I had a very strange encounter with a PCI auditor recently. On viewing my client’s security awareness portfolio he refused to sign it off as meeting PCI requirements because it didn’t cover ‘everything’. It got me thinking. There are two schools of thought when it comes to communicating risk. The first is the comprehensive approach, where all the facts are presented. As part of this mindset, most organisations require their staff to read and agree to a security policy which is usually long and written in formal, contractual language. The majority of employees probably only skim their security policies, and even if they did read them in full, would they understand them? Information security can be difficult to understand at the best of times without adding the additional complexity of overly formal and legalese phrasing. The Pareto Principle, or 80/20 rule, suggests that only a small percentage of content really matters, but the comprehensive approach usually means hiding it in a haystack rather than bringing it to a user’s attention. The main benefit of the comprehensive approach is that it maximises an employer’s capability to institute dismissal or disciplinary action against employees who have breached the policy. It also allows them to say that they have achieved regulatory requirements for areas such as PCI, even if it means pulping the Amazon twice over.
The other approach focuses on comprehension, which means helping an audience understand the key points that they need to know. Just as user journeys on websites are optimised, think of the same approach for information security policy. Instead of telling people a mix of things they already know, things they need to know and things they won’t understand, you focus on the key points that help shape their decision making.
For many years privacy notifications followed the comprehensive approach, and it was common to have many thousands of words of text that people were expected to scroll through in a small window in order to ‘understand’ the privacy expectations of a given service. It was enough to be able to say “We told you”; whether it was understood or not didn’t matter. For example, Paypal’s terms and conditions are longer than Hamlet. It’s hardly a surprise, therefore, that users didn’t bother reading them. Online games retailer Gamestation changed their terms and conditions to include the customer selling their eternal soul, and not one of their customers noticed. Terms of Service: Didn’t Read is a project run by Hugo Roy with the aim of shaming companies with demonstrably poor terms of service. According to Hugo in an interview with the BBC, if you actually sat and read all the terms for the services you typically use online it would take 76 business days.
The approach to privacy notifications appears to be changing. Where once it was acceptable to present long-winded and complex notifications, guidance from the United Kingdom’s Information Commissioner’s Office (ICO), which is responsible for the enforcement of the Data Protection Act (DPA), now makes it clear that this is inadequate: “A privacy notice should be genuinely informative…A privacy notice that is legalistic or drafted with the primary objective of indemnifying an organisation is unlikely to achieve this objective.”
So what does this mean for information security practitioners? An information security policy has many goals: user influence, user engagement, regulatory compliance and the ability to dismiss or discipline staff who breach the rules. It’s clear that the comprehensive approach only covers the last two of those objectives. If user influence and user engagement are important to you, then you’ll need to routinely summarise the key points for your audience in addition to making the full policy available.