While consequences have a negative connotation, consequences contribute to 80% of the success or failure of Security Awareness programs.
When I ask CSOs what consequences there are for security-related behaviors within their organizations, they almost balk at the idea. They assume that I mean punishments, and that they rarely have the authority to strictly enforce any punishments. I have to point out to them that there are consequences for all actions; good, bad or neutral.
Clearly, punishment is a negative consequence. It can range from being called out to being fired. Of course, sometimes the offender creates their own negative consequences by causing harm to themselves. Of course, how severe the punishments are impacts the usefulness. Frequently when people bypass security measures, they are rewarded with fewer impediments to do their jobs. Sometimes the rewards are part of the organization's security program. More frequently, whether or not a person follows a security policy has no impact.
One of the most effective Security Awareness consequences that I experienced was when I began work at a government contractor many years ago. My first day on the job, I forgot to lock up my burn bag. A burn bag is literally a bag where you are supposed to place any classified materials you want to dispose of. Before you left the office for the day, you were supposed to place your burn bag in a locked drawer or similar storage. One day, I apparently left my burn bag out. The next morning, I received a call from the physical security manager, who wanted me to come to his office.
I walked in and he held up my burn bag and asked if I was missing anything that morning. He went on to tell me that the security guards do rounds, and they confiscate any vulnerable information. I said, "Thanks," and assured him it would never happen again. And it didn't. The consequence of being called into the his office was more than enough for me to remember to lock up my burn bag in the future.
Also a contributing factor to consequence is the probability that there will be a consequence. For example, even if there are clearly negative consequences, if the likelihood of being punished is negligible, it negates any negative consequence. If you have rewards in place, but the rewards are not frequently distributed, then they are moot. Consequences are only as useful as their consistency. In my case, I knew that the guards did regular rounds, so the probability of negative consequences was high.
The ABCs of Awareness
There are the ABCs of behavioral science; specifically antecedents, behaviors, and consequences. Antecedents are precursors to behaviors. In Security Awareness, antecedents are typically information. It can take the form of briefings, posters, newsletters, activities, or whatever else is in a traditional awareness program.
Behaviors are the actual behavior a person displays. They are what they are. For the purposes of this article, it does not matter whether the behavior is the desired behavior. The behaviors are the actions that the person takes given all the motivators.
Then there are the consequences. Consequences are the results of the actual behaviors, and have been discussed. However what is important is that while antecedents drive behaviors, so to do consequences. The stereotypic example is that if you burn your hand once on a fire, you know not to do that again.
The 80/20 Rule
As should be obvious, consequences, such as burning your hand on a fire, are much more impactful than telling someone that the fire is hot. For adults, there is the frequent statement by restaurant servers that a plate is hot. Many people hear that, but assume that they are just exaggerating. It is only when you feel how hot the plate is that you behave more cautiously.
Studies indicate that antecedents account for 20% of behavior, while consequences drive 80% of behavior. This is a critical issue to understand, and a major reason for awareness programs failing.
I previously described why awareness programs fail. To put the information in context for this article, it comes down to the fact that the antecedents are poor, and the programs lack the appropriate positive or negative consequences.
Putting the ABCs to Use
Obviously, it would not hurt to put out more relevant information. Putting out the information in multiple formats, so that the information is more likely to be received in a desirable form, is also a good thing. You can review the past article on how to create a successful awareness program as well.
At the same time, you need to look to create the appropriate consequences. I previously discussed gamification, and how to implement that in your organization. Gamification, placed into this context, is creating positive consequences for consistently exercising the desired security behaviors.
Putting together small contests or activities that are short of gamification programs can also be useful.
At the same time, you should approach your organization to see what support you can get to implement both positive and negative consequences related to your organization's overall security program. Security Awareness supports the overall security effort, so your entire department should be supportive of efforts that have people adhering to the appropriate policies.
Perhaps the strongest consequence available to an awareness program is your organization's security culture. Peer pressure is the most impactful tool that you have in implementing behavior. When I was at NSA, if a person did not wear their badge, all of their coworkers would call them out. If you left your desk with classified materials vulnerable, your manager would have a talk with you the next day, if it wasn't your coworkers.
In any environment, you pick up the daily patterns of your coworkers as an organizational security norm is created. So if you want to create ubiquitous consequences, try to change group behaviors. Depending upon the behaviors and the rewards, you might find it is easier to influence a group instead of individuals. And that in turn influences individuals.
I would love to recommend that you put 80% of your awareness efforts into developing and implementing better consequences, however the reality is that you need more support than you are likely to receive. In that case, you need to make due with creating more effective information, and implementing consequences as they arise.
The primary reason for this article is that I find few CSOs and the people responsible for implementing awareness programs are aware of the impact that consequences have on the success of not just an awareness program, but on the entire security program. When you find that you are not getting the results you want with regard to organizational behavior, you need to stop and consider if you need to divert some resources toward consequences. Again, without even considering the issue, you are eliminating 80% of the probability of success.
Ira Winkler, CISSP can be contacted at www.securementem.com.
This story, "Successful security awareness programs hold employees' hands to the fire" was originally published by CSO.