Friday, April 15, 2022

People Centric Security – reframing your perception

Making people a strong asset in the management of risk

During my time working in information security, it's not been unusual to hear comments like "people are the weakest link in security". I suspect this is caused, in part, by the knowledge and experience of those working in the industry often coming from a background in technology. This can lead to an unconscious bias towards technology and process over people. It's true that people make mistakes, but in the same sense technology controls can be poorly designed / configured and badly operated.

People represent one of the core pillars in running an effective security programme along with process and technology. Rather than viewing them as the weakest link, change your perception to consider how they can become your strongest asset.

In this article I introduce topics on security behaviour and psychological safety. I then provide some suggestions of what you can do to improve attitudes, perceptions and engagement with the security team.

It can be hard to know where to even get started improving people-related security. Companies typically start by providing compliance-focused awareness initiatives to meet the needs of regulation or standards. If you want to make a genuine impact on improving people security, you need to focus on behaviour / culture change and the delivery of secure behaviours.

You don’t need to be an expert in behavioural psychology to get started!

Secure Behaviour

A good security behaviour is a combination of walking the walk and talking the talk. Saying and doing. To change people's behaviour, you need to consider the factors that are influential in its delivery. The following three factors are from the COM-B model. Consider what you can do to improve each of these factors in your organisation.

Capability (need to know)

Do staff have the knowledge, skills and abilities required to engage in a particular behaviour?

They can't just be expected to know what you want of them. Invest in your staff so that they can develop their capabilities (i.e. report incidents, identify phishing emails) to act securely.

Motivation (need to feel)

Do staff have a reason to act in a certain way? Do they perceive a benefit in performing a behaviour that outweighs the competing pull not to do it? What is their attitude towards a particular topic?

If staff have a poor attitude to security, this increases the likelihood that they won't perform secure behaviours. Consider a situation where an individual perceives a security control as adding little to no value. In this scenario the individual has low motivation and is unlikely to follow the required security behaviour. This may lead them into circumventing it and perhaps even encouraging others to do so.

Opportunity (need to have)

Do external factors make the execution of a particular behaviour possible?

Communication

How are you communicating the behaviour? What scope of your target audience are you reaching and are they engaging with your communications?

Usability

How easy is it to do the right thing? Do what you can to reduce friction and make it easy for staff to perform in the right way. Removal of friction increases the likelihood of staff behaving securely.

Leadership

Do senior leaders impact, support and lead by example? It's difficult to deliver a culture of security without having senior-level support. If senior leaders undermine security initiatives or don't follow security behaviours, this will contribute to a poor culture of security.

Psychological safety

Most staff go to work to be effective in their role. Security by its very nature can add friction into business processes making it more difficult for staff to achieve their (non-security) objectives. Information Security doesn’t exist in a silo and is there to enable the organisation to operate effectively whilst balancing that against the management of security risk.

For your security programme to be effective you want to develop a psychologically safe environment where people are comfortable in expressing and being themselves. Most people want to look smart, capable and helpful. In contrast they don’t want to look ignorant, incompetent or disruptive. This fear over perception can lead to people taking the safe option of staying quiet rather than raising their thoughts and opinions.

Making it safe

There are different approaches that you can take that will either encourage engagement or lead to avoidance of the security team.

General engagements

It is the role of the team to engage with a wide range of stakeholders across the organisation. The way you manage these engagements will impact staff attitudes and perception of security which in turn influences staff motivation (positively or negatively) to behave securely.

It is important to note that senior staff can often feel safer engaging with others. In contrast, those in lower-status roles can feel less safe, especially when dealing with more senior staff. Make sure you treat all staff with the same level of trust and respect regardless of their status in the organisation.

The following are some suggestions on what you can do. These may seem obvious but in my experience they are often lacking.

| Suggestion | Comment |
| --- | --- |
| Develop a culture of listening and actively seek feedback. | Understand people's attitude / perception of security. This will help you to understand what does / doesn’t work and adapt. |
| Respond in an appreciative, respectful and productive manner. | |
| Invite participation and a sharing of knowledge. | Be open to people raising concerns, questions, mistakes and ideas. |
| Provide constructive feedback. | Ensure you avoid being critical of the individual. |
| Be willing to accept when you are wrong. | This provides you with a valuable opportunity to learn / develop. |
| Be open to discussion / debate. | |
| Treat staff with trust and respect. | Avoid embarrassing or belittling staff. |
| Act on constructive feedback. | Consider feedback and act on the information provided to you. Failure to take or be seen to take any action can lead to people feeling a sense of futility in reporting. |

Incidents / breaches

The information security team need staff to be willing to report incidents and breaches. It's only possible to contain / minimise the impact of those that you are aware of.

In an incident / breach scenario there will be an increased level of fear from the individual reporting. This is due to the fact that what they are reporting often relates to personal mistakes. In this situation people can perceive it to be safer to cover up the situation rather than admit to any level of incompetence.

In a situation of heightened stress it can be easy to jump to conclusions and attribute blame to others. We each frame situations based on our own knowledge and experience. Take the time to reframe and understand situations from the perspective of the reporter rather than being quick to base it on your own assumptions.

From experience the key change you need to make relates to blameless reporting. Shift away from the belief that incompetence was to blame for an incident or breach. This will help to address staff fear of reporting.

Summary

Focus on making people a strong asset in the management of security risk rather than perceiving them as a weakness. Target your security programme at delivering secure behaviour and endeavour to make people feel psychologically safe when engaging with the security team.

A combination of these approaches will help to transform people security and develop a security-oriented culture within your organisation.

For further information on delivering behaviour focussed security take a look at a previously posted article.