How do we implement security efficiently in an organization, small or big?
Although some security officers seems to still believe that having security policies and a plan to implement expensive controls like IPS, IAM or DLP (you’ll notice the common use of nice marketing buzzwords and acronyms to make you believe that you should know what an Intrusion Prevention System, an Identity and Access Management or a Data Leakage Prevention system are, like everyone else is supposed too, and maybe does. But does it mean it’s the solution to your problems?) are the solution, it is not! You can believe me on this, I was thinking the same way years ago, I saw it failing too often and now, I took another approach. And that’s probably one of the reasons why I still have a lot of work as a consultant.
So, what is the first thing we should care for?
When Kevin Mitnick, one of the most famous hackers, was still hacking PABX in order to have the possibility to do war dialling on all available modem in a region for free (yes, it was a long time ago), the weakest point for most computer security systems was already between the chair and the keyboard. Whatever you do, there is always a human involved somewhere and human are harder to control and less predictable than human (even if it might not always be the case). Bottom line, a good security starts with a good communication and training plan, like for any transformation journey, as it is the only good way to change users’ behaviour (depending where you live, you might also think about torture and brain washing but in as I live in Belgium and moreover due to my philosophical convictions, I exclude those from the equation)
Is it really necessary to have a communication and training plan?
The first Palo Alto axioms of communication states that we cannot not communicate (yes, I know, double negation are complicated). Let’s rephrase it: whatever you do or do not, you communicate. So, if you don’t communicate about your security, in fact you just communicate that it is not important or that you don’t care or that you don’t have the budget to communicate. It’s BAD! If you communicate poorly, you might in fact give the same message and even worse as you might give the false impression that security is useless or even boring. Really Bad too! And as you probably know, we just have one occasion to give a good first impression. So, don’t miss it. The basic reason for any communication is to change other’s behaviour. So, if you just want to write policies for yourself and don’t bother about the others behaviour, indeed, you can skip he communication plan.
What makes a communication efficient?
If a communication is intended to change other’s behaviour (or ideas), an efficient communication is the one that will change the highest number of person’s behaviour. How can we assess that efficiency? If you do security and risk management, you should know the PDCA cycle. So, you just use it, like scientists. When you do something you try to measure the effect of your action. Fortunately, there is already a lot of people having tried different paradigms and measure their efficiency. That’s what social psychologist and marketing researcher do. And on the specific risk communication issues, Amos Tversky and Daniel Kahneman, two economy Nobel prize winner psychologists, have developed the theory of perspective, highlighting the numerous biases affecting the human when taking decisions about a risk. Lucky for you, you won’t have to read and understand all those books and articles, I am about to give you a cheat sheet to prepare your next communication.
So, practically, how do you do it?
- First, you have to remember the 3 basic rules of education: repeat, repeat and repeat again.
- Then, you have to remember that if you repeat too often a signal, it tend to be ignored by your brain. When you put your socks on your feet, you start ignoring the sensation of the fabric on your skin after a few seconds. The same way, you don’t notice most of the object in your office that are there for so long. But, if you move it or change the color, interrupt the pattern, you will start noticing again. So, the basic education rule might become something like: repeat, explain and do it again differently.
- Keep it simple, stupid and sexy (KISSS): use terms and analogies that everybody can understand. Your target is not a group is security experts.
Ex.: « Security is wearing belt and braces for your first date«
- Give many concrete short examples: give examples that are relevant for your audience. Use their vocabulary, the process they already know, things they do for a living.
- Use examples allowing people to identify themselves to the story
Ex.: « The new employee walk into the printer room and find a confidential document on the printer, as he remember the security training, he brings the document to the security officer»
- Ask questions and mostly questions creating a knowledge gap, meaning your audience won’t have the answer, or at least, not the right answer.
Ex.: « How long will a 8 characters long password last again hackers attack?«
- Use positives sentences (people have difficulties with negative form, they tend to forget the negation)
Ex.: prefer « You will take care » to « You will not jeopardize »
- Use emotion and feelings to describe situations, it will make it more memorable (you can also add references to sensations, sounds, colors)
Ex: “Alice is afraid of loosing her beloved grand-mother gold ring”
- Explain to your audience as if they were your kids or grandparents
Ex.: “You may see Risk as the cost resulting from an incident (like having a car crash) multiply by the probability of this incident occurring« NB: I know, I Repeat myself, but what we call the knowledge curse, meaning believing the others understand what we are saying, is really killing most security communication
- Use precise numbers, it will be perceived as more credible
Ex.: « You have 2.13 times more chance to die from self-inflicted injuries than from transport accident«
- Naming your sources will also add credibility? (if they are credible).
Ex.: « as stated in the Federal Statistic Death Cause report of 2009 »
- Link important concepts to images, Preferably known locations and persons. Use unusual associations (incongruence) to increase the remembrance.
Ex.: « Ghandi walks into a computer shop and ask for a computer bringing serenity«
- Spot the « victims » of the incident or the persons impacted by an incident. Give a face, a personality, to the victims.
Ex.: « Alice, Bob’s secretary, is affraid of being fired after she disclosed confidential information »
- Provide multiple examples of the same risk. it will create an illusion that the risk is higher, helpful to trigger action & compliance
- Use yes sets (A set of affirmation that will be acknowledge by most people (Yes) preceding an affirmation we want them to acknowledge): As they acknowledge the first affirmations (priming), they are more likely to acknowledge the last affirmation.Once acknowledged, not complying with this affirmation will likely trigger a cognitive dissonance (inconsistency) in their mind, increasing the probability of compliance.
Ex.: « As many, you like to keep your secret secret. You understand the risk of disclosing such information. So, You will probably keep this information secret.«
- Use double « No » or paradoxical sentences:
Ex.: « You don’t want us to take such a risk, don’t you? », « As you care about our security, you will classify the document adequately. No? » or « You may give your password to your colleague and be responsible of all his mistakes. No? »
- Make it look like normal: Make your expectations appear like something normal, that we should do as part of our normal behaviour
Ex.: « As most of your colleagues, you take care of your customer’s information… »
- Provide a meaning to your expectations (appeal to our inner trends to make things right)
Ex.: « Keeping our customers’ transaction confidential prevent insider trading… »
- In the military, it is known that no plan survives the contact with the enemy. To circonvene this, always think to provide the CI (Commander’s Intent) that will allow people to take judgmental decision.
Ex.: « The main goal is to ensure our CRM applications remains available between 7 to 20«
- If you make a presentation, speak slowly, pause for a second after important information, it will be perceived as more charismatic
Ok, I stop here. There is of course more to say but you have already more than enough to make your communication at least 3 time more efficient. Combining all these advices, you may change the odds of behavioural change from 21% to 78%! Can you do better?