17

Security awareness training is a bane to most employees.

A favorite anecdote I have is a group of employees figuring out how to quickly complete their online security awareness training from discovering all the answers in the raw HTML code.

What are good motivating policies to encourage employees to help play good defense?

Jeff Ferland
Tate Hansen
  • Is reading HTML source code of random sites a frequent occurrence at your company? Sounds like some people have plenty of spare time. ;) +1 for a good question. – makerofthings7 Nov 22 '10 at 20:13
  • Related: [How to write an email regarding IT Security that will be read, and not ignored by the end user?](https://security.stackexchange.com/q/5906/32746) – WhiteWinterWolf Jul 18 '17 at 16:28

6 Answers

16

Social norms. If employees see the managers taking security seriously, it sets a cultural expectation that to get ahead in this company, I need to take security seriously.

  • That's good. But the other thing that's really worked for me is real war stories. Things that have actually happened. The stories are often exciting, eye-opening, and a big organisation can often have internal stories that show the real threat. Those are great for getting people's attention (including the management you'd like to be taking security seriously in your answer...) – JCx Jan 09 '15 at 20:55
10

Paradoxically, the first responsibility of the security training is to show why the security training is important, interesting to you (the employee), and relevant (for your work).
Any training (at least the first-time awareness trainings) must start with this, or at least lead up to it very quickly, otherwise it's pointless.

Though it seems from your WTF example that you were referring to testing on the training, which is very different... Training needs to first and foremost TEACH the information.
If the first job (showing why it's important) was done well, you don't need to test the rest. If it wasn't - well then, there's not really any point, is there? People will always find some way to cheat if they think it's not important.

In addition, having an interesting trainer helps a lot... But not as much as giving the training over a free lunch!
I've done this at some of the biggest banks, to much success - employees are interested in coming for the food (but not just simple sandwiches, mind you); they have reason to hang around and not run out the first chance they get, so they sit and listen; they're enjoying themselves (studies have shown people enjoy themselves when there's food around, go figure); and they have their mental guards down, because of the food.
(Okay, that's more of a strategy than a policy, but still... the policy is making the employees want the training and enjoy it.)

One small addition, again not so much a policy per se, but part of the attitude towards awareness should be offering solutions and practicality of those solutions.
This of course includes proper tools, enough resources to "do" security, etc.
It would be worse than pointless if management got everybody to be aware of security, but then refused them the ability to do anything about it.

AviD
  • When creating policy about security, always answer this question: What's in it for me (the employee)? – Everett Nov 22 '10 at 17:57
7

discovering all the answers in the raw HTML code

Isn't it slightly hard to take security training seriously, when the training is that easy to subvert?

For job-related security, code review or peer review with positive feedback is probably the best way.

When you get down to it, hiring employees that care is the most important policy, followed by letting go the ones that don't care. Nothing makes people not care faster than seeing coworkers getting away with bad security practices despite their manager knowing about it.

Bradley Kreider
6

Ensure that whatever security policy you have isn't so draconian that it prevents people from actually doing their jobs. This is especially true if you're blacklisting/greylisting sites.

For example, one company I worked for had Google on its greylist. This meant that employees only got a limited amount of time to search on Google before their "quota time" ran out. This might have been okay when the company was working with some proprietary language, but writing .Net without being able to use Google is a real pain (and no, MSDN is not an adequate replacement). This, combined with the opaqueness of the process by which sites were added to the whitelist bred a lot of resentment, and subversion of the policy.

quanticle
  • +1 for this. I worked with a very large organisation that had brought in smartcards for building entry and terminal logon. It caused so many issues that staff came up with a huge number of workarounds which broke the security model completely. They would have been more secure with simple usernames and passwords. – Rory Alsop Jan 12 '11 at 15:26
-2

When compliance is clearly defined as part of the employee's performance goals, it is hard for an employee to say "no".

jl01
  • Somehow I'm skeptical that merely adding this to a job manual is going to address the question of how to motivate the employee. – D.W. Jan 30 '11 at 05:50
  • Have you never had an annual performance review where your manager sits down with you, reviews what you did, and sets your goals for the coming year? In my experience, when a person knows that their performance goals for the coming year include their measurable compliance with Terms of Use or other corporate security policies, and that this figures into future raises or bonuses based upon their meeting or exceeding those goals, their buy-in is amazingly swift. I'm not talking about a simple update to a job description or a set of procedures. – jl01 Jan 31 '11 at 15:33
-2

Rigidly enforce the security policy. If you have a clear, well-defined security policy and severely discipline those employees who circumvent/ignore the policy, they'll soon enough fall over themselves to be more aware of it.

It sounds a bit harsh, but a security policy with no teeth is worse than no security policy at all.

People hate security training because they don't think it's relevant. To a lot of people, the risks are very abstract. If you put the risks to people on a level they can understand, and provide them with the education and information on how to best do their jobs in line with the corporate policy, everything will be more effective.

growse
  • If the only incentive you offer is punishment, you'll _never_ get users on-side. Resentful compliance breeds disgruntlement. – Nov 21 '10 at 23:20
  • And eventually circumvention. – Everett Nov 22 '10 at 17:58
  • I never said that the only incentive should be punishment, my point is that there's no point having a policy if you're not going to enforce it properly. That only breeds a false sense of security, because people *will* circumvent a policy they know no-one cares about. – growse Dec 14 '10 at 16:18