Dear readers,
This post is in succession to my earlier post ( http://isqworld.com/?page=1 ) where I examined behavioral factors that contribute towards people making
mistakes that compromise information. In this post I am presenting an analysis of an information security awareness management system.
During one of my company’s engagements with a large electronic retail chain, we were presented with the following challenge.
1 – The company had spent a few million rupees on information security awareness (on “awareness” alone, not on information security as a whole).
2 – They wanted a reality check on how effective the awareness campaign had been.
The strategy we adopted for this exercise was very simple: talk to employees and listen to how much they have understood from the “awareness campaign”.
So, this is what we did. We analyzed the messages that the company had conveyed as part of the information security campaign and listed them. The company had used emails, posters, quizzes, screen savers etc. to spread information security awareness. Presented below is the analysis of just one of those messages and the responses of the employees.
Message 1 – Don’t share passwords
Response of the employee(s):
Response 1 – “Which password are you talking about? I have approximately 6 to 8 passwords to remember as part of my work. For example, I am an HR manager and one of my responsibilities is to process salaries. I store salary information in a spreadsheet that is password protected. I have to share this sheet with my assistant managers and executives so that they can compute the salaries at the end of the month. How do you propose that I get my work done if I don’t share the password of this spreadsheet?”
Response 2 – “I am a sales officer and I have to update the sales calls that I made by 1800 hours every day. Sometimes I am stuck in traffic; I don’t have a laptop computer or a PDA. So, what do I do? My superior officer wants these reports sharp at 1800 hours. The best chance for me is to share my password with my colleague in the office and ask him to update the system on my behalf. I do understand that I am breaking the information security rule, but I am getting the job done. If you were to ask my superior manager, he would agree that I should rather break the information security rule if it is to get the job done.”
Here is one more response:
Response 3 – “When I return from vacation my password has expired. The Helpdesk takes anywhere between 24 to 72 hours to reset a password. How can I not work during this period? So, I have to take my colleague’s password.”
So, where is the problem? I believe the problem is that the people who make security rules have not studied the specific characteristics of their business before creating these rules. Every business is unique, just as every individual is unique. The information security rules for each business must be made after considering business realities. In the above case, the following facts are evident.
1 – Asking employees not to share passwords is not meaningful without sufficient compensatory mechanisms. What is the cost of such a mechanism? Is it very costly, or do we use “trust” as the control?
2 – The information security team must talk to employees and understand the genuine problems they will face if they follow the security rules to a “T”, and how that will affect business productivity.
3 – Employees feel that the information security team creates these campaigns and rules without really understanding the business. This creates the effect of “these security guys are on the other side of the table and don’t understand my genuine problems”.
Hence, from this experience, I have developed a concept that I prefer to call “Qualities of an Information Security Awareness System”. These qualities are:
1. Reach: Cover the whole workforce, not only employees. I will talk more about this in the next post.
2. Visibility: Where are the messages available and viewable?
3. Business relevance: Be specific about the information security awareness message, not generic. For example, when you say “Don’t share passwords”, which passwords are you talking about?
4. Impact visualization: Show what can go wrong if security rules are not followed. Often end-users cannot visualize the impact the way security professionals can.
5. Consider cultural factors: Consider the characteristics of the population, such as the culture of the country.
6. Clarity & ease of understanding: Keep it simple, with less jargon.
Warm regards,
Anup
www.himis.org ( HIMIS – Human Impact Management for Information Security )