodologies and tools, that are available free of charge to ISF members.