One of the small mercies of being a security consultant is that I’m usually spared the ordeal of attending information security induction sessions. Recently however I was asked to review the induction process for a European organisation. It was classic death by PowerPoint. It included organisational charts of the security function, strategic plans for ISO certification and pages and pages of security policy requirements. The conclusion of the session was a quiz on facts from the security policy.
Why do we do this? Why do we make people’s first contact with information security an ordeal for insomniacs? Consider that in people’s first week at a new job they’re usually nervous and on edge. Accompanying this will be elevated levels of adrenaline and cortisol (a stress hormone), which is not conducive to learning. In some ways we’ve picked the worst week to deliver training.
What is it that we’re trying to achieve with induction sessions? Is there a benefit to users being able to describe the organisational structure of the security department? Surely they only need to know how to contact the security department in the event of an incident? What benefit is there in users knowing the ISO certification strategy? These might be things we want to tell them, but do they care? As technical experts we seem to make the mistake of selecting the information we want to tell people, not the information people need to know or are disposed to listen to.
I’ll stick my neck out here and suggest that there are three key aims for an information security induction session:
- Helping users understand the overall importance of security in the organisation and what level of diligence is required
- Helping users understand how to obtain information about information security (not trying to cram the information there and then)
- Equipping users with the confidence to challenge unsafe work practices and report suspected information security incidents
To achieve these aims I’d start an induction presentation with a review of security incidents which have impacted competitors or comparable agencies. That takes care of why security is important for the organisation. Then, cover the organisation’s security contact points so users know what resources are available and how to find out more information.
But then how do you equip users with the confidence to challenge unsafe work practices? It’s difficult to change the behaviour of existing employees, but new employees are a golden opportunity. By default, new users normally just imitate the behaviour of their co-workers and conform to the corporate culture of their new environment. New users with strongly held convictions are a way to change the status quo. Arming people with the confidence to challenge the status quo by raising concerns or objections takes more than just sitting in on a briefing. It requires interaction.

I would divide an induction class into groups and ask each group to consider situations such as “your manager has just asked you to share your password” and “you’ve just seen a co-worker put a very sensitive document in his bag which you know wasn’t supposed to be taken off-site”. Since there is no right or wrong answer, people are much more likely to offer an opinion. Ask each group to consider what they should do and what they would do, in terms of what they feel comfortable with. The gap between what they should do and what they would do can then be discussed. It’s important to discuss why people respond the way they do: if you don’t know why, it is very difficult to manage the behaviour in question. You’ll probably find that in the course of these conversations you traverse most of the topics you would have covered with a factual PowerPoint anyway. The difference is that your audience will be awake.
Not challenging people without visible identification is a common problem, but we rarely stop to consider the reasons why. Are females less comfortable challenging strangers? Is physical safety a factor? What happens if the person you challenge turns out to be a senior manager who is offended? People need a chance to talk about these issues and discuss their concerns in order to deal with them. People have their reasons for tolerating the absence of identification; to manage them effectively we need to find out what those reasons are.
Published in the July 2012 ISSA Security Journal