Security Awareness Blog

Survey - Workers Consistently Rank Personal Risk Over Corporate.

A new survey by Trend Micro reports that workers consistently rank personal risk over corporate. Specifically, the survey of 1,600 employees found that "... employees were more focused on individual concerns and conveniences than their company's overall IT security." To be honest, I don't think anything in the report should be a surprise. Its human nature, most people are going to be more concerned about themselves then the organization they work for. However, it seems like organizations forget this when they roll out an awareness and education program. To often these programs are nothing more then a series of rules of what people can't do. This is the wrong approach. One of the things I have found that gets tremendous feedback is focus on how the individual benefits. I've found that 70-80% of any security awareness program not only applies to work, but the same lessons learned apply to home. Lessons such as social engineering, how to maintain a secure computer, how to surf the web safely, etc. If you focus on how the individual benefits, they are more likely to listen. In addition, if you can get employees to practice secure computer behaviors at home, then these behaviors become second nature at work. So instead of considering reports like this a problem, jump on the wagon and use it to motivate people. Of course there will always be those who do not listen. No matter how you try to motivate people, there will be those who will violate what they have been taught. For this we have to put down the carrot and pick up the stick, unfortunately at times you also need strong enforcement.

1 Comments

Posted December 14, 2010 at 7:59 PM | Permalink | Reply

Jay

I just found this, so apologies for the delay. One thing I've been hammering home to colleagues, auditees, users, anyone else who will listen, is that one rule that will provide results on security is that if you can formulate policies/rules so that the employees' incentives are lined up with the company's.
One exampe of this is a (bad) suggestion I saw where a company did not let employees change their password (until it expired, i.e. minimum age = maximum age). The logic was to force the employee to report potential disclosures to security. The flaw is that self-preservation overridden the intent''"when given a choice between a) risking embarrassment and/or reprimand, or b) keeping quiet and hoping for the best (and playing dumb later), most will chose b. If you change the equation to a choice between a) change your password and correct a possible incident or b) keep quiet and hope for the best, there is a greater chance they will put security first.
2 cents.
Nice article. I'm loving this site.