I’ve been invited to talk about human aspects of security at the CyberSecurity Talks & Networking event. The venue and the format allowed the audience to participate and ask questions and we had insightful discussions at the end of my talk. It’s always interesting to hear what challenges people face in various organisations and how a few simple improvements can change the security culture for the better.
My book has been nominated for the Cybersecurity Cannon, a list of must-read books for all cybersecurity practitioners.
Review by Guest Contributor Nicola Burr, Cybersecurity Consultant
Offer ends 30 November 2016.
I’ve been asked to share my views on creating a security culture at the workplace with The State of Security.
I believe the goal is not to teach tricks, but to create a new culture which is accepted and understood by everyone. In order to effectively do so, messages need to be designed and delivered according to each type of employee: there is no such thing as a one-size-fits-all security campaign. Questions that must always be answered include: What are the benefits? What does it matter or why should I care? What impact do my actions have?
Security campaigns must discard scare tactics such as threatening employees with sanctions for breaches. Campaigns should be oriented towards the users’ goals and values, as well as the values of the organisation, such as professionalism and delivery.
A security campaign should emphasise that employees can cause serious damage to an organisation when they engage in non-compliant behaviour, even if it appears to be in an insignificant way. They should understand that they are bearing some responsibility for the security of the organisation and its exposure to risk.
Furthermore, the entire organisation needs to perceive security as bringing value to the company, as opposed to being an obstacle preventing employees from doing their job. It is important for employees to understand that they contribute to the smooth and efficient operation of business processes when they follow recommended security practices, just as security enables the availability of resources that support these processes.
In order to reduce security risks within an enterprise, security professionals have traditionally attempted to guide employees towards compliance through security training. However, recurring problems and employee behaviour in this arena indicate that these measures are insufficient and rather ineffective.
Security training tends to focus on specific working practices and defined threat scenarios, leaving the understanding of security culture and its specific principles of behaviour untouched. A security culture should be regarded as a fundamental matter to address. If neglected, employees will not develop habitually secure behaviour or take the initiative to make better decisions when problems arise.
In my talk I will focus on how you can improve security culture in your organisation. I’ll discuss how you can:
- Understand the root causes of a poor security culture within the workplace
- Aligning a security programme with wider organisational objectives
- Manage and communicate these changes within an organisation
The goal is not to teach tricks, but to create a new culture which is accepted and understood by everyone. Come join us at the Security Awareness Summit on 11 Nov for an amazing opportunity to learn from and share with each other. Activities include show-n-tell, 306 Lightening Talks, video wars, group case studies and numerous networking activities. Learn more and register now for the Summit.
I wrote about the games you can play to enhance your privacy and cyber security knowledge. We also talked about gamification in the security context. But how do we apply this knowledge to “gamify” security awareness efforts in you organisation?
A recent company I’ve been working with has been experimenting with their security awareness programme; in particular, they’ve designed posters to remind employees of potentially risky behaviours. They placed these posters in the areas where violations could occur: near the confidential bins or printers. They’ve invested in a memorable design and created funny-looking creatures people can relate to. For example, they’ve had something resembling an angry Twitter bird to emphasise the fact that employees should be mindful of what they share on social media. Other examples included monsters on the lookout for confidential data.
I liked the idea and I saw employees discussing the posters shortly after they were released. But what if we wanted to take this a step further? What if people could not only look at the posters but also engage with them?
The recently released and hugely popular Pokemon Go app gives us an example of how this could be done. In the game, players are encouraged to explore the real world around them and catch creatures that appear on the map. The game uses augmented reality to make the experience of catching Pokemon a lot more fun.
The app developers used classic game design elements in this game:
- There’s a ton of items to be collected, like stardust, pokeballs, various potions and eggs.
- You get frequent rewards and feedback on your progress.
- The game is very social in nature and players are encouraged to engage with each other.
- There are leadership boards and there is a chance to get your name displayed in a gym – a place where Pokemon battles take place.
How can some of the ideas from this game be applied to a security awareness programme?
What if we take the monsters from the company’s posters above and make them more engaging? It only takes a small financial investment to attach a QR code to a monster, so an employee could get immediate access to the relevant section in the security policy. Or how about giving employees a quick quiz and, if answered correctly, reward them with bonus points?
These points could be also collected for accomplishing other tasks. Your employee volunteered to participate in a security awareness presentation with her story? 100 points! Attended a lunch and learn session? How about 20 points? Reported a phishing email? Stopped a tailgater? There are many ways people can demonstrate their involvement in a security awareness programme.
As long as participation is voluntary, there are clear objectives and rules, feedback is readily available and rewards are desirable, we’ve got a chance to change security culture for the better!
“So often information security is viewed as a technical discipline – a world of firewalls, anti-virus software, access controls and encryption. An opaque and enigmatic discipline which defies understanding, with a priesthood who often protect their profession with complex concepts, language and most of all secrecy.
Leron takes a practical, pragmatic and no-holds barred approach to demystifying the topic. He reminds us that ultimately security depends on people – and that we all act in what we see as our rational self-interest – sometimes ill-informed, ill-judged, even downright perverse.
No approach to security can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation – and most of all, how we can create a security environment which helps people feel free to actually do their job.”
David Ferbrache OBE, FBCS
Technical Director, Cyber Security
“This is an easy-to-read, accessible and simple introduction to information security. The style is straightforward, and calls on a range of anecdotes to help the reader through what is often a complicated and hard to penetrate subject. Leron approaches the subject from a psychological angle and will be appealing to both those of a non-technical and a technical background.”
Dr David King
Visiting Fellow of Kellogg College
University of Oxford