Why are people such a security risk at work? This is particularly the case when it comes to cyber security. For instance why do people so often seem to forget common-sense and share passwords or leave secret documents exposed for others to see? There are a good few reasons.
- It may be because some people find that the rules are too difficult to follow them: for instance complex password protocols are often avoided because “who could ever remember a random 12 character password that is different for every site and that changes every month?”
- Or it may simply be because they don’t understand how to follow the rules. They haven’t been taught the techniques of following them properly and so rather than getting it wrong they do nothing.
These reasons can be addressed through education. But there are other reasons for security lapses, and a number of reasons are related to the credibility of cyber security initiatives.
- Some people may ignore the rules because they feel that the rules are simply unnecessary and don’t actually do anything useful.
- Or they may feel (and perhaps they have evidence) that the rules don’t work; other rules need to be put in place but in the meantime they will ignore the useless current rules.
- They might even think that they are doing the right thing in ignoring the rules – that there are certain circumstances that justify their actions.
These reasons may be a little harder to address, but again with some education supported by evidence people will understand why they are necessary and have confidence that they do work.
There are however a number of reasons that are harder to manage.
- Sometimes people feel that it’s inconvenient to follow security rules. Perhaps they feel that their time is too valuable – or they are too important to follow the rules. Perhaps they are simply too lazy.
- Some people feel that rules are an attack on their freedom. It’s up to them what they do – and no one is going to tell them otherwise.
- Others feel that breaking the rules is in some way funny or exciting and as a result breaking them will be emotionally rewarding: they will be liked or admired for it. Or perhaps the emotional reward will be more negative – revenge on a colleague, boss or organisation that they feel has treated them (or someone else) badly.
- And others will be out for personal gain: perhaps they steal information to further their careers elsewhere, or even in response to a bribe.
- Still others will submit to peer pressure: they follow the crowd – everyone else is doing it so what can the harm be?
Education can’t be the whole answer here. While it is important, there may also need to be a degree of coercion, an acceptance that ignoring the rules may result in unpleasant consequences. After all, not everyone will do the right thing simply because it is the right thing. And remember – coercion doesn’t always have to involve disciplinary procedures. With the right approach the coercion can come from colleagues and rule breaking can become socially unacceptable, as has largely happened with drink driving.
But there are some other reasons that are particularly difficult to manage.
- First of all there is trust. Most people are happy to believe another person, especially if they look and sound confident and trustworthy, and to help them if they ask for something for instance printing out a document on a USB stick for a stranger or getting someone a coffee while they wait alone in a room with a network connection
- And secondly there is fear – fear of being wrong, fear of embarrassment. It is this fear of speaking up when people see something that they think isn’t quite right that opens many organisations to risk.
These characteristics are very hard to manage. And it is because of these that organisations need to go further than education and coercion when managing cyber security.
Gartner has created an interesting model that may help with this. They propose seven core principles that help to establish “people-centred security”. These are:
- Accountability: the owners of data are accountable for its security and so make decisions about who can have access to it
- Autonomy: people who have access to data make their own decisions about how they use it, based on the requirements of their role balanced with the organisation’s security requirements
- Community: people do not make decisions in isolation and so organisations should promote a positive culture of collaboration that supports good decision-making
- Responsibility: people who have access to information are expected to act responsibly and, perhaps more importantly, are held responsible for the consequences of their actions
- Proportionality: controls must be appropriate and proportionate to the risks
- Transparency: people’s behaviour is monitored, but any punitive actions are open to scrutiny to prevent vigilantism, bullying or unfair behaviour
- Immediacy: if someone fails to act responsibly, the reaction will be immediate although as a rule there will be a greater focus on supporting compliance that on punishment
These principles are sound (although perhaps a little “right on” for such an important subject). The focus on education as the fundamental enabler, and community policing of decisions and punishments as the chief source of influence, should be effective in many situations, especially with people who are too trusting or too fearful.
However, a reliance on autonomy may be dangerous, especially where people do not feel confident of their own abilities, or where people are simply incompetent.
And there is a danger that many actions are not open to the scrutiny of the wider community so the community may in reality be powerless to act as a policeman. In addition there are always some people who are mavericks and do not care whether they have community approval, or even seek actively to generate community disapproval.
Organisational security should of course have a strong focus on people and their motivations and behaviour. But there also needs to be an equal focus on business processes so that employees have structures to support their decisions and actions. And underpinning all this must be the technical solutions that are fundamental to any effective cyber security.