A few weeks ago I did a presentation at the Information Security Forum (ISF) Irish Chapter event entitled “Implementing a Security Awareness Program”. I have posted on this topic before (here), but this presentation went to the next stage of the program I have implemented by looking specifically at behaviour change, in the context of the content of the ISF’s paper “From Promoting awareness to embedding behaviours”. As such, it represents some industry best practice in this area of which I have recent experience.
There are four general areas that my program has focused on to embed a change in behaviours:

1. Develop a risk-driven program. By clearly linking your program to business requirements with clearly defined risks, I have found it much easier to get traction with the program. People really listened because my program was designed specifically to mitigate a risk they had. This was the biggest lesson I have learned in the last year, and I would say it is a priority for behaviour change (as well as culture change).
2. Target behaviour change. There are a number of aspects to this from my experience:
· Provide people with the skills and assets they need. Make it easy for people to learn and understand by providing content in a variety of formats, as people learn in different ways. This can include eLearning, social media, webinars, newsletters, face-to-face training, infographics, competitions and everything in between. One I have not tried yet is gamification, but this does not fit every organization; it depends on the culture.
· Get leaders to demonstrate the right behaviours. This is very powerful. I have been lucky enough to see leaders in my organization ‘walk the walk’, and people see that it is something to take seriously.
· Empower people. Make it clear that people are responsible for protecting their data. Your job is to provide them with the understanding and the tools to do so, and then let them get on with it. I have found that making clear what the best advice is works; the issue I have found is that quite often you have to remind them (unfortunately).
3. Set realistic expectations.
· True behaviour change takes time. I am still on the journey. By all means be ambitious, but be realistic with your leaders about what can be done in any defined period.
· Whatever is in your plan, take time to course correct. The environment is constantly changing, and so the risks change. Ensure your program of change is flexible while you monitor the environment.
4. Engage people on a personal level. This is a very interesting area, and there are several aspects I have found useful.
· When training people, make the training relevant to their role. Provide examples of breaches and incidents that have happened in their function (or in their area of work at other companies). I have found this really brings the training to life for people.
· Highlight to people how they can protect themselves and their families at home (e.g. shopping online, protecting their children, home router security configuration). I have had great feedback indicating that when people follow this advice at home, they bring those security behaviours into the workplace too.
· When developing your behaviour change program, bring in the right skills. Don’t rely solely on information security staff (geeks or otherwise). I have sought help from comms people, HR, training personnel and design gurus to ensure the content is right-sized for the audience. And don’t forget the end user: road test your content on them to constantly drive improvement.
· Develop a network of information security champions. They act as ‘change accelerators’ to rapidly drive behaviour change locally, in whatever language and format is appropriate in each location, making it relevant for the people there. This will likely be the subject of a future post, as I have seen some fantastic people drive real value in this network.
· Reward and recognise good security behaviour. This helps people copy the behaviour and normalizes it. This can happen as part of competitions, or even by recognising who reports a phish first. Make a big deal of this behaviour and make it visible. I have had very positive feedback from this activity.
I would be interested to hear if anybody has used any of these ideas in their organization. And I’m particularly interested to hear if there are other methods of behaviour change people have used.