Building security culture (A secure week in review)

Kai Roer
Security culture and other ramblings
4 min read · Mar 15, 2013


With statements like «I am amongst the smartest 1% on this earth» and «I am lazy. And it’s not even my fault!» I raised eyebrows this week. I was invited as a speaker to three different information security conferences, with similar yet different presentations.

[Slide image: compliancesucks]

I started the week with The Cloud Security Rules presentation, describing what is important when evaluating which cloud service to buy. The audience came from the public sector, mainly municipalities in Norway, and I adjusted the message to accommodate their special needs.

[Slide image: cloudismore]

Tuesday arrives, with Tekna's conference «Risiko og sårbarhet i IKT-systemer» (Risk and vulnerability in ICT systems). I had 30 minutes to excite and awaken the crowd. The topic was «Security culture in the cloud», and I used a mix of humor and imagination to explain my point: We, the security people, need to realize that we may not be the right people to create awareness — at the very least, we should look for inspiration and competence outside our own group. I pointed to ASTD's seven factors that drive business results, of which technology is only one. Three of the other areas are: People, Culture and Training & Development.

My point? It is time for us to humble ourselves a tiny bit, and use HR, Marketing, T&D and so forth to design a complete awareness program.

Look to other areas of success — like the gaming industry. Ask yourself (yes, you, the infosec pro): what are they doing that engages so many people? When you understand that, the second question becomes: How can we replicate those mechanisms?

I believe the answer is gamification.

My last slide showed an image of some people who clearly came from QHSE — accompanied by my claim: «We should learn about successful implementation of behavior change from those who have done it for decades — the QHSE folks».

[Slide image: 1prosent]

Wednesday, I moved on to «Sikkerhetskulturkonferansen», a security culture and awareness conference organized by NorSIS and NSM, the Norwegian NSA. I was quite nervous, as I pictured the audience to be up-tight, stiff, military types, and I knew my presentation was not exactly «up their alley». The conference is opened by Roar Sundseth, the General (boss-man) of the Norwegian Cyber Defense, and we end up having lunch together, a treat I enjoyed very much.

When it’s my turn to take the stage, my hands are moist, and I have decided that I’ll do my usual best, and handle the consequences later. I have a message to share, take it or leave it!

The message is simple enough — we, the info-sec people, need to open our eyes and realize:

1. Humans are different, and are motivated by different things. If you want your message to be understood and adopted, you have the responsibility to alter the message in such a way that your audience can relate to it.

2. Our brain is flawed; we are all lazy. Research by Daniel Kahneman and others supports this, pointing to several areas where our «fast» brain makes errors, which may also explain why our users continue to click on those pop-ups and e-mail links. My message is: Learn about human behavior, and use that knowledge to adapt your awareness programs.

3. One major flaw we have is how we tend to see a problem (or solution) from only one perspective. No matter how smart (or not) we are, we seem unable to think someone else can be smarter, more ingenious. Think of the BMW key fob — a great idea by German engineers to make it easier for me to unlock and start my car. Yet it turns out to be so easy to circumvent.

In addition to the presentations, I have had a number of very interesting meetings, which means I will be very busy for a long time ahead. I will participate in projects of both local and national scale, where I will be sharing my thoughts, ideas and research.

— -

I was also approached by one of the international infosec magazines — Help Net Security this week. Mirko, the editor, asked if I would like to write a monthly column for them. A request that I cannot refuse. So starting in April, I will write a monthly column on security over there!

— -

What I have learned throughout the week is that people start to relate to the message. It starts to gain a foothold among security people and academics, at least here in Norway. If we want a successful awareness (or security culture) program, we must adapt our message to the target user. Which in turn means we must understand them — the user!
