Security Awareness Blog

Why Bruce is Wrong on Getting Incentives Right

Bruce Schneier just published an interesting blog post on why he feels security awareness programs get incentives wrong. Instead of teaching people about risks, he suggests we should be firing people who get security wrong. He argues that people already understand the risks and simply choose to ignore them. I disagree.

There are some organizations that have an extremely low tolerance for risk; organizations such as these can and will fire those who fail to follow procedures (intelligence organizations are a good example). But for the vast majority of organizations, simply firing people is not an option. First, there are labor and union laws that make that impossible (especially in Europe). But even if firing people is an option, does it fit your culture? Do you truly want people to be motivated by fear and to resent security? Because that is what is going to happen.

The most successful method I have found to make awareness 'stick' and change behaviors is to engage people and focus on how awareness personally benefits them. People face the same cyber risks at work as they do at home. By teaching them how they benefit, and how they can protect themselves and their families, they are far more likely to change behaviors. Even better, they now have the same security behaviors both at home and at work; security becomes part of their DNA.

Don't get me wrong, I'm not saying enforcement is not important. It plays an important part in any successful awareness program. However, you want your first step to be on the positive side: engage people and you will change behaviors. My favorite metric for a successful awareness program is when people ask how their family and friends can also take the training. It is hard to get that type of engagement when you are running around trying to get people fired.



Posted March 5, 2013 at 1:57 AM


I had a lot of time on the plane ride back to Montana to think about all the brilliant security awareness advice doled out at RSA. I was in your session, as well as attending a peer 2 peer and the debate on security awareness and training. I was troubled some to listen to Bruce and others debate the value of security awareness programs and conclude (mostly) that they were a waste of resources. Bruce made the same suggestion ('fire someone') during that debate. While firing is not an option for most organizations (legal issues, scarcity of talent, etc.), I think the point still stands. The economics of security awareness dictate that it cannot possibly be valuable if there are no rewards for success or consequences for failure. Firing is the most extreme example, but there is a spectrum of less permanent options for sanction. If employee incentives and disincentives don't include security, we can't expect them to change their behavior. At least for HIPAA covered entities, sanctions are a requirement, and rightfully so. In my mind, the most critical component of all this is an effective training program. A well-educated user, who knows what to watch for and the consequences of making a mistake, is the least likely to compromise the data entrusted to an organization.

Posted March 5, 2013 at 2:11 AM


Thanks for sharing, Steve. I could not agree more.

Posted April 5, 2013 at 7:51 PM


I was a bit surprised by Bruce's post as well. I agree with him that people need to see consequences to get incentives right, but this can be abused.

I don't look to movies for advice, but I still consider them insofar as how people think. Anymore, whenever you see a movie, you will see a warped view as to how control works. The hero always disregards the rules to do TheRightThing(TM). Those who are by the book end up dead, humiliated, or are the villains. Bosses are ignored. Rules are broken. The authorities are told to go to he11. Auditors are dismissed or have the door shut in their face so the heroes can DoTheirJobs(TM).

I see this mindset sometimes. WhateverItTakes(TM). People will say "I'm more concerned with taking care of people than doing paperwork." That's fine and dandy, but you have to be able to document the need for the funds, or that they are being used properly, to keep the funds coming so you can continue to "take care of people." I've also heard people say "as long as it gets done." Nope, noble sounding but wrong again. To do your job and help your constituency, you need information. Information can be misused. Your constituency trusts you to protect their information. You have to take due care. Security. Privacy. Integrity. Disregard protocols designed to do these things, and you hurt those you cut corners to help.

Awareness is important. While it can be costly overkill, and some just won't listen, some people just need to know so they will understand how important it is to do. Remember, popular culture tends to reinforce the wrong thing.

Sorry so late. Somehow missed this post.