3.4 Creating a Security Conscious Culture
lesson for creating a security conscious culture.
If I asked you what you think are the main things that make us adopt new behaviours, you would probably be thinking along the lines of consequences, which could be good or bad,
recognition for conformance,
the way we are treated, and the norms that are accepted in the environment in which we find ourselves. These are the basic components that create a culture and which shape our behaviour.
Now, if this sounds a little touchy-feely for a hard-nosed infosec professional like you, don't worry: this lesson is not about turning infosec people into fluffy bunnies. This lesson is really focused on some straightforward and practical steps that you can take to win the support of your colleagues.
Culture is often described as what happens when no one is looking.
I prefer to think about it as the things we do without really thinking about them, such as queuing or holding a door open for someone who is following us through it,
something that results in an automatic, almost subliminal response, something we do subconsciously. We don't need to refer to a training guide on what to do when we're going through a door and someone is following us. This behaviour has been learned and is just part of our normal behaviour.
So culture is generally accepted behaviours and standards.
In terms of establishing culture, one way that is virtually guaranteed to fail is to tell people that they need to change their behaviour because you want them to.
Even when you have the weight of policies and common sense behind you, it's difficult to get people to do things differently unless there are positive consequences. The challenge for the cyber security specialist is to take the organization with you,
to get your colleagues to be proactive members of your overall cyber security strategy.
So we need to change some aspects of their behaviour, and to do that, you need to be able to influence their behaviour in some way.
I can almost feel the trepidation here, where you may be thinking, "Well, we're IT security specialists, not workplace psychologists. We have neither the skills nor the resources to get the attention we need when the audience is so large and diverse, let alone get them to change their behaviour."
Well, you may be more powerful than you think. Many of the tools that we are going to focus on in this session are tools and techniques that you can deploy at little or no cost to apply positive influencing techniques within your organization.
There are three aspects of positive influencing that we could include in our cyber security program. First, there's the principle of catch them doing something right. Basically, this means saying thank you when users do the right thing.
Think about it. Most risk management metrics are focused on capturing metrics related to exceptions, things that went wrong or were not done correctly. But what about capturing things that were done right and giving positive feedback?
A further important part of achieving behaviour change is related to consequences for compliance. In other words, we undergo a positive experience for acting in the way that we are being encouraged to act. This does not have to be a huge financial reward.
It could be a thank you or, even better, some other kind of recognition.
Much of what we have discussed in this module needs to be managed to ensure that all these initiatives maintain traction in your organization.
They'll need focus and ownership. So you'll need to think about how all of the things we have discussed in this module come together and work as an ongoing process. In most organizations, this will require allocating some dedicated resource, a human resource, to act as a catalyst to give the process momentum,
adapt it to changing circumstances,
as well as providing upward and downward feedback on results and performance.
Job titles are irrelevant, but you might want to label this resource the security education lead, whose overall role is to champion the delivery and development of your security education program throughout the organization.
Catch them doing something right.
What this means is that the people in your organization who are doing the right things know that you know they are doing the right things.
Quite often, the majority of people get nothing for doing the right thing. Effectively, they get the silent treatment for doing the right thing.
Let's think about this in the context of a clear desk policy. When a clear desk audit is performed, in most organizations the people who don't have a clear desk will get some kind of ticking-off note or an email from whoever has performed the audit. But how about this as an approach:
What about leaving a thank-you card on the desk of the people who do have a clear desk,
and nothing for those who don't?
This achieves two aims. Firstly, it says thank you to the people who are complying,
but it also gives a subtle message to those who didn't have a clear desk.
Just a small dose of the silent treatment can make people feel marginalized and separated from their peers. This goes against our nature as humans; we want to belong. So this approach gives you two positives: making the majority feel that their observance of the rules is appreciated,
and giving those who don't comply a more subtle and effective means of encouragement to comply.
How much does this cost? Virtually nothing. Just the cost of printing a few cards.
A further opportunity to say thank you occurs when a suspicious email is reported. All too often, these reports and actions disappear into some kind of black hole, and no feedback is received by the person who took the initiative to make the report.
Here are a few tips that you can use to show your colleagues that you've caught them doing something right
and that you appreciate their effort.
Firstly, if you have a suspicious email reporting button built into your Outlook ribbon, why not create some rules on the inbox associated with the reporting button so that it automatically generates a thank-you response? Sending a thank-you note shows your colleagues that you recognize that they have done the right thing.
Provide feedback on the report, particularly if the user correctly identified a suspicious email. When you've investigated the report, let the person who created it know the outcome. It will make them feel that they and their efforts have been appreciated by infosec.
Giving individuals recognition for their actions is a great way to influence behavior throughout the organization.
For example, let's say a colleague has referred a suspicious email to you, and it turns out that it contains a zero-day exploit. Obviously, you'll need to address this as soon as possible, warning the organization or maybe tweaking the controls on your email gateway. But when this has been done,
how about a bit of praise for the person who first spotted it?
There is enormous influencing mileage in making an internal media splash when a colleague spots a real threat and facilitates the efforts of infosec. Why? Because it shows the whole organization that some colleagues are really walking the talk and getting recognition for doing so.
showing that doing the right thing has positive consequences is a major factor in influencing others to do the right thing.
So when this happens, use the mass communication tools that are available in your organization, such as the intranet, email and social media, to publicly praise the individual who spotted the threat and took the right action at the right time.
Also, do you remember the ambient influences we discussed in earlier lessons? This approach is also an ambient influencer, because it's an unexpected and out-of-the-blue message received in a familiar communications context, and it centres around someone who may be familiar to a number of people in the organization.
Again, this costs absolutely nothing and uses facilities that you already have available to you within your own organization.
To implement the principles of making it stick, you will need to consider how you will organize, coordinate and deploy your security education program. Dedicated time and focus will be needed to establish and maintain the threat recognition capabilities of your organization.
So this is not a one-off project, nor a periodic intervention. It's a process of continuous development, so consider establishing a role of security education lead to create the infrastructure and process for delivering and managing your security education program.
As you can see, I have given an outline of the high-level responsibilities of this role.
That concludes the final session in this course, Making It Stick. In this final lesson, we have looked at ways in which we can encourage our colleagues to acquire and adopt the skills we need them to have, and to keep themselves and the organization secure.
We've looked at the concept of catching them doing something right and sending the message that doing the right things is noticed, appreciated and will result in colleagues receiving recognition when they do so.
Our final topic was focused on establishing an organization and structure to maintain traction for the security education program and adapt it to changing circumstances.
Thanks for watching and listening.
Links to some additional resources will follow, together with a brief recap of both modules one and two.
We have covered a lot of material in both modules one and two, so I thought it would be helpful to provide a short recap of the main points covered in each module. Each lesson recap will last for around 10 seconds, and I won't be speaking. I'll just let you sit back, relax and refresh your memory.