Security professionals are driven to introduce better processes to improve security, but enterprise users are sometimes apathetic or even hostile about changes to their daily work routines.
Users can be forced to sullenly accept such changes, but brute-force deployments devour the limited goodwill security pros need.
We, as security pros, tend to forget that our work colleagues are not security geeks and will likely undervalue the benefits that better security processes bring to the entire organization. Much in the same way we're too bogged down with firewalls and monitoring network traffic to always care about the finance team implementing a better method of expense reporting, typical enterprise users are generally focused on their own jobs and don't want to deal with new password requirements or a finicky VPN connection.
I'm personally aware of a situation involving a CSO who pushed through new security processes, including longer passwords, only to have users rebel. The changes were eventually rolled back because the users refused to buy in to the new security processes. Having endured some rocky security process transitions myself, I've sought to make such changes more palatable for users by utilizing the best social engineering techniques from psychologists, neuroscientists, behavioral economists, marketers and business leaders.
This tip provides five best practices culled from those experiences that can be applied at nearly any organization to improve user acceptance of new information security processes and strengthen the organization's overall information security culture.
1. Focus on users' needs
The importance of certain security concepts, such as protecting confidential enterprise data, can seem vague to many users, so security pros need to specify how every user can benefit from strengthened security processes. Below are some examples of where common ground can be established between security teams and users.
- Each of us has access to systems with confidential information that could be misused to hurt our colleagues, customers and partners.
- Competitors would love to see us stumble and have a well-publicized security breach that threatens customer confidence.
- Criminals would love to gain access to our employee and customer data for fraud.
Customize each example with specific organizational details to sell users on the idea that security processes affect each user and, as a result, the fortunes of the entire organization. Research the tools, systems and processes various departments uses before beginning a dialogue with them so the examples are as current and relevant as possible, increasing the likelihood that the message resonates with users.
2. Make the message memorable
As security professionals, the technical nature of our duties often interferes with attempts to effectively communicate with our colleagues. Security pros should be responsible for translating the technical facts that users need to know into memorable concepts.
For example, most users don't perceive the positive security effects of a strong password, so a fun way to educate them about password security is to develop a contest where participants have a chance to win a cool prize. A multiple-choice quiz every few days on a password strength factoid will generate some buzz about security best practices around the office. Ask questions concerning the most common password choices, the number of combinations for X amount of characters, and similar topics to encourage users to think about their own password and security choices.
3. Recruit opinion leaders to show them
Instead of security bureaucrats announcing mandates that users will tend to forget , recruiting opinion leaders to deliver and reinforce messages about security is a more effective method of changing an organization’s security culture.
From the Editors: More on social engineering
Rohyt Belani, CEO of PhishMe Inc., discusses how anti-social engineering training can improve the security awareness of end users.
Run informal social engineering tests to improve enterprise awareness of social engineering threats.
Opinion leaders demonstrate the new security protocols to others, leading by example. They are often narrowly recruited from the formal management hierarchy, but hierarchical leaders, though important to signal sponsorship of an initiative, are just one type of opinion leader. Utilize a broad range of opinion leaders to represent various organizational constituents by department, grade, role, geography, age and gender. Not only do opinion leaders represent their respective groups, but they also tend to inspire more respect from those groups.
As an example of the function of opinion leaders, a series of messages could be developed around a rhyme such as "It's weak to use 1234; be strong -- use characters galore." The communication also provides a brief description about how and why the opinion leader selected a strong password. Several different scenarios can be developed for a wide range of security lessons and techniques, with the delivery of the messages spaced out to every few days.
4. Guide them on information security processes
Organizations can try to implement better security practices via the use of environmental cues, such as increasing the length of passwords and forcing users to select new passwords, but this is the equivalent of hitting a dog over the head with a newspaper. Users can be forced to sullenly accept such changes, but brute-force deployments devour the limited goodwill security pros need from users to support broader infosec goals.
Instead, a better approach to an initiative such as strengthening passwords is inviting users to select a longer password. To introduce the new measure, release a statement along the lines of the following:
Given the recent media coverage of the XYZ case, many of our colleagues have requested that we increase password length to match what organizations A, B, and C already have in place. We have enhanced our system to allow you to select stronger passwords in order to protect your HR data and company assets.
When users log on, provide feedback regarding the strength of new passwords and offer a link to change any passwords that are weak. The feedback can be down-to-earth, such as Let us help you select a password that is strong and easy to remember! orYour grandmother's PC could crack that password in X minutes. Also offer tips and examples to help users improve their password choices. More importantly, reinforce good security behavior with congratulations and appreciation.
5. Ensure compliance
Finally, develop a metric to measure users' acceptance of the new measure by tracking how many passwords are strong. Establish a baseline to provide guidance on how to roll out the new process. The pockets of high acceptance can be held up as role models, while the areas of lower acceptance can receive more messaging and support oriented to their needs.
People tend to follow the herd, so once a majority of users have a strong password, the change process can shift gears to emphasize that the majority have already selected a strong password. Avoid using the metric to criticize. Highlighting poor performance has the unintended consequence of reinforcing poor behavior.
With continued messaging from opinion leaders and strong environmental cues, the vast majority will comply voluntarily. At that point, any laggards will be seen as out-of-step with the organization's new security culture. The system can then be locked down and configured to enforce the use of strong passwords. Be considerate and provide messaging on this final change, and reinforce previous offers for support.
Serving up new security processes successfully
These techniques are simple, inexpensive and can be implemented at a wide variety of organizations. Security pros should take the time to plan for both the technical and human aspects when rolling out new security processes. Utilizing these techniques, changes to security processes will not only be palatable, but many users will also find them worthy of their support.
About the author:
Claudia Girrbach, CISSP, has more than 20 years of experience working with companies in retail, finance and healthcare. She also teaches part-time at Stanford University, where she was a Sloan Fellow at the Graduate School of Business and earned an MSBA Her undergraduate work was at U.C. Berkeley with a bachelor of science in electrical engineering and computer sciences.
This was first published in September 2012