We hear a lot about the consequences of practicing poor security. And for a while, this was rightfully so. When the importance of cybersecurity was still emerging, many people didn’t understand what could happen if they weren’t following proper security procedures.
But those days are long behind us, so it’s time to retire the scare tactics of the past.
I like to call it “spooky security”. It’s when we try to scare people into submission or use fear mongering to force people into behaving more securely. It’s not working, and it’s stopping businesses from building a healthy security culture. A strong culture of security includes individuals not only being aware of policies and procedures but also understanding security and the role they play in it. It also involves employees’ attitudes towards security and how that impacts their actions. If that attitude is fear and uncertainty, they’re less likely to take an active role. An organization with employees disengaged from security is bound to fail.
Not convinced? Let’s compare the two approaches and the overall impact they can have on your organization’s security.
Scare tactics create a culture of fear and anxiety
Fear-based tactics will only invoke fear in the short term. Maybe you scare people into doing the right thing that afternoon, or for a few weeks. But long term, it’s just going to cause anxiety and affect employee productivity. They’ll spend their time second-guessing their choices and will be more likely to make the wrong decision because they’re so stressed out.
But when employees are confident security advocates because they’re being supported and encouraged, they’ll want to actively participate in security.
Removing roadblocks vs. creating obstacles
Fear-based tactics focus on what you’re not allowed to do and introduce roadblocks to processes. It’s often second nature for security professionals to just say “no” to everything that doesn’t fit into their rigid view of security. There’s good intent here, but it’s often impractical. For example, how are employees supposed to create strong, unique passwords for dozens of different accounts if you aren’t providing them with a password manager? Often, fear-based tactics only introduce the risk associated with bad actions and don’t offer a solution.
Positive security, meanwhile, focuses on those solutions by taking a human-centered approach to security. That means spending the time to fully understand how humans behave, their strengths and weaknesses, and creating a security program and environment that enables employees to succeed at security.
Providing these resources and removing roadblocks for employees increases confidence, and who doesn’t feel good when their confidence is raised? Take time to understand where humans are bound to fail and need support. By doing so, you can make security easier to comply with and ensure everyone has a positive experience.
Your security staff should be approachable
Yet another problem with fear-based security is a lack of communication and transparency on both sides. Often, there are two responses to fear tactics. Either it invokes fear and anxiety, or it creates skeptics who think threats are being exaggerated. Neither is a good response, because both ultimately lead to poor decision making. And both make employees feel like their employer or security team doesn’t trust them to do the right thing, because so much time is spent talking about consequences. That lack of trust, coupled with the secrecy that fear often breeds, means that employees aren’t going to communicate and won’t be transparent when there are potential security issues.
Here at 1Password, we fix this by offering available and approachable security personnel. This means ensuring employees know how to reach the security team and that, when they do, the security team is actually showing interest and doing its best to provide assistance.
Obligatory training vs. learning opportunities
Companies that use fear tactics often view training as an obligation for some sort of compliance requirement, or see it as a punishment to be endured when something goes wrong.
If security training isn’t a regular part of your culture, the natural response to training will be that employees believe they’re in trouble or have done something wrong. Training will be viewed as a punishment and a requirement – not something fun, exciting or positive. It’s a negative experience that, again, can cause that stress and anxiety if employees think they’ve done something wrong.
This is why consistent training is an extremely important part of a positive approach to security. It shows interest in employee development and helping them understand security. This doesn’t mean you shouldn’t offer training in response to a mistake or incident, but it does mean that individuals will feel less called out when these things occur because training already happens regularly, regardless of circumstances.
In those cases, I encourage group or team training to learn from the situation without discussing the scenario specifically. This is for two reasons. First, the individual that made a mistake already feels bad that they messed up. Individual training sessions as a consequence can breed negative emotions towards security. And second, if one person made that mistake, it’s likely that anyone else could have done the same. Perhaps they just weren’t put in that particular situation, or there were different environmental variables. It’s much better to use those incidents as a learning experience for the entire group instead of making one person feel like they’re being trained as a punishment.
Punishing mistakes vs. praising self-accountability
Fear-based security tactics are quick to shame people’s failures. Some companies publicly call out employees, dock their pay, or have “three strikes and you’re out” policies. All these do is fuel anxiety. Shaming is the worst offender of fear-based tactics: it fails to recognize where the security team and employer could have done better and assumes that the person involved was purposefully negligent.
Oftentimes, mistakes happen because an employee was ill prepared to handle that situation. We’ve already talked about how we can try to prevent incidents in the first place by providing resources to employees, but when mistakes inevitably happen, use them as a learning experience for all employees and praise the reporting party. It often takes a lot of courage to acknowledge mistakes and share them with security.
Praising people who speak up is one of my favorite positive approaches. At 1Password, we call it the ‘eyes of the month’ award. It’s given to employees who recognize and report security issues. It doesn’t have to be fancy, but it goes a long way toward removing the fear and negative connotations surrounding reporting a security incident. Employees aren’t afraid to disclose issues because they’re more likely to get an award than a slap on the wrist. Of course, we don’t want these things to happen in the first place, but quick reporting leads to quick remediation, and then we get to use the incident as a learning experience so it doesn’t happen again.
So now maybe you’re thinking, “Fine, I’ll be more positive in the name of security. But what does this get us? What’s the end goal?” We want individuals to have this positive relationship with security so they’re motivated to become long-term, invested security advocates. And what does a company full of security advocates get us? That strong culture of security we discussed earlier. It makes the correct choice the default choice, and suddenly security is the easy and exciting path to take. In organizations that empower and uplift their employees to become allies of security, the entire security program is much more likely to succeed.