Over the past few decades, organizations have spent billions of dollars on information security and risk awareness activities. The logic behind this approach was to take their biggest asset – people – and change their behavior, thus reducing risk by providing them with knowledge of their responsibilities and what they need to do. But instead of simply making people aware of their security responsibilities, and how they should respond, organizations of all sizes need to embed positive security behaviors that will result in “stop and think” becoming a habit.
Continuing to do more of the same, in terms of merely promoting awareness, is not a viable option. But neither is doing nothing. A new approach is required if organizations want their people to become their strongest control. The opportunity to shift away from awareness to tangible behaviors has never been greater. There is an acute focus on good governance and risk management: the C-suite becomes more cyber-savvy everyday, and regulators and stakeholders continually push for stronger governance, particularly in the area of risk management.
Moving to behavior change will provide the chief information security officer (CISO) with the ammunition needed to give positive answers to questions that are likely to be posed by the CEO and other members of the senior management team. These include:
- If the worst happens, can we honestly tell our customers, partners and regulators that we are doing the right thing?
- Does our program prepare us for the future?
- Exactly what are we doing to embed the protection of our information assets into our culture?
But before we discuss how to successfully implement organizational behavioral changes, we need to understand the psychology of information risk. There are three types of psychology that impact the way people learn: behavioral psychology, cognitive psychology and neuropsychology.
Behavioral Psychology:
- Context provides the stimuli for behavior
- Behavior is everything that people do. This includes actions, thoughts, feelings and attitudes
- Consequences of behavior increase or decrease the likelihood of that behavior occurring again
- Understanding context and managing consequences is key to changing behavior
Cognitive Psychology:
- Working memory has limited capacity
- Long-term memory stores information in complex networks, which are strengthened by contextual meaning
- Evaluation processes are required to demonstrate progress and strengthen cognitive networks
- Key principle is the continued practice of activities which comprise the desired skill coupled with timely feedback
Neuropsychology:
- The brain is comprised of complex mental maps, which shape how we see and interact with the world
- Behavioral change requires experiencing “key moments” which change these mental maps
- Continued focus on the new mental maps makes these more stable over time, which leads to new, stable neural structure
Unfortunately, instituting behavior change is not easy – everyone has their own unique characteristics and habits, some of which are hard to change. Therefore, it is helpful to understand why so let’s take a look at a few of the key principles designed to help businesses embed positive information security behaviors within their organizational structure.
Let Risk Drive Solutions
Solutions should be driven by the need to manage information risk. As a consequence, it is critical to define solutions based on an organization’s risk assessments together with the risk profiles of its people. This will help to target resources at the highest risks, while recognizing that a solution to protect high value information assets and critical infrastructure may not be necessary for those people who do not have access to them.
Using risk to drive solutions also helps with:
- Measuring progress against a strong baseline. Information can be collected from a number of sources, such as: observed behaviors; responses to exercises such as simulated phishing tests; and what actually happened on the ground if and when an incident did occur. These can all be expressed in terms of business risk and compared to target behaviors
- Selling the business case to senior management, who will want to see a tangible return on their investment. They will be more confident with a business case presented in terms of business risks, a language they use in their day- to-day work
Solutions should also be designed to support people through their work lifecycle, where a change may result in a heightened risk.
Continue to Look for Alternatives
It is often easy to blame people when things go wrong, but the root cause for a ‘problem’ behavior may well be a complex system, a cumbersome process, or even a problem with the physical environment – for example: if an organization has a problem with tailgating, and a friendly and polite culture prevents people from asking to see others’ passes when they do not recognize them, it may be necessary to install barriers that make tailgating physically impossible in those office locations that pose an unacceptably high level of risk.
A more preventative approach may also be an answer. In fact, a number of leading Information Security Forum (ISF) member companies are designing systems and processes with people in mind, and building security into their systems and processes from the outset.
Embed Positive Behaviors
There is no guarantee that an end user with a good knowledge and understanding of what is expected of them will behave in a secure manner. Moving from awareness (or knowledge) and skills to embedding lasting behavioral change requires the right solutions and a significant step change. Failure to consider how each of these elements will be adopted will jeopardize success.
However, that is not to say that knowledge is not important, only that it is not valuable unless it translates into positive behaviors. Part of that translation will be to provide people with the skills and assets they need to make the knowledge real, for example:
- Policies, training and other materials are easily accessible – as is a helpline
- Locks, privacy screens, secure removable storage, are distributed at no cost
People are much more likely to adopt intended positive security behaviors if they observe their leaders role-modeling them. This can be thought of in terms of intended, expressed and actual behaviors:
- Intended Behavior: The behavior that senior leaders are seeking and expecting through their actions and the systems and controls they put in place
- Expressed Behavior: Visible statements made publicly or internally about the behavior senior leaders wish to see and expect to have in place
- Actual Behavior: The behavior demonstrated by both employees and leaders
Misalignment between intended, expressed and actual behaviors potentially places an organization at risk of unethical business decisions, violation of legal requirements, regulatory scrutiny and significant reputational damage.
Empower People
It’s evident that the ground for behavior change will be much more fertile if people understand why their actions are important and also how they impact them individually. Winning hearts and minds can change behaviors and attitudes. It is therefore important to have ‘adult’ conversations about security and risk – and those conversations are only feasible when they are based on people accepting responsibility for their own actions. That is, when they are empowered.
People should be trusted, motivated and empowered at all levels of the organization as much as is possible. Positive behaviors can then become embedded in the business culture, making information security a critical element of ‘how things are done round here’. For example, this can be evidenced through:
- Policies being cited regularly by leaders
- Security being personally important to employees
- A program based on the reality that information security is a ‘way of working’
Aim for ‘Stop and Think’
Today’s business landscape is complex and subject to rapid change: as a consequence it is not possible to train everyone for every eventuality. Instead, training should be limited to day-to-day, routine matters and frequently encountered circumstances: change should be driven by targeting ‘stop and think’ behaviors.
‘Stop and think’ is a mental check that everyone should always make, particularly when they come across an unfamiliar or complex circumstance and they are dealing with information in any form. Rather than looking for a solution, ‘stop and think’ gives an opportunity for the individual to identify the risks, weigh them in their minds and then consider the appropriate actions – or to consult if the way forward is unclear. ‘Stop and think’ can be viewed as ‘conscious competence’ as people bring to bear their skills, experience and judgment.
‘Stop and think’ also recognizes that people have a job to do – and may be operating under stress – by offering an option to share with colleagues or experts to decide a way forward. ‘Stop and think’ also holds up when knowledge has faded or when too many alternatives leap to mind.
Identify and Integrate Champions into Efforts
It is ultimately the responsibility of the business to embed positive information security behaviors and reduce operational risks to an acceptable level. People from the information security function cannot be expected to ensure that it is worked into the fabric of every group and function across the entire organization.
It is therefore beneficial to build, support and foster champions – business individuals acting as local experts or points of contact – who can form a network across the business to promote and embed positive information security behaviors in the organization’s culture.
Hold People Accountable
It’s fundamental to explain that information risk is a major concern of the organization and that their employer has expectations of their people in this space. The organization must be clear that positive information security behaviors will be identified and recognized, for example through performance management processes.
However, to enforce the importance that senior management attaches to information security, there should also be recognition that people will be held to account for unacceptable behaviors. This is not about punishment, it’s about taking the topic seriously in their day-to-day work – so all communications and training must stress that this is and will remain a key business issue, and that deliberate non-conformance will be addressed constructively at an individual level.
People Must Be an Organization’s Strongest Control
The time is upon us where businesses of all sizes should move away from mere knowledge to the embedding of behaviors that reduce information security risk. Unfortunately, there is no single process or method for introducing information security behavior change, as organizations vary so widely in their demographics, previous experiences and achievements, and goals. To embed positive information security behaviors, an organization needs to build plans, and a strong business case, which clearly articulates the benefits of the program and describe how it will reduce information risks.
I cannot stress this enough: organizations need to shift from promoting awareness of the problem to creating solutions and embedding information security behaviors that affect risk positively. The risks are real because people remain a ‘wild card’. Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In order to be successful, people need to be an organization’s strongest control.
About the Author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
