Information Security: Surprising Strategies for Changing Employee Behavior
Some experts think that the primary purpose of security awareness training should be to change behavior.
Security technology can protect core systems, but it can’t stop employees from posting confidential information on social networks or downloading unapproved apps. And even though information security education teaches skills for dealing with the latest scams, employees may not be motivated to apply those skills.
In a study by Osterman Research, 58% of respondents said they were most worried about malware getting in when workers surf the internet; almost as many worry about personal webmail being opened up in the workplace.
A SANS Institute Reading Room paper (Using Influence Strategies to Improve Security Awareness Programs) goes so far as to say that a failure to motivate the employee to be more security conscious could mean a failure of the whole security program.
How can you raise privacy awareness and motivate employees to better protect confidential information? Here are several surprising strategies:
Show movies: During employee training, show Hollywood movies that include information security or privacy concepts, and have a discussion about them afterwards, said Rebecca Herold, CEO, The Privacy Professor. In a Dell post, she recommended The Final Cut (2004 with Robin Williams), The Billion Dollar Bubble (1978 with James Woods), The Brave Little Toaster (an animated 1987 classic) and others.
Make it personal: Best practices in the office (protecting passwords, using privacy settings on social media sites, etc.) should be taught as best practices for personal life too. “An education program that embraces home and business use of security is the most effective, making these policies second nature,” said Cheryl Martin of Logica UK in a story at theguardian.com.
Laugh: Use humor to heighten information security awareness. Phil Cracknell of TNT Express created a series of short security awareness videos that starred a Darth Vader character in typical workplace scenarios. In one scenario, for example, Vader has forgotten his ID card and does a ‘you know who I am’ routine at reception. The videos were very popular with employees, said Cracknell in The Guardian story.
Have fun: Learning through play works for adults too. To teach about phishing, for example, the SANS paper suggests dividing employees into two teams and asking each team to spot the phish in a series of emails. The group discusses the tip-offs, and candies are thrown out to the winning side.
Other light-hearted reminders: Hold an information security event in the workplace and give out useful reminders such as coffee mugs or t-shirts printed with information security guidelines or USB sticks customized with photos of viruses. Run an information security poster competition, and then display winners in the office.
Environmental factors: Implement workplace processes that standardize secure behavior. For example, have doors that close quickly, security cameras, and a document destruction process. Partner with an information destruction company that has a secure chain of custody and provides locked consoles, regularly scheduled removal of documents, secure on- or off-site shredding, and a Certificate of Destruction after every shred.
Find out how a Shred-all Policy reduces the risk of a security breach – and simplifies document disposal for employees too. Simplify document destruction by working with a reliable partner who will tailor shredding services to fit your needs.