Measure: How to identify the causes of bad security behaviours

Joe Giddens
Published in People. Security.
May 17, 2020

The most common mistake in security awareness:

Encouraging people to behave securely, before understanding why they don’t already behave securely.

Measuring why bad behaviours do happen (or why good behaviours don’t happen) allows you to craft security controls that work with people. It also allows you to remove workplace barriers (like restrictive policies) that cause bad behaviour to happen.

This principle can, and should, be applied to all aspects of our work.

The challenge is finding effective ways to measure why behaviours don’t happen.

I’ve started pulling together some ideas here. (Don’t get too hung up on the messaging. These are just examples to demonstrate each point. You’ll know what style of messaging is appropriate for your organisation.)

I’d like this to be a living document. If you’ve had success with other techniques, please reach out and let me know.

Joe

1 Clear desks: Sensitive information can often be found at people’s desks, either in unattended documents or on unlocked workstations.

When conducting clear desk audits, leave calling cards on desks where information has been left unattended.

You’ve received this card because unattended sensitive information was found at your desk, either in documents or on an unlocked workstation.

Don’t worry, you’re not in trouble. We understand circumstances sometimes mean it's unavoidable. We'd like to know why this happened, so we can help you to make sure it doesn’t happen again. Please consider the following questions:

- Why did you leave unattended documents at your desk?
- Why did you leave your workstation unlocked?

We’ll be back later to collect your answers. Thank you for your help.

Your Security Team

2 ID cards: Some workplaces use ID cards or security passes. In these environments, people without visible identification should be politely challenged.

Conduct an audit. Walk around the workplace displaying no visible ID. Survey the people who don’t stop to challenge you.

“I’m from the security team. I’m doing an audit into the use of ID cards. May I know why you didn’t challenge me about why I wasn’t wearing mine?”

3 Reporting security incidents: Security incidents and near misses should be reported.

Allowing people to report incidents anonymously can increase reporting rates. It also presents an opportunity to find out why they might not have reported otherwise.

Thank you for taking the time to report this incident.

You've chosen to remain anonymous. That's cool.

We'd like to know if you'd still have reported this incident if the anonymous reporting option hadn't been available.

We want to create an environment where everyone feels able to report incidents openly. We'll be working with the leadership team to do this, and your information will help us have an open conversation with them.

Thank you.

Your Security Team

4 Securely disposing of printed documents: Printed documents containing sensitive information should be disposed of securely (shredded or placed in confidential waste bins).

Workplace printers can be configured to add watermarks or job annotations to all printed documents. Adding a username or employee ID to each page allows the person who printed the document to be identified.

Printed by joe (256615) at 17/05/2020 13:51 PM

If documents containing sensitive information are recovered during ‘waste audits’, the owners can be surveyed.

A waste audit has been conducted by your security team. A sensitive document printed by you was found in a regular waste bin.

Don’t worry, you’re not in trouble. Circumstances mean it's sometimes unavoidable.

We'd like to know why you didn't use [secure disposal method], so we can help you to make sure it doesn’t happen again.

Thank you.

Your Security Team

At CybSafe, we obsess about this stuff. We are determined to make a difference. You can read more about our work here.

If you would like to submit an article for publication, please get in touch. The best way to reach me is LinkedIn.
