End users tuning you out? Here's a three-step process for taking human factors into account in your security program (and even using them to your advantage).
Let us begin with the premise that security policies exist to protect an entity's assets as it pursues the normal conduct of business.
To ensure that those policies are effective, security professionals must first understand the social elements, including cultural and generational variances, that affect employee behavior and perceptions about security.
With the implementation of a three-step process of discussion, creation and messaging, security policy can be successfully crafted—with consideration given to geographical, cultural and generational factors—while assuring resonance and understanding throughout the organization.
A Cisco white paper, Data Leakage Worldwide: The Effectiveness of Security Policies, illustrates the apparent disparity between the perceptions of end users and IT professionals surrounding the existence, relevance, updating and communication of security policies.
Just as businesses strive to understand their marketplace, they should also conduct internal market research to identify the key characteristics of their employee demographics.
To protect your employees, it is necessary to answer a number of rudimentary questions:
- What are the business's goals?
- Who is responsible and accountable for the business's success?
- Which individuals or business units are most affected by a certain policy?
- Whom, and which functions, are you trying to protect?
- What social differences exist?
So let's look at some of these demographic challenges that an enterprise may face. In the geographic domain, a policy written for one audience may fail elsewhere if not fine-tuned for relevance.
After all, cultural differences affect methods and styles of communication.
For example, a message crafted for a highly technical audience in Asia may not have much success with a less technical group of employees in the U.S. who are used to a different communication style; such a message risks putting them to sleep or causing them to check out intellectually.
Generationally, how do we deal with individuals who are entering the workforce having collaborated and communicated openly using social media and other collaborative tools?
Truly, this is an unprecedented challenge. The key to success is in the early transfer of responsibility to those engaged in making the business successful.
Take steps to assist those who believe that "there are no secrets" and help them comprehend why their personal livelihood depends on protecting the corporate intellectual property and infrastructure.
Clearly communicate that, in fact, there are secrets.
Once employees understand that they have a responsibility to protect the enterprise, the chasm between the security professional and the rest of the staff not only shrinks, it disappears.
Far too often, security policies arrive as a reaction rather than as proactive risk management. Through this process, the enterprise comes to treat security as forethought, not an afterthought.
Unfortunately, many policies are created without any discussion or consideration of business needs. When challenged, an IT department expects automatic adherence.
Managers frequently expect subordinates to comply with a policy even if they don't understand why adherence is expected; it is simply "because I said so" compliance.
To have security policies arrive as an overlay to an existing procedure is like placing a patch over a hole on a sweater. The patch may be effective, but if applied incorrectly, it can leave a noticeable flaw.
An upfront investment and a mandatory engagement by those crafting security policy need to occur at the point of strategic discussion within the business unit.
This strategic interaction greatly raises the odds of having a security policy that makes sense and factors in the data from demographic and functional research.