5 Solid Ways to Build Security Culture in Your Organization (That You Probably Never Heard Of)

Wednesday, January 22, 2014

Pete Herzog


We know that security awareness trainings for the most part are not so good. Most employees avoid them like the plague and do their best to keep security from getting in the way of their work. But it doesn’t have to be like this. You can build a security culture that reinforces security awareness and maintains security on its own. Here are five unconventional tricks that really work:

1. Teach employees NOT to say NO.

One of the ways to manipulate a person into giving information they should not is to prey on their sense of customer service and niceness. That’s why you need to empower them to say “I don’t” instead of “I can’t” or even just “no”. Saying “I don’t want to give you that information” puts one in a position of decision and power and allows the employee to maintain willpower even if the attacker really lays it on thick.  Whereas “I can’t" or just “no" is mentally exhausting. It also helps when employees find their time divided and they are pulled into a position of heavy multi-tasking and stress, a mental weakness which forces people to fall back to routine, leaving themselves more open to attack.

2. Drop the paranoia paraphernalia and threats.

Maybe you threaten them (legally) to read and sign the security policy. Maybe you put up posters or give out mousepads on what evil threats they should look out for. Maybe you even reward them for turning in the people who didn’t wear their badges. Maybe you visit them from time to time to let them know you see what they’re downloading. So stop. Overloading them with paranoia and fear brings an anxious, negative culture which causes even more mental fatigue than employees can handle and still be able to make good decisions. Remember, you need mentally alert employees to detect anomalies or catch attacks.

3. Push happiness.

Rumor has it (and many studies) that happy employees are productive employees. Remember the 7 dwarves whistling on their way to work? Like that. However it does even more than that. It has also proven to reduce an employee’s fatigue-related absenteeism by 23% and makes them 10% more engaged at their work. So not only do you reduce the stress and the need for multi-tasking on those who have to cover for sick employees, you also have employees more mentally capable of fending off a social-engineering attack. Not to mention the effect on work-place turn-over which is a burden on maintaining a security culture if there’s constantly different people.

4. Discourage socializing.

Socializing is another task employees need to “multi” in their day. It’s also the most mentally exhausting of all tasks, requiring mutliple regions of the brain to flare up as we need to think quickly, read expressions, and exhibit the proper niceties of the workplace. Socializing is mentally exhausting and even more so if it’s in the workplace and rules need to be followed or at least anything requiring one to carefully gauge what’s appropriate to say at the moment. As social animals we can just do it so it doesn’t seem to compare as hard for us as something like long division. But it is. It consumes a lot of energy. So much so that studies show 89% of employees are more productive when working alone. However, with so many ways to communicate, is alone really alone? A Google study showed 66% of people use their smartphones and PCs simultaneously. Meanwhile 90% have shown they multi-task through various forms of communication through-out the day. Social networks add to that distraction by both causing employees to divert attention away from their tasks as well as socially engage which further tires their minds. Employees using social networks and constantly communicating with others, even if in a fun and happy way, lose the ability to be alert to threats progressively through the day. So remove social networks for anyone whose job is not social networks and encourage alone time, going for walks, and not sitting around to chat whether in a break room or in a meeting.

5. Encourage walks.


Studies show that quiet walks refocus attention and refresh the mind. If people are going to gather to meet and discuss business or even to socialize they should be walking. Standing and walking are both healthy, keep blood going to the brain, and minimize stress. The human firewall in us needs willpower and problem-solving to be effective which further requires lots of mental energy. So keeping a mind fresh is vital. The last thing you want is an employee to default to a mental routine state where they can be easily swayed to say the wrong thing, click the wrong thing, or not notice when red flags have been raised.

Building a great security culture is tough but not impossible. It does require treating humans like humans, which means knowing how people behave, what they need, and how much they can be expected to keep up with mentally. Studies show that even people who think they can multi-task and focus, really can’t. People fool themselves about things like that all the time. So we need to create an atmosphere that supports them through their weaknesses. That’s especially important for maintaining security.

At ISECOM we designed a full-day workshop to teach you how to create a great security culture in their organization based on years of neuro-hacking research and in-depth knowledge of operational security (creating the OSSTMM). You can get the PDF flyer here with details. And if you happen to be going to Troopers in March or just happen to be around Germany then, I’ll be running the workshop. Check out the details here.

Possibly Related Articles:
Enterprise Security Security Awareness Security Training General
Security Awareness
Post Rating I Like this!
Rod MacPherson Great tips. For some of us the posters and videos do have a place, but it is important that they be educational and humorous if possible, not using scare tactics. I am growing quite weary of the stuff I see with the hacker in the ski mask and the red biohazard symbols. :(
Pete Herzog Thanks Rod! Yes, the key word is Paranoia- apparently the posters are fine as long as they don't add fear or overtones of "we're watching you" to the mix. At least that's what the research shows.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked