My favourite definition of risk management is by Borge who states: “Risk Management means taking deliberate action to shift the odds in your favour - increasing the odds of good outcomes and reducing the odds of bad outcomes”. So with all these deliberate actions we’re taking, how do we know we are effectively managing risk for our organisation?
Information Security professionals are involved in a myriad of initiatives, from Antivirus management to Information Lifecycle Management, all in an effort to manage risk on behalf of their organisations. Take security awareness, a key component of an information security programme. It is common practice for organisations to dispense security advice to end users on how to compose passwords, what the acceptable rules for Internet and email usage are, and so on. The goal is to promote positive behaviour in our organisations by making users comprehend and comply with the company security policies. So, how do we know that our efforts are effective? We could get our employees to write a test to determine how well they understood the policies, but this does not show how the training affects their on-the-job behaviour. This article looks at some of the problems with the way security advice is provided to users and how these efforts can be improved to ensure a more successful security programme.
THE IRONY OF SECURITY ADVICE
Firstly, a clear message is not being communicated to end users [1]. This is especially true for dynamic, complex threats: what must I do? Why must I do it [2]? In an effort to make the message more palatable, we simplify it to such an extent that the meaning is diluted. We emphasise the worst-case scenario instead of the average-case scenario [7]. We provide security guidance where the actual benefit is speculative. For example, choosing a strong password does not help when attackers use keystroke logging (malicious software on your machine that steals your password on behalf of criminals) or phishing attacks (for example, where criminals email you pretending to be your bank in order to get you to disclose sensitive information, like your password).
Secondly, security advice may not result in the desired outcomes. In one case, 40 end users were taught how to identify phishing scams, with the result that they simply became suspicious of all emails. In a similar case, at a large international ICT organisation, a group of newly recruited employees received a legitimate corporate email with a link requesting them to register on an internal portal. Most users ignored the email as they feared it could be a phishing attempt.
Thus, one result is that users consciously reject security advice because it offers a poor cost-benefit trade-off. In other words, the direct cost, which is the loss the advice attempts to protect them against, is outweighed by the indirect cost of the users' own time and effort [7]. Users see the former as a once-off cost and the latter as an ongoing cost. Too much emphasis has been placed on the value of the message. In doing so, we disregard the practical effectiveness of this advice and the value of end users' time and effort [7].
I carried out an experiment at an organisation to measure the impact of security awareness on behaviour. This involved a control and experimental group, and system-generated data as indicators of behaviour. As shown in Figure 1 below, there was no link found between users being exposed to security awareness and the necessary compliant behaviour (as depicted by the bottom X). It was found that security awareness training was effective in terms of end-users retaining security knowledge from the awareness training (as depicted by the tick). However, there was no evidence to suggest that increased security knowledge was sufficient to ensure enactment of the required compliant behaviour by end users (as depicted by the top X).
Figure 1: Testing the effectiveness of security advice
RESPONSE TO CHALLENGES
So what can be done to encourage appropriate behaviour by users and thus make our risk management efforts more effective? Firstly, we need to test our ideas, as demonstrated above, to ensure that our efforts are having the required outcomes. If we do not measure the effectiveness of our efforts properly, how can we hope to succeed?
Secondly, we must recognise what motivates security-related behaviours. The problem is more complex than originally anticipated: it is bound up with users' ability to understand risk and to make trade-offs [3].
Compliance with policy is in fact driven by the intentions and attitudes of employees (which are themselves determined by various factors). It therefore makes sense that promoting positive social pressure on employees with respect to compliance with security policies (for example, from all levels of management and from peers within the organisation) promotes actual security compliance. Practically, this should be done by explicitly stating what is required and by showing what needs to be done, for example during induction training [5].
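The measurement the paragraph above calls for, as an added example that is not part of the original article and does not reproduce the author's experiment: a control group and a trained group, a quiz score as the knowledge indicator, and a system-generated behaviour indicator (here, whether a user clicked a link in a simulated phishing email in the month after training). The data is constructed inline so the script runs offline; the group sizes, scores and click counts are assumptions chosen to show the pattern the article describes, where knowledge rises but behaviour does not. The behaviour comparison uses a two-proportion z-test implemented with the standard library only.

```python
"""Added example: does awareness training change behaviour, or only knowledge?

Constructed data, not the author's experiment. Two groups of 40 users: a
control group that received no training and a trained group. For each user
we hold a quiz score (knowledge retained, 0-10) and a system-generated
behaviour indicator: True if the user clicked a simulated phishing link in
the month after training (non-compliant behaviour), False otherwise.
"""
import math
from dataclasses import dataclass


@dataclass
class UserRecord:
    group: str        # "control" or "trained"
    quiz_score: int   # knowledge retained, 0-10 (assumed scale)
    clicked: bool     # behaviour indicator taken from a phishing-simulation log


def build_constructed_records():
    """Deterministic sample: trained users know more but click about as often."""
    records = []
    for i in range(40):
        # control group: middling quiz scores, 12 of 40 click
        records.append(UserRecord("control", [4, 5, 6, 5][i % 4], i < 12))
        # trained group: high quiz scores, 11 of 40 click
        records.append(UserRecord("trained", [8, 9, 9, 8][i % 4], i < 11))
    return records


def mean_quiz_score(records, group):
    scores = [r.quiz_score for r in records if r.group == group]
    return sum(scores) / len(scores)


def click_counts(records, group):
    """Return (number of users who clicked, group size)."""
    sub = [r for r in records if r.group == group]
    return sum(r.clicked for r in sub), len(sub)


def two_proportion_ztest(k1, n1, k2, n2):
    """Two-sided z-test for H0: both groups have the same click rate. Returns (z, p)."""
    p1, p2 = k1 / n1, k2 / n2
    pooled = (k1 + k2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))   # two-sided tail probability
    return z, p_value


def evaluate(records, alpha=0.05):
    """Report knowledge gain and whether behaviour differs significantly between groups."""
    knowledge_gain = mean_quiz_score(records, "trained") - mean_quiz_score(records, "control")
    k_c, n_c = click_counts(records, "control")
    k_t, n_t = click_counts(records, "trained")
    z, p_value = two_proportion_ztest(k_c, n_c, k_t, n_t)
    return {
        "knowledge_gain": knowledge_gain,
        "control_click_rate": k_c / n_c,
        "trained_click_rate": k_t / n_t,
        "z": z,
        "p_value": p_value,
        "behaviour_changed": p_value < alpha,
    }


def click_rate_by_knowledge(records, threshold=9):
    """Within the trained group: click rate of high scorers vs the rest."""
    trained = [r for r in records if r.group == "trained"]
    high = [r for r in trained if r.quiz_score >= threshold]
    low = [r for r in trained if r.quiz_score < threshold]
    return (sum(r.clicked for r in high) / len(high),
            sum(r.clicked for r in low) / len(low))


if __name__ == "__main__":
    data = build_constructed_records()
    for key, value in evaluate(data).items():
        print(f"{key}: {value}")
    print("click rate, high vs low knowledge:", click_rate_by_knowledge(data))
```

With this constructed sample the quiz shows a clear knowledge gain (the tick in Figure 1) while the click rates of the two groups are statistically indistinguishable (the bottom X), and within the trained group the best quiz performers click as often as the rest (the top X). In a real programme the behaviour indicator should come from systems the user cannot game, such as mail-gateway or simulation logs, and the groups should be assigned before training rather than self-selected.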
Factors that influence user security behaviour are: what they are told and what they see around them. Employees are strongly influenced by their peers and the messages released by the organisation whether internally or externally. If they see inconsistencies and contradictions between the message and the actual behaviour of the organisation, this will ultimately influence their behaviour [6]. A colleague who worked for a large multinational company once told me about the strong safety culture in that organisation. It was so entrenched that if one part of the company failed a safety audit, the entire organisation was shocked and embarrassed. There was congruence between what users read (i.e. policies) and what users saw (i.e. behaviour of senior management). It is that type of consistency that security professionals should aim for.
Security awareness by end users is necessary, but not sufficient, to achieve compliant behaviour. To ensure cost-effectiveness, senior management must insist that security awareness programmes are measured in terms of practical effectiveness. Learning science principles (an interdisciplinary field that examines how to better facilitate learning) should be used, such as providing immediate feedback when incorrect behaviour is observed. More effective techniques to deliver the security message and to get users to actually read and absorb the material, improving the quality of the message, are needed [4]. The use of situational movies and cartoons is a great way to get the message across; however, the cost to users in terms of effort and time must also be taken into account. Finally, if we are to succeed, senior management must be seen to comply with the information security advice.
Note: The views reflected in this article are those of the author and do not necessarily reflect the views of his company.
REFERENCES:
- [1] Gaunt N. 2000. Practical approaches to creating a security culture. International Journal of Medical Informatics, 60(2), pp. 151-157.
- [2] Srikwan S., Jakobsson M. 2007. Using cartoons to teach Internet Security.
- [3] Schneier B. 2003. Beyond Fear. Copernicus Books, New York.
- [4] Kumaraguru P., Rhee Y., Acquisti A., Cranor L., Hong J., Nunge E. 2007. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI 2007), San Jose, California, USA, pp. 905-914.
- [5] Pahnila S., Siponen M., Mahmood A. 2007. Employees' Behavior towards IS Security Policy Compliance. Proceedings of the 40th Hawaii International Conference on System Sciences.
- [6] Leach J. 2003. Improving user security behaviour. Computers & Security, 22(8), pp. 685-692.
- [7] Herley C. 2009. So Long and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. Proceedings of the New Security Paradigms Workshop (NSPW), September 8-11, 2009.