Martin Ruskov: People follow examples, not advice
Posted: May 10, 2014
Interview with Martin Ruskov – Researcher in Exploratory Learning
Martin Ruskov recently completed his PhD on Educational Serious Games in the Information Security Research Group at UCL. As part of his research he developed a prototype for participatory information security, based on the Conjunction of Criminal Opportunity framework (a holistic crime prevention framework). The prototype is currently being used in graduate classes on security at UCL and Oxford University. Martin has previously worked in the broader field of interactive media and has been involved in teaching in leading organisations across Europe.
What problems do you see with human behaviour and security compliance?
People follow examples, not advice. In other words, for them it is important to see that management take security policies seriously by taking the lead in compliance, rather than only saying so and later circumventing them. This is a general management issue which was summarised very well by Chris Argyris for HBR in 1991, but there is growing evidence (as in the yet unpublished work at UCL’s Information Security Research Group) that this is an important issue and, subsequently, that the awareness and behaviour of management need to be addressed.
When management is compliant and transparent about it, the rest will follow. However, this is an expensive process, not only financially, but again in broader resources, with delayed returns.
Finally, people are inclined to seek easy answers. Unfortunately, reality is complex and very often a simple rule for how to handle certain situations cannot be written. The challenge is to find a balance between personal responsibility and judgement on one hand, and efficiency on the other.
Can game-based learning help to resolve this issue?
I am far from convinced that game-based learning is the way to address awareness and behaviour change at the level of senior management.
However, game-based learning and captology have suggestions that show how attention can be attracted, ideas can be explored, and potential solutions can be advocated and encouraged.
How can security awareness training be improved?
Complex issues require extensive discussion, and feedback about practice, in order to be grasped. It is my strong belief that these are activities that require a lot of effort on behalf of facilitators, trainers or lecturers.
I believe that a sensible way to try to optimise awareness training is to try to automate trivial issues when there exists the desired clear-cut yes or no answer, so that resources can be dedicated to lengthier and confusing discussions about complex topics.
How can the usability of security controls be improved?
This is a very difficult issue. Ease of use usually means less need for the users to deeply comprehend the underlying mechanisms. As an illustration we can use personal computers, for example the usability paradigms in the OSX vs Linux operating systems. Whereas OSX has always had the coolest interfaces, presets and skins, it leads people into an Instagram-like mainstream fashion where superb content can be produced with minimal effort. Linux, on the other hand, gives users complete control. This leads on one hand to a much higher threshold to entry, but on the other to much more experimentation and learning in the process of doing. Ideally we would want professionals (in this case CISOs, and information security officers in general) to be able to work out everything themselves, but in fact we can rarely afford the necessary resources (e.g. time and money) for that. Academia takes this approach – both in mathematics and project management many professors would ask students first to work out a method by hand before they engage with the tools that automate it, but again with academia one of the biggest challenges is that the curriculum is overloaded and not flexible enough to meet new challenges.
How should companies change their approach to information security management?
I believe a continuous iterative approach would provide valuable insights into the issues in context. Information security is an arms race between attackers and preventers. It is difficult to involve employees who have other primary tasks in it, but security managers should be ready to accommodate contributions from volunteering employees. It is much more productive and efficient to collaborate with the people willing to engage, which would hopefully lead to wider engagement from others. Hopefully such an approach would lead to a broader awareness culture among employees, while still maintaining their focus on their main professional goals.