The landing gear light indicated a problem. The captain, first officer and flight engineer of Eastern Air Lines Flight 401 tried to figure out what was wrong. They removed the light assembly and the flight engineer left his position to go to the avionics bay and investigate. They were so preoccupied with a burnt out…Details
How frustrating is it when you point out the risks to people and they just don’t listen? Every day around the world there are millions of people who smoke, drive too fast and click on strange emails, even though they’ve been repeatedly told about the dangers. They are ‘risk aware’ in the technical sense of the word and yet their behaviour continues. This is a big problem since the mainstream approach to security awareness assumes that all that’s needed to achieve behavioural change is an understanding of the risks. Traditionally when encountering non-compliant behaviour, we security technocrats reiterate the facts and increase the threat of sanctions. But, there is another way.
Luckily for us this is a problem that safety risk communicators have been grappling with for decades. The safety risk communications field has a number of explanatory frameworks to predict how people will react to risk communications. One of the most interesting models to arise is the Extended Parallel Processing Model (EPPM) which seeks to explain why people fail to take action once aware of a threat. This is a goldmine for security professionals looking to apply a more structured, formal approach for promoting behavioural change.
We spend a lot of time talking about how to raise security awareness. We fill entire books, columns and conferences with it. However, anything that can go up must also go down. How about we turn the phrase on its head and ask what lowers security awareness? Just as there are behaviours that raise security awareness there are also some that lower security awareness. But what can we do about it? Name and shame was an important step in getting software vendors to deal with security vulnerabilities in their products. We should be equally critical when human vulnerabilities are created through the promotion of unsafe attitudes and behaviours. In this column I’m going to name and shame particularly egregious examples which I think reduces security awareness.Details
There’s no denying that some people are impervious to our attempts at security awareness and refuse to listen to warnings or instructions. There is a temptation when things go wrong to label such people as ‘bad apples’. I think that this saying is overused. Originally, the expression ‘bad apple’ referred to a rotten apple in a barrel that would spoil the good apples. Usage of the phrase has changed and its now often used to explain failures of scale. The perception is that when there are many apples you have to expect some of them to be bad.
I often hear the phrase used when a governance failure is attributed to human mistakes. Frequently however, I think the phrase bad apple is a convenient cover for poor management where processes and procedures were badly designed or supervised. The bad apple narrative can suit prejudices of humans being a weak link and any narrative is more comforting than no narrative at all. However, bad apple narratives rarely withstand serious scrutiny.Details
Here’s a trivia question for you – how did President George Washington die? No points for anyone who thought he died in battle, fell from a horse or was poisoned. Actually, he had an infection and suffered massive blood loss. Why he suffered massive blood loss is fascinating. For thousands of years people were convinced that blood could become stale and that ‘bad humours’ could cause illness for which bloodletting was the solution. When Washington became sick, his staff did the natural thing at the time and bled him. When he didn’t improve his staff bled him some more. Then the doctor was called and when he arrived Washington was bled again. All told, Washington lost some 6 pints of blood in a 16 hour period. He had a severe infection to be sure, but it’s likely that the massive blood loss significantly contributed to his demise.
Sometimes, how we define a problem limits our ability to solve it. Innovation counts for nothing if the approach itself is the problem. Physicians focused on how to let blood more effectively for thousands of years. Elaborate rituals developed to define where on the body blood could be taken from to fix specific aliments. Contraptions such as scarificators were invented to help people administer their own bloodletting – you didn’t have to visit someone to get them to do it for you (ever wondered what the red on a barber’s pole stood for?).Details
Whoever said that there’s no such thing as a stupid question, only a stupid answer, has probably never seen a feedback survey for security awareness training sessions. Questions such as “Did you learn anything?” and “Do you feel more secure?” are as common as they are idiotic. I guess its largely shaped by the motives of who is asking the question. The trainers involved are primarily interested in demonstrating that they are good trainers and questions are designed to elicit complimentary feedback. Feedback surveys are a great chance to obtain valuable feedback, but only if we’re asking the right questions.
In this column we’re going to look at training feedback surveys in more detail. Getting useful feedback from training sessions is challenging, but not impossible. For a start, you need to be aware of people’s biases. Surveys measure ‘declared preferences’ since they rely on people expressing their views. While easier to gather, declared preferences have inherent biases that need to be acknowledged and allowed for when interpreting the results. ‘Revealed preferences’ are what people actually do but measuring what people do accurately and efficiently can be difficult especially if people know they’re being observed. Here are some suggestions for allowing for people’s biases while obtaining reliable survey data.Details
A good information security policy is normally the starting point when promoting security awareness. However, organizations often implement policies in very different ways. Surprisingly, despite security polices being common practice for decades, we still have trouble agreeing what a good security policy looks like. Too long, too short, too dictatorial, too polite. It’s a subject…Details
If your organisation was an animal, what would it be? Is your organisation a risk taker? Short sighted? Perhaps it’s slow to react? I’ve worked for elephants, giraffes and even a hyena. Animals and organisations both have their behavioural quirks and ways of optimising their survival chances in their particular environment. However, what worked in the past isn’t always the best survival tactic in the present. Sometimes organisations need to adapt due to factors such as customer demand, regulatory changes or new environmental risks. Behaviours adopted in the mistaken perception that they are helpful can even be self-harming and may need to change.
Last month we discussed information security culture and the shared underlying unconscious assumptions of staff that frame it. This month we talk about how to go about trying to change security culture. Changing the culture of an organisation can be a significant challenge and I’ve seen many efforts fail.
There are three things you need to know before you start. Firstly, you need to identify what problematic behaviours exist. Secondly, you need to understand what beliefs, attitudes and unconscious assumptions are enabling them. Thirdly, you need to know what cultural values you’re aiming for to re-align the organisation’s behaviour towards it’s key goals. Potentially, this means the ‘un-learning’ of one set of beliefs and the learning of a new set.Details
As I escorted him to his desk I became conscious that everyone was looking at me. I did all the usual self-checks of fly, food on face and freaky hair but came up negative on all counts. When someone had tailgated me through a secure door I had challenged them. Rather than leave them outside when they didn’t have their pass with them I offered to walk them to their desk. I found his manager who told me with an expression more serious than a budget facelift: ‘Yes, of course he works here – he’s hardly here for the view’. What had encountered amongst the engineers at this small satellite office was a very different security culture than what I was used to with my head office, ivory tower view of the world. The culture that I had encountered worked on high levels of trust. They all trusted Dave so couldn’t understand why I didn’t (even thought I’d never met him). I less than a block from the head office of this organisation and yet the security culture was completely different. For me, the experience was an eye opener that effort is needed to understand not just if people are following security policy but the extent to which policy is reflected in security culture.Details
A common objective of information security awareness is to encourage whistleblowers to use internal mechanisms to report their concerns. External whistleblowing and the airing of concerns in public view risks brand damage and exposure of sensitive information. The Snowden affair has shown how divided we are on the ethics of external whistleblowing. To date, much of the debate has been speculation about Snowden’s character flaws. Sometimes when trying to understand a controversial decision such as Snowden’s it helps to understand the chain of events leading up to the decision since failures in complex systems can rarely be given justice in a single newsbyte. In this case there are a series of failures that occurred prior to the employee of a subcontractor deciding to flee the country and leak sensitive information to foreign journalists:Details