information security behavior

17 September

Hello Readers,

Organizations are often unsure how to make employees follow information security rules and procedures. They launch awareness campaigns that spread the rules and procedures in visual, text and verbal formats. This creates “Awareness”. Organizations often stop here, and the reason is that the organization thinks that if the employee “knows”, then it is enough.

But “knowing” and “doing” are completely different. If a person “knows”, it is a good beginning, but for a person to “Do”, there has to be an application of what they “Know”. This must come through a behavioral change. Let us look at a simple fact concerning “Behavior”.

What motivates behavior change or adoption of new behavior?

“All behavior is based on the consequence that follows. If the person likes the consequence, the behavior will be repeated. If the person does not like the consequence, then the behavior will not be repeated”.

The first thing that comes to mind while reading the above sentence is the traffic in Bangalore, India. People behave irresponsibly on the road because they know that they can get away with poor behavior. So, what motivates poor behavior? The answer is simple – “poor ENFORCEMENT of rules by the police”. “Enforcement” is the key.

While designing an information security awareness campaign, the people responsible for it have the challenge of migrating the end-user through 3 stages of change.

1) Stage 1 – I don’t know (… I don’t know anything about information security)
2) Stage 2 – I know, but I don’t do (… OK, I am aware of information security, but I don’t apply my learning …)
3) Stage 3 – I know and I do (… I know about the importance of protecting information and I apply my learning on protecting information)

Please use the following diagram – http://www.himis.org/wp-content/uploads/evolution.pdf – for clarity on the migration between the above 3 stages.

Moving further, the challenge is the migration from stage 2 to stage 3. Stage 2 is the situation where the end-user is “Aware” but is not “behaving”. So, how do you migrate from “Awareness” to “Behavior”? This is precisely where the power of “Enforcement” comes in.

Let us go back to the case of traffic in Bangalore and the recently implemented law in Mumbai against drunken driving. This is a typical example of poor enforcement vs. good enforcement. Though I am not a Mumbaikar, from what I have read, if you are caught driving drunk, then you spend one day in the cooler. Based on reports, this has resulted in fewer road accidents in Mumbai and higher revenue collections for the traffic police. So, enforcement does work.

But often the problem is “Consistency” and “Repetition” of enforcement strategies. This applies to the police as well as to many information security managers. In the immediate aftermath of an incident there is strong enforcement for a few days, and then it becomes lax. But constant and repetitive enforcement produces excellent results.

In my next post, I shall explore simple but effective enforcement strategies used by 2 organizations that have produced excellent results in the long run. There is no magic formula, only simple and effective application of rules.

Warm regards,

Anup Narayanan
www.himis.org (HIMIS – Human Impact Management for Information Security)
