Security Awareness Blog

Guest Blog - Nudging Towards Security

Editor's Note: This is part of a series of blog posts by Sahil Bansal from Genpact on the topic "Nudging Towards Security".

My first post emphasized that security should be really easy if we want people to do it. It also highlighted the importance of security being proactive, since a lot of security incidents involve user mistakes. In this post, we will talk about a 'Nudge' that can stop people from making mistakes and help them take the right security decisions. An organization's sensitive information (whether it is trade secrets, internal training material or its customers' information) is its bread and butter. It has to protect that information at any cost. Employees are asked to protect this information during new hire induction, via e-learning courses, posters and security awareness sessions. But such channels cannot ensure that employees fully understand how to protect sensitive information.

There are always cases where employees send sensitive data outside the company network, whether it is sent to a personal email ID, posted on social networks or copied to a USB drive. A lot of these incidents are unintentional: either the users don't know the information was not supposed to be sent out, or they don't realize that the information is leaving the network. This can be disheartening for awareness and training teams, as they put in so much effort to sensitize users but still keep seeing such cases. And as we are seeing now, there is more reliance on users to take good security decisions. But what more can be done to inform them and, more importantly, what more can be done so that they will listen, remember and adhere to what we say? Technology has armed us with tools that can help us answer these tough questions.

An example is the DLP (data leakage prevention) tool. Depending on how it is configured, a DLP tool can detect personal email IDs in the recipient list when a user tries to send an email. Some can even temporarily or permanently stop the email from being sent if it contains sensitive data and a personal email address is among the recipients; the email can only be sent once the user completes a required action. So the way it works is this: when a user is sending an email that has confidential information (say an organization's training material) and there is a Gmail ID in the recipient list, as soon as the user hits the send button, they will see a pop-up on the screen. Unless they do what the pop-up says, they cannot proceed with sending that email.

There! We have a new teachable moment, and the user will read it since they want to send that email. This pop-up can be used to inform the user that they may be about to make a mistake. If there is no business justification for that action, maybe they should not send it. Users can also be asked to type a justification into that pop-up before proceeding. This pop-up works wonders in many ways. First, users who were genuinely about to make a mistake (they did not know this is not allowed, they did not notice the Gmail ID in the list, etc.) will stop. Second, if users still proceed, they can be held accountable afterwards, since they would have typed a reason before sending that email; they can no longer say they did it by mistake. Lastly, we have got a new teachable moment.

This is also measurable. The DLP tool can track the number of cases in which users did not proceed with sending the email after seeing the pop-up. Most importantly, an organization might be able to reduce the number of data leakage incidents, and we all know the effect each data leakage incident can have on an organization's brand image, on its customers' trust and on its finances. Other places where this 'Nudge' can be explored are when people try to upload sensitive data to unauthorized web storage sites, when they try to copy data to USB drives and when they try to post sensitive information on social networks.
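To make the pop-up rule and the measurement concrete, here is an added example (not code from the post or from any vendor's DLP product) of a toy outbound-mail policy: it flags a message only when sensitive content and a personal webmail recipient occur together, demands a justification through a callback that stands in for the pop-up, and keeps the counts the post says should be tracked. The personal-mail domains and sensitivity markers are illustrative assumptions.

```python
"""Toy DLP 'nudge' policy for outbound email (constructed example)."""
from dataclasses import dataclass, field
import re

# Assumed lists; a real deployment would take these from policy, not code.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SENSITIVE_MARKERS = (
    re.compile(r"\bconfidential\b", re.I),
    re.compile(r"\binternal training\b", re.I),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # SSN-shaped identifier
)


@dataclass
class NudgeStats:
    """Counters the awareness team can report on afterwards."""
    shown: int = 0       # pop-ups displayed
    stopped: int = 0     # user cancelled after seeing the nudge
    justified: int = 0   # user proceeded and recorded a reason
    reasons: list = field(default_factory=list)  # (recipients, reason)


def personal_recipients(recipients):
    """Recipients whose domain is a known personal webmail provider."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS]


def is_sensitive(text):
    return any(p.search(text) for p in SENSITIVE_MARKERS)


def evaluate(recipients, body, stats, justify):
    """Decide an outbound message: 'sent', 'blocked' or 'sent_with_justification'.

    `justify(external)` plays the pop-up: it returns the reason the user typed,
    or an empty value if the user closed the dialog without proceeding.
    """
    external = personal_recipients(recipients)
    if not external or not is_sensitive(body):
        return "sent"                      # no nudge needed, nothing to count
    stats.shown += 1
    reason = justify(external)
    if not reason or not reason.strip():
        stats.stopped += 1                 # the teachable moment worked
        return "blocked"
    stats.justified += 1                   # accountable: reason is on record
    stats.reasons.append((tuple(external), reason.strip()))
    return "sent_with_justification"


def stop_rate(stats):
    """Share of nudges after which the user chose not to send."""
    return stats.stopped / stats.shown if stats.shown else 0.0
```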

Bio: Sahil leads the security awareness, training and culture change initiatives at Genpact. He holds a B.Tech and an MBA and has taken courses on Social Psychology, Behavioral Economics, marketing and branding. At present, he is helping the Genpact information security team look at the problem from a people perspective. He has also worked with other IT giants such as Infosys and HCL Technologies in the past.