Infosecurity Professional - Issue 9 - ISC

trating on brain surgery,” he explains.
“Humans are part of the IT infrastructure,
and the big mistake we’ve
been making so far is to consider them
separate,” Davidoff says. She places more
of the blame on business executives,
however. “The problem with managing
employees is managing the motivation of
the company itself,” she says. And at this
point, many companies are motivated to
create policy—not enforce it. “They’re
still in the position that if numbers get
stolen and nobody finds out about it
outside of the organization, they don’t
care—because they don’t have an incentive
to,” she adds.
How To Get It Right
Although it’s impossible to write a
string of code that will stop someone
in marketing from spilling company
secrets, there are ways to address the
human side of security. Stewart recommends
using psychology—specifically,
Use yoUr CIssP to save tIme
and money.
Qualify and redeem one seminar waiver for a savings of approximately $5,000.
This program can be completed in as little as 15 months.
Developed and taught by leaders in the field and backed by 189 years of
academic heritage, this program enhances your technical and business
management expertise as you gain consultancy experience through an
organization-wide integrated information security project. Customize your
degree with a specialization in either Business Continuity Management or
Managing Cyber Crime and Digital Incidents.
Norwich University was among the first 23 institutions to receive
the National Security Agency’s designation as a Center of Academic Excellence
in Information Assurance Education.
To learn more please visit
www.msia.norwich.edu/isc
operant conditioning—to promote real
behavioral change.
In layman’s terms, operant conditioning
is like the carrot-and-stick model
of reward and punishment for behavior:
You push for information security
compliance by either punishing bad
behavior or rewarding good. Operant
conditioning shows that the effects of
punishments and rewards are not symmetrical.
Punishments must be consistently
applied to be effective, whereas
rewards can still be effective even if they
are rare or intermittent.
Stewart posits that you’re better off
focusing on rewards. “Fear and the
threat of sanctions are incentives not
to report incidents,” he says. Another
problem with the stick approach is that
the punishment must be consistent to be
effective—something that can be tough
for many organizations. “Noncompliance
may be difficult to detect, or punishment
may not be viable for some user
groups, such as customers,” Stewart says.
“The use of praise or reward offers an
organization a way of avoiding expensive
auditing systems to consistently detect
noncompliant behavior,” he says.
Williamson agrees the carrot is the
better option. “Rather than saying, ‘If
you do this bad thing, here’s what will
happen,’ we have found just the opposite
to be effective,” he says. Take passwords
as an example: Instead of punishing
employees for using “12345” as a password,
he recommends providing examples
of what good passwords are—and
rewarding employees who then follow
those examples.
It’s helpful to appeal to employees
on a human level. Such security training
“should describe how it will benefit
the employee personally as opposed to
the company,” Williamson says. “The
same security countermeasures or the
same best business practices that you’re
asking your employees to practice at
work—they should really practice those
in their homes as well.” Rather than tell
users to be wary of unfamiliar e-mail
because it could negatively affect the
company’s bottom line, explain to them
that such behavior will ultimately affect
their own.
Smith uses similar tactics, but takes
things a step further, appealing to a per-
ISSUE NUMBER 9 InfoSecurity Professional 11
IA 4.625X7_ May 28 09.indd 1
5/28/09 9:59:01 AM