son’s social position. “Breaches in the U.K. in the last few years have made people anxious,” he says. “They don’t want to be the ones who have done things wrong. So you say to them, ‘You don’t want to be the one to screw up.’” Overall, Smith believes it’s important to treat workers with respect: “They’re not crooked or harmful; they’re just busy and ignorant,” he says.

Incentives are another driver of behavioral change. “We have a society where people get up and go to work and do the same things every day because incentives are in place to make them want to do that,” Davidoff says. “Those incentives aren’t in place for making them want to behave in a secure fashion around IT.” To illustrate her point, she offers this example: The cultural acceptance of the practice of washing one’s hands to prevent infection took hundreds of years to develop because there wasn’t an instant, personal, negative consequence to not washing them. “It’s the same with computers,” she says. “When you click on [an infected] picture of [actress and singer Jennifer Lopez], your computer doesn’t immediately blow up; it maybe gets a bit slow. Someone else’s information gets stolen, and it never comes back to hurt the individual person.”

Taking Awareness Action

But it doesn’t have to take hundreds of years to get employees to prevent the spread of spam or malware. “Security works best when people are unaware of it,” Davidoff says. Davidoff recommends using awareness training. For example, organizations hire her to “phish” their employees. She tells personnel about the exercise ahead of time, but not when it will actually occur. Employees are told in advance that they’ll be rewarded if they don’t fall for her scam. Interestingly, the incentive model works both ways: One of the tactics Davidoff uses to entice people to click on her phony e-mails is to offer them a free iPod if they do.

“The key message is know your audience,” Stewart says. He recommends researching personnel statistics to see which demographics have the potential for creating the most risk—allowing you to, for example, direct more of your security training resources to the 20-year-old males in the organization, as opposed to 50-year-old females. “Many information security professionals fail to recognize that information security awareness is, in fact, a marketing campaign,” Stewart adds. “Marketing campaigns involve audience research, careful targeting of communications, and numerous ways of measuring outcomes. Branding a mouse mat with a generic information security message of the day doesn’t achieve any of these.”

“If you don’t know who exactly is causing the risk, what their perceptions are and how they best communicate, then your awareness activities will be like golfing in the dark.” — Geordie Stewart, IT security consultant, Risk Intelligence

Security professionals also should examine attitudes and beliefs in their organization that support or undermine compliance. “Is there a belief that antivirus [software] completely protects you from the Internet? Is there an attitude that it’s acceptable for employees to store personal content on their work computers?” Stewart asks. Getting information security compliance is that much harder when employees have different ideas of what information security is at the outset.

As for metrics, information security professionals must move away from asking compliance-related questions to gauge the success of a security campaign. “Did you see the poster?” and “Have you read the policy?” are questions whose answers are poor predictors of behavior. “Instead, quantifiable metrics need to be found that are related to the actual behavior that causes risk. For example, if you’re conducting an awareness campaign on password-sharing, then you need to find a way to measure concurrent logons in the systems you are trying to protect,” Stewart says.
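As an added illustration of the behavioral metric Stewart describes (this is example code written for this page, not code from the article, from Stewart or from Risk Intelligence), the following Python script reads a handful of constructed logon/logoff records, computes the peak number of distinct hosts on which each account was signed in at the same moment, flags accounts that exceed a threshold, and reports the share of accounts flagged so the figure can be tracked before and after a password-sharing campaign. The log format, account names, host names and the threshold of two hosts are all assumptions made for the example.

```python
"""Measure concurrent logons per account from authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real data): timestamp, event, account, host.
SAMPLE_LOG = """\
2024-03-01T08:00:00 LOGON  alice  ws-101
2024-03-01T08:05:00 LOGON  bob    ws-102
2024-03-01T08:07:00 LOGON  alice  ws-233
2024-03-01T08:09:00 LOGON  alice  ws-310
2024-03-01T08:30:00 LOGOFF alice  ws-101
2024-03-01T09:00:00 LOGON  carol  ws-104
2024-03-01T09:15:00 LOGOFF bob    ws-102
2024-03-01T09:20:00 LOGON  bob    ws-102
2024-03-01T17:00:00 LOGOFF alice  ws-233
2024-03-01T17:01:00 LOGOFF alice  ws-310
"""

# Assumed line layout; a real audit source would have its own parser.
LINE_RE = re.compile(r"^(\S+)\s+(LOGON|LOGOFF)\s+(\S+)\s+(\S+)$")


def parse_events(text):
    """Parse log lines into (timestamp, kind, account, host), oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable line: {line!r}")
        ts, kind, account, host = match.groups()
        events.append((datetime.fromisoformat(ts), kind, account, host))
    # Sort by time so sessions are replayed in the order they happened.
    events.sort(key=lambda e: e[0])
    return events


def peak_concurrent_sessions(events):
    """Return {account: (peak_host_count, hosts_active_at_peak)}.

    A second logon from the same host does not add a session; only
    distinct hosts count, since that is what password sharing produces.
    A logoff with no matching logon is ignored rather than treated as an error.
    """
    active = defaultdict(dict)  # account -> {host: logon time}
    peak = {}
    for ts, kind, account, host in events:
        if kind == "LOGON":
            active[account][host] = ts
        else:
            active[account].pop(host, None)
        count = len(active[account])
        if count > peak.get(account, (0, ()))[0]:
            peak[account] = (count, tuple(sorted(active[account])))
    return peak


def flag_shared_accounts(peak, threshold=2):
    """Accounts whose peak concurrent host count reached the threshold."""
    return sorted(acct for acct, (count, _) in peak.items() if count >= threshold)


def sharing_rate(peak, threshold=2):
    """Fraction of accounts flagged: the number to compare across campaigns."""
    if not peak:
        return 0.0
    return len(flag_shared_accounts(peak, threshold)) / len(peak)


if __name__ == "__main__":
    peaks = peak_concurrent_sessions(parse_events(SAMPLE_LOG))
    for acct, (count, hosts) in sorted(peaks.items()):
        print(f"{acct}: peak {count} concurrent host(s) {hosts}")
    print("flagged:", flag_shared_accounts(peaks))
    print(f"sharing rate: {sharing_rate(peaks):.2f}")
```

Run against the constructed sample, the script reports alice at a peak of three simultaneous hosts and flags only that account; bob's logoff followed by a fresh logon on the same workstation is correctly not counted as concurrent. The `sharing_rate` figure is the kind of behavior-linked number Stewart asks for: measured on the same systems before and after a campaign, it shows whether password-sharing actually changed, independent of whether anyone read the poster.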
Finally, take a close look at communication: what style works best for your organization? A good security awareness campaign has its resources concentrated on areas of the most benefit, with format and presentation adjusted accordingly. For example, some audiences prefer to ask questions, while some just want the facts. “Organizations must decide which user behavior they most care about and focus their efforts to control that risk,” Stewart says. “If you don’t know who exactly is causing the risk, what their perceptions are and how they best communicate, then your awareness activities will be like golfing in the dark,” Stewart says. “You’re not sure what you’ve accomplished, your caddy is tired and everyone just wants it to be over so they can go home.”

Hackers the world over understand how human nature affects employee behavior; it’s time information security professionals did, too. “We’re coming around to needing a balance between technological countermeasures and change in behavior countermeasures,” says Williamson.

Maggie Starvish is a freelance editor and writer based in Massachusetts.

12 InfoSecurity Professional ISSUE NUMBER 9
Global Security now has a common address

Don’t miss out on the conversation! See what thousands of (ISC)²® members have already discovered, by joining InterSeC today. With a few clicks you can register and start building your personal community, without the noise and clutter of other open social networking sites. That’s right, InterSeC is purpose-built for the information security field, so you can be sure that everyone is governed by a similar code of ethics and has the same passion and interest. Meet other professionals from across the world or down the street, participate in one of over 50 groups or start your own blog. With InterSeC, you are bound to find someone who thinks like you.

www.isc2intersec.com