How to make people report incidents?

Question

I would like to know how you make employees report incidents. Incident reports are a key element of an ISMS. No reports = No discovery of the incident = High chance things go out of control.

We have a kind of game: people can give red cards to each other for small incidents. The cards tell them to report the incident, but people don't want to. I can imagine we have to use a reward system (focus on positive) to make people report and do their best to limit incidents, but how?

The reporting system currently works like this: Person B.A. sees Person A.B is not locking his computer. He then (should) give(s) a red card to the person, takes a picture and send it to the incident@company email with the name of the person in the mail. The mail goes to InfoSec team (not only IT guys btw) who then put it in the system.

Now, no-one sends those emails. I am checking to get enough reports for the audit, but that means people will not report because I will. I did stop checking for a month, then the number dropped to 1/4 of the previous month. I started checking again and it immediately rose...

What to do?

-Edit-important note:

I am a student, doing this as internship. I am an engineering management student, new to this area when I started 3months ago, no IT knowledge. The company is an IT company in Bulgaria. Now 200 employees, last year 100. Now everything is changing very fast of course. That is not the way it should be but the way it is. Please take those things into consideration when you reply. Feedback is welcome, but please tell me How

Answer 1

Of course no one wants to report, they are "turning in" their peers. Also, the time and complexity it takes to go through the reporting process you described is another negative reinforcement. You are only going to get low compliance if everything is a negative.

And ... YOU CANNOT FORCE PEOPLE TO DO ANYTHING!!

You are approaching the problem backwards. You need to:

1. use technical controls so that people do not have to think (set an auto-lockout time on idle workstations)
2. reward people for doing the right thing (and no, reporting their peers is not the right thing)

Instead of punishing non-locked stations, reward people who locked their stations! Praise them publicly, offer them a chocolate. Whatever works for that office/local culture.

Your focus, at the moment, is to collect metrics for your incident reports. I suggest that this is also backwards. Locking a station is a behaviour. Not locking a station is not an incident (it's an event, at best). You are never going to get accurate metrics, so I'm not sure why this would be a focus.

I know that it is a huge mental shift, but there is a big difference between an intentional act of omission or commision (to not do or to do something) to violate policy (an incident) and inattention and inertia that results in non-compliance. You cannot confuse the two. Non-compliance is a behaviour issue, which needs to be handled (and tracked) differently.

---

To answer your question directly, in order to get people to do things, you need to address 3 factors:

1. motivation
2. ability
3. trigger

They have to want to do it, it needs to be easy to do, and the trigger for when they are supposed to do it needs to be clear (the Fogg Model).

Scratching an itchy nose has high motivation, it's easy to do, and the itch is its own trigger. So, everyone does it reliably.

Reporting your peer for not locking a workstation has low motivation (even if you rewarded them for reporting), the process is complex, and the trigger is also not that clear. When does one deem that there is non-compliance? Does one have to be watching all the time? What if the other user stepped away and was within view of their workstation? What if the user is "looking out" for the workstation to ensure there is no unauthorised access?

You simply are on the wrong side of the Fogg Model. Address these 3 factors, and you can experience high compliance.

Answer 2

Encouraging your employees to snitch on each other by sending documentation of minor misbehavior to a centralized email address is a terrible idea for work climate. Nobody does it because nobody wants their colleagues to hate them and nobody wants to build a work environment governed by a denunciation culture. The resistance to your process is not just understandable, it is completely justified.

For this specific case of enforcing locking of workstations I would recommend an automated process. Configure all clients to go to a screensaver when unattended for a while and require the user to reauthenticate when dismissing the screensaver. That's a configuration supported by every operating system I could think of. Locking, unlocking and going to screensaver are all events you should be able to log. If some people's workstations frequently go to screensaver while they are logged in and they don't unlock very soon afterwards, then they likely left their desk without locking their workstation. You could register that as a very (very! (VERY!!)) minor security incident. You should also only act on these incidents when they happen very frequently for specific users. Keep in mind that there are other reasons for this to happen, for example when the user was involved in a longer discussion with someone while still sitting in front of their workstation.

For more serious security incidents (compromising passwords, losing security tokens, setting up insecure systems), you should encourage self-denunciation. "Confess your sins, and you shall receive absolution". Promise that anyone who caused such an incident and reports it in a properly and timely manner will get pardoned for its consequences, while those who try to hide their security blunders will not.

Answer 3

I find it interesting to speak to the one who ever thought this was a good way to achieve results.

The stimulus is extremely negative. You ask people to snitch on their co-workers. They must do this in full view of other co-workers (taking photographs). You clearly distrust the offender to 'own up' and the snitch to report honestly, as you require hard evidence: a photograph. Where in this scenario does an individual ever get anything positive out of it?

Reverse it. Train all staff in security risks. Online courses are easy. Focus on good behaviour. Count locked workstations at lunch. And most important: Reward teams. Team with the highes number of locked workstations gets a reward. Keep a public score. Reward the team weekly. Leave individuals out of it. You want the team to correct their team-members.

Last: Bonus round. Go around and ask the teams to count how many times they've told a co-worker to lock their PC. Reward that team; and reward the team that says they lock without being told.

Public rewards, open scores, no individuals.

Answer 4

It starts with leadership.

In my current contract, for an organization of near 30,000 employees and contractors, I am nearly the only person who wears their photo-id badge. Everyone else carries it, with lanyard attached, in their pocket or purse, and sidles up to doors awkwardly to gain access.

In my previous placement, everyone wore their photo-id card around their neck, at all times; compliance was in excess of 99%. And at the semi-annual presentations by management to employees, seven events total over 3.5 years, every single presenter, from the President and CEO down, wore their photo-id prominently around their necks while on stage.

As long as management, and other privileged individuals, are in non-compliance your employees will be also.

Answer 5

@schroeder's answer is good, but it misses one of the huge problems with security. Instead of motivating people to do the right thing, change the thing so that the desired behavior is the default behavior, or at least the easiest possible action.

For the problem of getting people to lock their workstations when they leave, you could find an app that locks the machine when their phone's Bluetooth goes out of range. BtProx is an open source app that's been on SourceForge for over a decade (I remember playing with something like this in the early 2000s.)

Similarly, 15 years ago I bought a little radio-dongle pair where I kept the transmitter on my keychain and plugged the receiver into the USB of my machine. When I got more than about 10 feet from the machine, the software agent locked it. (It was a great concept, but the software agent it came with was horrible, and it never caught on.)

If your office building's layout supports it, another way could be to have them log in by inserting a smart card into their workstation instead of requiring a password (smart cards are really convenient for that), and use the same smart card media (with embedded RFID) for door access. If they need their smart card to get back into the office area after using the rest room, people will train themselves quickly to keep their cards with them.

Or perhaps there is a face recognition system that would lock the machine instantly when you're not facing it, and unlock it instantly when you turn back. Apple's already offering this on phones; I'd be surprised if it didn't exist for workstations.

And there are no doubt other solutions that would make locking the workstation automatic.

If you have to train/punish/reward people to do security better, it means that your security system isn't optimal. Take that as a sign that you should look for a way to improve the usability of the system.

Answer 6

I agree with all the other answers: you will never get compliance with your current system. There's zero incentive for people to participate in reporting their peers, and being reported isn't the best motivation to keep your screen locked anyway. You need to ditch this plan.

Some comments suggested you start sending out emails from unlocked computers offering to buy the whole office breakfast. Some others said this is a bad idea, because it will make people really upset. I agree that it's likely to backfire if you do it to an unsuspecting victim, but I think there's a way you can make it work.

Get a big wig (like your CEO or someone like that) to play along with pretending they left their computer unlocked, and somebody else sent out a "I'll buy everyone breakfast on Friday," email. Have them send it out themselves, then follow it up a bit later with something like, "Whoops! I forgot to lock my computer when I got up, and [chief of security or whoever] sent out that email to teach me a lesson. I guess I will have to bring donuts on Friday for everyone. It's lucky that's the worst that happened, when [some other real and serious threat, like "hackers would love to steaI our credit card database"]. I know I've learned my lesson, and I hope you all have, too."

This serves multiple purposes:

• It shows executives are being held accountable, and that they're serious about the policy

• It demonstrates that there are real risks associated with leaving your computer unlocked, instead of some vague boogeyman

• It gives people a reason to talk about the policy in a positive manner (they will probably think it's hilarious)

As a bonus, now you can periodically walk around the office and look for unlocked and unattended computers, and slap a sticky note on them that says "You must really want to buy the whole office donuts! =) " It's a consequence that's not too embarrassing, but it reminds people of the dangers. For repeated offenders, you can escalate by changing their wallpaper to be a box of donuts and things like that. Hopefully people will band together and lock computers they see unattended and/or give gentle reminders to each other.

Why do I think this will work? Shortly after I started my job, I was told a story of a co-worker who liked to send emails from unlocked computers offering to buy everyone lunch. I'm not convinced it's even true, but it got me into the habit of locking my laptop. I can also repeat the anecdote when I see other new hires being sloppy about locking their computers, and it doesn't come off as a lecture. I would never report my co-workers, but I have zero qualms about "protecting" them from a "threat" we both face.

In addition to that, I recommend you also configure all new computers to automatically lock after being idle for five minutes or so. Maybe also go around after the "free donuts" email and offer to set it up for people, so they "don't fall victim to any prankster-prone co-workers". It sounds like your employees are a bit protective of their computers, so make it voluntary, and let them know they can increase the time before it locks if they find it annoying; the configuration change is purely for their convenience.

You will never get 100% compliance, but these steps should set you on the path for improving your culture and making it more likely people will care about security. That's really all you can do without upsetting everyone.

Answer 7

Follow the principal of "sunlight is the best disinfectant" as opposed to the principal of "punish offenders into submission". Make it a game, not a snitch.

First of all, let there be no repercussions for transgressions, so that "reporting" is not "snitching". Then prepare a reward for the person with the most reports. Perhaps the INFOSEC team will treat the employee with the highest number of reports to a pizza once per week.

Answer 8

A security incident is a breach or an attempted breach. Someone failing to lock a workstation is neither, though it may in some cases allow a breach to happen.

Try a different approach to promoting security behaviors such as locking workstations: Start a game where employees send prank emails ("Hey, I'm washing cars for free today!") to their team from their teammates' unlocked workstations. Very quickly you'll gain compliance with the security policy, nobody has to spend time filing useless "incident" reports, nobody has to spend time counting and monitoring said reports.