From colourful rulers with security slogans printed on them to candy bars left on employee keyboards in return for a successful security audit, companies are pulling out all the stops to do the one thing that really matters when it comes to information security: change behaviour.
It’s not easy. New security policies often conflict with the way employees have done their jobs for years. For example, offices and departments that once operated with full and open information sharing are now being told that they must learn to control information, confront strangers who aren’t wearing identification badges and refuse access to sensitive areas to anybody who can’t produce identification – even the boss.
Industry experts and corporate trainers are relying more and more on slogans, posters, games, trinkets and rewards to raise awareness about the importance of information security and the ever-changing threats that companies face in cyberspace. And while these small reminders might not be the entire answer to changing employee behavior or to garnering senior management support, experts agree that they are important elements in an overall security program.
Playing games
Charles R. Hudson Jr., security officer and information security project manager at Wilmington Trust Corp., a 2,700-employee asset management company in Wilmington, Del., said themes and slogans have worked very well in his security awareness program. This year’s theme, says Hudson, is based around popular TV game shows. For example, trainees play a version of Jeopardy that relies on security-related material for the clues.
Wilmington Trust’s program also includes rewards for employees who demonstrate security awareness in their everyday jobs, such as consistently logging off of their computers before leaving work. That means free sodas and lunches, candy bars, small cash prizes and other trinkets.
“It’s not about money,” said Hudson, who spoke at this year’s Computer Security Institute (CSI) conference in Chicago. “Most of this stuff is 50 cents or less.”
In addition to mandatory security briefings for new employees, Hudson said his program relies heavily on a company newsletter and a security intranet site to get the word out. Therefore, company security policies and examples of security horror stories at other firms “are just a few mouse clicks away,” he said.
Dan Erwin, a security officer at The Dow Chemical Co., also uses horror stories from other companies to raise awareness and to spark senior managers’ interest in security.
“The best way to get management excited about a disaster plan is to burn down the building across the street,” said Erwin, who recently won CSI’s lifetime achievement award for security. However, “the best horror stories are your own,” he added.
For example, Midland, Mich.-based Dow recently conducted a three-month e-mail review and found a significant amount of pornography on employee computers. Besides being an inappropriate use of company computers, visiting such Web sites is a security concern – hackers lurk in those places. The subsequent firing of 40 employees served as a “wonderful awareness program,” said Erwin.
But the planning and the delivery methods of an awareness program are just as important as the horror stories and the slogans, said Kathryn Ogborn, a security awareness specialist at Federal Reserve Automation Services in Richmond, Va.
Ogborn used a theme (“Information security counts on you”) and trinkets such as rubber flexballs with security reminders printed on them in her training sessions. But she said working with a fixed deadline for devising the program and getting approval from senior managers were critical factors.
“Begin with a fixed date, and from that point, work backwards,” advises Ogborn.
However, there’s a lot of competition for “airtime” in most companies, where the security gurus must compete with human resources and other departments for employees’ attention, said Ogborn.
At the University of Wisconsin in Madison, it’s an “ongoing fight” to raise awareness among the school’s 40,000 students and 20,000 faculty and staff members, said Jeffrey Savoy, a security manager on the university’s new two-person incident-response team.
The university, too, relies on poster campaigns – this year’s theme was “Rules of the Road.” But officials also plan to create on-line quizzes that users must take in order to log on to all university e-mail accounts. “I expect that within a year, it will be mandatory,” said Savoy.
Health insurer and financial services company Aetna Inc. in Hartford, Conn., uses annual mandatory on-line scenario-based tests to maintain security awareness among all of its employees. The company says the tests work.
“We recognize that they must be informed on a regular basis through a number of mediums,” an Aetna spokesman said, adding that employees receive a certificate when they finish the course. “This has been very successful for us, and we’ve reached a very high percentage of our audience,” he said.
Alan Paller, director of the SANS Institute, a Bethesda, Md.-based research and education organization of more than 100,000 system administrators and security experts, said the Aetna example has been so successful that SANS is working on a replica of the mandatory on-line exams. However, technique is important, too.
“We found two major impediments to success: the wrong teachers and the wrong lessons,” said Paller.
Security practitioners who specialize in IT security “are not the best communicators, and they don’t have interesting material, so they get preachy and boring and maddening,” he said. Likewise, the training classes miss many of the people who need them most, such as salespeople and key marketing executives who travel a lot, said Paller.
Back of the train
But not everybody agrees with the training gimmick strategy. “This is exactly why we got out of the security business and adjusted our focus to intelligence operations,” said Mark Gembecki, chairman of WarRoom Research Inc., a consulting firm in Linthicum, Md. “The mission of corporate America is not good security. It is shareholder value, plain and simple.”
“If software was subject to recall, like Firestone tires [were], for security defects, that would help elevate security in importance,” said John Pescatore, an analyst at Stamford, Conn.-based Gartner Group Inc. “Until we see something like that, security will always be in the caboose [and not] in the locomotive.”
Therefore, the challenge for many awareness programs is the corporate culture, said Winn Schwartau, founder of security consultancy Interpact Inc. in Seminole, Fla.
The answer, said Schwartau, is to determine your culture’s boundaries and figure out what you can do within those boundaries.
“A business will have good security if its corporate culture is correct,” said William Malik, vice-president and research area director for information security at Gartner. “That depends on one thing: tone at the top. There will be no grassroots effort to overwhelm corporate neglect.”
“Organizations don’t change,” said Melissa Guenther, an awareness specialist at Glendale, Ariz.-based LogOn Consulting Inc. “People change. And then people change organizations.”